Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

Spyware attacks; please help

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

Spyware attacks; please help

Unread postby removeslyspy » March 24th, 2005, 12:28 am

Hi,

Repeated attacks by spywares; running adware and spybot hasn't helped. Microsoft Spyware keeps reporting blocked spyware every 30-45 secs. The "End Taskbar" window appears every time I restart the system.

Any help will be really appreciated.

SB

Please find as follows the hijack log file:

Logfile of HijackThis v1.99.1
Scan saved at 10:31:17 PM, on 3/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\j2re1.4.2\bin\java.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\iptq.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\javaax.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Downloads\Spyware Tools\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://metalink.oracle.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cwowm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.1.241:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {BAECFF6A-2CC0-095A-0883-1BA36541C515} - C:\WINDOWS\sdkur.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iptq.exe] C:\WINDOWS\system32\iptq.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: loader.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/re ... nsload.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://usnbka021.us.ul.com:9002/jinitiator/oajinit.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AFB0561-79B5-43AC-A9C2-D25220B9F72A}: NameServer = 10.40.1.155,10.40.1.156
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = us.ul.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = us.ul.com
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\dgskmon.dll (file missing)
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\i2420choef4c0.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msmp32.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
removeslyspy
Active Member
 
Posts: 4
Joined: March 23rd, 2005, 2:53 am
Location: Chicago, US
Top
Advertisement
Register to Remove

Unread postby Nellie2 » March 24th, 2005, 7:22 pm

First of all I need you to download some programs for use later.

Download this file and unzip it to your desktop

Download About:Buster from here. Once it is downloaded extract it to c:\aboutbuster and check for updates. Do NOT use it yet

Download CWShredder from here, install it, check for updates but again, don't use it yet.

Then, Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.

Open adaware and Click the "Check for updates now" line on the main screen. CLick the "Connect" button on the webupdate screen.

If an update is available download it and install it. Click the "Finish" button to go back to the main screen.

Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes

Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Then select "Use custom scanning options" and click "CUstomize". This will open the "Scan Settings Page. Make sure all of the following are On with a "green" checkmark:

Scan within archives
Scan active processes
Scan Registry
Deep-scan Registry
Scan my IE Favorites for banned URLs
Scan my Hosts File

Then click on the "Tweak" Button to open up the tweak settings.

Open up the Scanning Engine section and make sure all of the following are On with a "green" checkmark:

Scan registry for all users instead of current user only

Make sure the following is unchecked with a "red" X:

Unload recognized processes & modules during scan.

Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:

Always try to unload modules before deletion
During Removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot.

Click the "Proceed" button to save settings.

Don't scan yet. We will do it in safe mode.

Download and install the VX2 Cleaner plugin from here Follow the instructions for installation on that page

Ensure hidden files and folders are set to show;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
You may want to print these instructions or save them to word pad as you will need to carry out the rest of the instructions in safe mode and be disconnected from the internet.

Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called Workstation NetLogon Service. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Please disconnect from the Internet and unplug your modem for the duration of this fix You may want to print the rest of these instructions.

Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE

While in safe mode, double click on the cwsserviceemove.reg file you downloaded at the beginning. Grant it permission to add the registry items.

Then Open cwshredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.

Bring up task manager Ctrl-Alt-Del and end these processes if they are present

javaax.exe
iptq.exe

Now find and delete these files, if you can't find one then don't worry.. just move on to the next one.

C:\WINDOWS\javaax.exe
C:\WINDOWS\system32\iptq.exe
C:\WINDOWS\system32\cwowm.dll
C:\WINDOWS\sdkur.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\loader.exe
C:\WINDOWS\system32\msmp32.exe
C:\WINDOWS\system32\dgskmon.dll

Now run hijackthis and click the scan button, when it has finished scanning put a check against the following and click 'fix checked'

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cwowm.dll/sp.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {BAECFF6A-2CC0-095A-0883-1BA36541C515} - C:\WINDOWS\sdkur.dll

O4 - HKLM\..\Run: [iptq.exe] C:\WINDOWS\system32\iptq.exe
O4 - Global Startup: loader.exe

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\dgskmon.dll (file missing)

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msmp32.exe (file missing)

The following step is important as you may have several malware files in your temp directories.

Then browse to the C:\documents and settings\Your User Name (repeat for all other user names in documents and settings)\local settings\temp folder and delete all files and folders in it.
Then browse to the C:\Window\Temp folder and delete all files and folders in it.
Then in internet explore click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well.

Now navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. Post the log file in your next reply.

Scan with Adaware by opening it and clicking the "Next" button to start the scan.

When the scan is completed the Performing System Scan screen will change name to "Scan Complete".

Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available.

Click the Critical Objects Tab. In general all of the items listed will be bad. Be carefull with the Hosts file entries. Malware uses the hosts file to redirect you websites. However you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted as it is protecting against unwanted sites. For more information on how to use a host file to protect yourself read here. So in short, you may or may not want to fix the hosts file entries.

To fix all the bad critical objects do the following:

Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries.

When all are selected Click "Next" and then "OK" in the pop-up window to confirm the removal. Run adaware again only this time run the VX2 cleaner tool.

Now reboot,.

Finally run hijackthis again and post a fresh log along with the about buster log. :)
User avatar
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK
Top

Problem not resolved

Unread postby removeslyspy » March 25th, 2005, 5:57 am

Problem still not resolved. Please find as follows the hijack and aboutblaster logs.

---------------
HiJack Log:
---------------
Logfile of HijackThis v1.99.1
Scan saved at 3:59:22 AM, on 3/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\mshg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\j2re1.4.2\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPSMain.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ipac32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Downloads\Spyware Tools\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://nbkweb1.ul.com/nbk.proxy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.1.241:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {011D0D79-1BD4-5167-DD32-029CC16A44CD} - C:\WINDOWS\system32\d3vi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ipac32.exe] C:\WINDOWS\system32\ipac32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/re ... nsload.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -

http://usnbka021.us.ul.com:9002/jinitiator/oajinit.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) -

http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AFB0561-79B5-43AC-A9C2-D25220B9F72A}: NameServer = 10.40.1.155,10.40.1.156
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = us.ul.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = us.ul.com
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mshg.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN

Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation -

C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog

Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program

Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program

Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat

5.0\bin\tomcat.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



-----------------
AboutBlaster Log:
-----------------
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25


Removed Data Streams:
C:\WINDOWS\dahotfix.log:eepxw
C:\WINDOWS\eFaxview.exe.manifest:ufgez
C:\WINDOWS\FeatherTexture.bmp:wlaqi
C:\WINDOWS\nsw.log:cnjuy
C:\WINDOWS\ODBC.INI:izihb
C:\WINDOWS\q329623.log:bfqqn
C:\WINDOWS\Q810243.log:eigdp
C:\WINDOWS\Q811630.log:iyzer
C:\WINDOWS\Q814033.log:qqzyy
C:\WINDOWS\system.ini:tfavr
C:\WINDOWS\ToshDefs.reg:mmzez
C:\WINDOWS\yacs.log:hwobf


Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25


Removed Data Streams:
C:\WINDOWS\dahotfix.log:eepxw
C:\WINDOWS\eFaxview.exe.manifest:ufgez
C:\WINDOWS\FeatherTexture.bmp:wlaqi
C:\WINDOWS\nsw.log:cnjuy
C:\WINDOWS\ODBC.INI:izihb
C:\WINDOWS\q329623.log:bfqqn
C:\WINDOWS\Q810243.log:eigdp
C:\WINDOWS\Q811630.log:iyzer
C:\WINDOWS\Q814033.log:qqzyy
C:\WINDOWS\system.ini:tfavr
C:\WINDOWS\ToshDefs.reg:mmzez
C:\WINDOWS\yacs.log:hwobf


Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 3 ---------------------------
About:Buster Version 4.0
Reference List : 25

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
removeslyspy
Active Member
 
Posts: 4
Joined: March 23rd, 2005, 2:53 am
Location: Chicago, US
Top

Unread postby Nellie2 » March 25th, 2005, 11:47 am

Before I go on, when you ran the VX2 removal tool, did it find anything?
User avatar
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK
Top

VX2 removal tool

Unread postby removeslyspy » March 26th, 2005, 11:22 am

The VX2 removal tool did not find anything.

Thanks.
removeslyspy
Active Member
 
Posts: 4
Joined: March 23rd, 2005, 2:53 am
Location: Chicago, US
Top

Unread postby Nellie2 » March 26th, 2005, 11:37 am

ok, please disconnect from the internet and close IE and keep it closed until you have finished.

Boot into safe mode and run CWShredder once more, make sure you hit 'fix' as opposed to 'scan only'

Then find and delete these files, if they aren't there don't worry about it

C:\WINDOWS\system32\d3vi.dll
C:\WINDOWS\system32\ipac32.exe
C:\WINDOWS\mshg.exe

Run hijackthis and fix the following in the same way that you did before;

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {011D0D79-1BD4-5167-DD32-029CC16A44CD} - C:\WINDOWS\system32\d3vi.dll

O4 - HKLM\..\Run: [ipac32.exe] C:\WINDOWS\system32\ipac32.exe

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mshg.exe" /s (file missing)

Close hijackthis and then run Adaware and About:buster once more

Boot back to normal mode and post a fresh hijack log along with the latest about Buster log please
User avatar
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK
Top

Unread postby ChrisRLG » April 14th, 2005, 6:45 am

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
Top
Advertisement
Register to Remove
Topic locked
  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 426 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index