Virus/Malware continually re-infesting Mobile laptop


  • This topic is locked
10 replies to this topic

#1 roadmaster64

roadmaster64

    Member

  • New Member
  • Pip
  • 1 posts

Posted 22 December 2007 - 12:18 PM

PC : Toshiba Satellite M35X-S161
OS : MS Windows XP Home Edition Ver 2002, Sp2

This is my friend's laptop. It became so infested with viruses and malware that he couldn't do anything with it; I offered to help him out by doing what I could, but I have reached an impasse. I installed several different programs to get rid of as much as I could. At one point I thought to pat myself on the back: I had every virus and malware removed (or so I thought). As soon as I opened up Internet Explorer I started having browser hijacks, and it kept sending me to search pages; most of the links wouldn't work, and some websites would load while others wouldn't. Also, something keeps trying to modify Explorer.EXE, or so that's what Kaspersky keeps telling me.

Then I found that some of the viruses were back. :(

Here is a list of some of the viruses that I removed.

After AVG install

threat detected:

c:\Windows\System32\xxyxyww.dll trojan horse BXO.CML
c:\Windows\System32\geeby.dll trojan horse BXO.CMX

AVG updated:
while running scan found threats:

ie_updater.exe Trojan horse Downloader.Generic6.ZWX
wsusupd.exe Trojan horse Generic8.OJI
28042.exe Trojan horse Pakes_c.CT
62544.exe Trojan horse Pakes_c.CT
957123844.exe Trojan horse Pakes_c.CT
957123845.exe Trojan horse Pakes_c.CT
ie_updates3r.exe Trojan horse Downloader.Generic6.ZWX
p4ck.exe Virus found Dropper.FreeJoiner
printer.exe Trojan horse Downloader.Small.60.P
ieupdr2.exe Trojan horse Downloader.Generic6.ZWX
1616.exe Trojan horse Downloader.Generic6.XTC
16host.exe Trojan horse Downloader.Generic6.XTC
16sys.exe Trojan horse Downloader.Generic6.XTC
agentagent.exe Trojan horse Downloader.Generic6.XTC
agenthost.exe Trojan horse Downloader.Generic6.XTC
file.exe Trojan horse Generic_c.FSF
hostserver.exe Trojan horse Downloader.Generic6.XTC
lookserver.exe Trojan horse Downloader.Generic6.XTC
looksv.exe Trojan horse Downloader.Generic6.XTC
powerwin.exe Trojan horse Downloader.Generic6.XTC
svwin.exe Trojan horse Downloader.Generic6.XTC
synsv.exe Trojan horse Downloader.Generic6.XTC
syssv.exe Trojan horse Downloader.Generic6.XTC
win16.exe Trojan horse Downloader.Generic6.XTC
xrun.exe Trojan horse Downloader.Agent.MFJ
lsass.exe Trojan horse Downloader.Agent.14.M
spoolsv.exe Trojan horse Downloader.Generic6.XTC
quit.exe Trojan horse Downloader.Generic6.RXV
dmuno.exe Trojan horse SHeur.GSP
ajogw.exe Trojan horse Lop.3.D
rfxgu.exe Trojan horse Lop.3.D

AVG Anti-Spyware.exe

Scan

Adware.Generic
TrackingCookie.Doubleclick
TrackingCookie.Adtrak
Not-A-Virus.PSWTool.Win32.PWDump2
Not-A-Virus.PSWTool.Win32.RAS.a
Hijacker.Small.jf
Downloader.Searcher.e
Downloader.VB.bkw
Downloader.Agent.uj
Downloader.Alphabet
Downloader.Agent.eus
Not-A-Virus.Adware.BHO
Not-A-Virus.Downloader.Win32.UltimateFix.e
Logger.BZub.bm
Not-A-Virus.Adware.Virtumonde
Downloader.Tiny.aed
Logger.Zbot.bg
Trojan.Small

2nd scan

Adware.Generic
TrackingCookie.Yieldmanager
TrackingCookie.Advertising
TrackingCookie.Doubleclick
TrackingCookie.Adtrak


I did a HijackThis scan, and if this was my laptop I'd just start clicking away at what I think are bad entries, but this is my friend's and he doesn't have a restore disk, and I wouldn't want to start fixing good entries and mess up his laptop, so I would appreciate any help anyone can give with this log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 00:47, on 2007-12-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\RAMASST.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HiJackThis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: 0 - {EA2962DD-5D67-41BE-18B5-EFC619EBAD50} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [dmptr.exe] C:\WINDOWS\system32\dmptr.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198175736109
O17 - HKLM\System\CCS\Services\Tcpip\..\{38CC50B5-D764-44F5-9B2C-D0F3D7E5AF9A}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B858DE2-0426-4150-8E69-96C0F05735D4}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC6BCEB3-09A0-4A78-A54B-5EA81B15620D}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\pronyca.html

--
End of file - 6443 bytes


If the color formatting of the filenames doesn't help out to make reading easier, just let me know and I won't do it next time. :)

Edited by roadmaster64, 22 December 2007 - 12:48 PM.
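The HijackThis log format is regular enough to triage by script. The following Python is an added example (not the forum's or HijackThis's own code) that parses the entry lines posted above and flags the ones a helper would review first: the second program chained onto UserInit (F2), the O17 name servers that are neither private addresses nor on an assumed trusted list, orphaned "(no file)" hooks, and the O24 desktop component. The `trusted_resolvers` parameter and the flagging rules are this example's own assumptions, and the sample lines are a subset copied from the log in this post.

```python
import re
from ipaddress import ip_address

# A subset of the HijackThis log posted above, embedded as constructed sample
# input (copied from the posted lines; not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: 0 - {EA2962DD-5D67-41BE-18B5-EFC619EBAD50} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{38CC50B5-D764-44F5-9B2C-D0F3D7E5AF9A}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\pronyca.html
"""

# Every HijackThis entry line starts with a section code such as R0, F2, O4 or O17.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def is_expected_resolver(ip, trusted):
    """True for private/loopback addresses or any address already vetted by the helper."""
    if ip in trusted:
        return True
    try:
        return ip_address(ip).is_private
    except ValueError:
        return False  # not even a valid IP address: definitely worth a look


def triage(text, trusted_resolvers=()):
    """Flag entries a helper would want to review before anything is fixed.

    The rules are this example's own heuristics, chosen to match what stands
    out in the posted log: a second program chained onto UserInit, O17 name
    servers outside the LAN, orphaned '(no file)' hooks, and desktop components.
    `trusted_resolvers` is a hypothetical allowlist of known-good DNS servers.
    """
    findings = []
    seen_dns = set()  # report each unexpected resolver once, not once per adapter
    for section, body in parse_hjt(text):
        if section == "F2" and "UserInit=" in body:
            programs = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
            extra = [p for p in programs if not p.lower().endswith(r"\userinit.exe")]
            if extra:
                findings.append(("F2", "extra UserInit program(s): " + ", ".join(extra)))
        elif section == "O17" and "NameServer =" in body:
            for ip in re.split(r"[,\s]+", body.split("NameServer =", 1)[1].strip()):
                if ip and ip not in seen_dns and not is_expected_resolver(ip, trusted_resolvers):
                    seen_dns.add(ip)
                    findings.append(("O17", f"name server {ip} is neither private nor trusted"))
        elif section in ("O2", "O9") and body.endswith("(no file)"):
            findings.append((section, "orphaned entry: " + body))
        elif section == "O24":
            findings.append(("O24", "Active Desktop component: " + body))
    return findings


if __name__ == "__main__":
    for section, note in triage(SAMPLE_LOG):
        print(f"{section:<4} {note}")
```

Run against the sample it reports the ntos.exe UserInit entry, the two 85.255.x.x name servers, the two orphaned hooks and the desktop component; passing those servers in `trusted_resolvers` silences only the O17 findings.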


#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,520 posts

Posted 25 December 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 25 December 2007 - 11:57 AM

Hi,

Please print for your reference.

You are using an obsolete version of HijackThis.

Please download and install the latest version of HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:
  • Save HJTInstall.exe to your desktop.
  • Double-click on HJTInstall.exe to run the program.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Accept the license agreement by clicking the "I Accept" button.
  • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  • Click "Save log" to save the log file and then the log will open in Notepad.
  • Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Delete the older version once you have successfully downloaded and installed the latest version.

Submit a fresh HijackThis log for my review.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#4 roadmaster

roadmaster

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 25 December 2007 - 07:19 PM

Hi,

Please print for your reference.

You are using an obsolete version of HijackThis.

Please download and install the latest version of HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:

  • Save HJTInstall.exe to your desktop.
  • Double-click on HJTInstall.exe to run the program.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Accept the license agreement by clicking the "I Accept" button.
  • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  • Click "Save log" to save the log file and then the log will open in Notepad.
  • Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Delete the older version once you have successfully downloaded and installed the latest version.

Submit a fresh HijackThis log for my review.



Here is the updated HijackThis Log. Thanks for the help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:55 PM, on 12/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\VCSExpress.exe
C:\Documents and Settings\System Operator\My Documents\Visual Studio 2008\Projects\Server Core\Server Core\bin\Debug\Server Core.vshost.exe
C:\Program Files\WordPerfect Mail\Programs\bin\WPMail.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\ConnectUO Desktop\CUODesktop.exe
C:\Program Files\EA Games\Ultima Online 9th Anniversary Collection\client.exe
C:\Program Files\Agent Ransack\AgentRansack.exe
D:\RunUo SvN Core Attempt\Server Core.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.runuo.com/forums/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "D:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - D:\Program Files\SmartWhois\swmsie.exe
O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - D:\Program Files\SmartWhois\swmsie.exe
O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - D:\Program Files\SmartWhois\swmsie.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1174066388734
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1174283528140
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8653 bytes



#5 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 26 December 2007 - 07:54 AM

Hello,

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Download Combofix to your desktop. Important.

Nothing suspicious was found on your logs. Let's start with this.

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link http://www.bleepingc...opic114351.html to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthis log.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

p.s.
When replying to your topic, please use the Posted Image button.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#6 roadmaster

roadmaster

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 26 December 2007 - 12:41 PM

Here's my ComboFix log.

ComboFix 07-12-21.4 - Pat 2007-12-26 9:18:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.176 [GMT -8:00]
Running from: C:\Documents and Settings\Pat\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Program Files\Helper
C:\Program Files\ini.ini\
C:\Program Files\network monitor
C:\Program Files\smss.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\temp\tn3
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\kernel32.exe
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\RunOnce.tmp
C:\WINDOWS\system32\v8
C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DRIVER
-------\LEGACY_MICROSOFT_INET_SERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_WINDOWS_MANAGEMENT_SERVICE
-------\core
-------\Microsoft Inet Service


((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.

2007-12-25 16:13 . 2007-12-25 16:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-22 01:39 . 2007-12-22 01:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-22 01:30 . 2007-12-22 01:30 <DIR> d-------- C:\Documents and Settings\Pat\Application Data\Grisoft
2007-12-22 01:29 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-21 22:39 . 2007-12-21 22:44 <DIR> d-------- C:\XP Home I386
2007-12-21 22:23 . 2004-08-04 00:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-12-21 22:23 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2007-12-21 22:23 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-12-21 22:23 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-12-21 22:23 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-12-21 22:23 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-12-21 22:23 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-12-21 22:21 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2007-12-21 22:20 . 2004-08-03 20:56 456,704 --a--c--- C:\WINDOWS\system32\dllcache\smtpsvc.dll
2007-12-21 22:19 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2007-12-21 22:18 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2007-12-21 22:17 . 2004-08-03 22:59 2,015,232 --a--c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2007-12-21 22:16 . 2001-08-17 12:50 320,384 --a--c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2007-12-21 22:15 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2007-12-21 22:14 . 2004-08-03 18:31 811,064 --a--c--- C:\WINDOWS\system32\dllcache\imjp81k.dll
2007-12-21 22:13 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2007-12-21 22:12 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2007-12-21 22:11 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2007-12-21 22:10 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2007-12-21 22:09 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2007-12-21 22:08 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2007-12-21 22:07 . 2004-08-03 23:18 2,148,352 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-12-21 21:59 . 2007-12-21 22:04 <DIR> d-------- C:\Slipstreamed_I386
2007-12-21 21:56 . 2006-02-07 08:35 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2007-12-21 21:43 . 2002-08-29 04:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2007-12-21 21:41 . 2002-08-29 04:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2007-12-21 21:40 . 2002-08-29 04:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2007-12-21 21:39 . 2003-03-24 16:52 109,328 --a--c--- C:\WINDOWS\system32\dllcache\fp98swin.exe
2007-12-21 21:39 . 2003-03-24 16:52 14,608 --a--c--- C:\WINDOWS\system32\dllcache\fp98sadm.exe
2007-12-21 21:37 . 2007-12-21 21:37 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2007-12-21 21:37 . 2007-12-21 21:37 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2007-12-21 21:37 . 2007-12-21 21:37 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2007-12-21 21:37 . 2007-12-21 21:37 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2007-12-21 21:37 . 2007-12-21 21:37 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2007-12-21 21:35 . 2002-08-29 04:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2007-12-21 21:29 . 2004-08-03 20:56 214,528 --a--c--- C:\WINDOWS\system32\dllcache\icwconn1.exe
2007-12-21 21:26 . 2004-08-04 00:56 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2007-12-21 21:26 . 2004-08-04 00:56 152,576 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2007-12-21 21:26 . 2004-08-03 23:00 87,424 --a------ C:\WINDOWS\system32\drivers\irda.sys
2007-12-21 21:26 . 2004-08-03 23:00 87,424 --a--c--- C:\WINDOWS\system32\dllcache\irda.sys
2007-12-21 21:26 . 2004-08-04 00:56 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2007-12-21 21:26 . 2004-08-04 00:56 27,136 --a--c--- C:\WINDOWS\system32\dllcache\irmon.dll
2007-12-21 21:26 . 2004-08-04 00:56 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2007-12-21 21:26 . 2004-08-04 00:56 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2007-12-21 21:20 . 2001-08-17 13:51 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys
2007-12-21 21:20 . 2001-08-17 13:51 19,584 --a--c--- C:\WINDOWS\system32\dllcache\rasirda.sys
2007-12-21 10:31 . 2007-12-21 10:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-12-21 10:26 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002005_.tmp
2007-12-21 10:26 . 2004-08-03 22:42 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-21 10:23 . 2007-12-21 10:23 <DIR> d-------- C:\WINDOWS\EHome
2007-12-21 04:42 . 2004-08-03 20:56 93,184 --a--c--- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-21 04:38 . 2004-08-03 20:56 132,096 --a--c--- C:\WINDOWS\system32\dllcache\wmipdskq.dll
2007-12-21 04:38 . 2004-08-03 20:56 126,464 --a--c--- C:\WINDOWS\system32\dllcache\wmiapsrv.exe
2007-12-21 04:38 . 2004-08-03 20:56 89,088 --a--c--- C:\WINDOWS\system32\dllcache\wmiaprpl.dll
2007-12-21 04:38 . 2004-08-03 20:56 62,976 --a--c--- C:\WINDOWS\system32\dllcache\wmipjobj.dll
2007-12-21 04:38 . 2004-08-03 20:56 62,464 --a--c--- C:\WINDOWS\system32\dllcache\wmipiprt.dll
2007-12-21 04:37 . 2004-08-03 20:56 196,608 --a--c--- C:\WINDOWS\system32\dllcache\wmiadap.exe
2007-12-21 04:37 . 2004-08-03 20:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\wbemtest.exe
2007-12-21 04:37 . 2004-08-03 20:56 43,520 --a--c--- C:\WINDOWS\system32\dllcache\wbemsvc.dll
2007-12-21 04:37 . 2004-08-03 20:56 6,656 --a--c--- C:\WINDOWS\system32\dllcache\wmiapres.dll
2007-12-21 04:36 . 2004-08-03 20:56 178,176 --a--c--- C:\WINDOWS\system32\dllcache\wbemdisp.dll
2007-12-21 04:35 . 2004-08-03 20:56 71,680 --a--c--- C:\WINDOWS\system32\dllcache\wbemcons.dll
2007-12-21 04:34 . 2004-08-03 20:56 237,056 --a--c--- C:\WINDOWS\system32\dllcache\provthrd.dll
2007-12-21 04:34 . 2004-08-03 20:56 212,992 --a--c--- C:\WINDOWS\system32\dllcache\ntevt.dll
2007-12-21 04:34 . 2004-08-03 20:56 196,608 --a--c--- C:\WINDOWS\system32\dllcache\wbemcntl.dll
2007-12-21 04:34 . 2004-08-03 20:56 131,584 --a--c--- C:\WINDOWS\system32\dllcache\viewprov.dll
2007-12-21 04:34 . 2004-08-03 20:56 36,864 --a--c--- C:\WINDOWS\system32\dllcache\scrcons.exe
2007-12-21 04:32 . 2004-08-04 00:56 1,134,592 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-12-21 04:31 . 2004-08-03 20:56 1,251,840 --a--c--- C:\WINDOWS\system32\dllcache\comsvcs.dll
2007-12-21 04:30 . 2004-08-03 20:56 397,312 --a------ C:\WINDOWS\system32\fxstiff.dll
2007-12-21 04:30 . 2004-08-03 20:56 397,312 --a--c--- C:\WINDOWS\system32\dllcache\fxstiff.dll
2007-12-21 04:30 . 2004-08-03 20:56 246,272 --a------ C:\WINDOWS\system32\fxst30.dll
2007-12-21 04:30 . 2004-08-03 20:56 246,272 --a--c--- C:\WINDOWS\system32\dllcache\fxst30.dll
2007-12-21 04:30 . 2004-08-03 20:56 154,112 --a------ C:\WINDOWS\system32\fxsui.dll
2007-12-21 04:30 . 2004-08-03 20:56 154,112 --a--c--- C:\WINDOWS\system32\dllcache\fxsui.dll
2007-12-21 04:29 . 2004-08-03 20:56 562,176 --a------ C:\WINDOWS\system32\fxsst.dll
2007-12-21 04:29 . 2004-08-03 20:56 562,176 --a--c--- C:\WINDOWS\system32\dllcache\fxsst.dll
2007-12-21 04:29 . 2004-08-03 20:56 267,776 --a------ C:\WINDOWS\system32\fxssvc.exe
2007-12-21 04:29 . 2004-08-03 20:56 267,776 --a--c--- C:\WINDOWS\system32\dllcache\fxssvc.exe
2007-12-21 04:29 . 2004-08-03 20:56 8,704 --a------ C:\WINDOWS\system32\fxsperf.dll
2007-12-21 04:29 . 2004-08-03 20:56 8,704 --a--c--- C:\WINDOWS\system32\dllcache\fxsperf.dll
2007-12-21 04:29 . 2004-08-03 20:56 6,656 --a------ C:\WINDOWS\system32\fxsres.dll
2007-12-21 04:29 . 2004-08-03 20:56 6,656 --a--c--- C:\WINDOWS\system32\dllcache\fxsres.dll
2007-12-21 04:28 . 2004-08-03 20:56 229,376 --a------ C:\WINDOWS\system32\fxscover.exe
2007-12-21 04:28 . 2004-08-03 20:56 229,376 --a--c--- C:\WINDOWS\system32\dllcache\fxscover.exe
2007-12-21 04:28 . 2004-08-03 20:56 143,360 --a------ C:\WINDOWS\system32\fxsclnt.exe
2007-12-21 04:28 . 2004-08-03 20:56 143,360 --a--c--- C:\WINDOWS\system32\dllcache\fxsclnt.exe
2007-12-21 04:28 . 2004-08-03 20:56 27,136 --a------ C:\WINDOWS\system32\fxsdrv.dll
2007-12-21 04:28 . 2004-08-03 20:56 27,136 --a--c--- C:\WINDOWS\system32\dllcache\fxsdrv.dll
2007-12-21 04:28 . 2004-08-03 20:56 23,552 --a------ C:\WINDOWS\system32\fxsext32.dll
2007-12-21 04:28 . 2004-08-03 20:56 23,552 --a--c--- C:\WINDOWS\system32\dllcache\fxsext32.dll
2007-12-21 04:27 . 2004-08-03 20:56 285,184 --a------ C:\WINDOWS\system32\fxscomex.dll
2007-12-21 04:27 . 2004-08-03 20:56 285,184 --a--c--- C:\WINDOWS\system32\dllcache\fxscomex.dll
2007-12-21 04:26 . 2004-08-03 20:56 452,096 --a------ C:\WINDOWS\system32\fxsapi.dll
2007-12-21 04:26 . 2004-08-03 20:56 452,096 --a--c--- C:\WINDOWS\system32\dllcache\fxsapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 19:33 44,288 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-18 19:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-18 19:13 --------- d-----w C:\Program Files\Symantec
2007-12-18 15:03 73 ----a-w C:\Program Files\ini.ini
2007-12-18 08:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-09 23:50 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-09 01:52 --------- d-----w C:\Program Files\Common Files\Real
2007-11-09 01:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-09 01:50 --------- d-----w C:\Program Files\Quicken
2007-11-09 01:43 --------- d-----w C:\Program Files\Napster
2007-11-09 01:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-11-09 01:05 --------- d-----w C:\Program Files\Toshiba
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 20:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-26 16:53]
"ZoomingHook"="c:\WINDOWS\System32\ZoomingHook.exe" [2004-07-14 15:07]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-07-28 15:23]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 12:45]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 08:39]
"NDSTray.exe"="NDSTray.exe" []
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-26 14:43]
"dmptr.exe"="C:\WINDOWS\system32\dmptr.exe" []
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2004-08-19 17:14]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-08-06 14:14]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-08-27 15:22]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 20:10]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 14:00 C:\WINDOWS\agrsmmsg.exe]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [2006-02-07 08:39]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [2006-02-07 08:36]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [2006-02-07 08:40]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-08-19 15:18:56]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Messenger\pronyca.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="csuck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

R1 SrvcEKIOMngr;SrvcEKIOMngr;C:\WINDOWS\system32\Drivers\EKIoMngr.sys [2004-07-30 14:05]
R1 SrvcEPECioctl;SrvcEPECioctl;C:\WINDOWS\system32\Drivers\ECioctl.sys [2004-08-19 13:03]
R1 SrvcEPIOMngr;SrvcEPIOMngr;C:\WINDOWS\system32\Drivers\EPIoMngr.sys [2004-07-30 14:05]
R1 SrvcSSIOMngr;SrvcSSIOMngr;C:\WINDOWS\system32\Drivers\SSIoMngr.sys [2004-07-30 14:05]
R1 SrvcTPIOMngr;SrvcTPIOMngr;C:\WINDOWS\system32\Drivers\TPIoMngr.sys [2004-07-30 14:05]
R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys [2004-06-25 09:37]
R3 EPOWER;Compal E-POWER Driver;C:\WINDOWS\system32\Drivers\hkdrv.sys [2004-08-27 12:29]
R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys [2004-06-25 09:37]
R3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys [2004-06-25 10:00]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-26 00:19:58 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 09:23:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-26 9:24:25 - machine was rebooted [Pat]


Here's my new HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:07 AM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [dmptr.exe] C:\WINDOWS\system32\dmptr.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198175736109
O17 - HKLM\System\CCS\Services\Tcpip\..\{38CC50B5-D764-44F5-9B2C-D0F3D7E5AF9A}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B858DE2-0426-4150-8E69-96C0F05735D4}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC6BCEB3-09A0-4A78-A54B-5EA81B15620D}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\pronyca.html

--
End of file - 6252 bytes


This laptop seems to be working better. Before your first reply I installed the Kaspersky full version on it and ran it several times. I can't seem to do the "click" right on some links; I have to right click and open in a new link using the laptop buttons. And the time before last when I ran Explore.EXE, Kaspersky brought up a window telling me something wanted to modify that file. I chose the allow option, waiting to see what that will do.

When I type the following site into the IE address bar and then hit Enter or click the Go button, I get the following search page:

http://search.live.c...q=www.runuo.com

I know the RunUo site is up because I can type it into my desktop PC and it brings the site right up, but I'll turn around and try other sites and they seem to work OK. I've checked Internet Settings and Kaspersky Settings; if I click on an entry in the search page, or right click then open in new window, I get a "The page cannot be displayed" (i.e. cannot find server), but I turn to my desktop PC and it brings it up fine again.

Could I have changed a setting somewhere? This seems specific to the RunUo site address; it's usually this site I check to see if the Internet is working or not.

Several things I also did before your first post were to use my XP Home install disk to repair the Windows installation (not the Recovery Console option), and I also used "SFC /scannow" in the Run command.

I appreciate your help.

Edited by roadmaster, 26 December 2007 - 01:23 PM.


#7 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 26 December 2007 - 02:03 PM

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from this site:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis may launch; close it.

Disable AVG Anti-Spyware (formerly ewido):
Please disable AVG Anti-Spyware, as it may interfere with the fix.
  • Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an ‘S’ in the system tray.
  • In the Resident Shield section, toggle the AVG Anti-Spyware active protection ‘off’ by clicking Change state which will then change the protection status to 'inactive'.
  • If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to Restart the Resident Shield.
  • Reply ‘no’ and set it to ‘inactive’ for the duration of your cleanup.
Once your log is clean you can re-enable Ewido.

Close all programs, leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [dmptr.exe] C:\WINDOWS\system32\dmptr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{38CC50B5-D764-44F5-9B2C-D0F3D7E5AF9A}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B858DE2-0426-4150-8E69-96C0F05735D4}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC6BCEB3-09A0-4A78-A54B-5EA81B15620D}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101


Click on Fix Checked when finished and exit HijackThis.

Delete this file if found:
C:\WINDOWS\system32\dmptr.exe

At the end of the fix, you need to restart your computer again.

Note:

If you have problems with your internet connection after this fix, try this.
Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.


Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
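
The O17 entries above are the security-relevant finding in this log: every ControlSet and every adapter GUID has been pointed at the same pair of external resolvers, which is what sent the browser to a search page instead of the site typed in. As an added example (not code from the thread, HijackThis or FixWareout), the Python below parses O17 lines copied from the log, flags any NameServer value that is not an expected resolver, and groups the hits by registry location so the "planted everywhere" pattern is visible; the allow-listed resolver address is a constructed placeholder.

```python
"""Audit HijackThis O17 entries for rogue DNS servers.

Added example, not part of the thread or of the HijackThis/FixWareout tools.
SAMPLE_LOG is copied from the log posted above; EXPECTED_RESOLVERS is a
constructed placeholder for the resolvers a given machine is supposed to use.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

# HijackThis prints O17 lines in two shapes, both present in the log above:
#   per-interface key  ...\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h
#   per-ControlSet key ...\Tcpip\Parameters: NameServer = a.b.c.d e.f.g.h
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<iface>\{[0-9A-Fa-f-]+\})|Parameters)"
    r": NameServer = (?P<servers>.+)$"
)


class O17Entry(NamedTuple):
    controlset: str      # CCS (CurrentControlSet), CS1, CS2, ...
    interface: str       # adapter GUID, or "" for the global Parameters key
    servers: List[str]   # resolver addresses as listed in the registry value


def parse_o17(line: str) -> Optional[O17Entry]:
    """Parse one HijackThis line; return None for anything that is not O17."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    # The value is comma-separated on interface keys and space-separated on
    # the Parameters key; accept either.
    servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
    return O17Entry(m.group("cs"), m.group("iface") or "", servers)


def rogue_servers(entry: O17Entry, allowed: Set[str]) -> List[str]:
    """Resolvers that are neither allow-listed nor on a private/loopback range."""
    rogue = []
    for s in entry.servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            rogue.append(s)          # not even an address: flag it
            continue
        if str(ip) in allowed or ip.is_private or ip.is_loopback:
            continue
        rogue.append(str(ip))
    return rogue


def audit_log(lines: Iterable[str], allowed: Set[str]) -> Dict[str, List[str]]:
    """Map each rogue resolver to every registry location that points at it.

    The same pair under CCS, CS1 and CS2 and under every adapter GUID is the
    tell-tale of a DNS changer: clearing only the current ControlSet leaves
    the value to come back via "Last Known Good".
    """
    hits: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_o17(line)
        if entry is None:
            continue
        where = entry.controlset + "\\" + (entry.interface or "Parameters")
        for s in rogue_servers(entry, allowed):
            hits.setdefault(s, []).append(where)
    return hits


# Lines copied from the HijackThis log posted above (two non-O17 lines are
# included to show they are ignored).
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/",
    r"O4 - HKLM\..\Run: [dmptr.exe] C:\WINDOWS\system32\dmptr.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{38CC50B5-D764-44F5-9B2C-D0F3D7E5AF9A}: NameServer = 85.255.116.70,85.255.112.101",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{5B858DE2-0426-4150-8E69-96C0F05735D4}: NameServer = 85.255.116.70,85.255.112.101",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{CC6BCEB3-09A0-4A78-A54B-5EA81B15620D}: NameServer = 85.255.116.70,85.255.112.101",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101",
    r"O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101",
]

# Constructed placeholder: the ISP resolver this machine should be using.
EXPECTED_RESOLVERS = {"198.51.100.53"}

if __name__ == "__main__":
    for server, places in audit_log(SAMPLE_LOG, EXPECTED_RESOLVERS).items():
        print(f"rogue resolver {server} referenced from {len(places)} locations:")
        for p in places:
            print("   ", p)
```

HijackThis reports only the NameServer value; the DhcpNameServer value that the FixWareout report further down shows being cleared is not in an O17 line and has to be read from the registry directly.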

#8 roadmaster

roadmaster

    Member

  • Full Member
  • 4 posts

Posted 27 December 2007 - 02:12 AM

Close all programs, leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [dmptr.exe] C:\WINDOWS\system32\dmptr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{38CC50B5-D764-44F5-9B2C-D0F3D7E5AF9A}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B858DE2-0426-4150-8E69-96C0F05735D4}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC6BCEB3-09A0-4A78-A54B-5EA81B15620D}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101

Click on Fix Checked when finished and exit HijackThis.

Delete this file if found:
C:\WINDOWS\system32\dmptr.exe


When I ran HijackThis, all of the above entries had already been deleted by FixWareout.

Here's the fixwareout\report.txt:

Username "Pat" - 12/26/2007 22:22:36 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmptr"
HKLM\SOFTWARE\~\Winlogon\ "System"="csuck.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.70 85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{38CC50B5-D764-44F5-9B2C-D0F3D7E5AF9A}
"nameserver"="85.255.116.70,85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{5B858DE2-0426-4150-8E69-96C0F05735D4}
"nameserver"="85.255.116.70,85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{CC6BCEB3-09A0-4A78-A54B-5EA81B15620D}
"nameserver"="85.255.116.70,85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{CC6BCEB3-09A0-4A78-A54B-5EA81B15620D}
"DhcpNameServer"="85.255.116.70,85.255.112.101" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}48497F0FCFA4-1EA9-20F4-8CE7-00B4D73C{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}52228091FD88-DB99-3FB4-987D-64374317{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "feqmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}F00BB677F8B2-5C0B-7304-D82B-F2C62848{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "rtpmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "wohmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "onumd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "kcusc" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmqef.exe" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmhow.exe" Value deleted
HKCR\CLSID\{E77CA008-F831-475B-AF47-BB28645EB73C}\_h\4 Deleted.
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\avp.exe\""
"ZoomingHook"="c:\\WINDOWS\\System32\\ZoomingHook.exe"
"TPNF"="C:\\Program Files\\TOSHIBA\\TouchPad\\TPTray.exe"
"SmoothView"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"Pinger"="c:\\toshiba\\ivp\\ism\\pinger.exe /run"
"NDSTray.exe"="NDSTray.exe"
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"CeEPOWER"="C:\\Program Files\\TOSHIBA\\Power Management\\CePMTray.exe"
"CeEKEY"="C:\\Program Files\\TOSHIBA\\E-KEY\\CeEKey.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


And here's the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:15 PM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.runuo.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198175736109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198697179109
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\pronyca.html

--
End of file - 5834 bytes


As a side note, earlier today (the 26th) I was trying to get on the Windows Update site but no matter what I tried I couldn't get on. After running FixWareout I can now access Windows Update, and the website runuo.com that I mentioned in my last post is no longer blocked.

roadmaster

Edited by roadmaster, 27 December 2007 - 02:17 AM.


#9 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 27 December 2007 - 10:15 AM

Nice work, your log is clean.

Please read this Prevention page, with lots of info and tips on how to prevent this in the future.
http://users.telenet...prevention.html
nasdaq


#10 roadmaster

roadmaster

    Member

  • Full Member
  • 4 posts

Posted 28 December 2007 - 04:05 AM

The laptop seems to be working well now, thanks for all your help. You can remove this thread or do whatever you do to threads which have been successfully handled.

Again, kudos to you.

#11 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 08 January 2008 - 09:23 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
nasdaq

