win32/clspring.faq - Geeks to Go!

Welcome Guest ( Log In | Register )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Spyware, virus, trojan, fake security or privacy alerts? Read the malware cleaning guide.

> Geeks to Go! » Security » Malware Removal - HijackThis™ Logs Go Here

win32/clspring.faq, detected & deleted then reinfects itself

Options

davidmainstay View Member Profile	Mar 8 2007, 10:44 AM Post #1
New Member Posts: 2 OS: xp	My realtime scanner from Computer Associates identifies & deletes win32/clsping.fq and then detects that the system is once again infected with win32/clsping.fq. Here is my log file. Thanks!!!!! Logfile of HijackThis v1.99.1 Scan saved at 8:18:53 AM, on 3/8/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe C:\WINDOWS\SYSTEM32\WISPTIS.EXE C:\WINDOWS\System32\tabbtnu.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\brss01a.exe C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\Brmfrmps.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\WINDOWS\system32THotkey.exe C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE C:\Program Files\ltmoh\Ltmoh.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\system32\TPSMain.exe C:\WINDOWS\system32\TPSODDCtl.exe C:\Program Files\Yahoo!\Antivirus\ISafe.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe C:\WINDOWS\system32\thpsrv.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\TFNF5.exe C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe C:\Program Files\TOSHIBA\TouchED\TouchED.Exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\Program Files\Toshiba\Tvs\TvsTray.exe C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Yahoo!\Antivirus\CAVTray.exe C:\Program Files\Yahoo!\Antivirus\CAVRID.exe C:\PROGRA~1\Yahoo!\YOP\yop.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe C:\Program Files\Brother\ControlCenter2\brctrcen.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\Program Files\Common Files\??curity\n?lookup.exe C:\WINDOWS\system32\TPSBattM.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\WINDOWS\system32\RAMASST.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\PROGRA~1\Yahoo!\browser\ycommon.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe c:\TOSHIBA\IVP\swupdate\swupdtmr.exe C:\WINDOWS\system32\ThpSrv.exe C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Yahoo!\Antivirus\VetMsg.exe C:\toshiba\ivp\ism\ivpsvmgr.exe C:\WINDOWS\system32\cidaemon.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\ExtractNow\extractnow.exe C:\TEMP\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: (no name) - {81A99149-F047-4090-8AAD-D11FF4EFB734} - (no file) O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O2 - BHO: (no name) - {C0D7E922-75C6-5940-B32B-5C17201A75C9} - C:\WINDOWS\system32\ufo.dll O2 - BHO: (no name) - {C1D7E920-75B5-5D41-B32E-5D17226D75C8} - C:\WINDOWS\system32\ufo.dll O2 - BHO: (no name) - {E7E9F57E-2947-40B1-9BBF-0896D19C092F} - C:\DOCUME~1\Mark\LOCALS~1\Temp\~DP132.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe O4 - HKLM\..\Run: [TabletTip] "C:\Program files\Common Files\microsoft shared\ink\tabtip.exe" /resume O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32THotkey.exe O4 - HKLM\..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [TAcelMgr] C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe O4 - HKLM\..\Run: [TSkrMain] C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe O4 - HKLM\..\Run: [ThpSrv] c:\WINDOWS\system32\thpsrv /logon O4 - HKLM\..\Run: [TFNF5] TFNF5.exe O4 - HKLM\..\Run: [TosRotation] "C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe" O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe O4 - HKLM\..\Run: [TFncKy] TFncKy.exe O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe /run O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [rqzq] C:\Program Files\Common Files\rqzq\rqzqm.exe O4 - HKCU\..\Run: [Apsi] "C:\DOCUME~1\Mark\MYDOCU~1\SMANTE~1\wuauboot.exe" -vt yazb O4 - HKCU\..\Run: [Aflubtn] "C:\Program Files\Common Files\??curity\n?lookup.exe" 99001122 O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Search Wizard - {828780F4-D063-4a87-A517-DF6DD7F4B9F9} - C:\Program Files\ZillionDigits\Search Wizard\SearchWizard.dll (HKCU) O9 - Extra 'Tools' menuitem: Search Wizard - {828780F4-D063-4a87-A517-DF6DD7F4B9F9} - C:\Program Files\ZillionDigits\Search Wizard\SearchWizard.dll (HKCU) O13 - DefaultPrefix: O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart O15 - Trusted Zone: http://maxebrdi.fnismls.com O15 - Trusted Zone: .fnismls.com O15 - Trusted Zone: .getmedianow.com O15 - Trusted Zone: .live.com O15 - Trusted Zone: http://.turbotax.com O15 - Trusted Zone: *.virtualearth.net O16 - DPF: Video Poker - http://download2.games.yahoo.com/games/clients/y/vpt0_x.cab O16 - DPF: Yahoo! Blackjack - http://download2.games.yahoo.com/games/clients/y/jt0_x.cab O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://maxebrdi.fnismls.com/Paragon/Codeba...rintControl.cab O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2F32E326-8D8D-49A4-9B3F-00DB593DDD2C} (ACIWizard.CPointInterface) - https://ols.adin.net/Controls/ACIWizard.CAB O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file://C:\DOCUME~1\Mark\LOCALS~1\Temp\IXP000.TMP\setup.cab O16 - DPF: {D270FE47-4F7B-4AFF-BCF8-B023A6FF4DFA} (SystemChecker.CheckerCtrl) - http://maxebrdi.fnismls.com/Paragon/Codeba...stemChecker.cab O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://xlonhcld.xlontech.net/100348/qmpbet...2ie06011811.cab O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing) O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe O23 - Service: MSSQL$PINNACLESYS - Unknown owner - F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing) O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing) O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing) O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Crustyoldbloke View Member Profile	Mar 8 2007, 11:00 AM Post #2
Malware Surgeon Posts: 15,098 From: Worcestershire, England OS: Windows XP Professional SP2	Hello David and welcome to Geeks to Go As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible. ALL staff here at Geeks To Go are volunteers, please bear that in mind if I don’t answer your post as quickly as you’d like; I give what time I can. Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix. Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! (Click the Options drop down near the upper right of the topic. Select Print this topic.) You have quite a mixture of malware and Trojans. Let’s see what we can do. Who is Mark? I note that you are running HijackThis from a Temporary Folder; please create a new folder for it (for example C:\Program Files\Hijackthis\Hijackthis.exe) and move the programme into it. It is very important you do this before anything else since backup files can be deleted if they are not within their own folder! Click My Computer, then C:\ and then Program Files. In the menu bar, go to File>New>Folder. That will create a folder named New Folder, which you can right-click on and rename to HJT or HijackThis. Now you have C:\Program Files\HijackThis. Cut ‘n’ Paste your HijackThis.exe into it. To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop: Killbox by Option^Explicit CCleaner AVG AntiSpyware combofix.exe Please install, and update AVG Anti Spyware Load AVGas and then click the Update tab at the top. Under Manual Update click Start update. After the update finishes (the status bar at the bottom will display "Update successful") Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Deselect "Only if threats were found" Close AVGas. Do not run it yet. Next, please reboot your computer in Safe Mode by doing the following: Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, press F8. Instead of Windows loading as normal, a menu should appear Select the first option, to run Windows in Safe Mode. For additional help in booting into Safe Mode, see the following site: Safe Mode In Safe Mode, load AVGas and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient. AVGas will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVGas will display "All actions have been applied" on the right hand side. Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop). Please ensure you post that log in your reply. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. O2 - BHO: (no name) - {81A99149-F047-4090-8AAD-D11FF4EFB734} - (no file) O2 - BHO: (no name) - {C0D7E922-75C6-5940-B32B-5C17201A75C9} - C:\WINDOWS\system32\ufo.dll O2 - BHO: (no name) - {C1D7E920-75B5-5D41-B32E-5D17226D75C8} - C:\WINDOWS\system32\ufo.dll O2 - BHO: (no name) - {E7E9F57E-2947-40B1-9BBF-0896D19C092F} - C:\DOCUME~1\Mark\LOCALS~1\Temp\~DP132.dll O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe O4 - HKCU\..\Run: [rqzq] C:\Program Files\Common Files\rqzq\rqzqm.exe O4 - HKCU\..\Run: [Apsi] "C:\DOCUME~1\Mark\MYDOCU~1\SMANTE~1\wuauboot.exe" -vt yazb O4 - HKCU\..\Run: [Aflubtn] "C:\Program Files\Common Files\??curity\n?lookup.exe" 99001122 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O13 - DefaultPrefix: Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into normal mode. Please install Killbox by Option^Explicit. Please double-click Killbox.exe to run it. Select Delete on Reboot then Click on the All Files button. Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy): C:\Program Files\Common Files\??curity\n?lookup.exe C:\WINDOWS\system32\ufo.dll C:\DOCUME~1\Mark\LOCALS~1\Temp\~DP132.dll C:\Program Files\Ipwindows\ipwins.exe C:\Program Files\Common Files\rqzq\rqzqm.exe C:\DOCUME~1\Mark\MYDOCU~1\SMANTE~1\wuauboot.exe Return to Killbox, go to the File menu, and choose Paste from Clipboard. Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!). If your computer does not restart automatically, please restart it manually. If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again. There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the Windows tab, and under the heading of Applications, Utilities uncheck AVGas Anti-Spyware then click Analyze> Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues Double click combofix.exe & follow the prompts. When it has finished, it will produce a log. Please post that log in your next reply. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall Post back a fresh HijackThis log (from normal mode) and I will take another look. (3 logs in total please)

davidmainstay View Member Profile	Mar 9 2007, 12:39 PM Post #3
New Member Posts: 2 OS: xp	Completed the reccommended steps. Here are the 3 new Log Files. --------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 7:11:12 AM 3/9/2007 + Scan result: C:\WINDOWS\system32\dae.dll -> Adware.AdHelper : Ignored. C:\Program Files\Common Files\rqzq\rqzqd\rqzqc.dll -> Adware.TargetServer : Ignored. G:\New Program Downloads\PHOTOSHOP 9 & PLUGINS\Adobe Photoshop Plugin - Auto FX Studio Bundle Pro v.2.0-FULL.exe/eatsb2/CRACK/autofx studio.exe -> Backdoor.Theef.111 : Cleaned with backup (quarantined). G:\New Program Downloads\PHOTOSHOP 9 & PLUGINS\Adobe Photoshop Plugin - Auto FX Studio Bundle Pro v.2.0-FULL.exe/eatsb2/CRACK/autofxplug patch.exe -> Backdoor.Theef.111 : Cleaned with backup (quarantined). C:\Program Files\eMule\Incoming\Microsoft Office Publisher 2003(gala) Crack and Serial.exe -> Downloader.Agent.aht : Cleaned with backup (quarantined). C:\Program Files\Common Files\rqzq\rqzqp.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined). C:\Program Files\Common Files\rqzq\rqzqa.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11.tmp -> TrackingCookie.247realmedia : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B.tmp -> TrackingCookie.247realmedia : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@emimusic.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@homestore.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@laptopmag.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@mpire.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@msnclassifieds.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@networksolutions.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@pinnaclesystems.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@scholastic.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@usatoday1.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@wpni.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@wrigley.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Mark\Local Settings\Temp\Cookies\mark@2o7[2].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Mark\Local Settings\Temp\Cookies\mark@crutchfield.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp -> TrackingCookie.2o7 : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC9.tmp -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq27.tmp -> TrackingCookie.Adtech : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq55.tmp -> TrackingCookie.Advertising : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCA.tmp -> TrackingCookie.Advertising : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq56.tmp -> TrackingCookie.Atdmt : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCB.tmp -> TrackingCookie.Atdmt : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq28.tmp -> TrackingCookie.Bfast : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq63.tmp -> TrackingCookie.Bluemountain : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq64.tmp -> TrackingCookie.Bluestreak : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2D.tmp -> TrackingCookie.Bridgetrack : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCD.tmp -> TrackingCookie.Bridgetrack : Cleaned. C:\Documents and Settings\Mark\Local Settings\Temp\Cookies\mark@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned. C:\Documents and Settings\Mark\Local Settings\Temp\Cookies\mark@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2A.tmp -> TrackingCookie.Burstnet : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq58.tmp -> TrackingCookie.Burstnet : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2B.tmp -> TrackingCookie.Casalemedia : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2E.tmp -> TrackingCookie.Clickbank : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@com[1].txt -> TrackingCookie.Com : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22.tmp -> TrackingCookie.Com : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCE.tmp -> TrackingCookie.Com : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp -> TrackingCookie.Coremetrics : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq942.tmp -> TrackingCookie.Doubleclick : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD0.tmp -> TrackingCookie.Doubleclick : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@e-2dj6wak4endpwep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@e-2dj6wjkowjc5keo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned. C:\Documents and Settings\Mark\Local Settings\Temp\Cookies\mark@e-2dj6wak4sncjagp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq37.tmp -> TrackingCookie.Falkag : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD1.tmp -> TrackingCookie.Falkag : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq38.tmp -> TrackingCookie.Fastclick : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq52.tmp -> TrackingCookie.Fastclick : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp -> TrackingCookie.Hitbox : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17.tmp -> TrackingCookie.Hitbox : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq24.tmp -> TrackingCookie.Hitbox : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33.tmp -> TrackingCookie.Hitbox : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp -> TrackingCookie.Hitbox : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp -> TrackingCookie.Hitbox : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3B.tmp -> TrackingCookie.Hitbox : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4D.tmp -> TrackingCookie.Hitbox : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5A.tmp -> TrackingCookie.Hitbox : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp -> TrackingCookie.Hitbox : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq88.tmp -> TrackingCookie.Hitbox : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD2.tmp -> TrackingCookie.Hitbox : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18.tmp -> TrackingCookie.Hitslink : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq83.tmp -> TrackingCookie.Hitslink : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5C.tmp -> TrackingCookie.Hotlog : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq943.tmp -> TrackingCookie.Hotlog : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA.tmp -> TrackingCookie.Hypertracker : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp -> TrackingCookie.Linksynergy : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq67.tmp -> TrackingCookie.Linksynergy : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned. C:\Documents and Settings\Mark\Local Settings\Temp\Cookies\mark@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned. C:\Documents and Settings\Mark\Local Settings\Temp\Cookies\mark@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5E.tmp -> TrackingCookie.Mediaplex : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD3.tmp -> TrackingCookie.Mediaplex : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq194.tmp -> TrackingCookie.Onestat : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@overture[1].txt -> TrackingCookie.Overture : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned. C:\Documents and Settings\Mark\Local Settings\Temp\Cookies\mark@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned. C:\Documents and Settings\Mark\Local Settings\Temp\Cookies\mark@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned. C:\Documents and Settings\Mark\Local Settings\Temp\Cookies\mark@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4E.tmp -> TrackingCookie.Pointroll : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq68.tmp -> TrackingCookie.Pointroll : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq59.tmp -> TrackingCookie.Pro-market : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq82.tmp -> TrackingCookie.Pro-market : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD4.tmp -> TrackingCookie.Qksrv : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq69.tmp -> TrackingCookie.Questionmarket : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD5.tmp -> TrackingCookie.Questionmarket : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq41.tmp -> TrackingCookie.Realtracker : Cleaned. C:\Documents and Settings\Mark\Local Settings\Temp\Cookies\mark@revenue[2].txt -> TrackingCookie.Revenue : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq42.tmp -> TrackingCookie.Revenue : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq32.tmp -> TrackingCookie.Ru4 : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq65.tmp -> TrackingCookie.Ru4 : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25.tmp -> TrackingCookie.Serving-sys : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq29.tmp -> TrackingCookie.Serving-sys : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4F.tmp -> TrackingCookie.Serving-sys : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq57.tmp -> TrackingCookie.Serving-sys : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq60.tmp -> TrackingCookie.Spylog : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6B.tmp -> TrackingCookie.Spylog : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq43.tmp -> TrackingCookie.Statcounter : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq61.tmp -> TrackingCookie.Statcounter : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq44.tmp -> TrackingCookie.Tacoda : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq53.tmp -> TrackingCookie.Tacoda : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq62.tmp -> TrackingCookie.Targetnet : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq54.tmp -> TrackingCookie.Tradedoubler : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq45.tmp -> TrackingCookie.Trafficmp : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6C.tmp -> TrackingCookie.Trafficmp : Cleaned. C:\Documents and Settings\Mark\Cookies\mark@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26.tmp -> TrackingCookie.Tribalfusion : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq46.tmp -> TrackingCookie.Tribalfusion : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq48.tmp -> TrackingCookie.Valueclick : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq49.tmp -> TrackingCookie.Valueclick : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq84.tmp -> TrackingCookie.Webtrendslive : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD7.tmp -> TrackingCookie.Webtrendslive : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp -> TrackingCookie.Yieldmanager : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4C.tmp -> TrackingCookie.Yieldmanager : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4B.tmp -> TrackingCookie.Zedo : Cleaned. C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD8.tmp -> TrackingCookie.Zedo : Cleaned. ::Report end =============================================================== "Mark" - 07-03-09 10:07:07 Service Pack 2 ComboFix 07-03-08 - Running from: "C:\TEMP" (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\Program Files\Common Files\{34A72~1 C:\Program Files\Common Files\{94A72~1 C:\Program Files\Ipwindows C:\Program Files\Outerinfo ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Folders Quarantined: C:\qoobox\purity\Program Files\Common Files\CURITY~1 C:\qoobox\purity\Program Files\Common Files\CURITY~1\n?lookup.exe ((((((((((((((((((((((((((((((( Files Created from 2007-02-09 to 2007-03-09 )))))))))))))))))))))))))))))))))) 2007-03-09 07:58 <DIR> d-------- C:\Program Files\CCleaner 2007-03-09 07:30 <DIR> d-------- C:\!KillBox 2007-03-08 22:38 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-03-08 10:22 <DIR> d-------- C:\Program Files\Rand McNally 2007-03-06 00:13 1,617,920 --a------ C:\WINDOWS\system32\cdintf250.dll 2007-03-06 00:13 <DIR> d-------- C:\Program Files\Rapattoni Corporation 2007-02-28 14:14 <DIR> d-------- C:\Program Files\The Rosetta Stone 2007-02-28 13:41 <DIR> d--h----- C:\DOCUME~1\Mark\InstallAnywhere 2007-02-28 11:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero 2007-02-26 20:10 <DIR> d-------- C:\Program Files\ZillionDigits 2007-02-26 20:05 <DIR> d-------- C:\Program Files\Google 2007-02-15 11:20 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Adobe 2007-02-14 17:18 <DIR> d-------- C:\Program Files\CDRoller 2007-02-14 17:18 <DIR> d-------- C:\DOCUME~1\Mark\APPLIC~1\CDRoller 2007-02-09 09:51 <DIR> d-------- C:\Program Files\ItsDeductible2006 2007-02-09 09:51 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0 2007-02-09 09:48 <DIR> d-------- C:\Program Files\TurboTax (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-03-09 07:09 -------- d-------- C:\Program Files\Common Files\rqzq 2007-03-08 10:28 -------- d--h----- C:\Program Files\installshield installation information 2007-03-03 10:31 -------- d-------- C:\Program Files\sonic 2007-03-03 00:13 -------- d-------- C:\DOCUME~1\Mark\APPLIC~1\macromedia 2007-03-02 14:35 -------- d-------- C:\Program Files\emule 2007-03-02 01:13 -------- d-------- C:\Program Files\Common Files\macromedia 2007-03-02 01:12 -------- d-------- C:\Program Files\macromedia 2007-02-28 11:10 -------- d-------- C:\Program Files\Common Files\ahead 2007-02-25 22:10 -------- d-------- C:\Program Files\coolpro2 2007-02-25 17:11 -------- d-------- C:\Program Files\java 2007-02-23 19:25 -------- d-------- C:\DOCUME~1\Mark\APPLIC~1\vso 2007-02-19 19:12 -------- d-------- C:\Program Files\extractnow 2007-02-19 19:12 -------- d-------- C:\Program Files\calendar creator 2007-02-19 19:12 -------- d-------- C:\Program Files\banner maker pro 6 2007-02-09 09:52 -------- d-------- C:\DOCUME~1\Mark\APPLIC~1\intuit 2007-02-09 09:50 -------- d-------- C:\Program Files\quicken 2007-02-05 14:13 -------- d-------- C:\Program Files\winforms desktop 2007-02-04 12:00 -------- d-------- C:\Program Files\avi.net 2007-01-30 08:07 32177 ---hs---- C:\Program Files\Common Files\yazzle1122oinuninstaller.exe 2007-01-29 12:16 -------- d-------- C:\Program Files\dvdfab platinum 3 2007-01-25 17:36 0 --a------ C:\WINDOWS\brdfxspd.dat 2007-01-25 17:34 -------- d---s---- C:\DOCUME~1\Mark\APPLIC~1\microsoft 2007-01-25 14:42 50 --a------ C:\WINDOWS\system32\bridf04a.dat 2007-01-25 14:42 -------- d-------- C:\Program Files\brother 2007-01-11 05:52 -------- d-------- C:\DOCUME~1\Mark\APPLIC~1\adobeum 2007-01-03 13:19 171008 ---hs---- C:\Program Files\Common Files\yazzle1122oinadmin.exe 2006-12-14 14:50 664 --a------ C:\WINDOWS\system32\d3d9caps.dat 2006-12-14 14:50 552 --a------ C:\WINDOWS\system32\d3d8caps.dat (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "TOSCDSPD"="C:\\Program Files\\TOSHIBA\\TOSCDSPD\\toscdspd.exe" "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "TabletWizard"="C:\\WINDOWS\\help\\SplshWrp.exe" "TabletTip"="\"C:\\Program files\\Common Files\\microsoft shared\\ink\\tabtip.exe\" /resume" "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe" "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe" "SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe" "SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray" "00THotkey"="C:\\WINDOWS\\system32\THotkey.exe" "CrossMenu"="C:\\Program Files\\Toshiba\\CrossMenu\\CrossMenu.exe" "000StTHK"="000StTHK.exe" "Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe" "LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe" "AGRSMMSG"="AGRSMMSG.exe" "TPSMain"="TPSMain.exe" "TPSODDCtl"="TPSODDCtl.exe" "NDSTray.exe"="NDSTray.exe" "TAcelMgr"="C:\\Program Files\\TOSHIBA\\Acceleration Utilities\\TAcelMgr\\TAcelMgr.exe" "TSkrMain"="C:\\Program Files\\TOSHIBA\\Acceleration Utilities\\Shaker\\TSkrMain.exe" "ThpSrv"="c:\\WINDOWS\\system32\\thpsrv /logon" "TFNF5"="TFNF5.exe" "TosRotation"="\"C:\\Program Files\\TOSHIBA\\TOSHIBA Rotation Utility\\TRot.exe\"" "SmoothView"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe" "TouchED"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe" "TFncKy"="TFncKy.exe" "Tvs"="C:\\Program Files\\Toshiba\\Tvs\\TvsTray.exe" "TAudEffect"="C:\\Program Files\\TOSHIBA\\TAudEffect\\TAudEff.exe /run" "TMESRV.EXE"="C:\\Program Files\\TOSHIBA\\TME3\\TMESRV31.EXE /Logon" "TMERzCtl.EXE"="C:\\Program Files\\TOSHIBA\\TME3\\TMERzCtl.EXE /Service" "TMESBS.EXE"="C:\\Program Files\\TOSHIBA\\TME3\\TMESBS32.EXE /Client" "Pinger"="c:\\toshiba\\ivp\\ism\\pinger.exe /run" "IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless" "CaAvTray"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\"" "CAVRID"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\"" "YOP"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart" "CFSServ.exe"="CFSServ.exe -NoClient" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\"" "PinnacleDriverCheck"="C:\\WINDOWS\\system32\\\\PSDrvCheck.exe" "SetDefPrt"="C:\\Program Files\\Brother\\Brmfl04a\\BrStDvPt.exe" "ControlCenter2.0"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun" "Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup" "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Acrobat Speed Launcher.lnk" "backup"="C:\\WINDOWS\\pss\\Adobe Acrobat Speed Launcher.lnkCommon Startup" "location"="Common Startup" "command"="C:\\WINDOWS\\Installer\\{AC76BA86-1033-0000-7760-000000000002}\\SC_Acrobat.exe " "item"="Adobe Acrobat Speed Launcher" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Anapod Manager.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Anapod Manager.lnk" "backup"="C:\\WINDOWS\\pss\\Anapod Manager.lnkCommon Startup" "location"="Common Startup" "command"="C:\\WINDOWS\\Installer\\{7752BF7C-BE8E-4D3E-9C4D-DB1446ECA6A3}\\Icon_anamgr.exe " "item"="Anapod Manager" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.1.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\eFax 4.1.lnk" "backup"="C:\\WINDOWS\\pss\\eFax 4.1.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\EFAXME~1.1\\J2GTray.exe " "item"="eFax 4.1" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SPCSCM.exe.LNK] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SPCSCM.exe.LNK" "backup"="C:\\WINDOWS\\pss\\SPCSCM.exe.LNKCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\Sprint\\AIRCAR~1\\SPRINT~1\\SPCSCM.exe S" "item"="SPCSCM.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^Adobe Gamma.lnk] "path"="C:\\Documents and Settings\\Mark\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk" "backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkStartup" "location"="Startup" "command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE " "item"="Adobe Gamma" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk] "path"="C:\\Documents and Settings\\Mark\\Start Menu\\Programs\\Startup\\Microsoft Office OneNote 2003 Quick Launch.lnk" "backup"="C:\\WINDOWS\\pss\\Microsoft Office OneNote 2003 Quick Launch.lnkStartup" "location"="Startup" "command"="C:\\PROGRA~1\\MICROS~2\\OFFICE11\\ONENOTEM.EXE /tsr" "item"="Microsoft Office OneNote 2003 Quick Launch" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="" "hkey"="HKLM" "command"="" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Acrotray" "hkey"="HKLM" "command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NMBgMonitor" "hkey"="HKCU" "command"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="CloneCDTray" "hkey"="HKLM" "command"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.1] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="J2GDllCmd" "hkey"="HKLM" "command"="\"C:\\Program Files\\eFax Messenger 4.1\\J2GDllCmd.exe\" /R" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="iTunesHelper" "hkey"="HKLM" "command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NeroCheck" "hkey"="HKLM" "command"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="" "hkey"="HKLM" "command"="" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpScheduler] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="OpScheduler" "hkey"="HKLM" "command"="\"C:\\Program Files\\ScanSoft\\OmniPage15.0\\OpScheduler.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware15] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Opware15" "hkey"="HKLM" "command"="\"C:\\Program Files\\ScanSoft\\OmniPage15.0\\Opware15.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF3 Registry Controller] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="RegistryController" "hkey"="HKLM" "command"="\"C:\\Program Files\\ScanSoft\\OmniPage15.0\\PDFConverter3\\\\RegistryController.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="SSBkgdupdate" "hkey"="HKLM" "command"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="WatchDog" "hkey"="HKLM" "command"="C:\\Program Files\\mobile PhoneTools\\WatchDog.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "SQLAgent$PINNACLESYS"=dword:00000003 "SPCSUtilityService"=dword:00000002 "iPod Service"=dword:00000003 "bmwebcfg"=dword:00000002 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] "UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}" [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "TabletWizard"=hex(2):25,77,69,6e,64,69,72,25,5c,68,65,6c,70,5c,77,69,7a,61,72,\ 64,2e,68,74,61,00 [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run] "TabletWizard"=hex(2):25,77,69,6e,64,69,72,25,5c,68,65,6c,70,5c,77,69,7a,61,72,\ 64,2e,68,74,61,00 HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\ LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\ NetworkService REG_MULTI_SZ DnsCache\ DcomLaunch REG_MULTI_SZ DcomLaunchTermService\ rpcss REG_MULTI_SZ RpcSs\ imgsvc REG_MULTI_SZ StiSvc\ termsvcs REG_MULTI_SZ TermService\ [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8f6e92a1-434b-11db-95f4-00166f3e1a63}] Shell\AutoRun\command H:\autorun.exe "install.html" ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ backup-20070309-072423-684 O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) backup-20070309-072423-367 O13 - DefaultPrefix: backup-20070309-072423-462 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present backup-20070309-072423-786 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present backup-20070309-072422-839 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present backup-20070309-072422-704 O4 - HKCU\..\Run: [rqzq] C:\Program Files\Common Files\rqzq\rqzqm.exe backup-20070309-072422-881 O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe backup-20070309-072422-971 O4 - HKCU\..\Run: [Apsi] "C:\DOCUME~1\Mark\MYDOCU~1\SMANTE~1\wuauboot.exe" -vt yazb backup-20070309-072422-170 O4 - HKCU\..\Run: [Aflubtn] "C:\Program Files\Common Files\??curity\n?lookup.exe" 99001122 backup-20070309-072422-749 O2 - BHO: (no name) - {E7E9F57E-2947-40B1-9BBF-0896D19C092F} - C:\DOCUME~1\Mark\LOCALS~1\Temp\~DP132.dll backup-20070309-072422-528 O2 - BHO: (no name) - {C1D7E920-75B5-5D41-B32E-5D17226D75C8} - C:\WINDOWS\system32\ufo.dll backup-20070309-072422-509 O2 - BHO: (no name) - {C0D7E922-75C6-5940-B32B-5C17201A75C9} - C:\WINDOWS\system32\ufo.dll backup-20070309-072422-592 O2 - BHO: (no name) - {81A99149-F047-4090-8AAD-D11FF4EFB734} - (no file) ****************************************************************** catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ****************************************************************** Completion time: 07-03-09 10:10:27 ==================================================================== Logfile of HijackThis v1.99.1 Scan saved at 10:25:15 AM, on 3/9/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe C:\WINDOWS\SYSTEM32\WISPTIS.EXE C:\WINDOWS\System32\tabbtnu.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\WINDOWS\system32THotkey.exe C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe C:\Program Files\ltmoh\Ltmoh.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\system32\TPSMain.exe C:\WINDOWS\system32\TPSODDCtl.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe C:\WINDOWS\system32\thpsrv.exe C:\WINDOWS\system32\TFNF5.exe C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe C:\Program Files\TOSHIBA\TouchED\TouchED.Exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\Program Files\Toshiba\Tvs\TvsTray.exe C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Yahoo!\Antivirus\CAVTray.exe C:\Program Files\Yahoo!\Antivirus\CAVRID.exe C:\PROGRA~1\Yahoo!\YOP\yop.exe C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\Brother\ControlCenter2\brctrcen.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\WINDOWS\system32\Brmfrmps.exe C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE C:\Program Files\Yahoo!\Antivirus\ISafe.exe C:\WINDOWS\system32\RAMASST.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\PROGRA~1\Yahoo!\browser\ycommon.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe c:\TOSHIBA\IVP\swupdate\swupdtmr.exe C:\WINDOWS\system32\ThpSrv.exe C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE C:\Program Files\Yahoo!\Antivirus\VetMsg.exe C:\WINDOWS\System32\svchost.exe C:\toshiba\ivp\ism\ivpsvmgr.exe C:\WINDOWS\system32\cidaemon.exe C:\TEMP\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe O4 - HKLM\..\Run: [TabletTip] "C:\Program files\Common Files\microsoft shared\ink\tabtip.exe" /resume O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32THotkey.exe O4 - HKLM\..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [TAcelMgr] C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe O4 - HKLM\..\Run: [TSkrMain] C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe O4 - HKLM\..\Run: [ThpSrv] c:\WINDOWS\system32\thpsrv /logon O4 - HKLM\..\Run: [TFNF5] TFNF5.exe O4 - HKLM\..\Run: [TosRotation] "C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe" O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe O4 - HKLM\..\Run: [TFncKy] TFncKy.exe O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe /run O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Search Wizard - {828780F4-D063-4a87-A517-DF6DD7F4B9F9} - C:\Program Files\ZillionDigits\Search Wizard\SearchWizard.dll (HKCU) O9 - Extra 'Tools' menuitem: Search Wizard - {828780F4-D063-4a87-A517-DF6DD7F4B9F9} - C:\Program Files\ZillionDigits\Search Wizard\SearchWizard.dll (HKCU) O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart O15 - Trusted Zone: http://maxebrdi.fnismls.com O15 - Trusted Zone: .fnismls.com O15 - Trusted Zone: .getmedianow.com O15 - Trusted Zone: .live.com O15 - Trusted Zone: http://.turbotax.com O15 - Trusted Zone: *.virtualearth.net O16 - DPF: Video Poker - http://download2.games.yahoo.com/games/clients/y/vpt0_x.cab O16 - DPF: Yahoo! Blackjack - http://download2.games.yahoo.com/games/clients/y/jt0_x.cab O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://maxebrdi.fnismls.com/Paragon/Codeba...rintControl.cab O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2F32E326-8D8D-49A4-9B3F-00DB593DDD2C} (ACIWizard.CPointInterface) - https://ols.adin.net/Controls/ACIWizard.CAB O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file://C:\DOCUME~1\Mark\LOCALS~1\Temp\IXP000.TMP\setup.cab O16 - DPF: {D270FE47-4F7B-4AFF-BCF8-B023A6FF4DFA} (SystemChecker.CheckerCtrl) - http://maxebrdi.fnismls.com/Paragon/Codeba...stemChecker.cab O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://xlonhcld.xlontech.net/100348/qmpbet...2ie06011811.cab O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing) O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe O23 - Service: MSSQL$PINNACLESYS - Unknown owner - F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing) O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.e

Crustyoldbloke

Mar 9 2007, 03:23 PM

Post #4

Malware Surgeon
Group Icon

Posts: 15,098
From: Worcestershire, England
OS: Windows XP Professional SP2

Hello again

I ask questions about names I see in HJT logs as it often tells me about accounts on the PC; I am not just curious. I asked in my last post who Mark is. Could you please tell me?

It is unusual for AVGas to ignore bad files, but the log says it has.

Please look at the 015 entries in HJT. Are these intentional or news to you?

Your HJT log looks good otherwise.

Please install Killbox by Option^Explicit.

Please double-click Killbox.exe to run it.
Select Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\dae.dll.
C:\Program Files\Common Files\rqzq\rqzqd\rqzqc.dll
C:\Program Files\Common Files\yazzle1122oinadmin.exe

Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please