Help with Internet slow down and access problems [CLOSED]

Welcome Guest ( Log In | Register )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Spyware, virus, trojan, fake security or privacy alerts? Read the malware cleaning guide.

> Geeks to Go! » Security » Malware Removal - HijackThis� Logs Go Here

Help with Internet slow down and access problems [CLOSED]

Options

Sab56 View Member Profile	Jun 19 2008, 11:20 AM Post #1
New Member Posts: 4 OS: XP	I was having major Internet slowdown and access problems before I wandered into your site, I followed the prerequisite steps in your Malware Guide and they seem to have taken care of the problem and I also ran Virtumundo and Vundo as some of the viruses were indentifed as Vundo. I ran a HJT log to make sure i've gotten everything. I'm running a Toshiba Laptop with XP SP3 and all the major updates installed and I traditionally use Firefox which I just upgraded to FF3. Please help if you can. Thank you in advance for your time and efforts HiJack This Log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:54:39 AM, on 6/19/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\WINDOWS\system32\hphmon05.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\acs.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe C:\WINDOWS\system32\TPSBattM.exe C:\WINDOWS\system32\drivers\CDAC11BA.EXE C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\WINDOWS\system32\svchost.exe c:\TOSHIBA\IVP\swupdate\swupdtmr.exe C:\WINDOWS\system32\RAMASST.exe C:\WINDOWS\system32\Tablet.exe C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe C:\WINDOWS\system32\WTablet\TabUserW.exe C:\WINDOWS\system32\Tablet.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\Documents and Settings\Jose\Desktop\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) R3 - URLSearchHook: (no name) - {31C44199-FA00-87D3-2A91-F72D61D4AD93} - C:\WINDOWS\system32\tksxfgtp.dll (file missing) F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe O2 - BHO: (no name) - {31C44199-FA00-87D3-2A91-F72D61D4AD93} - C:\WINDOWS\system32\tksxfgtp.dll (file missing) O2 - BHO: (no name) - {38FFD9B9-E425-4970-990F-482FACFE2A7E} - C:\WINDOWS\system32\qoMccCTj.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {9BF64A5F-57D3-4CAB-BD2C-ECE635439407} - C:\WINDOWS\system32\ljJcDUol.dll (file missing) O2 - BHO: {40a7539a-2528-8168-ba14-d4a7a02c0eff} - {ffe0c20a-7a4d-41ab-8618-8252a9357a04} - C:\WINDOWS\system32\qklihrvo.dll O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [TFncKy] TFncKy.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe O4 - HKLM\..\Run: [BarbieGirlsTray] C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [Winstx] C:\361101032253735984.exe O4 - HKCU\..\Run: [Winstm] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winstj] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winstp] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winste] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winstf] C:\361101032253735984.exe O4 - HKCU\..\Run: [Winstk] C:\361101032253735984.exe O4 - HKCU\..\Run: [Winsta] C:\361101032253735984.exe O4 - HKCU\..\Run: [Winstg] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winstv] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winstl] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winstr] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winstw] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winstu] C:\361101032253735984.exe O4 - HKCU\..\Run: [Winstq] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winsts] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winsti] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winsty] C:\361101032253735984.exe O4 - HKCU\..\Run: [Winstn] C:\361101032253735984.exe O4 - HKCU\..\Run: [Winstd] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Eprc] "C:\DOCUME~1\Jose\MYDOCU~1\YMBOLS~1\winword.exe" -vt yazr O4 - HKCU\..\Run: [Ghvw] C:\Program Files\?racle\n?tdde.exe O4 - HKCU\..\Run: [Winstz] C:\361101032253735984.exe O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Policies\Explorer\Run: [{606A9EA4-069C-1033-0123-060511240001}] "C:\Program Files\Common Files\{606A9EA4-069C-1033-0123-060511240001}\Update.exe" te-110-12-0000213 O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart O20 - AppInit_DLLs: O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing) O23 - Service: MSCSPTISRV - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (file missing) O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe (file missing) O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing) O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- End of file - 10690 bytes

Rorschach112 View Member Profile	Jun 19 2008, 11:31 AM Post #2
GeekU Teacher Posts: 19,272 From: Dublin OS: XP	Hello Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding. Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix) Please then reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, the Advanced Options Menu should appear; Select the first option, to run Windows in Safe Mode, then press Enter. Choose your usual account. Open the extracted SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. Press any Key and it will restart the PC. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). Finally paste the contents of the Report.txt back on the forum. Please visit this web page for instructions for downloading and running ComboFix http://www.bleepingcomputer.com/combofix/how-to-use-combofix This includes installing the Windows XP Recovery Console in case you have not installed it yet. For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058. Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal. Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Sab56 View Member Profile	Jun 19 2008, 11:10 PM Post #3
New Member Posts: 4 OS: XP	Ok I beleive I got in all that you told me, I did run into an issue I dont have the XP boot disk and couldn't locate the Recovery Console for Service Pack 3, so I used the one for 2 and it seemed to work without issue. Here is the SDFix Log: SDFix: Version 1.194 Run by Jose on Thu 06/19/2008 at 08:20 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting Checking Files : Trojan Files Found: C:\WINDOWS\Config\lsass.exe - Deleted Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-19 20:32:03 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe::Enabled:NIE - Toshiba Software Upgrade Engine" "C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe::Enabled:Toshiba Software Upgrades Pinger" "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe::Enabled:AOL Application Loader" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe::Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe::Enabled:AOL" "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe::Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe::Enabled:AOLTsMon" "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe::Enabled:AOLTopSpeed" "C:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe::Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe::Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe::Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe::Enabled:AOL" "C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe::Enabled:AOL" "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe::Enabled:Windows Messenger" "C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"="C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe::Enabled:ConfigFree SUMMIT Engine" "C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe::Enabled:AOL Instant Messenger" "C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe::Enabled:RTC App Sharing" "C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe::Enabled:Windowsr NetMeetingr" "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe::Enabled:Yahoo! Messenger" "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe::Enabled:Yahoo! FT Server" "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe::Enabled:Remote Assistance - Windows Messenger and Voice" "C:\\StubInstaller.exe"="C:\\StubInstaller.exe::Enabled:LimeWire swarmed installer" "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe::Enabled:LimeWire" "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe::Enabled:Windows Live Messenger 8.0 (Phone)" "C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe::Enabled:Nero ShowTime" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe::Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe::Enabled:Windows Live Messenger 8.1 (Phone)" "C:\\Documents and Settings\\Jose\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Jose\\Desktop\\utorrent.exe::Enabled:�Torrent" "C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe::Enabled:Mozilla Firefox" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe::Enabled:Windows Live Messenger 8.0 (Phone)" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe::Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe::Enabled:Windows Live Messenger 8.1 (Phone)" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" Remaining Files : File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes : Fri 31 Aug 2007 30,720 ...HR --- "C:\WINDOWS\CdaC13BA.EXE" Fri 31 Aug 2007 112,128 ...HR --- "C:\WINDOWS\CdaC14BA.DLL" Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe" Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" Mon 3 Jul 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" Mon 14 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp" Finished! Here is the Combo Fix Log: ComboFix 08-06-19.1 - Jose 2008-06-19 23:34:37.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.932 [GMT -6:00] Running from: C:\Documents and Settings\Jose\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Jose\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Jose\Application Data\macromedia\Flash Player\#SharedObjects\QDND484Y\www.broadcaster.com C:\Documents and Settings\Jose\Application Data\macromedia\Flash Player\#SharedObjects\QDND484Y\www.broadcaster.com\BCLUserPrefs.sol C:\Documents and Settings\Jose\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com C:\Documents and Settings\Jose\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol C:\Documents and Settings\Jose\My Documents\SSTEM~1 C:\Documents and Settings\Jose\My Documents\YMBOLS~1 C:\Program Files\Common Files\{306A9~1 C:\Program Files\Common Files\{606A9~1 C:\WINDOWS\BM6359ad97.xml C:\WINDOWS\pskt.ini C:\WINDOWS\system32\jTCccMoq.ini C:\WINDOWS\system32\jTCccMoq.ini2 C:\WINDOWS\system32\loUDcJjl.ini C:\WINDOWS\system32\loUDcJjl.ini2 C:\WINDOWS\system32\qosvelnu.dll C:\WINDOWS\system32\rwqsobxq.dll C:\WINDOWS\system32\yfjirmbu.ini . ((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 ))))))))))))))))))))))))))))))) . 2008-06-19 20:01 . 2008-06-19 20:02 <DIR> d-------- C:\WINDOWS\ERUNT 2008-06-19 19:52 . 2008-06-19 20:37 <DIR> d-------- C:\SDFix 2008-06-19 11:06 . 2008-04-22 22:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll 2008-06-19 11:06 . 2007-04-17 03:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat 2008-06-19 11:06 . 2007-03-07 23:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui 2008-06-19 11:06 . 2008-04-22 22:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll 2008-06-19 11:06 . 2008-04-22 22:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll 2008-06-19 11:06 . 2008-04-22 22:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll 2008-06-19 11:06 . 2008-04-22 22:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll 2008-06-19 11:06 . 2008-04-22 22:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll 2008-06-19 11:06 . 2008-04-22 01:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe 2008-06-19 10:58 . 2008-06-19 10:58 <DIR> d-------- C:\VundoFix Backups 2008-06-19 10:52 . 2008-04-14 06:30 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys 2008-06-19 10:52 . 2008-05-08 08:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys 2008-06-18 07:24 . 2008-06-18 07:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\WTablet 2008-06-18 07:02 . 2008-06-18 07:02 <DIR> d-------- C:\WINDOWS\system32\scripting 2008-06-18 07:02 . 2008-06-18 07:02 <DIR> d-------- C:\WINDOWS\system32\en 2008-06-18 07:02 . 2008-06-18 07:02 <DIR> d-------- C:\WINDOWS\system32\bits 2008-06-18 07:02 . 2008-06-18 07:02 <DIR> d-------- C:\WINDOWS\l2schemas 2008-06-18 07:00 . 2008-06-18 07:02 <DIR> d-------- C:\WINDOWS\ServicePackFiles 2008-06-18 06:53 . 2008-06-18 06:53 <DIR> d-------- C:\WINDOWS\EHome 2008-06-18 05:34 . 2004-08-03 22:29 327,040 --------- C:\WINDOWS\system32\drivers\ati2mtaa.sys 2008-06-18 05:25 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui 2008-06-18 05:25 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui 2008-06-18 05:25 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui 2008-06-18 05:25 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui 2008-06-18 00:50 . 2008-06-18 00:55 <DIR> d-------- C:\Program Files\Panda Security 2008-06-17 22:44 . 2008-06-17 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-06-17 22:43 . 2008-06-18 00:46 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-06-17 22:43 . 2008-06-17 22:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-06-17 22:43 . 2008-06-17 22:43 <DIR> d-------- C:\Documents and Settings\Jose\Application Data\SUPERAntiSpyware.com 2008-06-17 22:32 . 2008-06-17 22:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-06-17 22:32 . 2008-06-17 22:32 <DIR> d-------- C:\Documents and Settings\Jose\Application Data\Malwarebytes 2008-06-17 22:32 . 2008-06-17 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-06-17 22:32 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys 2008-06-17 22:32 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-06-17 22:31 . 2008-06-17 22:31 <DIR> d-------- C:\Program Files\Common Files\Download Manager 2008-06-16 19:29 . 2008-06-16 19:28 691,545 --a------ C:\WINDOWS\unins000.exe 2008-06-16 19:29 . 2008-06-16 19:29 2,539 --a------ C:\WINDOWS\unins000.dat . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-20 05:38 --------- d-----w C:\Documents and Settings\Jose\Application Data\WTablet 2008-06-20 02:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-06-18 13:53 --------- d-----w C:\Documents and Settings\Jose\Application Data\uTorrent 2008-06-17 01:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-06-11 07:14 --------- d-----w C:\Documents and Settings\Jose\Application Data\AdobeUM 2008-05-28 08:47 --------- d-----w C:\Documents and Settings\Jose\Application Data\Any Video Converter Professional 2008-05-10 03:30 --------- d-----w C:\Program Files\Any Video Converter Professional 2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-05-07 14:02 --------- d-----w C:\Documents and Settings\Jose\Application Data\Move Networks 2008-05-07 07:01 5,514 -c--a-w C:\Documents and Settings\Jose\Application Data\wklnhst.dat 2008-05-07 06:54 --------- d-----w C:\Program Files\Microsoft ActiveSync 2008-05-07 06:53 --------- d-----w C:\Program Files\Microsoft.NET 2008-04-28 02:10 --------- d-----w C:\Program Files\Any Video Converter 2008-04-28 02:10 --------- d-----w C:\Documents and Settings\Jose\Application Data\Any Video Converter 2008-04-20 23:30 --------- d-----w C:\Program Files\Quicken 2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe 2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll 2008-04-14 00:12 34,816 ----a-w C:\WINDOWS\Help\sniffpol.dll 2008-04-14 00:12 33,280 ----a-w C:\WINDOWS\Help\sstub.dll 2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe 2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe 2008-04-14 00:12 279,040 ----a-w C:\WINDOWS\Help\tshoot.dll 2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe 2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe 2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe 2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll 2008-04-14 00:11 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll 2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll 2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll 2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll 2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . -c--a-w 344,064 2005-08-06 05:05:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe -c--a-w 94,208 2005-11-24 20:38:08 C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe -c--a-w 188,416 2005-05-19 15:57:36 C:\Program Files\ltmoh\bak\Ltmoh.exe -c--a-w 155,648 2006-07-03 05:39:12 C:\Program Files\QuickTime\bak\qttask.exe ----a-w 282,624 2007-04-27 15:41:54 C:\Program Files\QuickTime\qttask.exe -c--a-w 471,040 2006-08-18 10:15:35 C:\Program Files\SlySoft\AnyDVD\bak\AnyDVD.exe -c--a-w 688,218 2004-10-14 23:26:40 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe -c--a-w 98,394 2004-10-14 23:28:02 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe -c--a-w 65,536 2004-12-30 08:32:20 C:\Program Files\TOSHIBA\TOSCDSPD\bak\toscdspd.exe -c--a-w 352,256 2005-11-25 21:07:16 C:\Program Files\TOSHIBA\TOSHIBA Applet\bak\thotkey.exe -c--a-w 122,880 2005-04-27 00:13:20 C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\bak\SmoothView.exe -c--a-w 1,077,322 2005-07-15 18:52:42 C:\Program Files\TOSHIBA\Touch and Launch\bak\PadExe.exe -c--a-w 73,728 2005-11-10 18:24:50 C:\Program Files\TOSHIBA\Tvs\bak\TvsTray.exe -c--a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe ----a-w 15,360 2008-04-14 00:12:16 C:\WINDOWS\system32\ctfmon.exe -c--a-w 155,648 2001-07-09 15:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe -c--a-w 122,940 2005-08-01 13:10:00 C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31C44199-FA00-87D3-2A91-F72D61D4AD93}] C:\WINDOWS\system32\tksxfgtp.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38FFD9B9-E425-4970-990F-482FACFE2A7E}] C:\WINDOWS\system32\qoMccCTj.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9BF64A5F-57D3-4CAB-BD2C-ECE635439407}] C:\WINDOWS\system32\ljJcDUol.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 18:12 15360] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [ ] "Winstx"="C:\361101032253735984.exe" [ ] "Winstm"="C:\36110103225100468296.exe" [ ] "Winstj"="C:\36110103225100468296.exe" [ ] "Winste"="C:\36110103225100468296.exe" [ ] "Winstf"="C:\361101032253735984.exe" [ ] "Winstk"="C:\361101032253735984.exe" [ ] "Winsta"="C:\361101032253735984.exe" [ ] "Winstg"="C:\36110103225100468296.exe" [ ] "Winstv"="C:\36110103225100468296.exe" [ ] "Winstr"="C:\36110103225100468296.exe" [ ] "Winstw"="C:\36110103225100468296.exe" [ ] "Winstu"="C:\361101032253735984.exe" [ ] "Winstq"="C:\36110103225100468296.exe" [ ] "Winsts"="C:\36110103225100468296.exe" [ ] "Winsti"="C:\36110103225100468296.exe" [ ] "Winsty"="C:\361101032253735984.exe" [ ] "Winstn"="C:\361101032253735984.exe" [ ] "Eprc"="C:\DOCUME~1\Jose\MYDOCU~1\YMBOLS~1\winword.exe" [ ] "Ghvw"="C:\Program Files\?racle\n?tdde.exe" [ ] "Winstz"="C:\361101032253735984.exe" [ ] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-18 00:46 1506544] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RTHDCPL"="RTHDCPL.EXE" [2005-11-10 13:14 15473664 C:\WINDOWS\RTHDCPL.exe] "NDSTray.exe"="NDSTray.exe" [] "AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 08:29 88203 C:\WINDOWS\agrsmmsg.exe] "TFncKy"="TFncKy.exe" [] "TPSMain"="TPSMain.exe" [2005-05-31 23:00 282624 C:\WINDOWS\system32\TPSMain.exe] "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [ ] "CFSServ.exe"="CFSServ.exe" [] "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-05-04 01:21 176128] "HPHUPD05"="C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2004-03-31 22:34 49152] "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664] "HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2004-05-04 16:17 491520] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [ ] "BarbieGirlsTray"="C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe" [2007-03-14 20:59 24576] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696] RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-11-04 21:20:51 155648] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-06-18 00:46 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-06-18 00:46 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"= [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"= "C:\\WINDOWS\\system32\\rtcshare.exe"= "C:\\Program Files\\NetMeeting\\conf.exe"= "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"= "C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "C:\\Documents and Settings\\Jose\\Desktop\\utorrent.exe"= "C:\\Program Files\\Mozilla Firefox\\firefox.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader "6112:TCP"= 6112:TCP:Blizzard Downloader R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 17:20] R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 17:16] R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 13:12] R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 12:30] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5834012b-84ca-11db-9d05-0016e30ec92b}] \Shell\AutoRun\command - setupSNK.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d59b4f8-303d-11dc-9d63-0016e30ec92b}] \Shell\AutoRun\command - F:\wd_windows_tools\setup.exe . Contents of the 'Scheduled Tasks' folder "2008-06-19 17:06:02 C:\WINDOWS\Tasks\HP Usg Daily.job" - C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-19 23:38:43 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\system32\ati2evxx.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\acs.exe C:\WINDOWS\system32\drivers\CDAC11BA.EXE C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\TOSHIBA\IVP\swupdate\swupdtmr.exe C:\WINDOWS\system32\Tablet.exe C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe C:\WINDOWS\system32\WTablet\TabUserW.exe C:\WINDOWS\system32\Tablet.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe C:\WINDOWS\system32\TPSBattM.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\wscntfy.exe . ************************************************************************ . Completion time: 2008-06-19 23:43:53 - machine was rebooted ComboFix-quarantined-files.txt 2008-06-20 05:43:42 Pre-Run: 1,159,864,320 bytes free Post-Run: 1,048,322,048 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons 265 --- E O F --- 2008-06-19 17:08:27 And here is the HiJack This Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:04:30 AM, on 6/20/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\acs.exe C:\WINDOWS\system32\drivers\CDAC11BA.EXE C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\WINDOWS\system32\svchost.exe c:\TOSHIBA\IVP\swupdate\swupdtmr.exe C:\WINDOWS\system32\Tablet.exe C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe C:\WINDOWS\system32\WTablet\TabUserW.exe C:\WINDOWS\system32\Tablet.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\WINDOWS\system32\TPSMain.exe C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\WINDOWS\system32\hphmon05.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\TPSBattM.exe C:\WINDOWS\system32\RAMASST.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Documents and Settings\Jose\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) R3 - URLSearchHook: (no name) - {31C44199-FA00-87D3-2A91-F72D61D4AD93} - C:\WINDOWS\system32\tksxfgtp.dll (file missing) O2 - BHO: (no name) - {31C44199-FA00-87D3-2A91-F72D61D4AD93} - C:\WINDOWS\system32\tksxfgtp.dll (file missing) O2 - BHO: (no name) - {38FFD9B9-E425-4970-990F-482FACFE2A7E} - C:\WINDOWS\system32\qoMccCTj.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {9BF64A5F-57D3-4CAB-BD2C-ECE635439407} - C:\WINDOWS\system32\ljJcDUol.dll (file missing) O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [TFncKy] TFncKy.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe O4 - HKLM\..\Run: [BarbieGirlsTray] C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [Winstx] C:\361101032253735984.exe O4 - HKCU\..\Run: [Winstm] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winstj] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winste] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winstf] C:\361101032253735984.exe O4 - HKCU\..\Run: [Winstk] C:\361101032253735984.exe O4 - HKCU\..\Run: [Winsta] C:\361101032253735984.exe O4 - HKCU\..\Run: [Winstg] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winstv] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winstr] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winstw] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winstu] C:\361101032253735984.exe O4 - HKCU\..\Run: [Winstq] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winsts] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winsti] C:\36110103225100468296.exe O4 - HKCU\..\Run: [Winsty] C:\361101032253735984.exe O4 - HKCU\..\Run: [Winstn] C:\361101032253735984.exe O4 - HKCU\..\Run: [Eprc] "C:\DOCUME~1\Jose\MYDOCU~1\YMBOLS~1\winword.exe" -vt yazr O4 - HKCU\..\Run: [Ghvw] C:\Program Files\?racle\n?tdde.exe O4 - HKCU\..\Run: [Winstz] C:\361101032253735984.exe O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart O20 - AppInit_DLLs: O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing) O23 - Service: MSCSPTISRV - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (file missing) O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe (file missing) O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing) O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- End of file - 9782 bytes Thanks again for all your help!!

Rorschach112 View Member Profile	Jun 20 2008, 04:21 AM Post #4
GeekU Teacher Posts: 19,272 From: Dublin OS: XP	Hello 1. Close any open browsers. 2. Open notepad and copy/paste the text in the quotebox below into it: QUOTE KillAll:: AWF:: C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe C:\Program Files\ltmoh\bak\Ltmoh.exe C:\Program Files\QuickTime\bak\qttask.exe C:\Program Files\SlySoft\AnyDVD\bak\AnyDVD.exe C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe C:\Program Files\TOSHIBA\TOSCDSPD\bak\toscdspd.exe C:\Program Files\TOSHIBA\TOSHIBA Applet\bak\thotkey.exe C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\bak\SmoothView.exe C:\Program Files\TOSHIBA\Touch and Launch\bak\PadExe.exe C:\Program Files\TOSHIBA\Tvs\bak\TvsTray.exe C:\WINDOWS\system32\bak\ctfmon.exe C:\WINDOWS\system32\bak\NeroCheck.exe C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE Folder:: Registry:: [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5834012b-84ca-11db-9d05-0016e30ec92b}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d59b4f8-303d-11dc-9d63-0016e30ec92b}] Driver:: Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at "C:\ComboFix.txt" Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall Please do an online scan with Kaspersky WebScanner Click on Kaspersky Online Scanner and click Accept You will be prompted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Extended (if available otherwise Standard) Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post.

Rorschach112 View Member Profile	Jun 24 2008, 04:27 PM Post #5
GeekU Teacher Posts: 19,272 From: Dublin OS: XP	Due to lack of feedback, this topic has been closed. If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

« Next Oldest · Malware Removal - HijackThis� Logs Go Here · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

		Topic Title	Replies / Views	Topic Information
		Malware Removal - HijackThis� Logs Go Here Internet slow down and crashes [RESOLVED]	5 / 567	7th January 2006 - 04:04 PM Kristina started - last by Dragon
		Malware Removal - HijackThis� Logs Go Here Need help with Internet access problem [RESOLVED]