unknown spyware infection (maybe winhound?)


This topic is locked

#1
youngerbrother
New Member, 9 posts
Hello There-
I followed all of the instructions but still seem to be infected. Please help!

Thanks!
Chris

Panda Scan results:

Incident Status Location

Adware:Adware/SpySheriff Not disinfected c:\winstall.exe
Adware:Adware/SpySheriff Not disinfected C:\Documents and Settings\Chris.X-5000\uadgyyaz.exe
Virus:Trj/LowZones.SM Disinfected Operating system
Adware:adware/spysheriff Not disinfected c:\winstall.exe
Potentially unwanted tool:application/pesttrap Not disinfected c:\program files\PestTrap
Virus:Trj/Keylog.GA Disinfected C:\!KillBox\geede.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\jkkjh.dll
Virus:Trj/Keylog.GA Disinfected C:\!KillBox\vtsts.dll
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Chris.X-5000\Cookies\chris@adrevolver[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris.X-5000\Cookies\chris@apmebf[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Chris.X-5000\Cookies\chris@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Chris.X-5000\Cookies\chris@doubleclick[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Chris.X-5000\Cookies\chris@realmedia[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Chris.X-5000\Desktop\spyware tools\SmitfraudFix\Process.exe
Possible Virus. Not disinfected C:\Documents and Settings\Chris.X-5000\Desktop\spyware tools\SmitfraudFix\swreg.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Chris.X-5000\Desktop\spyware tools\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Possible Virus. Not disinfected C:\Documents and Settings\Chris.X-5000\Desktop\spyware tools\SmitfraudFix.zip[SmitfraudFix/swreg.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Chris.X-5000\Desktop\spyware tools\smitRem\Process.exe
Possible Virus. Not disinfected C:\Documents and Settings\Chris.X-5000\Desktop\spyware tools\smitRem\swreg.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Chris.X-5000\Desktop\spyware tools\smitRem.exe[smitRem/Process.exe]
Possible Virus. Not disinfected C:\Documents and Settings\Chris.X-5000\Desktop\spyware tools\smitRem.exe[smitRem/swreg.exe]
Adware:Adware/SpySheriff Not disinfected C:\Documents and Settings\Chris.X-5000\hnvdbssm.exe
Adware:Adware/SpySheriff Not disinfected C:\Documents and Settings\Chris.X-5000\jbabexjv.exe
Adware:Adware/SpySheriff Not disinfected C:\Documents and Settings\Chris.X-5000\kyryjdtd.exe
Adware:Adware/SpySheriff Not disinfected C:\Documents and Settings\Chris.X-5000\tmajxyii.exe
Adware:Adware/SpySheriff Not disinfected C:\Documents and Settings\Chris.X-5000\ugmpxxxw.exe
Adware:Adware/SpySheriff Not disinfected C:\Documents and Settings\Chris.X-5000\unkohzzb.exe
Adware:Adware/SpySheriff Not disinfected C:\Documents and Settings\Chris.X-5000\zkuatqzb.exe
Virus:Trj/LowZones.SM Disinfected C:\ej.exe
Adware:Adware/BraveSentry Not disinfected C:\Program Files\PestTrap\heur000.dll
Adware:Adware/BraveSentry Not disinfected C:\Program Files\PestTrap\heur001.dll
Adware:Adware/BraveSentry Not disinfected C:\Program Files\PestTrap\heur002.dll
Adware:Adware/BraveSentry Not disinfected C:\Program Files\PestTrap\heur003.dll
Potentially unwanted tool:Application/PestTrap Not disinfected C:\Program Files\PestTrap\Uninstall.exe
Virus:Trj/Firebypass.AR Disinfected C:\WINDOWS\system32\ntoskrnl.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\swreg.

Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:52:33 PM, on 11/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\winstall.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Documents and Settings\Chris.X-5000\uadgyyaz.exe
C:\Documents and Settings\Chris.X-5000\Desktop\spyware tools\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TCtryIOHook] c:\WINDOWS\System32\TCtrlIOHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [bikini] bikini.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147409599864
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147409707976
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

smitfiles:


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 11/30/2006
The current time is: 11:12:39.50

Running from
C:\Documents and Settings\Chris.X-5000\Desktop\spyware tools\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 760 'explorer.exe'
Killing PID 760 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN!

ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:03:34 PM, 11/30/2006
+ Report-Checksum: E4852AF9

+ Scan result:

C:\Documents and Settings\Chris.X-5000\akvzoipp.exe -> Downloader.Small.cpg : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\chris@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\chris@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\chris@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\chris@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\chris@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\chris@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\chris@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\chris@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\chris@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\chris@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\chris@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\chris@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\Cookies\chris@xxxcounter[1].txt -> TrackingCookie.Xxxcounter : Cleaned with backup
C:\Documents and Settings\Chris.X-5000\xstviwdz.exe -> Downloader.Small.cpg : Cleaned with backup
C:\nj.exe -> Downloader.Small.cpg : Cleaned with backup


::Report End


Thanks again!
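The HijackThis logs above list every O4 (Run-key autorun) entry on the machine, and the entries that matter ([gwiz] C:\WINDOWS\system32\ntsystem.exe and [Windows installer] C:\winstall.exe, which SUPERAntiSpyware later identifies, plus the unexplained [bikini] bikini.exe) sit among dozens of legitimate Toshiba OEM entries. The script below is an added example for this thread, not HijackThis code and not part of the original post: it parses O4 Run lines and flags targets that live in the drive root, in the user's profile root, or that are bare filenames outside an assumed known-good list. The known-good list and the location rules are assumptions made for the example; the sample lines are taken from the log posted above.

```python
"""Triage the O4 (Run-key autorun) entries of a HijackThis log by file location.

Added example for this thread; not HijackThis code and not from the original
post.  The known-good list and the location rules below are assumptions.
"""
import re
from typing import List, Optional, Tuple

# "O4 - HKLM\..\Run: [name] command" and the HKCU form.
O4_RUN = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$'
)
# First ".exe" token of an unquoted command; whatever follows is arguments.
EXE_RE = re.compile(r'^(.*?\.exe)(?=\s|$)', re.IGNORECASE)
# Exactly one component after a user's profile folder, e.g. ...\Chris.X-5000\x.exe
PROFILE_ROOT = re.compile(r'^c:\\documents and settings\\[^\\]+\\[^\\]+$')
# Exactly one component after the drive, e.g. c:\winstall.exe
DRIVE_ROOT = re.compile(r'^[a-z]:\\[^\\]+$')

# Bare-filename Run values from the posted log that belong to the Toshiba
# OEM software.  Calling them known-good is an assumption of this example.
KNOWN_BARE_NAMES = {
    'tpsmain.exe', 'tfncky.exe', 'ndstray.exe', 'cfsserv.exe', 'agrsmmsg.exe',
}
# Trees where a file is plausibly legitimate; nothing under them is flagged
# by location alone (which is exactly the gap a system32 dropper exploits).
TRUSTED_PREFIXES = ('c:\\program files\\', 'c:\\windows\\')


def target_path(command: str) -> str:
    """Return the executable part of a Run value, dropping its arguments."""
    command = command.strip()
    if command.startswith('"'):          # "C:\p\x.exe" -arg
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)            # c:\p\x.exe /run, or CFSServ.exe -NoClient
    return m.group(1) if m else command


def suspicious_reason(path: str) -> Optional[str]:
    """Explain why a path deserves a second look, or None if its location is unremarkable."""
    p = path.lower()
    if '\\' not in p:
        if p in KNOWN_BARE_NAMES:
            return None
        return 'bare filename (resolved via the search path) not on the known-good list'
    if p.startswith(TRUSTED_PREFIXES):
        return None
    if DRIVE_ROOT.match(p):
        return 'executable in the drive root'
    if PROFILE_ROOT.match(p):
        return 'executable in the user profile root'
    return None


def triage(log_lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (hive, value name, path, reason) for every flagged O4 Run entry."""
    flagged = []
    for line in log_lines:
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        path = target_path(m['cmd'])
        reason = suspicious_reason(path)
        if reason:
            flagged.append((m['hive'], m['name'], path, reason))
    return flagged


# A subset of the lines from the HijackThis log posted above (one non-O4 line
# included to show that it is ignored).
SAMPLE_LOG = [
    r'O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll',
    r'O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe',
    r'O4 - HKLM\..\Run: [TPSMain] TPSMain.exe',
    r'O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run',
    r'O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient',
    r'O4 - HKLM\..\Run: [bikini] bikini.exe',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe',
    r'O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe',
]

if __name__ == '__main__':
    for hive, name, path, reason in triage(SAMPLE_LOG):
        print(f'{hive} [{name}] {path}: {reason}')
```

Run over the posted log this flags [Windows installer] C:\winstall.exe and [bikini] bikini.exe but not [gwiz] C:\WINDOWS\system32\ntsystem.exe, which sits in a trusted tree: location alone does not catch a dropper that writes into system32, which is why the signature-based scans in this thread were still needed. The same suspicious_reason() check applied to the "Running processes" list flags C:\Documents and Settings\Chris.X-5000\uadgyyaz.exe, one of the SpySheriff executables in the Panda results.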


#2
Daemon
Security Expert (Retired Staff, MVP), 4,356 posts
Please download SUPERAntiSpyware Home Edition (free version)
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Please paste that information here for me with a new HijackThis log.


#3
youngerbrother
New Member (Topic Starter), 9 posts
Hi Daemon-
Here they are. Thanks again for your help!

-Chris

SUPERAntiSpyware Scan Log
Generated 12/01/2006 at 10:05 AM

Application Version : 3.3.1020

Core Rules Database Version : 3140
Trace Rules Database Version: 1157

Scan type : Complete Scan
Total Scan Time : 00:44:56

Memory items scanned : 284
Memory threats detected : 0
Registry items scanned : 5678
Registry threats detected : 2
File items scanned : 44516
File threats detected : 102

Trojan.NWFrame
[gwiz] C:\WINDOWS\SYSTEM32\NTSYSTEM.EXE
C:\WINDOWS\SYSTEM32\NTSYSTEM.EXE

Trojan.Windows Installer
[Windows installer] C:\WINSTALL.EXE
C:\WINSTALL.EXE

Adware.Tracking Cookie
C:\Documents and Settings\Chris.X-5000\Cookies\chris@serving-sys[1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@apmebf[1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@tribalfusion[2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@mb[5].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@pitchforkmedia[1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@tacoda[1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@burstnet[2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@trafficmp[2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@xxxcounter[1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@adknowledge[2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@38262[2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@mb[1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@38290[1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@mediaplex[1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@2o7[2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@roiservice[1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@realmedia[2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@38266[1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@casalemedia[1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@fastclick[2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@nextag[1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@ad[2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@adrevolver[3].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@bluestreak[2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@atdmt[2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@mb[2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@advertising[1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@82761755[1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@doubleclick[1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@38278[1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@statcounter[2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@38270[1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@belnk[1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@mb[3].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@adbrite[2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\[email protected][2].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@38295[1].txt
C:\Documents and Settings\Chris.X-5000\Cookies\chris@adrevolver[1].txt

Trojan.PestTrap
C:\Program Files\PestTrap\base.avd
C:\Program Files\PestTrap\base001.avd
C:\Program Files\PestTrap\base002.avd
C:\Program Files\PestTrap\found.wav
C:\Program Files\PestTrap\heur000.dll
C:\Program Files\PestTrap\heur001.dll
C:\Program Files\PestTrap\heur002.dll
C:\Program Files\PestTrap\heur003.dll
C:\Program Files\PestTrap\notfound.wav
C:\Program Files\PestTrap\PestTrap.dvm
C:\Program Files\PestTrap\PestTrap.exe
C:\Program Files\PestTrap\removed.wav
C:\Program Files\PestTrap\Uninstall.exe
C:\Program Files\PestTrap

Adware.Vundo Variant
C:\!KILLBOX\JKKJH.DLL

Trojan.SpySheriff
C:\DOCUMENTS AND SETTINGS\CHRIS.X-5000\HNVDBSSM.EXE
C:\DOCUMENTS AND SETTINGS\CHRIS.X-5000\JBABEXJV.EXE
C:\DOCUMENTS AND SETTINGS\CHRIS.X-5000\KYRYJDTD.EXE
C:\DOCUMENTS AND SETTINGS\CHRIS.X-5000\TMAJXYII.EXE
C:\DOCUMENTS AND SETTINGS\CHRIS.X-5000\UADGYYAZ.EXE
C:\DOCUMENTS AND SETTINGS\CHRIS.X-5000\UGMPXXXW.EXE
C:\DOCUMENTS AND SETTINGS\CHRIS.X-5000\UNKOHZZB.EXE
C:\DOCUMENTS AND SETTINGS\CHRIS.X-5000\ZKUATQZB.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E630DE7-5F3B-4F5C-851B-9E351BAD557E}\RP248\A0069585.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E630DE7-5F3B-4F5C-851B-9E351BAD557E}\RP248\A0069683.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E630DE7-5F3B-4F5C-851B-9E351BAD557E}\RP248\A0069684.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E630DE7-5F3B-4F5C-851B-9E351BAD557E}\RP248\A0069685.EXE
C:\WINDOWS\Prefetch\HNVDBSSM.EXE-38824C06.pf
C:\WINDOWS\Prefetch\UADGYYAZ.EXE-075FCBFC.pf
C:\WINDOWS\Prefetch\UGMPXXXW.EXE-3482E1F3.pf

Trojan.Downloader-NtOsKernel
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E630DE7-5F3B-4F5C-851B-9E351BAD557E}\RP248\A0069742.DLL






Logfile of HijackThis v1.99.1
Scan saved at 10:26:19 AM, on 12/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ZoomingHook.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Chris.X-5000\Desktop\spyware tools\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TCtryIOHook] c:\WINDOWS\System32\TCtrlIOHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [bikini] bikini.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\SUPERAntiSpyware.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147409599864
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147409707976
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 Daemon - Security Expert (Retired Staff, MVP)
Click here to download Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. In the 'Full Path of File to Delete' box, copy and paste the following, clicking the red 'Delete File' button (red circle with a white X) after pasting:

C:\WINDOWS\system32\bikini.exe

Click 'Exit' when done.

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

O4 - HKLM\..\Run: [bikini] bikini.exe

Exit HijackThis when done. Reboot, rescan with HijackThis and post a new log here.
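Daemon's two steps above (delete the file, then remove the Run value that launches it) are the manual form of a simple triage rule: in a log like this, a Run value that launches a bare filename with no path and no recognisable vendor is the entry that stands out, because every other bare-name entry here belongs to the Toshiba or Agere OEM image. The script below is an added example, not part of the original thread and not Daemon's own tooling. It parses O4 lines constructed from the log posted above, flags bare-name entries that are not on an OEM allow-list, and emits both the candidate full paths to hand to Killbox and the exact O4 line to tick in HijackThis. The allow-list and the Windows XP image search order are assumptions of this example; the file's real location still has to be confirmed on disk (in the thread it was given as C:\WINDOWS\system32).

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a subset of the O4 section of the HijackThis log posted above,
# including the [bikini] entry the helper told the poster to remove.
SAMPLE_LOG = "\n".join([
    r"O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe",
    r"O4 - HKLM\..\Run: [TPSMain] TPSMain.exe",
    r"O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe",
    r"O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient",
    r"O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe",
    r"O4 - HKLM\..\Run: [bikini] bikini.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
])

# Assumption: bare-filename Run values that this Toshiba/Agere OEM image is known
# to ship. Any other image launched by bare name deserves a look.
KNOWN_BARE_NAMES = {"tpsmain.exe", "tfncky.exe", "ndstray.exe", "cfsserv.exe", "agrsmmsg.exe"}

# Assumption: directories Windows XP searches for a bare image name launched from
# the Run key (Explorer is the parent, so its own directory is tried first), before
# the PATH variable is consulted. Verify the hit on disk before deleting anything.
SEARCH_ORDER = (r"C:\WINDOWS", r"C:\WINDOWS\system32", r"C:\WINDOWS\system")

# Only registry Run values (HKLM/HKCU) are parsed; Startup-folder O4 lines are skipped.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class RunEntry:
    line: str       # the O4 line exactly as HijackThis printed it (what you tick to fix)
    hive: str       # HKLM or HKCU
    name: str       # the Run value name in square brackets
    image: str      # executable token, quotes stripped, arguments removed
    has_path: bool  # False when the value launches a bare filename


def parse_o4(log: str) -> List[RunEntry]:
    """Parse the registry Run lines of a HijackThis log into RunEntry records."""
    entries = []
    for raw in log.splitlines():
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        cmd = m.group("cmd").strip()
        if cmd.startswith('"'):
            # A quoted image path may contain spaces; take everything up to the closing quote.
            end = cmd.find('"', 1)
            image = cmd[1:end] if end > 0 else cmd[1:]
        else:
            image = cmd.split(" ", 1)[0]
        entries.append(RunEntry(raw.strip(), m.group("hive"), m.group("name"), image, "\\" in image))
    return entries


def flag_suspicious(entries: List[RunEntry]) -> List[RunEntry]:
    """Return entries launched by bare filename that are not on the OEM allow-list."""
    return [e for e in entries if not e.has_path and e.image.lower() not in KNOWN_BARE_NAMES]


def candidate_paths(entry: RunEntry) -> List[str]:
    """Full paths, in search order, where a bare-name image would be picked up."""
    return [d + "\\" + entry.image for d in SEARCH_ORDER]


def fix_plan(log: str) -> List[Tuple[List[str], str]]:
    """For each flagged entry: (Killbox candidate paths, HijackThis O4 line to fix)."""
    return [(candidate_paths(e), e.line) for e in flag_suspicious(parse_o4(log))]


if __name__ == "__main__":
    for paths, hjt_line in fix_plan(SAMPLE_LOG):
        print("Killbox candidates:", *paths, sep="\n  ")
        print("HijackThis fix:", hjt_line)
```

Run against the sample, the only flagged value is [bikini], with C:\WINDOWS\system32\bikini.exe among the candidates and the O4 line matching what Daemon asked the poster to fix. Note that an allow-list keyed on filename alone is only a first pass: a dropper can reuse an OEM name, so the path and the signer of whatever is actually on disk still decide.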

#5 youngerbrother - New Member (Topic Starter)
Logfile of HijackThis v1.99.1
Scan saved at 6:36:01 PM, on 12/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris.X-5000\Desktop\spyware tools\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TCtryIOHook] c:\WINDOWS\System32\TCtrlIOHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\SUPERAntiSpyware.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147409599864
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147409707976
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#6 Daemon - Security Expert (Retired Staff, MVP)
That looks better - how is it running now?

#7 youngerbrother - New Member (Topic Starter)
Running much better now, thank you. For some reason, though, my desktop background went to blue when I rebooted from safe mode. It's locked up and won't allow me to change back to a photo. Any ideas?

Thanks again!
-Chris

#8 Daemon - Security Expert (Retired Staff, MVP)
We didn't do anything in Safe Mode - please provide more details.

#9 youngerbrother - New Member (Topic Starter)
I followed the directions from the "Click Here before posting a Hijack This log" part of this page, which included doing several scans with ewido and Ad-Aware while in safe mode. When I rebooted after safe mode, the desktop background feature was no longer working, and is frozen up.

-Chris

#10 Daemon - Security Expert (Retired Staff, MVP)
I assume by frozen up you have tried Start>Settings>Control Panel>Display>Desktop to change it back to your preferred background?

#11 youngerbrother - New Member (Topic Starter)
Yes, with no results.

#12 Daemon - Security Expert (Retired Staff, MVP)
OK do this for me. Click here to download Wallpaper.zip. Extract Wallpaper.reg from the zip file and save it to the desktop. When done, double-click the Wallpaper.reg and when asked to merge say yes.

Reboot and let me know if you can set it now.

#13 youngerbrother - New Member (Topic Starter)
Hi Daemon-
That was weird. I followed your directions and upon rebooting, Windows wouldn't start correctly. I tried it several times and finally had to start in Safe Mode and do a system restore to a couple of weeks ago to get Windows to start. Now I'm right back where I started! I still can't get a desktop background to come up, and the control to do so is frozen up, except to change the color. Any ideas? I'm using a Toshiba Satellite laptop and I've backed up all of my documents to discs, so there is nothing on the computer right now that I need to keep. I'm thinking about removing the partitions and just seeing if I can start all over and reinstall the software I want to use (like Windows, Norton, digital camera software etc.). Is this possible? Is it possible to just wipe everything away and start with a clean slate?

Thanks again for all of your help!
-Chris

#14 Daemon - Security Expert (Retired Staff, MVP)
Hmm.. that shouldn't have happened - the regfix just reinstates your wallpaper settings.

It is starting to sound like something is corrupted - if you have backups of everything important and CDs to reinstall, then a reformat and start again will wipe everything away.

#15 youngerbrother - New Member (Topic Starter)
And could you describe for me how I would do that?