Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

more Trojan Zlob [RESOLVED]


  • This topic is locked This topic is locked

#1
fjchild

fjchild

    Member

  • Member
  • PipPip
  • 13 posts
Yesterday and today my noon scan by Symantec AV 9.0.0.338 logged that it had found (separate) examples of Trojan Zlob. It could not clean but did successfully delete both days.

I run Symantec live time and also Ad-watch in Win XP Pro.

The Symantec web site does not seem to have ever heard of Zlob, however.
Other sites claim it's an unusually persistant buggy.

I haven't run Hijackthis yet as one of the thousands of excellent advice sites claims it's out of date now anyway.

I have no indications of any infection or unusual computer operation.

Seems like a non-issue but what do I know?

Thanks for your attention.

AJS
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

I haven't run Hijackthis yet as one of the thousands of excellent advice sites claims it's out of date now anyway.

What site said that :) ? Would love to read their post about that out of curiosity



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
fjchild

fjchild

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
About.com:Antivirus Software
http://antivirus.abo...3/14/257830.htm
Mary Landesman's Antivirus Software Blog

From Mary Landesman,
Your Guide to Antivirus Software.

Trend Micro HijackThis

# Interesting that Trend Micro buys HijackThis after malware advancements have made the tool's usefulness all but obsolete: Trend Micro HijackThis

I'm going to file this one under the "What were they thinking?" folder.

Trend's website says they do not officially support the product. No doubt.
Wednesday March 14, 2007

I'll try that DSS & be back.
  • 0

#4
fjchild

fjchild

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
OK.
Deckard's System Scanner v20071014.68
Run by Abby Sale on 2008-01-05 22:48:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
22: 2008-01-06 03:48:39 UTC - RP56 - Deckard's System Scanner Restore Point
21: 2008-01-05 19:54:50 UTC - RP55 - System Checkpoint
20: 2008-01-04 04:23:42 UTC - RP54 - System Checkpoint
19: 2008-01-02 19:38:11 UTC - RP53 - System Checkpoint
18: 2008-01-01 18:19:58 UTC - RP52 - System Checkpoint


-- First Restore Point --
1: 2007-12-16 03:56:28 UTC - RP35 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 495 MiB (512 MiB recommended).


-- HijackThis (run as Abby Sale.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:23 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe
C:\INTERNET\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Downloads\dss.exe
C:\Internet\HIJACK~1\Abby Sale.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toshibadirect.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: BDEX System - {C2DE4340-CB68-450F-90CD-9BE1A26739D7} - C:\WINDOWS\domnftwmnf.dll
O3 - Toolbar: The emlkdvo - {47906C8A-7A72-45A8-AA59-0CEC20BD3B36} - C:\WINDOWS\emlkdvo.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StartSecurDoc] C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe
O4 - HKLM\..\Run: [AWMON] "C:\INTERNET\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-20 Startup: ConfigureBJMK1.lnk = C:\Program Files\Boldon James\Messaging and Directory\MasterKey\configurebjmk1.exe (User 'NETWORK SERVICE')
O4 - Startup: Microsoft Outlook 2000.lnk = C:\Program Files\Microsoft Office\Office\Outlook.exe
O4 - Startup: TODAYME (autoexec.nt).PIF = C:\Almanac\TODAYME\TODAYME.BAT
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: C:\INTERNET\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {5EF90065-A2C4-4C6D-993E-40EE010EBA3D} (FTWebUtils.Redirecter) - https://www.fts.newy.../FTWebUtils.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193761944346
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: BCL easyPDF SDK Loader (bepprldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Desktop Manager 5.7.712.12266 (GoogleDesktopManager-121207-085209) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

--
End of file - 9018 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 SDDisk2K (WinMagic SecureDoc) - c:\windows\system32\drivers\sddisk2k.sys
R0 TVALZ (TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Driver) - c:\windows\system32\drivers\tvalz.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Common Modules>
R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R1 TMEI3E - c:\windows\system32\drivers\tmei3e.sys <Not Verified; Toshiba Corporation; Toshiba Mobile Extension>
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R2 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys

S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree™>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 RetroLauncher (Retrospect Launcher) - c:\program files\dantz\retrospect\retrorun.exe <Not Verified; Dantz Development Corporation; Retrospect>
R2 Swupdtmr - c:\toshiba\ivp\swupdate\swupdtmr.exe
R2 Tmesrv (Tmesrv3) - "c:\program files\toshiba\tme3\tmesrv31.exe" /service <Not Verified; TOSHIBA; TOSHIBA MobileExtension Service>

S2 Retrospect Helper - "c:\program files\dantz\retrospect\rthlpsvc.exe" <Not Verified; Dantz Development Corporation; Retrospect>
S3 bepprldr (BCL easyPDF SDK Loader) - "c:\program files\common files\bcl technologies\easypdf 4\bepprldr.exe" <Not Verified; ; bepprldr Module>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_103D&SUBSYS_00011179&REV_83\4&16793A72&0&40F0
Manufacturer: Intel
Name: Intel® PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_103D&SUBSYS_00011179&REV_83\4&16793A72&0&40F0
Service: E100B


-- Files created between 2007-12-05 and 2008-01-05 -----------------------------

2008-01-05 19:25:03 0 dr-h----- C:\Documents and Settings\Abby Sale\Recent
2008-01-03 22:41:51 0 --a------ C:\Documents and Settings\Abby Sale\LOG
2008-01-03 15:33:56 583 ---h----- C:\fc2tree.dat
2008-01-03 15:31:41 0 d-------- C:\Pictures
2008-01-03 12:13:03 0 d-------- C:\0Backup
2008-01-03 07:54:16 0 d-------- C:\WINDOWS\pss
2008-01-01 12:34:31 0 d-------- C:\Program Files\Common Files\xing shared
2008-01-01 11:29:52 6 --a------ C:\x.bat
2007-12-28 09:39:28 0 d-------- C:\JEWISH
2007-12-28 08:40:35 0 d-------- C:\WINDOWS\Downloaded Installations
2007-12-23 20:51:43 0 d-------- C:\WINDOWS\Sun
2007-12-22 23:42:28 0 d-------- C:\Program Files\Trillian
2007-12-22 14:34:41 0 d-------- C:\Program Files\MediaVideoCodec
2007-12-22 14:33:52 77824 --a------ C:\WINDOWS\fvkwdrt.exe
2007-12-22 14:33:52 200704 --a------ C:\WINDOWS\emlkdvo.dll <Not Verified; ; emlkdvo Module>
2007-12-22 14:33:52 278528 --a------ C:\WINDOWS\domnftwmnf.dll <Not Verified; ; domnftwmnf>
2007-12-22 14:33:52 253952 --a------ C:\WINDOWS\bvtqfvx.dll
2007-12-22 14:33:52 217088 --a------ C:\WINDOWS\alxvdvm.dll <Not Verified; ; alxvdvm>
2007-12-21 04:20:24 0 d-------- C:\00
2007-12-19 17:24:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-12-18 08:31:28 0 d-------- C:\MUSIC
2007-12-17 15:29:54 102364 -----n--- C:\WINDOWS\hpqins13.dat
2007-12-16 20:27:38 0 d-------- C:\Program Files\CCleaner
2007-12-16 19:07:34 1283 --a------ C:\Deltemp.bat
2007-12-16 19:07:34 5124 --a------ C:\Del_Temp_Folders.bat
2007-12-15 20:43:40 0 d-------- C:\Program Files\Dantz
2007-12-15 19:53:43 0 d-------- C:\Program Files\Symantec AntiVirus
2007-12-15 16:52:55 0 d-------- C:\Program Files\Maxtor
2007-12-15 16:34:28 0 d-------- C:\Program Files\AlotNotes
2007-12-15 12:48:51 0 d-------- C:\WINDOWS\Icons
2007-12-15 12:48:51 0 d-------- C:\WINDOWS\Iconmgr
2007-12-15 12:37:04 0 d-------- C:\Program Files\Google
2007-12-15 10:55:14 0 d-------- C:\Program Files\Common Files\HP
2007-12-15 10:33:22 0 d-------- C:\Program Files\Hewlett-Packard
2007-12-15 10:27:33 19696 -----n--- C:\WINDOWS\hpomdl05.dat
2007-12-15 10:27:33 69454 --a------ C:\WINDOWS\hpoins05.dat
2007-12-15 10:14:28 0 d-------- C:\WINDOWS\FontsTc
2007-12-15 10:14:19 0 d-------- C:\WINDOWS\FontsFS-from_Fontsmart
2007-12-15 10:14:15 0 d-------- C:\WINDOWS\FontsAb
2007-12-15 10:14:02 0 d-------- C:\WINDOWS\FONTS_UN
2007-12-15 10:09:39 0 d-------- C:\Viewers
2007-12-15 10:02:25 0 d-------- C:\Almanac
2007-12-14 23:13:38 0 d-------- C:\Tech Stuff
2007-12-14 23:06:56 0 d-------- C:\Skating
2007-12-14 23:06:35 0 d-------- C:\Raleigh
2007-12-14 23:05:15 0 d-------- C:\Purchases
2007-12-14 22:14:47 0 d-------- C:\temp
2007-12-14 22:12:30 0 d-------- C:\Medical - Our
2007-12-14 21:28:25 0 d-------- C:\Tasks (not scheduled)
2007-12-14 17:25:57 0 d-------- C:\Music-New Downloads
2007-12-14 17:24:09 0 d-------- C:\)Changed files
2007-12-14 17:16:32 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2007-12-14 17:16:32 0 dr------- C:\Documents and Settings\LocalService\My Documents
2007-12-14 17:14:45 0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-12-14 17:02:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-14 16:54:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 16:53:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Gtek
2007-12-14 16:53:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-14 16:53:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Retrospect
2007-12-14 16:53:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-14 16:51:46 28672 --a------ C:\Documents and Settings\Abby Sale\atwbxdet.dll <Not Verified; ; atwbxdet Module>
2007-12-14 16:45:25 10 --a------ C:\Documents and Settings\Abby Sale\usb002
2007-12-14 16:45:25 10 --a------ C:\Documents and Settings\Abby Sale\usb
2007-12-14 16:45:25 0 d-------- C:\Documents and Settings\Abby Sale\.jpi_cache
2007-12-14 16:45:25 0 d-------- C:\Documents and Settings\Abby Sale\.java
2007-12-14 16:45:25 0 d-------- C:\Documents and Settings\Abby Sale\.GalleryRemote
2007-12-14 16:45:22 630784 --a------ C:\Documents and Settings\Abby Sale\GoToAssist_chat2way__317_en.exe <Not Verified; Citrix Online; GoToAssist>
2007-12-14 16:45:22 630784 --a------ C:\Documents and Settings\Abby Sale\chatlnk.exe <Not Verified; Citrix Online; GoToAssist>
2007-12-14 15:56:12 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-12-14 15:24:29 57344 --a------ C:\WINDOWS\system32\HPZisn12.dll <Not Verified; HP; HP SNMP Windows>
2007-12-14 15:24:29 94208 --a------ C:\WINDOWS\system32\HPZipt12.dll <Not Verified; HP; HP SNMP Windows>
2007-12-14 15:24:29 204800 --a------ C:\WINDOWS\system32\HPZipr12.dll <Not Verified; HP; HP PmlRtl>
2007-12-14 15:24:29 69632 --a------ C:\WINDOWS\system32\HPZipm12.exe <Not Verified; HP; HP PML>
2007-12-14 15:24:29 61440 --a------ C:\WINDOWS\system32\HPZinw12.exe <Not Verified; HP; HP Dot4Net Windows>
2007-12-14 15:24:29 278584 --a------ C:\WINDOWS\system32\HPZidr12.dll <Not Verified; HP; HP Dot4Rtl>
2007-12-14 15:22:12 0 d-------- C:\Program Files\HP
2007-12-13 17:12:33 0 d-------- C:\GRULE
2007-12-13 15:04:10 0 d-------- C:\Utils
2007-12-13 14:37:31 0 d-------- C:\Program Files\Common Files\BCL Technologies
2007-12-13 14:37:31 0 d-------- C:\Program Files\BCL Technologies
2007-12-13 14:37:15 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-13 12:44:09 0 d-------- C:\Downloads
2007-12-13 11:17:56 0 d-------- C:\Documents and Settings\All Users\Templates
2007-12-12 21:08:44 0 d-------- C:\Documents and Settings\tinker\Application Data\Intuit
2007-12-07 23:40:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-12-07 23:40:00 1359 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2007-12-07 23:30:48 0 d-------- C:\Documents and Settings\NetworkService\Start Menu
2007-12-07 23:22:38 0 d-------- C:\Documents and Settings\tinker\Application Data\Lavasoft
2007-12-07 23:21:42 0 d-------- C:\Documents and Settings\tinker\Application Data\InterVideo
2007-12-07 23:21:42 0 d-------- C:\Documents and Settings\tinker\Application Data\InterTrust
2007-12-07 23:21:42 0 d-------- C:\Documents and Settings\tinker\Application Data\Identities
2007-12-07 23:21:42 0 d-------- C:\Documents and Settings\tinker\Application Data\Adobe
2007-12-07 23:21:41 0 dr-h----- C:\Documents and Settings\tinker\SendTo
2007-12-07 23:21:41 0 dr-h----- C:\Documents and Settings\tinker\Recent
2007-12-07 23:21:41 0 d--h----- C:\Documents and Settings\tinker\PrintHood
2007-12-07 23:21:41 0 d--h----- C:\Documents and Settings\tinker\NetHood
2007-12-07 23:21:41 0 dr------- C:\Documents and Settings\tinker\My Documents
2007-12-07 23:21:41 0 d--h----- C:\Documents and Settings\tinker\Local Settings
2007-12-07 23:21:41 0 dr------- C:\Documents and Settings\tinker\Favorites
2007-12-07 23:21:41 0 d-------- C:\Documents and Settings\tinker\Desktop
2007-12-07 23:21:41 0 d---s---- C:\Documents and Settings\tinker\Cookies
2007-12-07 23:21:41 0 dr-h----- C:\Documents and Settings\tinker\Application Data
2007-12-07 23:21:41 0 d-------- C:\Documents and Settings\tinker\Application Data\toshiba
2007-12-07 23:21:41 0 d-------- C:\Documents and Settings\tinker\Application Data\Symantec
2007-12-07 23:21:41 0 d-------- C:\Documents and Settings\tinker\Application Data\Sun
2007-12-07 23:21:41 0 d-------- C:\Documents and Settings\tinker\Application Data\New York Life
2007-12-07 23:21:41 0 d---s---- C:\Documents and Settings\tinker\Application Data\Microsoft
2007-12-07 23:21:40 0 d-------- C:\Documents and Settings\tinker\WINDOWS
2007-12-07 23:21:40 0 d--h----- C:\Documents and Settings\tinker\Templates
2007-12-07 23:21:40 0 dr------- C:\Documents and Settings\tinker\Start Menu
2007-12-07 23:21:40 1572864 --ah----- C:\Documents and Settings\tinker\NTUSER.DAT
2007-12-07 22:20:16 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Macromedia
2007-12-07 22:20:12 3597 --a------ C:\WINDOWS\mozver.dat
2007-12-07 22:12:20 0 d-------- C:\Program Files\Common Files\Scanner
2007-12-07 22:06:40 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Forte
2007-12-07 21:27:04 0 dr------- C:\Documents and Settings\Abby Sale\Favorites
2007-12-07 21:26:42 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Real
2007-12-07 21:26:42 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Printer Info Cache
2007-12-07 21:26:42 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Nvu
2007-12-07 21:26:27 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Learn2.com
2007-12-07 21:26:26 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\InstallShield
2007-12-07 21:26:25 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Image Zone Express
2007-12-07 21:26:25 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Hewlett-Packard
2007-12-07 21:26:25 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\GTek
2007-12-07 21:26:25 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Google
2007-12-07 21:26:25 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\eRoom
2007-12-07 21:26:25 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Apple Computer
2007-12-07 21:26:24 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Paltalk
2007-12-07 21:26:24 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\IndividualMedical
2007-12-07 21:26:24 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Help
2007-12-07 21:26:23 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Uniblue
2007-12-07 21:26:23 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\RegClean
2007-12-07 13:34:06 0 d-------- C:\Trbck


-- Find3M Report ---------------------------------------------------------------

2008-01-04 13:15:18 0 d-------- C:\Program Files\ltmoh
2008-01-04 08:11:01 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Adobe
2008-01-01 12:34:31 0 d-------- C:\Program Files\Common Files
2008-01-01 12:34:27 0 d-------- C:\Program Files\Common Files\Real
2007-12-15 19:55:08 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-15 19:54:27 0 d-------- C:\Program Files\Symantec
2007-12-15 16:53:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-07 23:32:01 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\AdobeUM
2007-12-07 23:32:00 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Intuit
2007-12-07 23:31:54 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Mozilla
2007-12-07 23:31:52 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\toshiba
2007-12-07 22:49:12 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Netscape
2007-12-07 13:32:05 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Lavasoft
2007-11-14 17:36:43 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Template
2007-11-13 11:23:23 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Sonic


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2DE4340-CB68-450F-90CD-9BE1A26739D7}]
12/22/2007 12:57 PM 278528 --a------ C:\WINDOWS\domnftwmnf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/26/2004 09:03 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/26/2004 09:03 PM]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [08/03/2003 06:01 PM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [10/30/2003 06:46 PM]
"AGRSMMSG"="AGRSMMSG.exe" [02/20/2004 05:00 PM C:\WINDOWS\agrsmmsg.exe]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [06/28/2004 07:24 PM]
"000StTHK"="000StTHK.exe" [06/23/2001 10:28 PM C:\WINDOWS\system32\000StTHK.exe]
"TPSMain"="TPSMain.exe" [06/01/2004 10:43 PM C:\WINDOWS\system32\TPSMain.exe]
"TFNF5"="TFNF5.exe" [12/02/2003 04:15 PM C:\WINDOWS\system32\TFNF5.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [03/02/2004 03:45 PM]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [01/21/2003 08:00 PM]
"NDSTray.exe"="NDSTray.exe" []
"TFncKy"="TFncKy.exe" []
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [03/25/2004 05:36 PM]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [05/26/2004 03:04 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [07/20/2004 03:04 AM]
"StartSecurDoc"="C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe" [06/01/2006 11:55 AM]
"@"="" []
"AWMON"="C:\INTERNET\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [09/16/2004 04:15 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/29/2004 04:44 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [03/12/2004 03:18 PM]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" []
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [09/05/2003 05:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"= shdocvw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
c:\toshiba\ivp\ism\pinger.exe /run


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
AutoRun\command- Z:\INSTALL.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51fe75d1-96c4-11dc-8621-000e7be50164}]
AutoRun\command- E:\setupSNK.exe




-- End of Deckard's System Scanner: finished at 2008-01-05 22:51:02 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.50GHz
Percentage of Memory in Use: 57%
Physical Memory (total/avail): 494.77 MiB / 209.04 MiB
Pagefile Memory (total/avail): 1155.32 MiB / 840.52 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.45 MiB

C: is Fixed (NTFS) - 52.7 GiB total, 39.22 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - TOSHIBA MK6025GAS - 55.89 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 52.7 GiB - C:
\PARTITION1 - Unknown - 3.19 GiB



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbeng9.exe"="C:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbeng9.exe:*:Disabled:Adaptive Server Anywhere Database Engine"
"C:\\Program Files\\WinMagic\\SecureDoc-NT\\SDPin.exe"="C:\\Program Files\\WinMagic\\SecureDoc-NT\\SDPin.exe:*:Enabled:SecureDoc "
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\INTERNET\\Netscape\\Netscape Browser\\netscape.exe"="C:\\INTERNET\\Netscape\\Netscape Browser\\netscape.exe:*:Enabled:Netscape"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Abby Sale\Application Data
ASANY9=C:\Program Files\Sybase\SQL Anywhere 9
ASANYSH9=C:\Program Files\Sybase\shared
AXF41_DMC_TBLPATH=C:\Program Files\Antenna\XSLFormatterV41\base2
AXF41_FONT_CONFIGFILE=C:\Program Files\Antenna\XSLFormatterV41\font-config.xml
AXF41_HOME=C:\Program Files\Antenna\XSLFormatterV41
AXF41_HYPDIC_PATH=C:\Program Files\Antenna\XSLFormatterV41\hyphenation
AXF41_LIC_PATH=C:\Program Files\Antenna\XSLFormatterV41
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MURGATROID
ComSpec=C:\WINDOWS\system32\cmd.exe
Device=C:\WINDOWS\system32\ansi.sys
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Abby Sale
LOGONSERVER=\\MURGATROID
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=c:;C:\Program Files\Antenna\XSLFormatterV41;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Sybase\SQL Anywhere 9;C:\Program Files\Sybase\SQL Anywhere 9\win32;C:\Program Files\Sybase\Shared\Sybase Central 4.3;c:\utils
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ABBYSA~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ABBYSA~1\LOCALS~1\Temp
USERDOMAIN=MURGATROID
USERNAME=Abby Sale
USERPROFILE=C:\Documents and Settings\Abby Sale
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Abby Sale (admin)
tinker (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Professional --> C:\INTERNET\Lavasoft\AD-AWA~1\UNWISE.EXE C:\INTERNET\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
Atheros Wireless LAN MiniPCI card Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{05832D65-6EDB-4D32-BA78-BCD0E2B91C02}\Setup.exe" -l0x9
BCL easyPDF SDK 4.2 --> MsiExec.exe /I{5A0BF4DD-2C81-4AA3-8B5B-814D090D67E7}
Boldon James MasterKeyPlus --> MsiExec.exe /I{E52A3C66-A4AF-4168-9C65-9B60F5EDECDD}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CD/DVD Drive Acoustic Silencer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\Setup.exe" -l0x9
DVD-RAM Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\Setup.exe" DVD-RAM Driver
E-Z Mail --> C:\WINDOWS\uninst.exe -fC:\FTCS\DeIsL2.isu
eRoom 7 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\eRoom 7\Uninst.isu" -c"C:\Program Files\eRoom 7\eRClientUninstall.dll"
Estate Tax Analysis --> C:\PROGRA~1\Impact\NEWYOR~1\ETA\UNWISE.EXE C:\PROGRA~1\Impact\NEWYOR~1\ETA\INSTALL.LOG
Field Technology Contact System --> C:\WINDOWS\EzUninst.exe FTCSDeInstallKey
Field Technology Contact System Workstation - NYL --> MsiExec.exe /I{DBC7F984-25E0-4657-8D78-70AE08356CE5}
Field Technology Desktop --> MsiExec.exe /I{2FC18CE6-4712-4B11-8F3E-842CD21956E3}
Field Technology Illustration System --> C:\Program Files\InstallShield Installation Information\{8AD4DD32-5F5F-450F-BE78-9E692D4A6A76}\setup.exe -runfromtemp -l0x0409
Forté Agent --> C:\INTERNET\Agent\UNWISE.EXE C:\INTERNET\Agent\INSTALL.LOG
Golden Rule Individual Health 10.4 --> MsiExec.exe /I{D8D84D53-3B12-4FBC-815C-99C657BA91C9}
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Hard Disk Recovery Utilities --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Toshiba\Hard Disk Recovery Utilities\Uninst.isu"
HijackThis 2.0.2 --> "C:\Internet\HijackThis\HijackThis.exe" /uninstall
HP Image Zone 4.7 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Photosmart Essential --> MsiExec.exe /X{EB21A812-671B-4D08-B974-2A347F0D8F70}
HP PSC & OfficeJet 4.7 --> "C:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01.exe" -datfile hposcr05.dat
HP Software Update --> MsiExec.exe /X{64FC0C98-B035-4530-B15D-3D30610B6DF1}
Individual Medical v2.4 --> MsiExec.exe /I{899FD494-29A2-4B72-96A5-B12C0131E569}
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
InterVideo WinDVD for Toshiba --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.2_05 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142050}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Macromedia Flash Player 8 --> MsiExec.exe /X{6815FCDD-401D-481E-BA88-31B4754C2B46}
Maxtor OneTouch --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{231F68F4-70E4-41A6-BEDA-7E7934169B54} /l1033
Media Video Codec v1.6 --> C:\Program Files\MediaVideoCodec\Uninstall.exe
Microsoft Office 2000 SR-1 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Small Business Edition 2003 --> MsiExec.exe /I{91CA0409-6000-11D3-8CFE-0150048383C9}
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
MSXML 6.0 Parser --> MsiExec.exe /I{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}
Netscape Browser (remove only) --> "C:\Internet\Netscape\Netscape Browser\NSUninst.exe"
Qualified Plan Distribution Analysis --> C:\PROGRA~1\Impact\NEWYOR~1\QPDA\UNWISE.EXE C:\PROGRA~1\Impact\NEWYOR~1\QPDA\INSTALL.LOG
Quick Estate Planner --> MsiExec.exe /I{83A51E2B-882F-44C2-B02D-A0FF97F0FAAA}
Quicken 2006 --> MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Roxio Burn Engine --> MsiExec.exe /X{9860A9CF-7E71-43AC-888F-0B4D3EA212D1}
SecureDoc Disk Encryption --> MsiExec.exe /I{8C780E40-E8A3-4C74-84A6-5FB9B1AFB459}
SigmaTel AC97 Audio Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7959721D-8268-4565-9E0E-C41A9F4848A9}\setup.exe" -l0x9 -nodialog -uninstall
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
SunGard Expert Solutions NYL Path 4.40.006 --> C:\PROGRA~1\UNINST~1\Safari\440~1.006\UNWISE.EXE C:\PROGRA~1\UNINST~1\Safari\440~1.006\Install.log
Sybase SQL Anywhere 9 Personal Server --> "C:\Program Files\InstallShield Installation Information\{AE88EB3E-75EA-4484-8296-7D1446248A4F}\Setup.exe" -runfromtemp -l0x0009 -uninst -removeonly
Symantec AntiVirus --> MsiExec.exe /I{848AC794-8B81-440A-81AE-6474337DB527}
TOSHIBA Access --> C:\WINDOWS\TOSHIB~2\UNWISE.EXE C:\WINDOWS\TOSHIB~2\INSTALL.LOG
TOSHIBA ConfigFree --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe" -l0x9 UNINSTALL
TOSHIBA Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CF0858D-1AC5-4308-9DE7-AD15288A8BDC}\Setup.exe" -l0x9
TOSHIBA Controls --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Display Devices Change Utility --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\TDspBtn.inf,DefaultUninstall,5
TOSHIBA Fax Extension --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AC200C3-A4C8-401C-A5A8-202BE888B165}\setup.exe"
TOSHIBA Hotkey Utility for Display Devices --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\TFNF5Wxp.inf,DefaultUninstall,5
TOSHIBA Mobile Extension3 for Windows XP V3.65.00.XP --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\TME3\Uninst.isu" -c"C:\Program Files\TOSHIBA\TME3\uninstx.dll"
TOSHIBA PC Diagnostic Tool --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\PCDiag\Uninst.isu"
TOSHIBA Power Saver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\Power Saver\Uninst.isu" -c"C:\WINDOWS\system32\TPSDel.dll"
Toshiba Registration --> MsiExec.exe /X{F6C405D2-C50D-4D10-B89E-73A233A14D74}
TOSHIBA Software Modem --> Tosmreg -U
TOSHIBA Software Upgrades --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{425A2BC2-AA64-4107-9C29-484245BBEA05}\setup.exe"
TOSHIBA Software Upgrades --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F69B66A8-61C9-424C-AFA1-7EC6093AC5AD}\setup.exe"
Toshiba Tbiosdrv Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Toshiba\Toshiba Tbiosdrv Driver\Tbiosdrv.isu"
TOSHIBA TouchPad On/Off Utility V2.05.00 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\TouchED\Uninst.isu" -c"C:\Program Files\TOSHIBA\TouchED\tpedinst.dll"
TOSHIBA Utilities --> tutildel.exe
TOSHIBA Zooming Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{64212898-097F-4F3F-AECA-6D34A7EF82DF}\Setup.exe"
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
USB Storage Adapter FX (MXO) --> MXOun.exe MXOFX
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Wealth Distribution Analysis --> C:\PROGRA~1\Impact\NEWYOR~1\WDA\UNWISE.EXE C:\PROGRA~1\Impact\NEWYOR~1\WDA\INSTALL.LOG
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\WinZip\WINZIP32.EXE" /uninstall
XSL Formatter V4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0393EDA7-888A-4FF4-800F-2984CEA1ECCA}\Setup.exe" -l0x9 uninst


-- Application Event Log -------------------------------------------------------

Event Record #/Type1315 / Error
Event Submitted/Written: 01/04/2008 08:21:48 AM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Threat Found!Threat: Trojan.Zlob in File: C:\Downloads\VideoAccessCodecInstall-1.exe by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Delete succeeded : Access denied. Action Description: The file was deleted successfully.

Event Record #/Type1307 / Error
Event Submitted/Written: 01/03/2008 05:23:12 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application netscape.exe, version 8.1.2.0, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x000106c3.
Processing media-specific event for [netscape.exe!ws!]

Event Record #/Type1298 / Error
Event Submitted/Written: 01/03/2008 03:12:09 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application netscape.exe, version 8.1.2.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1297 / Error
Event Submitted/Written: 01/03/2008 03:12:09 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application netscape.exe, version 8.1.2.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1273 / Error
Event Submitted/Written: 01/03/2008 02:06:25 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application netscape.exe, version 8.1.2.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type6080 / Error
Event Submitted/Written: 01/05/2008 00:04:53 PM
Event ID/Source: 10009 / DCOM
Event Description:
DCOM was unable to communicate with the computer NOMAD using any of the configured
protocols.

Event Record #/Type6079 / Error
Event Submitted/Written: 01/05/2008 11:56:33 AM
Event ID/Source: 10009 / DCOM
Event Description:
DCOM was unable to communicate with the computer NOMAD using any of the configured
protocols.

Event Record #/Type6005 / Warning
Event Submitted/Written: 01/04/2008 09:32:06 PM / 01/04/2008 09:32:07 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type5994 / Error
Event Submitted/Written: 01/04/2008 09:17:16 PM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.

Event Record #/Type5992 / Error
Event Submitted/Written: 01/04/2008 06:29:39 PM
Event ID/Source: 1001 / Dhcp
Event Description:
Your computer was not assigned an address from the network (by the DHCP
Server) for the Network Card with network address 000E3547EF29. The following error
occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2008-01-05 22:51:02 ------------


Out of curiosity, did it run my HijackThis or did it include a copy of its own?
  • 0

#5
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
If you had HijackThis on your PC then it ran that.

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.



Download WinPFind35U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  • Under Rootkit Search on the left change it to Yes
  • Under Additional Scans check the box beside Reg - Disabled MS Config Items.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

Make sure you attach the report in your reply.
  • 0

#6
fjchild

fjchild

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
OK, I'll do all that shortly.

THanks for your continuing interest.

BTW, while I was at it, I ran SpyBot. It said it found Zlob and Smitfraud & a 4 other lesser things like doubleclick. It claimed to have fixed them. I take it it was being optimistic?

I must say I'm disillusioned with the world since I run Ad-Watch and Symantec live-time and was bathed in smugness.
  • 0

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Yes it was being optimistic

Spybot and pretty much all scanners can't remove this infection.

The tools in my previous post will though.
  • 0

#8
fjchild

fjchild

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
ok.

SmitfraudFix run & log follows. My desktop Theme was changed to 'none' (ergo I'm not infected?) but neither the theme nor the actual wallpaper.bmp were actually removed. It's my name, BTW...I reckon it's my computer & should say me instead of Microsoft.

I wasn't sure about your next direction...whether to stop at this point (which seemed the more conservative thing so I did) and post the log or whether to go on with WinPFind35U.exe (which I didn't).

--

SmitFraudFix v2.274

Scan done at 17:31:51.60, Sun 01/06/2008
Run from C:\Documents and Settings\Abby Sale\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{21A9C25E-88EB-41DD-9FF1-F5FA8F4D8685}: DhcpNameServer=24.25.5.150 24.25.5.149
HKLM\SYSTEM\CS1\Services\Tcpip\..\{21A9C25E-88EB-41DD-9FF1-F5FA8F4D8685}: DhcpNameServer=24.25.5.150 24.25.5.149
HKLM\SYSTEM\CS3\Services\Tcpip\..\{21A9C25E-88EB-41DD-9FF1-F5FA8F4D8685}: DhcpNameServer=24.25.5.150 24.25.5.149
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.150 24.25.5.149
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.150 24.25.5.149
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.150 24.25.5.149


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Leave WinPFind3 and run this instead

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#10
fjchild

fjchild

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
There was only main.txt:

Deckard's System Scanner v20071014.68
Run by Abby Sale on 2008-01-06 19:23:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 495 MiB (512 MiB recommended).


-- HijackThis (run as Abby Sale.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:36 PM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe
C:\INTERNET\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Documents and Settings\Abby Sale\Desktop\dss.exe
C:\Internet\HIJACK~1\ABBYSA~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toshibadirect.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: BDEX System - {C2DE4340-CB68-450F-90CD-9BE1A26739D7} - C:\WINDOWS\domnftwmnf.dll
O3 - Toolbar: The emlkdvo - {47906C8A-7A72-45A8-AA59-0CEC20BD3B36} - C:\WINDOWS\emlkdvo.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StartSecurDoc] C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe
O4 - HKLM\..\Run: [AWMON] "C:\INTERNET\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-20 Startup: ConfigureBJMK1.lnk = C:\Program Files\Boldon James\Messaging and Directory\MasterKey\configurebjmk1.exe (User 'NETWORK SERVICE')
O4 - Startup: Microsoft Outlook 2000.lnk = C:\Program Files\Microsoft Office\Office\Outlook.exe
O4 - Startup: TODAYME (autoexec.nt).PIF = C:\Almanac\TODAYME\TODAYME.BAT
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: C:\INTERNET\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {5EF90065-A2C4-4C6D-993E-40EE010EBA3D} (FTWebUtils.Redirecter) - https://www.fts.newy.../FTWebUtils.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193761944346
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: BCL easyPDF SDK Loader (bepprldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Desktop Manager 5.7.712.12266 (GoogleDesktopManager-121207-085209) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

--
End of file - 9026 bytes

-- Files created between 2007-12-06 and 2008-01-06 -----------------------------

2008-01-06 17:30:17 3420 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-05 19:25:03 0 dr-h----- C:\Documents and Settings\Abby Sale\Recent
2008-01-03 22:41:51 0 --a------ C:\Documents and Settings\Abby Sale\LOG
2008-01-03 15:33:56 583 ---h----- C:\fc2tree.dat
2008-01-03 15:31:41 0 d-------- C:\Pictures
2008-01-03 12:13:03 0 d-------- C:\0Backup
2008-01-03 07:54:16 0 d-------- C:\WINDOWS\pss
2008-01-01 12:34:31 0 d-------- C:\Program Files\Common Files\xing shared
2008-01-01 11:29:52 6 --a------ C:\x.bat
2007-12-28 09:39:28 0 d-------- C:\JEWISH
2007-12-28 08:40:35 0 d-------- C:\WINDOWS\Downloaded Installations
2007-12-23 20:51:43 0 d-------- C:\WINDOWS\Sun
2007-12-22 23:42:28 0 d-------- C:\Program Files\Trillian
2007-12-22 14:34:41 0 d-------- C:\Program Files\MediaVideoCodec
2007-12-22 14:33:52 77824 --a------ C:\WINDOWS\fvkwdrt.exe
2007-12-22 14:33:52 278528 --a------ C:\WINDOWS\domnftwmnf.dll <Not Verified; ; domnftwmnf>
2007-12-22 14:33:52 217088 --a------ C:\WINDOWS\alxvdvm.dll <Not Verified; ; alxvdvm>
2007-12-21 04:20:24 0 d-------- C:\00
2007-12-19 17:24:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-12-18 08:31:28 0 d-------- C:\MUSIC
2007-12-17 15:29:54 102364 -----n--- C:\WINDOWS\hpqins13.dat
2007-12-16 20:27:38 0 d-------- C:\Program Files\CCleaner
2007-12-16 19:07:34 1283 --a------ C:\Deltemp.bat
2007-12-16 19:07:34 5124 --a------ C:\Del_Temp_Folders.bat
2007-12-15 20:43:40 0 d-------- C:\Program Files\Dantz
2007-12-15 19:53:43 0 d-------- C:\Program Files\Symantec AntiVirus
2007-12-15 16:52:55 0 d-------- C:\Program Files\Maxtor
2007-12-15 16:34:28 0 d-------- C:\Program Files\AlotNotes
2007-12-15 12:48:51 0 d-------- C:\WINDOWS\Icons
2007-12-15 12:48:51 0 d-------- C:\WINDOWS\Iconmgr
2007-12-15 12:37:04 0 d-------- C:\Program Files\Google
2007-12-15 10:55:14 0 d-------- C:\Program Files\Common Files\HP
2007-12-15 10:33:22 0 d-------- C:\Program Files\Hewlett-Packard
2007-12-15 10:27:33 19696 -----n--- C:\WINDOWS\hpomdl05.dat
2007-12-15 10:27:33 69454 --a------ C:\WINDOWS\hpoins05.dat
2007-12-15 10:14:28 0 d-------- C:\WINDOWS\FontsTc
2007-12-15 10:14:19 0 d-------- C:\WINDOWS\FontsFS-from_Fontsmart
2007-12-15 10:14:15 0 d-------- C:\WINDOWS\FontsAb
2007-12-15 10:14:02 0 d-------- C:\WINDOWS\FONTS_UN
2007-12-15 10:09:39 0 d-------- C:\Viewers
2007-12-15 10:02:25 0 d-------- C:\Almanac
2007-12-14 23:13:38 0 d-------- C:\Tech Stuff
2007-12-14 23:06:56 0 d-------- C:\Skating
2007-12-14 23:06:35 0 d-------- C:\Raleigh
2007-12-14 23:05:15 0 d-------- C:\Purchases
2007-12-14 22:14:47 0 d-------- C:\temp
2007-12-14 22:12:30 0 d-------- C:\Medical - Our
2007-12-14 21:28:25 0 d-------- C:\Tasks (not scheduled)
2007-12-14 17:25:57 0 d-------- C:\Music-New Downloads
2007-12-14 17:24:09 0 d-------- C:\)Changed files
2007-12-14 17:16:32 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2007-12-14 17:16:32 0 dr------- C:\Documents and Settings\LocalService\My Documents
2007-12-14 17:14:45 0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-12-14 17:02:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-14 16:54:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 16:53:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Gtek
2007-12-14 16:53:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-14 16:53:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Retrospect
2007-12-14 16:53:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-14 16:51:46 28672 --a------ C:\Documents and Settings\Abby Sale\atwbxdet.dll <Not Verified; ; atwbxdet Module>
2007-12-14 16:45:25 10 --a------ C:\Documents and Settings\Abby Sale\usb002
2007-12-14 16:45:25 10 --a------ C:\Documents and Settings\Abby Sale\usb
2007-12-14 16:45:25 0 d-------- C:\Documents and Settings\Abby Sale\.jpi_cache
2007-12-14 16:45:25 0 d-------- C:\Documents and Settings\Abby Sale\.java
2007-12-14 16:45:25 0 d-------- C:\Documents and Settings\Abby Sale\.GalleryRemote
2007-12-14 16:45:22 630784 --a------ C:\Documents and Settings\Abby Sale\GoToAssist_chat2way__317_en.exe <Not Verified; Citrix Online; GoToAssist>
2007-12-14 16:45:22 630784 --a------ C:\Documents and Settings\Abby Sale\chatlnk.exe <Not Verified; Citrix Online; GoToAssist>
2007-12-14 15:56:12 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-12-14 15:24:29 57344 --a------ C:\WINDOWS\system32\HPZisn12.dll <Not Verified; HP; HP SNMP Windows>
2007-12-14 15:24:29 94208 --a------ C:\WINDOWS\system32\HPZipt12.dll <Not Verified; HP; HP SNMP Windows>
2007-12-14 15:24:29 204800 --a------ C:\WINDOWS\system32\HPZipr12.dll <Not Verified; HP; HP PmlRtl>
2007-12-14 15:24:29 69632 --a------ C:\WINDOWS\system32\HPZipm12.exe <Not Verified; HP; HP PML>
2007-12-14 15:24:29 61440 --a------ C:\WINDOWS\system32\HPZinw12.exe <Not Verified; HP; HP Dot4Net Windows>
2007-12-14 15:24:29 278584 --a------ C:\WINDOWS\system32\HPZidr12.dll <Not Verified; HP; HP Dot4Rtl>
2007-12-14 15:22:12 0 d-------- C:\Program Files\HP
2007-12-13 17:12:33 0 d-------- C:\GRULE
2007-12-13 15:04:10 0 d-------- C:\Utils
2007-12-13 14:37:31 0 d-------- C:\Program Files\Common Files\BCL Technologies
2007-12-13 14:37:31 0 d-------- C:\Program Files\BCL Technologies
2007-12-13 14:37:15 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-13 12:44:09 0 d-------- C:\Downloads
2007-12-13 11:17:56 0 d-------- C:\Documents and Settings\All Users\Templates
2007-12-12 21:08:44 0 d-------- C:\Documents and Settings\tinker\Application Data\Intuit
2007-12-07 23:40:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-12-07 23:40:00 1359 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2007-12-07 23:30:48 0 d-------- C:\Documents and Settings\NetworkService\Start Menu
2007-12-07 23:22:38 0 d-------- C:\Documents and Settings\tinker\Application Data\Lavasoft
2007-12-07 23:21:42 0 d-------- C:\Documents and Settings\tinker\Application Data\InterVideo
2007-12-07 23:21:42 0 d-------- C:\Documents and Settings\tinker\Application Data\InterTrust
2007-12-07 23:21:42 0 d-------- C:\Documents and Settings\tinker\Application Data\Identities
2007-12-07 23:21:42 0 d-------- C:\Documents and Settings\tinker\Application Data\Adobe
2007-12-07 23:21:41 0 dr-h----- C:\Documents and Settings\tinker\SendTo
2007-12-07 23:21:41 0 dr-h----- C:\Documents and Settings\tinker\Recent
2007-12-07 23:21:41 0 d--h----- C:\Documents and Settings\tinker\PrintHood
2007-12-07 23:21:41 0 d--h----- C:\Documents and Settings\tinker\NetHood
2007-12-07 23:21:41 0 dr------- C:\Documents and Settings\tinker\My Documents
2007-12-07 23:21:41 0 d--h----- C:\Documents and Settings\tinker\Local Settings
2007-12-07 23:21:41 0 dr------- C:\Documents and Settings\tinker\Favorites
2007-12-07 23:21:41 0 d-------- C:\Documents and Settings\tinker\Desktop
2007-12-07 23:21:41 0 d---s---- C:\Documents and Settings\tinker\Cookies
2007-12-07 23:21:41 0 dr-h----- C:\Documents and Settings\tinker\Application Data
2007-12-07 23:21:41 0 d-------- C:\Documents and Settings\tinker\Application Data\toshiba
2007-12-07 23:21:41 0 d-------- C:\Documents and Settings\tinker\Application Data\Symantec
2007-12-07 23:21:41 0 d-------- C:\Documents and Settings\tinker\Application Data\Sun
2007-12-07 23:21:41 0 d-------- C:\Documents and Settings\tinker\Application Data\New York Life
2007-12-07 23:21:41 0 d---s---- C:\Documents and Settings\tinker\Application Data\Microsoft
2007-12-07 23:21:40 0 d-------- C:\Documents and Settings\tinker\WINDOWS
2007-12-07 23:21:40 0 d--h----- C:\Documents and Settings\tinker\Templates
2007-12-07 23:21:40 0 dr------- C:\Documents and Settings\tinker\Start Menu
2007-12-07 23:21:40 1572864 --ah----- C:\Documents and Settings\tinker\NTUSER.DAT
2007-12-07 22:20:16 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Macromedia
2007-12-07 22:20:12 3597 --a------ C:\WINDOWS\mozver.dat
2007-12-07 22:12:20 0 d-------- C:\Program Files\Common Files\Scanner
2007-12-07 22:06:40 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Forte
2007-12-07 21:27:04 0 dr------- C:\Documents and Settings\Abby Sale\Favorites
2007-12-07 21:26:42 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Real
2007-12-07 21:26:42 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Printer Info Cache
2007-12-07 21:26:42 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Nvu
2007-12-07 21:26:27 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Learn2.com
2007-12-07 21:26:26 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\InstallShield
2007-12-07 21:26:25 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Image Zone Express
2007-12-07 21:26:25 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Hewlett-Packard
2007-12-07 21:26:25 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\GTek
2007-12-07 21:26:25 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Google
2007-12-07 21:26:25 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\eRoom
2007-12-07 21:26:25 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Apple Computer
2007-12-07 21:26:24 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Paltalk
2007-12-07 21:26:24 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\IndividualMedical
2007-12-07 21:26:24 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Help
2007-12-07 21:26:23 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Uniblue
2007-12-07 21:26:23 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\RegClean
2007-12-07 13:34:06 0 d-------- C:\Trbck


-- Find3M Report ---------------------------------------------------------------

2008-01-04 13:15:18 0 d-------- C:\Program Files\ltmoh
2008-01-04 08:11:01 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Adobe
2008-01-01 12:34:31 0 d-------- C:\Program Files\Common Files
2008-01-01 12:34:27 0 d-------- C:\Program Files\Common Files\Real
2007-12-15 19:55:08 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-15 19:54:27 0 d-------- C:\Program Files\Symantec
2007-12-15 16:53:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-07 23:32:01 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\AdobeUM
2007-12-07 23:32:00 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Intuit
2007-12-07 23:31:54 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Mozilla
2007-12-07 23:31:52 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\toshiba
2007-12-07 22:49:12 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Netscape
2007-12-07 13:32:05 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Lavasoft
2007-11-14 17:36:43 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Template
2007-11-13 11:23:23 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Sonic


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2DE4340-CB68-450F-90CD-9BE1A26739D7}]
12/22/2007 12:57 PM 278528 --a------ C:\WINDOWS\domnftwmnf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/26/2004 09:03 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/26/2004 09:03 PM]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [08/03/2003 06:01 PM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [10/30/2003 06:46 PM]
"AGRSMMSG"="AGRSMMSG.exe" [02/20/2004 05:00 PM C:\WINDOWS\agrsmmsg.exe]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [06/28/2004 07:24 PM]
"000StTHK"="000StTHK.exe" [06/23/2001 10:28 PM C:\WINDOWS\system32\000StTHK.exe]
"TPSMain"="TPSMain.exe" [06/01/2004 10:43 PM C:\WINDOWS\system32\TPSMain.exe]
"TFNF5"="TFNF5.exe" [12/02/2003 04:15 PM C:\WINDOWS\system32\TFNF5.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [03/02/2004 03:45 PM]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [01/21/2003 08:00 PM]
"NDSTray.exe"="NDSTray.exe" []
"TFncKy"="TFncKy.exe" []
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [03/25/2004 05:36 PM]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [05/26/2004 03:04 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [07/20/2004 03:04 AM]
"StartSecurDoc"="C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe" [06/01/2006 11:55 AM]
"@"="" []
"AWMON"="C:\INTERNET\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [09/16/2004 04:15 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/29/2004 04:44 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [03/12/2004 03:18 PM]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" []
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [09/05/2003 05:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"= shdocvw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
c:\toshiba\ivp\ism\pinger.exe /run


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
AutoRun\command- Z:\INSTALL.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51fe75d1-96c4-11dc-8621-000e7be50164}]
AutoRun\command- E:\setupSNK.exe




-- End of Deckard's System Scanner: finished at 2008-01-06 19:24:05 ------------
  • 0

Advertisements


#11
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: BDEX System - {C2DE4340-CB68-450F-90CD-9BE1A26739D7} - C:\WINDOWS\domnftwmnf.dll
O3 - Toolbar: The emlkdvo - {47906C8A-7A72-45A8-AA59-0CEC20BD3B36} - C:\WINDOWS\emlkdvo.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\x.bat
    C:\Program Files\MediaVideoCodec
    C:\WINDOWS\fvkwdrt.exe
    C:\WINDOWS\domnftwmnf.dll
    C:\WINDOWS\alxvdvm.dll


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.




Reboot and post a new DSS log
  • 0

#12
fjchild

fjchild

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
ok.

1. Good - HJT worked nominally

2. Log below. I think all the cited files are included. It did not close properly, though. Windows told me it closed unexpectedly after running but before actulaay ending. Log file was where it was expected. (BUT, the x.bat was my own I made many years ago. It just has one line - says "exit" - you know, so I don't have to go to all the trouble of typing the extra "xit" to get out of dos shell. I still like dos even though it's harder & harder for me to convince my computer to use it. I'll do whatever you say, though.)
================

C:\x.bat moved successfully.
C:\Program Files\MediaVideoCodec moved successfully.
C:\WINDOWS\fvkwdrt.exe moved successfully.
File/Folder C:\WINDOWS\domnftwmnf.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\alxvdvm.dll
C:\WINDOWS\alxvdvm.dll NOT unregistered.
C:\WINDOWS\alxvdvm.dll moved successfully.

Created on 01/07/2008 14:46:16
=======================

Again, only the single DSS text file.

Deckard's System Scanner v20071014.68
Run by Abby Sale on 2008-01-07 14:52:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 79% (more than 75%).
Total Physical Memory: 495 MiB (512 MiB recommended).


-- HijackThis (run as Abby Sale.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:52:21 PM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe
C:\INTERNET\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Deckard\System Scanner\dss.exe
C:\Internet\HIJACK~1\ABBYSA~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toshibadirect.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StartSecurDoc] C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe
O4 - HKLM\..\Run: [AWMON] "C:\INTERNET\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-20 Startup: ConfigureBJMK1.lnk = C:\Program Files\Boldon James\Messaging and Directory\MasterKey\configurebjmk1.exe (User 'NETWORK SERVICE')
O4 - Startup: Microsoft Outlook 2000.lnk = C:\Program Files\Microsoft Office\Office\Outlook.exe
O4 - Startup: TODAYME (autoexec.nt).PIF = C:\Almanac\TODAYME\TODAYME.BAT
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: C:\INTERNET\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {5EF90065-A2C4-4C6D-993E-40EE010EBA3D} (FTWebUtils.Redirecter) - https://www.fts.newy.../FTWebUtils.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193761944346
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: BCL easyPDF SDK Loader (bepprldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Desktop Manager 5.7.712.12266 (GoogleDesktopManager-121207-085209) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

--
End of file - 8908 bytes

-- Files created between 2007-12-07 and 2008-01-07 -----------------------------

2008-01-06 17:30:17 3420 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-05 19:25:03 0 dr-h----- C:\Documents and Settings\Abby Sale\Recent
2008-01-03 22:41:51 0 --a------ C:\Documents and Settings\Abby Sale\LOG
2008-01-03 15:33:56 583 ---h----- C:\fc2tree.dat
2008-01-03 15:31:41 0 d-------- C:\Pictures
2008-01-03 12:13:03 0 d-------- C:\0Backup
2008-01-03 07:54:16 0 d-------- C:\WINDOWS\pss
2008-01-01 12:34:31 0 d-------- C:\Program Files\Common Files\xing shared
2007-12-28 09:39:28 0 d-------- C:\JEWISH
2007-12-28 08:40:35 0 d-------- C:\WINDOWS\Downloaded Installations
2007-12-23 20:51:43 0 d-------- C:\WINDOWS\Sun
2007-12-22 23:42:28 0 d-------- C:\Program Files\Trillian
2007-12-21 04:20:24 0 d-------- C:\00
2007-12-19 17:24:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-12-18 08:31:28 0 d-------- C:\MUSIC
2007-12-17 15:29:54 102364 -----n--- C:\WINDOWS\hpqins13.dat
2007-12-16 20:27:38 0 d-------- C:\Program Files\CCleaner
2007-12-16 19:07:34 1283 --a------ C:\Deltemp.bat
2007-12-16 19:07:34 5124 --a------ C:\Del_Temp_Folders.bat
2007-12-15 20:43:40 0 d-------- C:\Program Files\Dantz
2007-12-15 19:53:43 0 d-------- C:\Program Files\Symantec AntiVirus
2007-12-15 16:52:55 0 d-------- C:\Program Files\Maxtor
2007-12-15 16:34:28 0 d-------- C:\Program Files\AlotNotes
2007-12-15 12:48:51 0 d-------- C:\WINDOWS\Icons
2007-12-15 12:48:51 0 d-------- C:\WINDOWS\Iconmgr
2007-12-15 12:37:04 0 d-------- C:\Program Files\Google
2007-12-15 10:55:14 0 d-------- C:\Program Files\Common Files\HP
2007-12-15 10:33:22 0 d-------- C:\Program Files\Hewlett-Packard
2007-12-15 10:27:33 19696 -----n--- C:\WINDOWS\hpomdl05.dat
2007-12-15 10:27:33 69454 --a------ C:\WINDOWS\hpoins05.dat
2007-12-15 10:14:28 0 d-------- C:\WINDOWS\FontsTc
2007-12-15 10:14:19 0 d-------- C:\WINDOWS\FontsFS-from_Fontsmart
2007-12-15 10:14:15 0 d-------- C:\WINDOWS\FontsAb
2007-12-15 10:14:02 0 d-------- C:\WINDOWS\FONTS_UN
2007-12-15 10:09:39 0 d-------- C:\Viewers
2007-12-15 10:02:25 0 d-------- C:\Almanac
2007-12-14 23:13:38 0 d-------- C:\Tech Stuff
2007-12-14 23:06:56 0 d-------- C:\Skating
2007-12-14 23:06:35 0 d-------- C:\Raleigh
2007-12-14 23:05:15 0 d-------- C:\Purchases
2007-12-14 22:14:47 0 d-------- C:\temp
2007-12-14 22:12:30 0 d-------- C:\Medical - Our
2007-12-14 21:28:25 0 d-------- C:\Tasks (not scheduled)
2007-12-14 17:25:57 0 d-------- C:\Music-New Downloads
2007-12-14 17:24:09 0 d-------- C:\)Changed files
2007-12-14 17:16:32 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2007-12-14 17:16:32 0 dr------- C:\Documents and Settings\LocalService\My Documents
2007-12-14 17:14:45 0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-12-14 17:02:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-14 16:54:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 16:53:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Gtek
2007-12-14 16:53:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-14 16:53:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Retrospect
2007-12-14 16:53:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-14 16:51:46 28672 --a------ C:\Documents and Settings\Abby Sale\atwbxdet.dll <Not Verified; ; atwbxdet Module>
2007-12-14 16:45:25 10 --a------ C:\Documents and Settings\Abby Sale\usb002
2007-12-14 16:45:25 10 --a------ C:\Documents and Settings\Abby Sale\usb
2007-12-14 16:45:25 0 d-------- C:\Documents and Settings\Abby Sale\.jpi_cache
2007-12-14 16:45:25 0 d-------- C:\Documents and Settings\Abby Sale\.java
2007-12-14 16:45:25 0 d-------- C:\Documents and Settings\Abby Sale\.GalleryRemote
2007-12-14 16:45:22 630784 --a------ C:\Documents and Settings\Abby Sale\GoToAssist_chat2way__317_en.exe <Not Verified; Citrix Online; GoToAssist>
2007-12-14 16:45:22 630784 --a------ C:\Documents and Settings\Abby Sale\chatlnk.exe <Not Verified; Citrix Online; GoToAssist>
2007-12-14 15:56:12 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-12-14 15:24:29 57344 --a------ C:\WINDOWS\system32\HPZisn12.dll <Not Verified; HP; HP SNMP Windows>
2007-12-14 15:24:29 94208 --a------ C:\WINDOWS\system32\HPZipt12.dll <Not Verified; HP; HP SNMP Windows>
2007-12-14 15:24:29 204800 --a------ C:\WINDOWS\system32\HPZipr12.dll <Not Verified; HP; HP PmlRtl>
2007-12-14 15:24:29 69632 --a------ C:\WINDOWS\system32\HPZipm12.exe <Not Verified; HP; HP PML>
2007-12-14 15:24:29 61440 --a------ C:\WINDOWS\system32\HPZinw12.exe <Not Verified; HP; HP Dot4Net Windows>
2007-12-14 15:24:29 278584 --a------ C:\WINDOWS\system32\HPZidr12.dll <Not Verified; HP; HP Dot4Rtl>
2007-12-14 15:22:12 0 d-------- C:\Program Files\HP
2007-12-13 17:12:33 0 d-------- C:\GRULE
2007-12-13 15:04:10 0 d-------- C:\Utils
2007-12-13 14:37:31 0 d-------- C:\Program Files\Common Files\BCL Technologies
2007-12-13 14:37:31 0 d-------- C:\Program Files\BCL Technologies
2007-12-13 14:37:15 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-13 12:44:09 0 d-------- C:\Downloads
2007-12-13 11:17:56 0 d-------- C:\Documents and Settings\All Users\Templates
2007-12-12 21:08:44 0 d-------- C:\Documents and Settings\tinker\Application Data\Intuit
2007-12-07 23:40:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-12-07 23:40:00 1359 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2007-12-07 23:30:48 0 d-------- C:\Documents and Settings\NetworkService\Start Menu
2007-12-07 23:22:38 0 d-------- C:\Documents and Settings\tinker\Application Data\Lavasoft
2007-12-07 23:21:42 0 d-------- C:\Documents and Settings\tinker\Application Data\InterVideo
2007-12-07 23:21:42 0 d-------- C:\Documents and Settings\tinker\Application Data\InterTrust
2007-12-07 23:21:42 0 d-------- C:\Documents and Settings\tinker\Application Data\Identities
2007-12-07 23:21:42 0 d-------- C:\Documents and Settings\tinker\Application Data\Adobe
2007-12-07 23:21:41 0 dr-h----- C:\Documents and Settings\tinker\SendTo
2007-12-07 23:21:41 0 dr-h----- C:\Documents and Settings\tinker\Recent
2007-12-07 23:21:41 0 d--h----- C:\Documents and Settings\tinker\PrintHood
2007-12-07 23:21:41 0 d--h----- C:\Documents and Settings\tinker\NetHood
2007-12-07 23:21:41 0 dr------- C:\Documents and Settings\tinker\My Documents
2007-12-07 23:21:41 0 d--h----- C:\Documents and Settings\tinker\Local Settings
2007-12-07 23:21:41 0 dr------- C:\Documents and Settings\tinker\Favorites
2007-12-07 23:21:41 0 d-------- C:\Documents and Settings\tinker\Desktop
2007-12-07 23:21:41 0 d---s---- C:\Documents and Settings\tinker\Cookies
2007-12-07 23:21:41 0 dr-h----- C:\Documents and Settings\tinker\Application Data
2007-12-07 23:21:41 0 d-------- C:\Documents and Settings\tinker\Application Data\toshiba
2007-12-07 23:21:41 0 d-------- C:\Documents and Settings\tinker\Application Data\Symantec
2007-12-07 23:21:41 0 d-------- C:\Documents and Settings\tinker\Application Data\Sun
2007-12-07 23:21:41 0 d-------- C:\Documents and Settings\tinker\Application Data\New York Life
2007-12-07 23:21:41 0 d---s---- C:\Documents and Settings\tinker\Application Data\Microsoft
2007-12-07 23:21:40 0 d-------- C:\Documents and Settings\tinker\WINDOWS
2007-12-07 23:21:40 0 d--h----- C:\Documents and Settings\tinker\Templates
2007-12-07 23:21:40 0 dr------- C:\Documents and Settings\tinker\Start Menu
2007-12-07 23:21:40 1572864 --ah----- C:\Documents and Settings\tinker\NTUSER.DAT
2007-12-07 22:20:16 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Macromedia
2007-12-07 22:20:12 3597 --a------ C:\WINDOWS\mozver.dat
2007-12-07 22:12:20 0 d-------- C:\Program Files\Common Files\Scanner
2007-12-07 22:06:40 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Forte
2007-12-07 21:27:04 0 dr------- C:\Documents and Settings\Abby Sale\Favorites
2007-12-07 21:26:42 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Real
2007-12-07 21:26:42 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Printer Info Cache
2007-12-07 21:26:42 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Nvu
2007-12-07 21:26:27 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Learn2.com
2007-12-07 21:26:26 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\InstallShield
2007-12-07 21:26:25 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Image Zone Express
2007-12-07 21:26:25 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Hewlett-Packard
2007-12-07 21:26:25 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\GTek
2007-12-07 21:26:25 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Google
2007-12-07 21:26:25 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\eRoom
2007-12-07 21:26:25 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Apple Computer
2007-12-07 21:26:24 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Paltalk
2007-12-07 21:26:24 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\IndividualMedical
2007-12-07 21:26:24 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Help
2007-12-07 21:26:23 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Uniblue
2007-12-07 21:26:23 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\RegClean
2007-12-07 13:34:06 0 d-------- C:\Trbck


-- Find3M Report ---------------------------------------------------------------

2008-01-04 13:15:18 0 d-------- C:\Program Files\ltmoh
2008-01-04 08:11:01 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Adobe
2008-01-01 12:34:31 0 d-------- C:\Program Files\Common Files
2008-01-01 12:34:27 0 d-------- C:\Program Files\Common Files\Real
2007-12-15 19:55:08 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-15 19:54:27 0 d-------- C:\Program Files\Symantec
2007-12-15 16:53:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-07 23:32:01 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\AdobeUM
2007-12-07 23:32:00 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Intuit
2007-12-07 23:31:54 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Mozilla
2007-12-07 23:31:52 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\toshiba
2007-12-07 22:49:12 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Netscape
2007-12-07 13:32:05 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Lavasoft
2007-11-14 17:36:43 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Template
2007-11-13 11:23:23 0 d-------- C:\Documents and Settings\Abby Sale\Application Data\Sonic


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/26/2004 09:03 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/26/2004 09:03 PM]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [08/03/2003 06:01 PM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [10/30/2003 06:46 PM]
"AGRSMMSG"="AGRSMMSG.exe" [02/20/2004 05:00 PM C:\WINDOWS\agrsmmsg.exe]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [06/28/2004 07:24 PM]
"000StTHK"="000StTHK.exe" [06/23/2001 10:28 PM C:\WINDOWS\system32\000StTHK.exe]
"TPSMain"="TPSMain.exe" [06/01/2004 10:43 PM C:\WINDOWS\system32\TPSMain.exe]
"TFNF5"="TFNF5.exe" [12/02/2003 04:15 PM C:\WINDOWS\system32\TFNF5.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [03/02/2004 03:45 PM]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [01/21/2003 08:00 PM]
"NDSTray.exe"="NDSTray.exe" []
"TFncKy"="TFncKy.exe" []
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [03/25/2004 05:36 PM]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [05/26/2004 03:04 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [07/20/2004 03:04 AM]
"StartSecurDoc"="C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe" [06/01/2006 11:55 AM]
"@"="" []
"AWMON"="C:\INTERNET\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [09/16/2004 04:15 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/29/2004 04:44 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [03/12/2004 03:18 PM]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" []
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [09/05/2003 05:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"= shdocvw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
c:\toshiba\ivp\ism\pinger.exe /run


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
AutoRun\command- Z:\INSTALL.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51fe75d1-96c4-11dc-8621-000e7be50164}]
AutoRun\command- E:\setupSNK.exe




-- End of Deckard's System Scanner: finished at 2008-01-07 14:52:45 ------------
  • 0

#13
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

(BUT, the x.bat was my own I made many years ago.

Oh sorry about that, it has the same name as some malware so I thought it was bad ! If you look in the folder C:\OTMoveIt, it should be there if you want to restore it.



Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



Also tell me how your PC is running
  • 0

#14
fjchild

fjchild

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
:-) It took a while...

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/07/2008 at 09:45 PM

Application Version : 3.9.1008

Core Rules Database Version : 3375
Trace Rules Database Version: 1369

Scan type : Complete Scan
Total Scan Time : 04:33:43

Memory items scanned : 482
Memory threats detected : 0
Registry items scanned : 10104
Registry threats detected : 9
File items scanned : 254770
File threats detected : 16

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{47906C8A-7A72-45A8-AA59-0CEC20BD3B36}
HKCR\CLSID\{47906C8A-7A72-45A8-AA59-0CEC20BD3B36}
HKCR\CLSID\{47906C8A-7A72-45A8-AA59-0CEC20BD3B36}
HKCR\CLSID\{47906C8A-7A72-45A8-AA59-0CEC20BD3B36}\InprocServer32
HKCR\CLSID\{47906C8A-7A72-45A8-AA59-0CEC20BD3B36}\InprocServer32#ThreadingModel
HKCR\CLSID\{47906C8A-7A72-45A8-AA59-0CEC20BD3B36}\ProgID
HKCR\CLSID\{47906C8A-7A72-45A8-AA59-0CEC20BD3B36}\Programmable
HKCR\CLSID\{47906C8A-7A72-45A8-AA59-0CEC20BD3B36}\TypeLib
HKCR\CLSID\{47906C8A-7A72-45A8-AA59-0CEC20BD3B36}\VersionIndependentProgID
C:\WINDOWS\EMLKDVO.DLL

Adware.Tracking Cookie
C:\DOCUME~1\ABBYSA~1\LOCALS~1\Temp\Cookies\abby [email protected][2].txt
C:\DOCUME~1\ABBYSA~1\LOCALS~1\Temp\Cookies\abby [email protected][1].txt
C:\DOCUME~1\ABBYSA~1\LOCALS~1\Temp\Cookies\abby [email protected][2].txt
C:\DOCUME~1\ABBYSA~1\LOCALS~1\Temp\Cookies\abby [email protected][2].txt
C:\Documents and Settings\Abby Sale\Local Settings\Temp\Cookies\abby [email protected][2].txt
C:\Documents and Settings\Abby Sale\Local Settings\Temp\Cookies\abby [email protected][2].txt
C:\Documents and Settings\Abby Sale\Local Settings\Temp\Cookies\abby [email protected][1].txt

Trojan.Net-MSV/VPS-Variant
C:\INTERNET\HIJACKTHIS\BACKUPS\BACKUP-20080107-144214-276.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8757DFC-B13B-4D50-96A8-B02FC8E57CC9}\RP43\A0030212.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8757DFC-B13B-4D50-96A8-B02FC8E57CC9}\RP56\A0040410.DLL

Trojan.Unclassified/EMLKDVO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8757DFC-B13B-4D50-96A8-B02FC8E57CC9}\RP43\A0030210.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8757DFC-B13B-4D50-96A8-B02FC8E57CC9}\RP56\A0040298.DLL

Uncategorized Application
C:\UTILS\SED\SED.EXE
E:\TOSHIBA TECRA 10-21-07\---UTILS\----UTILS\SED\SED.EXE

Trojan.Net-ALX/NMC
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\ALXVDVM.DLL


That
Uncategorized Application
C:\UTILS\SED\SED.EXE
E:\TOSHIBA TECRA 10-21-07\---UTILS\----UTILS\SED\SED.EXE

is a very old dos graphic editor. I unchecked it.

Also tell me how your PC is running


Fine, thank you.

Understand, I never actually had any problem except periodically the verdamte doubleclick & fastclick. And sometimes Netscape closes unexpectedly.

I just saw this zlob thingy and it seemed odd.

There was one other odd thing. I haven't been able to set the home/default page in IE. It remains toshibadirect.com no matter what I do. I usually use Netscape so I didn't think much of it until SUPERAntiSpyware offered to control the default. I entered the page I've used in the past but on sevderal tries (& just now) SUPERAntiSpyware could not make the change. I don't know if it's related or just Toshiba funning with me.

Edited by fjchild, 07 January 2008 - 10:17 PM.

  • 0

#15
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

I haven't been able to set the home/default page in IE. It remains toshibadirect.com no matter what I do.

Let me know if this fixes it


1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toshibadirect.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Then go into Internet Explorer and set whatever home page you want. Reboot your PC and see if that works.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP