Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

ANTIVIRUSXP08 [RESOLVED]

Started by susan spencer , Jun 29 2008 09:56 PM

This topic is locked

#1
susan spencer

Posted 29 June 2008 - 09:56 PM

Member

Member
33 posts

Hello. I was able to temporarily arrest this virus by getting to system restore thru msconfig. The desktop was flashing very bright blue and warnings of registry changes and warnings of infection alerts were popping up one after another. I got off the internet immediately. If I didn't know to do that, it basically disallows your manuevering your computer. After that, I ran several scans but only AVG found virus. Luckily I had AVG as others did not have a clue such as Spybot, Defender, and AdAware. Even the clock was changed. Today I saw on this site all the posts, so realized that it was pretty widespread. What was rather surprising was how diligent I have been on updating and scanning, etc. and still got onto my system. Anyway, ran Deckard's and Hijack This and posted below. I really would appreciate feedback on if my system still is affected or not. Thank you

for your help!Deckard's System Scanner v20071014.68Run by 007 on 2008-06-29 14:15:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
112: 2008-06-29 21:15:38 UTC - RP414 - Deckard's System Scanner Restore Point
111: 2008-06-29 06:12:42 UTC - RP413 - Software Distribution Service 3.0
110: 2008-06-29 02:24:05 UTC - RP412 - Restore Operation
109: 2008-06-28 16:32:38 UTC - RP411 - System Checkpoint
108: 2008-06-27 09:52:40 UTC - RP410 - System Checkpoint

-- First Restore Point --
1: 2008-04-01 02:43:14 UTC - RP303 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 503 MiB (512 MiB recommended).

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-29 14:17:18
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Reflection\rtsserv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\TouchPad\TPTray.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\SM1bg.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Toshiba\Touch and Launch\PadExe.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Toshiba\E-KEY\CeEKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\agrsmmsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Toshiba\Accessibility\FnKeyHook.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Google\ggviewer81-19.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\007\Local Settings\Temporary Internet Files\Content.IE5\83SUFCYF\dss[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo....erify2?&.src=ym
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O15 - Trusted Zone: https://update.microsoft.com (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.micr...heckControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123994580265
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1182142679812
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_05) - http://sdlc-esd.sun....ows-i586-jc.cab
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine) - http://office.micros...ntent/opuc4.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) - http://java.sun.com/...indows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay10...ex/HMAtchmt.ocx
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: YGBSPPTF - Unknown owner - C:\DOCUME~1\007\LOCALS~1\Temp\YGBSPPTF.exe
O24 - Desktop Component 0: - file:///C:/DOCUME~1/007/LOCALS~1/Temp/msohtml1/01/clip_image002.gif

--
End of file - 10751 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R1 SerTVOutCtlr (TOSHIBA Controls Driver -EPIOMngr) - c:\windows\system32\drivers\epiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 SrvcEKIOMngr - c:\windows\system32\drivers\ekiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 SrvcSSIOMngr - c:\windows\system32\drivers\ssiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 Tosrfcom (Bluetooth RFCOMM from TOSHIBA) - c:\windows\system32\drivers\tosrfcom.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFCOMM Driver>
R1 TPwSav (Common Driver) - c:\windows\system32\drivers\tpwsav.sys <Not Verified; TOSHIBA; >
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.6.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 tosporte (Bluetooth Port Driver from Toshiba) - c:\windows\system32\drivers\tosporte.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth Port Emulation Driver>
R3 Tvs (Toshiba Virtual Sound with SRS technologies) - c:\windows\system32\drivers\tvs.sys <Not Verified; TOSHIBA Corporation; Audio Filter>

S1 StickyMesger - c:\program files\toshiba\accessibility\stickymesger.sys (file missing)
S3 toshidpt (TOSHIBA Bluetooth HID port driver) - c:\windows\system32\drivers\toshidpt.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Bluetooth HID Mini Port Driver>
S3 Tosrfbd (Bluetooth RFBUS from TOSHIBA) - c:\windows\system32\drivers\tosrfbd.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth BUS Driver(WindowsXP,Windows2000)>
S3 Tosrfbnp (Bluetooth RFBNEP from TOSHIBA) - c:\windows\system32\drivers\tosrfbnp.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFBNEP Driver from TOSHIBA>
S3 tosrfec (Bluetooth ACPI from TOSHIBA) - c:\windows\system32\drivers\tosrfec.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth EC Driver>
S3 Tosrfhid (Bluetooth RFHID from TOSHIBA) - c:\windows\system32\drivers\tosrfhid.sys <Not Verified; TOSHIBA Corporation.; Bluetooth HID Driver from TOSHIBA>
S3 tosrfnds (Bluetooth Personal Area Network from TOSHIBA) - c:\windows\system32\drivers\tosrfnds.sys <Not Verified; TOSHIBA Corporation.; Bluetooth BNEP Driver from TOSHIBA>
S3 TosRfSnd (Bluetooth Audio Device (WDM) from TOSHIBA) - c:\windows\system32\drivers\tosrfsnd.sys <Not Verified; TOSHIBA Corporation; Bluetooth Audio Driver>
S3 Tosrfusb (Bluetooth USB Controller) - c:\windows\system32\drivers\tosrfusb.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth USB Miniport Driver(Windows2000,WindowsXP)>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 Reflection TimeSync - "c:\program files\reflection\rtsserv.exe" <Not Verified; WRQ, Inc.; Reflection TimeSync>
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 Swupdtmr - c:\toshiba\ivp\swupdate\swupdtmr.exe

S3 YGBSPPTF - c:\docume~1\007\locals~1\temp\ygbspptf.exe (file missing)

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-06-29 14:03:21 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2005-08-13 12:09:55 258 -----n--- C:\WINDOWS\Tasks\Registration reminder 3.job

-- Files created between 2008-05-29 and 2008-06-29 -----------------------------

2008-06-24 20:52:13 8445952 --a------ C:\Documents and Settings\007\ntuser.dat

-- Find3M Report ---------------------------------------------------------------

2008-06-28 19:38:06 0 d-------- C:\Program Files\SpywareBlaster
2008-05-29 21:02:55 0 d-------- C:\Program Files\Real
2008-05-23 19:29:11 0 d-------- C:\Program Files\Messenger
2008-05-23 19:21:30 0 d-------- C:\Program Files\Windows NT
2008-05-23 19:21:24 0 d-------- C:\Program Files\Movie Maker
2008-05-23 19:02:46 0 d-------- C:\Program Files\Windows SteadyState
2008-05-10 11:49:05 0 d-------- C:\Program Files\Java
2008-05-08 20:02:52 0 d-------- C:\Program Files\Google
2008-05-08 20:02:52 0 d-------- C:\Documents and Settings\007\Application Data\Google
2008-05-01 19:34:02 0 d-------- C:\Program Files\AVG
2008-04-13 17:12:36 7680 --a------ C:\WINDOWS\system32\spdwnwxp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoomingHook"="ZoomingHook.exe" [04/30/2004 11:03 PM C:\WINDOWS\system32\ZoomingHook.exe]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [04/05/2005 04:25 PM]
"TPSMain"="TPSMain.exe" [12/28/2004 04:02 PM C:\WINDOWS\system32\TPSMain.exe]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [11/29/2004 09:06 PM]
"TFncKy"="TFncKy.exe" []
"TCtryIOHook"="TCtrlIOHook.exe" [05/01/2004 02:03 PM C:\WINDOWS\system32\TCtrlIOHook.exe]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [02/25/2005 03:59 PM]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [04/15/2005 04:51 PM]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [08/27/2003 02:20 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/23/2005 02:49 PM]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [03/17/2005 04:37 PM]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [09/07/2004 02:03 PM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [10/15/2004 11:27 AM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [11/01/2004 06:03 PM]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [04/20/2005 08:38 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [11/01/2004 05:59 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [01/14/2005 01:05 AM]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [04/28/2005 08:08 PM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [03/23/2004 10:40 PM]
"AGRSMMSG"="AGRSMMSG.exe" [04/12/2005 04:17 PM C:\WINDOWS\agrsmmsg.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/08/2007 04:24 PM]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [06/03/2002 11:38 AM]
"TOSHIBA Accessibility"="C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe" [02/22/2005 01:51 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 08:20 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [05/12/2004 04:18 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [12/30/2004 12:32 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 12:43 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2/19/2006 4:21:22 AM]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [5/23/2005 1:39:00 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B9E618A2-A4FE-11D4-83C2-005004636C96}"= C:\Program Files\Metamail Inc\Metamail Reader\OESHook.dll [04/26/2005 03:26 PM 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 10/15/2004 11:27 AM 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= :\WINDOW

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8792 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-06-29 14:18:25 ------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.86GHz
Percentage of Memory in Use: 74%
Physical Memory (total/avail): 502.42 MiB / 130.54 MiB
Pagefile Memory (total/avail): 1226.88 MiB / 717.02 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1912.67 MiB

C: is Fixed (NTFS) - 92.97 GiB total, 23.11 GiB free.
D: is CDROM (No Media)
G: is Removable (FAT)

\\.\PHYSICALDRIVE0 - TOSHIBA MK1032GAX - 92.97 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 92.97 GiB - C:

\\.\PHYSICALDRIVE1 - LEXAR JUMPDRIVE SPORT USB Device - 117.66 MiB - 1 partition
\PARTITION0 - 16-bit FAT - 123.48 MiB - G:

-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\007\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TOSHIBA-USER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
GETMODEL=Satellite M55
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\007
LOGONSERVER=\\TOSHIBA-USER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\AVG\AVG8
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\007\LOCALS~1\Temp
TMP=C:\DOCUME~1\007\LOCALS~1\Temp
USERDOMAIN=TOSHIBA-USER
USERNAME=007
USERPROFILE=C:\Documents and Settings\007
VERNUM=PSM50U-02Q01K6
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

007 (admin)
Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\system32\UninstIPP.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
ArcSoft PhotoBase 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1D14C0D-FDAA-4DF2-8441-A902805CCE8C}\setup.exe" -l0x9 -uninst
ArcSoft PhotoStudio 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{03F1CC67-5BD8-4C36-8394-76311B2AE69A}\setup.exe" -l0x9 -uninst
ArcSoft Software Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BA561482-C49D-4687-A61C-96236C1688F0}\Setup.exe" -l0x9
AT&T Connection Services Manager --> C:\WINDOWS\WNBackup\WnClient62\unwise32.exe /Z /U C:\WINDOWS\WNBackup\WnClient62\install.log "AT&T Connection Services Manager"
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Canon CanoScan Toolbox 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BCE46757-7674-4416-BEDB-68205A60409E}\setup.exe" -l0x9 anything
CD/DVD Drive Acoustic Silencer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\Setup.exe" -l0x9
Cypress USB Mass Storage Driver Installation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0695EE-ED29-4D96-BD77-2A9A17EDF0D6}\Setup.exe" -l0x9 NotFirstInstall
DVD-RAM Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\setup.exe" -l0x9 DVD-RAM Driver
Foxit Reader --> C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Google Deskbar --> regsvr32 /u /s "C:\PROGRA~1\Google\GGTASK~1.DLL"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
HP Imaging Device Functions 7.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart and Deskjet 7.0.A --> C:\Program Files\HP\Digital Imaging\{A9F5421F-DA70-4C77-BB97-8D77EC33ED5E}\setup\hpzscr01.exe -datfile hposcr09.dat
HP Print Diagnostic Utility --> MsiExec.exe /I{1619669F-516F-4E60-9B6F-837EFE21307A}
HP Product Detection --> MsiExec.exe /X{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
HP Solution Center 7.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update --> MsiExec.exe /X{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}
Intel® Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
InterVideo WinDVD Creator 2 --> "C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
InterVideo WinDVD for TOSHIBA --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150010}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Manual CanoScan LiDE 50 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A2C726E9-C3A0-4850-82C7-5D01FE0E4EB8}\setup.exe" -l0x9
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHelp --> MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Excel Add-in for SQL Server Analysis Services --> MsiExec.exe /I{75E8EA7A-A2C1-4AEF-A2B9-E2F74C0C0298}
Microsoft Office Excel Viewer 2003 --> MsiExec.exe /I{90840409-6000-11D3-8CFE-0150048383C9}
Microsoft Office PowerPoint 2003 Template Creation Wizard --> MsiExec.exe /I{39B1915D-3CBA-42F8-8A58-2AB5587BF863}
Microsoft Office PowerPoint 2003 Template Pack 3 --> MsiExec.exe /I{90AD0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office PowerPoint Viewer 2003 --> MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Sounds --> MsiExec.exe /I{10CE1EA2-12E9-11D3-825E-00C04F6843FE}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Outlook Personal Folders Backup --> MsiExec.exe /X{C63E7C60-25EB-11D3-8EDA-00A0C911E8E5}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA --> MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\007\Application Data\Move Networks\ie_bin\Uninst.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Napster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBBCAE4B-B416-4182-A6F2-438180894A81}\setup.exe" -l0x9 AddRemoveCPRun
Notebook Maximizer --> C:\WINDOWS\iun6002.exe "C:\Program Files\Notebook Maximizer\irunin.ini"
OCR Software by I.R.I.S 7.0 --> C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
OmniPage SE --> MsiExec.exe /I{6249C22D-E6A8-407B-BA8B-40298848ED94}
overland --> MsiExec.exe /I{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}
PasswordTools --> C:\Program Files\PasswordTools\unsetup.exe /u
Quicken 2005 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2DBE41DD-2129-4C65-A3D3-5647236A60F3} anything
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Reflection for HP with NS/VT 9.0.3 --> MsiExec.exe /I{0E8949A1-CBBA-4AF6-B209-1C060164755E}
Roxio Burn Engine --> MsiExec.exe /X{9860A9CF-7E71-43AC-888F-0B4D3EA212D1}
sat_screensaver_30mb --> C:\WINDOWS\sat_screensaver_30mb.scr /U
SD Secure Module --> MsiExec.exe /X{C45F4811-31D5-4786-801D-F79CD06EDD85}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Texas Instruments PCIxx21/x515 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F47B2DF8-35EC-4B51-B5F2-0E03EF5F51DA} /l1033
TOSHIBA Accessibility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{3A57482F-BEBC-47E4-ADA1-6302403C7E50} /l1033
TOSHIBA Assist --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\Setup.exe" -l0x9
TOSHIBA Controls --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5BCA8D15-BCB6-421E-9654-238B43456A4F} /l1033
TOSHIBA Fn-esse --> C:\WINDOWS\UnInst32.exe Fn-esse.UNI
TOSHIBA Hardware Setup --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5279374D-87FE-4879-9385-F17278EBB9D3} /l1033
TOSHIBA Hotkey Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7900D3A6-A9E8-4954-ACCB-AB15867978BF} /l1033
TOSHIBA PC Diagnostic Tool --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\PCDiag\Uninst.isu"
TOSHIBA Power Saver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A38D57D1-5F29-4691-B3DD-FE4B3A7B3AFE} /l1033
Toshiba Registration and Metamail Trust Architecture --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BE3F89C0-42D5-11D5-A40A-00105AC8331A}\Setup.exe" -l0x9
TOSHIBA SD Memory Card Format --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}\Setup.exe"
TOSHIBA Software Modem --> Tosmreg -U
TOSHIBA Software Upgrades --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{425A2BC2-AA64-4107-9C29-484245BBEA05}\setup.exe"
TOSHIBA Speech System Applications --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}\Setup.exe" -l0x9
TOSHIBA Speech System SR Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{008D69EB-70FF-46AB-9C75-924620DF191A}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Speech System TTS Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}\Setup.exe" -l0x9
TOSHIBA Supervisor Password --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE} /l1033
Toshiba Tbiosdrv Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Toshiba\Toshiba Tbiosdrv Driver\Tbiosdrv.isu"
TOSHIBA Virtual Sound --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B12BA86-ADAC-4BA6-B441-FFC591087252}\Setup.exe" /uninstall
TOSHIBA Zooming Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{02EED746-8C5A-43C8-BB3D-D29C8B363A4D} /l1033
Touch and Launch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D96E2B1-D9AC-46E0-9073-425C5F63E338}\Setup.exe"
TouchPad On/Off Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{80977342-27E8-4FF7-8B6A-D8D89461DA7F} /l1033
USB Storage Adapter FX (SM1) --> SM1UN.EXE SM1FX_AT
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
XML Paper Specification Shared Components Pack 1.0 -->

-- Application Event Log -------------------------------------------------------

Event Record #/Type23748 / Warning
Event Submitted/Written: 06/29/2008 01:58:53 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type23743 / Warning
Event Submitted/Written: 06/29/2008 01:54:12 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type23738 / Warning
Event Submitted/Written: 06/28/2008 07:24:42 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type23737 / Error
Event Submitted/Written: 06/28/2008 07:12:39 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application rhcvkkj0erbr.exe, version 0.0.0.0, faulting module rhcvkkj0erbr.exe, version 0.0.0.0, fault address 0x00044019.
Processing media-specific event for [rhcvkkj0erbr.exe!ws!]

Event Record #/Type23736 / Error
Event Submitted/Written: 06/28/2008 07:09:31 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application rhcvkkj0erbr.exe, version 0.0.0.0, faulting module rhcvkkj0erbr.exe, version 0.0.0.0, fault address 0x00044019.
Processing media-specific event for [rhcvkkj0erbr.exe!ws!]

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type151381 / Error
Event Submitted/Written: 06/27/2008 10:35:16 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Upload Manager service failed to start due to the following error:
%%1079

Event Record #/Type151091 / Error
Event Submitted/Written: 06/27/2008 08:06:32 AM
Event ID/Source: 2505 / Server
Event Description:
The server could not bind to the transport \Device\NetBT_Tcpip_{0B39D138-880D-41DC-821A-907A52A6B1D6} because another computer on the network has the same name. The server could not start.

Event Record #/Type149543 / Error
Event Submitted/Written: 06/27/2008 07:21:45 AM
Event ID/Source: 1000 / Dhcp
Event Description:
Your computer has lost the lease to its IP address 172.16.1.33 on the
Network Card with network address 0012F0C00FDF.

Event Record #/Type149542 / Warning
Event Submitted/Written: 06/27/2008 07:21:45 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0012F0C00FDF. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type149442 / Error
Event Submitted/Written: 06/23/2008 11:28:02 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Upload Manager service failed to start due to the following error:
%%1079

-- End of Deckard's System Scanner: finished at 2008-06-29 14:18:25 ------------

TREND MICRO HIJACK THIS LOG 062908

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:39 PM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Reflection\rtsserv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\ggviewer81-19.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo....erify2?&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 255.255.00
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\M

#2
greyknight17

Posted 30 June 2008 - 07:02 PM

Malware Expert

Visiting Consultant
16,560 posts

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O23 - Service: YGBSPPTF - Unknown owner - C:\DOCUME~1\007\LOCALS~1\Temp\YGBSPPTF.exe
O24 - Desktop Component 0: - file:///C:/DOCUME~1/007/LOCALS~1/Temp/msohtml1/01/clip_image002.gif

1. Download combofix at http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

#3
susan spencer

Posted 30 June 2008 - 09:18 PM

Member

Topic Starter
Member
33 posts

Greyknight17:
Thank you for your response. I have posted combofix log below. PS Since I posted have had 20 plus Sybot S& D warnings of malicious websites and CWS.smartsearch.z. Thank you for your assistance!

ComboFix 08-06-20.4 - 007 2008-06-30 20:04:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.182 [GMT -7:00]
Running from: C:\Documents and Settings\007\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\J1Hmjc.syz
C:\WINDOWS\system32\QWI0Ro.syz

.
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-06-29 14:57 . 2008-06-29 15:01 4,298 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-29 14:56 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-29 14:56 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-29 14:56 . 2008-06-23 23:34 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-06-29 14:56 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-29 14:56 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-29 14:55 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-29 14:55 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-29 14:55 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-29 14:55 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-29 14:15 . 2008-06-29 14:15 <DIR> d-------- C:\Deckard
2008-06-10 22:43 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 01:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-01 01:48 --------- d-----w C:\Program Files\SpywareBlaster
2008-06-30 04:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-30 04:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-30 04:02 --------- d-----w C:\Program Files\Real
2008-05-24 02:02 --------- d-----w C:\Program Files\Windows SteadyState
2008-05-10 18:49 --------- d-----w C:\Program Files\Java
2008-05-09 03:02 --------- d-----w C:\Program Files\Google
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-02 02:34 96,520 ------w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-02 02:34 75,272 ------w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-02 02:34 10,520 ------w C:\WINDOWS\system32\avgrsstx.dll
2008-05-02 02:34 --------- d-----w C:\Program Files\AVG
2008-05-02 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-05-02 01:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 00:12 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
2007-12-27 00:06 1,658 ------w C:\Documents and Settings\007\Application Data\wklnhst.dat
2007-07-31 20:06 622,928 ------w C:\Documents and Settings\Spybot - Search & Destroy\Tools.dll
2007-05-23 20:13 693,848 ------w C:\Documents and Settings\Spybot - Search & Destroy\advcheck.dll
2005-08-14 02:34 12,635 ------w C:\Documents and Settings\Spybot - Search & Destroy\unins000.dat
2005-08-14 02:33 649,378 ------w C:\Documents and Settings\Spybot - Search & Destroy\unins000.exe
2005-05-31 08:04 853,672 ------w C:\Documents and Settings\Spybot - Search & Destroy\SDHelper.dll
2005-05-31 08:04 47,256 ------w C:\Documents and Settings\Spybot - Search & Destroy\blindman.exe
2005-05-31 08:04 417,408 ------w C:\Documents and Settings\Spybot - Search & Destroy\Update.exe
2005-05-31 08:04 4,393,096 ------w C:\Documents and Settings\Spybot - Search & Destroy\SpybotSD.exe
2005-05-31 08:04 28,672 ------w C:\Documents and Settings\Spybot - Search & Destroy\aports.dll
2005-05-31 08:04 22,528 ------w C:\Documents and Settings\Spybot - Search & Destroy\borlndmm.dll
2005-05-31 08:04 15,872 ------w C:\Documents and Settings\Spybot - Search & Destroy\delphimm.dll
2005-05-31 08:04 139,776 ------w C:\Documents and Settings\Spybot - Search & Destroy\ZipDll.dll
2005-05-31 08:04 122,368 ------w C:\Documents and Settings\Spybot - Search & Destroy\UnzDll.dll
2005-05-31 08:04 1,415,824 ------w C:\Documents and Settings\Spybot - Search & Destroy\TeaTimer.exe
2003-08-27 21:19 36,963 ------r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 00:32 65536]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoomingHook"="ZoomingHook.exe" [2004-04-30 23:03 24576 C:\WINDOWS\system32\ZoomingHook.exe]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 16:25 73728]
"TPSMain"="TPSMain.exe" [2004-12-28 16:02 270336 C:\WINDOWS\system32\TPSMain.exe]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-11-29 21:06 53248]
"TFncKy"="TFncKy.exe" []
"TCtryIOHook"="TCtrlIOHook.exe" [2004-05-01 14:03 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2005-02-25 15:59 65536]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 16:51 122880]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-23 14:49 98304]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 16:37 151552]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 14:03 1077301]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27 385024]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-01 18:03 155648]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2005-04-20 20:38 28672]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-01 17:59 126976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-01-14 01:05 122939]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-04-28 20:08 675840]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 22:40 196608]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 16:17 88358 C:\WINDOWS\agrsmmsg.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38 49152]
"TOSHIBA Accessibility"="C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe" [2005-02-22 13:51 24576]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 16:18 241664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-05-23 13:39:00 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B9E618A2-A4FE-11D4-83C2-005004636C96}"= C:\Program Files\Metamail Inc\Metamail Reader\OESHook.dll [2005-04-26 15:26 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\system32\\sessmgr.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-01 19:34]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-01 19:34]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-01 19:34]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-01 19:34]
S3 EHW;EHW;C:\DOCUME~1\007\LOCALS~1\Temp\EHW.exe []
S4 YGBSPPTF;YGBSPPTF;C:\DOCUME~1\007\LOCALS~1\Temp\YGBSPPTF.exe []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-01 02:58:13 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2005-08-13 19:09:55 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 20:08:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-30 20:09:32
ComboFix-quarantined-files.txt 2008-07-01 03:09:27

Pre-Run: 24,639,442,944 bytes free
Post-Run: 24,635,252,736 bytes free

144 --- E O F --- 2008-06-22 04:37:37

#4
greyknight17

Posted 30 June 2008 - 09:22 PM

Malware Expert

Visiting Consultant
16,560 posts

Download CWShredder at http://www.intermute...r_download.html and run it. Click on the I Agree button. Click on Fix and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan. When it's done, click on Next and then Exit.

Download and install SUPERAntiSpyware at http://www.superanti...ANTISPYWAREFREE

- Run SUPERAntiSpyware and click the Check for Updates button.
- Once the update has finished, click the Scan your Computer button.
- Click on Perform Complete Scan and then click Next.
- SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
- Make sure that they all have a check next to them, and then click Next.
- Click Finish and you will be taken back to the main interface.
- It could be possible that it will ask you to reboot your computer in order to delete some files.
- I'll need a log afterwards of what has been found.
- To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
- Please post the results of the SUPERAntiSpyware log file in your next reply.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

KILLALL::
Driver::
EHW
YGBSPPTF

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is it running so far?

#5
susan spencer

Posted 30 June 2008 - 11:44 PM

Member

Topic Starter
Member
33 posts

Greyknight17:
Ran CW Shredder-nothing found
Downloaded and ran Superantispyware;Spybot S&D came up before update:Detected an important registry entry changed. I selected Denied. Also, winlog on notifiers value added !SA SWIN LOGON. Ran scan. Had hard time dragging CFScript.txt into combofix.exe as it kept asking if I was wanting to run it and that it was mispelt! "appears to be incorrectly misspelt". So not sure it got in scan. I selected OK. Tried also Xing out of window-nothing worked. Then got two warnings while trying to drag file that registry changed. I selected OK twice and hope that wasn't horrible at this point as I didn't want that to be the reason it wouldn't run. Log below. Hopefully I included logs and did not duplicate one. Thank you for your help!
ComboFix 08-06-20.4 - 007 2008-06-30 22:18:55.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.202 [GMT -7:00]
Running from: C:\Documents and Settings\007\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-06-30 21:01 . 2008-06-30 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-30 21:00 . 2008-06-30 21:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-30 21:00 . 2008-06-30 21:00 <DIR> d-------- C:\Documents and Settings\007\Application Data\SUPERAntiSpyware.com
2008-06-29 14:57 . 2008-06-29 15:01 4,298 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-29 14:56 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-29 14:56 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-29 14:56 . 2008-06-23 23:34 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-06-29 14:56 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-29 14:56 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-29 14:55 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-29 14:55 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-29 14:55 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-29 14:55 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-29 14:15 . 2008-06-29 14:15 <DIR> d-------- C:\Deckard
2008-06-10 22:43 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 03:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-01 01:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-01 01:48 --------- d-----w C:\Program Files\SpywareBlaster
2008-06-30 04:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-30 04:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-30 04:02 --------- d-----w C:\Program Files\Real
2008-05-24 02:02 --------- d-----w C:\Program Files\Windows SteadyState
2008-05-10 18:49 --------- d-----w C:\Program Files\Java
2008-05-09 03:02 --------- d-----w C:\Program Files\Google
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-02 02:34 96,520 ------w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-02 02:34 75,272 ------w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-02 02:34 10,520 ------w C:\WINDOWS\system32\avgrsstx.dll
2008-05-02 02:34 --------- d-----w C:\Program Files\AVG
2008-05-02 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-05-02 01:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 00:12 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
2007-12-27 00:06 1,658 ------w C:\Documents and Settings\007\Application Data\wklnhst.dat
2007-07-31 20:06 622,928 ------w C:\Documents and Settings\Spybot - Search & Destroy\Tools.dll
2007-05-23 20:13 693,848 ------w C:\Documents and Settings\Spybot - Search & Destroy\advcheck.dll
2005-08-14 02:34 12,635 ------w C:\Documents and Settings\Spybot - Search & Destroy\unins000.dat
2005-08-14 02:33 649,378 ------w C:\Documents and Settings\Spybot - Search & Destroy\unins000.exe
2005-05-31 08:04 853,672 ------w C:\Documents and Settings\Spybot - Search & Destroy\SDHelper.dll
2005-05-31 08:04 47,256 ------w C:\Documents and Settings\Spybot - Search & Destroy\blindman.exe
2005-05-31 08:04 417,408 ------w C:\Documents and Settings\Spybot - Search & Destroy\Update.exe
2005-05-31 08:04 4,393,096 ------w C:\Documents and Settings\Spybot - Search & Destroy\SpybotSD.exe
2005-05-31 08:04 28,672 ------w C:\Documents and Settings\Spybot - Search & Destroy\aports.dll
2005-05-31 08:04 22,528 ------w C:\Documents and Settings\Spybot - Search & Destroy\borlndmm.dll
2005-05-31 08:04 15,872 ------w C:\Documents and Settings\Spybot - Search & Destroy\delphimm.dll
2005-05-31 08:04 139,776 ------w C:\Documents and Settings\Spybot - Search & Destroy\ZipDll.dll
2005-05-31 08:04 122,368 ------w C:\Documents and Settings\Spybot - Search & Destroy\UnzDll.dll
2005-05-31 08:04 1,415,824 ------w C:\Documents and Settings\Spybot - Search & Destroy\TeaTimer.exe
2003-08-27 21:19 36,963 ------r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-30_20.09.07.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-01 02:54:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-01 05:02:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 00:32 65536]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoomingHook"="ZoomingHook.exe" [2004-04-30 23:03 24576 C:\WINDOWS\system32\ZoomingHook.exe]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 16:25 73728]
"TPSMain"="TPSMain.exe" [2004-12-28 16:02 270336 C:\WINDOWS\system32\TPSMain.exe]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-11-29 21:06 53248]
"TFncKy"="TFncKy.exe" []
"TCtryIOHook"="TCtrlIOHook.exe" [2004-05-01 14:03 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2005-02-25 15:59 65536]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 16:51 122880]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-23 14:49 98304]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 16:37 151552]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 14:03 1077301]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27 385024]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-01 18:03 155648]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2005-04-20 20:38 28672]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-01 17:59 126976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-01-14 01:05 122939]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-04-28 20:08 675840]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 22:40 196608]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 16:17 88358 C:\WINDOWS\agrsmmsg.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38 49152]
"TOSHIBA Accessibility"="C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe" [2005-02-22 13:51 24576]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 16:18 241664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-05-23 13:39:00 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B9E618A2-A4FE-11D4-83C2-005004636C96}"= C:\Program Files\Metamail Inc\Metamail Reader\OESHook.dll [2005-04-26 15:26 45056]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\system32\\sessmgr.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-01 19:34]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-01 19:34]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-01 19:34]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-01 19:34]
S3 EHW;EHW;C:\DOCUME~1\007\LOCALS~1\Temp\EHW.exe []
S4 YGBSPPTF;YGBSPPTF;C:\DOCUME~1\007\LOCALS~1\Temp\YGBSPPTF.exe []

.
Contents of the 'Scheduled Tasks' folder
"2008-07-01 05:05:29 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2005-08-13 19:09:55 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 22:23:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-30 22:24:35
ComboFix-quarantined-files.txt 2008-07-01 05:24:28
ComboFix2.txt 2008-07-01 03:09:33

Pre-Run: 24,558,452,736 bytes free
Post-Run: 24,555,388,928 bytes free

148 --- E O F --- 2008-06-22 04:37:37

#6
greyknight17

Posted 01 July 2008 - 06:42 PM

Malware Expert

Visiting Consultant
16,560 posts

Disable Spybot's TeaTimer protection. It's interfering with the fixes. To do this go to Spybot->Mode->Advanced Mode. Then click on Tools->Resident and uncheck the option for Resident TeaTimer. Try running the steps again.

Did SUPERAntiSpyware find anything?

#7
susan spencer

Posted 01 July 2008 - 08:26 PM

Member

Topic Starter
Member
33 posts

Hello,
Spybot S & D with both Resident fields unchecked will not run combofix. Same response of being mispelt.
SuperAntispyware found the following and quarantined. Please let me know what needs to be done. Thank you.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/30/2008 at 09:55 PM

Application Version : 4.15.1000

Core Rules Database Version : 3494
Trace Rules Database Version: 1485

Scan type : Complete Scan
Total Scan Time : 00:51:55

Memory items scanned : 486
Memory threats detected : 0
Registry items scanned : 6083
Registry threats detected : 0
File items scanned : 30816
File threats detected : 1

NotHarmful.Sysinternals Bluescreen Screen Saver
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6B96539B-CC03-4380-BCB2-4E715303BB07}\RP412\A0033427.SCR

Edited by susan spencer, 01 July 2008 - 08:29 PM.

#8
greyknight17

Posted 02 July 2008 - 06:27 PM

Malware Expert

Visiting Consultant
16,560 posts

Download Malwarebytes ' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

See if that helps. Run Combofix again. If that doesn't do the trick, uninstall Spybot and try to run combofix again. If you still can't run it, delete Combofix and then download it again. This time, save it as CFsusan spencer.exe instead of combofix.exe. Try running it now.

#9
susan spencer

Posted 02 July 2008 - 06:43 PM

Member

Topic Starter
Member
33 posts

Greyknight17:
Thank you for your email. Before I begin, did you see email sent to you with update on Spybot S & D allowing Combofix? Do you still suggust following latest email just sent? Please advise. Thank you.

#10
greyknight17

Posted 02 July 2008 - 06:56 PM

Malware Expert

Visiting Consultant
16,560 posts

Must have overlooked that....if you can allow it, leave it alone. Let it run...

#11
susan spencer

Posted 02 July 2008 - 07:21 PM

Member

Topic Starter
Member
33 posts

From your post, I understood to let Spybot run without Register checked. I have therefore posted log done last night. Please advise. Thank you.

ComboFix 08-06-30.2 - 007 2008-07-01 22:01:42.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.152 [GMT -7:00]
Running from: C:\Documents and Settings\007\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\007\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-06-30 21:01 . 2008-06-30 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-30 21:00 . 2008-06-30 21:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-30 21:00 . 2008-06-30 21:00 <DIR> d-------- C:\Documents and Settings\007\Application Data\SUPERAntiSpyware.com
2008-06-29 14:57 . 2008-06-29 15:01 4,298 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-29 14:56 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-29 14:56 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-29 14:56 . 2008-06-23 23:34 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-06-29 14:56 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-29 14:56 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-29 14:55 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-29 14:55 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-29 14:55 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-29 14:55 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-29 14:15 . 2008-06-29 14:15 <DIR> d-------- C:\Deckard
2008-06-10 22:43 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 03:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-01 01:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-01 01:48 --------- d-----w C:\Program Files\SpywareBlaster
2008-06-30 04:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-30 04:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-30 04:02 --------- d-----w C:\Program Files\Real
2008-05-24 02:02 --------- d-----w C:\Program Files\Windows SteadyState
2008-05-10 18:49 --------- d-----w C:\Program Files\Java
2008-05-09 03:02 --------- d-----w C:\Program Files\Google
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-02 02:34 96,520 ------w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-02 02:34 75,272 ------w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-02 02:34 10,520 ------w C:\WINDOWS\system32\avgrsstx.dll
2008-05-02 02:34 --------- d-----w C:\Program Files\AVG
2008-05-02 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-05-02 01:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 00:12 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
2007-12-27 00:06 1,658 ------w C:\Documents and Settings\007\Application Data\wklnhst.dat
2007-07-31 20:06 622,928 ------w C:\Documents and Settings\Spybot - Search & Destroy\Tools.dll
2007-05-23 20:13 693,848 ------w C:\Documents and Settings\Spybot - Search & Destroy\advcheck.dll
2005-08-14 02:34 12,635 ------w C:\Documents and Settings\Spybot - Search & Destroy\unins000.dat
2005-08-14 02:33 649,378 ------w C:\Documents and Settings\Spybot - Search & Destroy\unins000.exe
2005-05-31 08:04 853,672 ------w C:\Documents and Settings\Spybot - Search & Destroy\SDHelper.dll
2005-05-31 08:04 47,256 ------w C:\Documents and Settings\Spybot - Search & Destroy\blindman.exe
2005-05-31 08:04 417,408 ------w C:\Documents and Settings\Spybot - Search & Destroy\Update.exe
2005-05-31 08:04 4,393,096 ------w C:\Documents and Settings\Spybot - Search & Destroy\SpybotSD.exe
2005-05-31 08:04 28,672 ------w C:\Documents and Settings\Spybot - Search & Destroy\aports.dll
2005-05-31 08:04 22,528 ------w C:\Documents and Settings\Spybot - Search & Destroy\borlndmm.dll
2005-05-31 08:04 15,872 ------w C:\Documents and Settings\Spybot - Search & Destroy\delphimm.dll
2005-05-31 08:04 139,776 ------w C:\Documents and Settings\Spybot - Search & Destroy\ZipDll.dll
2005-05-31 08:04 122,368 ------w C:\Documents and Settings\Spybot - Search & Destroy\UnzDll.dll
2005-05-31 08:04 1,415,824 ------w C:\Documents and Settings\Spybot - Search & Destroy\TeaTimer.exe
2003-08-27 21:19 36,963 ------r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-30_20.09.07.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-01 02:54:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-01 14:41:25 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 00:32 65536]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 16:25 73728]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-11-29 21:06 53248]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2005-02-25 15:59 65536]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 16:51 122880]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-23 14:49 98304]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 16:37 151552]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 14:03 1077301]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27 385024]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-01 18:03 155648]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2005-04-20 20:38 28672]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-01 17:59 126976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-01-14 01:05 122939]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-04-28 20:08 675840]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 22:40 196608]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38 49152]
"TOSHIBA Accessibility"="C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe" [2005-02-22 13:51 24576]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 16:18 241664]
"ZoomingHook"="ZoomingHook.exe" [2004-04-30 23:03 24576 C:\WINDOWS\system32\ZoomingHook.exe]
"TPSMain"="TPSMain.exe" [2004-12-28 16:02 270336 C:\WINDOWS\system32\TPSMain.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2004-05-01 14:03 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 16:17 88358 C:\WINDOWS\agrsmmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-05-23 13:39:00 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{B9E618A2-A4FE-11D4-83C2-005004636C96}"= "C:\Program Files\Metamail Inc\Metamail Reader\OESHook.dll" [2005-04-26 15:26 45056]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 11:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\system32\\sessmgr.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-01 19:34]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-01 19:34]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-01 19:34]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-01 19:34]
S3 EHW;EHW;C:\DOCUME~1\007\LOCALS~1\Temp\EHW.exe []
S4 YGBSPPTF;YGBSPPTF;C:\DOCUME~1\007\LOCALS~1\Temp\YGBSPPTF.exe []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-01 14:44:49 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2005-08-13 19:09:55 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-TFncKy - TFncKy.exe
Notify-dimsntfy - (no file)
MSConfigStartUp-= - (no file)

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 22:05:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-01 22:07:52
ComboFix-quarantined-files.txt 2008-07-02 05:07:42
ComboFix2.txt 2008-07-01 05:24:36
ComboFix3.txt 2008-07-01 03:09:33

Pre-Run: 24,541,155,328 bytes free
Post-Run: 24,571,580,416 bytes free

154 --- E O F --- 2008-06-22 04:37:37

#12
greyknight17

Posted 04 July 2008 - 01:04 PM

Malware Expert

Visiting Consultant
16,560 posts

Did Spybot asked you if you want to allow some changes take effect? Disable Spybot's TeaTimer protection as it may interfere with the fixes. To do this go to Spybot->Mode->Advanced Mode. Then click on Tools->Resident and uncheck the option for Resident TeaTimer. Drag the CFScript.txt file into Combofix again and post the new log here.

#13
susan spencer

Posted 04 July 2008 - 02:51 PM

Member

Topic Starter
Member
33 posts

Greyknight17:
Thank you for your email. Yes, Spybot asked if I wanted to allow changes. I just tried your instruction for unchecking Teatimer only and it would not work. I went back and unchecked Resident which unchecked both strings and it ran. I have log attached below. For some reason my wireless connection is continuously cutting out during this time. ComboFix 08-06-30.2 - 007 2008-07-04 13:41:33.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.119 [GMT -7:00]
Running from: C:\Documents and Settings\007\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\007\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
.

2008-06-30 21:01 . 2008-06-30 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-30 21:00 . 2008-06-30 21:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-30 21:00 . 2008-06-30 21:00 <DIR> d-------- C:\Documents and Settings\007\Application Data\SUPERAntiSpyware.com
2008-06-29 14:57 . 2008-06-29 15:01 4,298 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-29 14:56 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-29 14:56 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-29 14:56 . 2008-06-23 23:34 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-06-29 14:56 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-29 14:56 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-29 14:55 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-29 14:55 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-29 14:55 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-29 14:55 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-29 14:15 . 2008-06-29 14:15 <DIR> d-------- C:\Deckard
2008-06-10 22:43 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 16:34 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-03 16:34 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-03 16:34 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-01 03:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-01 01:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-01 01:48 --------- d-----w C:\Program Files\SpywareBlaster
2008-06-30 04:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-30 04:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-30 04:02 --------- d-----w C:\Program Files\Real
2008-05-24 02:02 --------- d-----w C:\Program Files\Windows SteadyState
2008-05-10 18:49 --------- d-----w C:\Program Files\Java
2008-05-09 03:02 --------- d-----w C:\Program Files\Google
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 00:12 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
2007-12-27 00:06 1,658 ------w C:\Documents and Settings\007\Application Data\wklnhst.dat
2007-07-31 20:06 622,928 ------w C:\Documents and Settings\Spybot - Search & Destroy\Tools.dll
2007-05-23 20:13 693,848 ------w C:\Documents and Settings\Spybot - Search & Destroy\advcheck.dll
2005-08-14 02:34 12,635 ------w C:\Documents and Settings\Spybot - Search & Destroy\unins000.dat
2005-08-14 02:33 649,378 ------w C:\Documents and Settings\Spybot - Search & Destroy\unins000.exe
2005-05-31 08:04 853,672 ------w C:\Documents and Settings\Spybot - Search & Destroy\SDHelper.dll
2005-05-31 08:04 47,256 ------w C:\Documents and Settings\Spybot - Search & Destroy\blindman.exe
2005-05-31 08:04 417,408 ------w C:\Documents and Settings\Spybot - Search & Destroy\Update.exe
2005-05-31 08:04 4,393,096 ------w C:\Documents and Settings\Spybot - Search & Destroy\SpybotSD.exe
2005-05-31 08:04 28,672 ------w C:\Documents and Settings\Spybot - Search & Destroy\aports.dll
2005-05-31 08:04 22,528 ------w C:\Documents and Settings\Spybot - Search & Destroy\borlndmm.dll
2005-05-31 08:04 15,872 ------w C:\Documents and Settings\Spybot - Search & Destroy\delphimm.dll
2005-05-31 08:04 139,776 ------w C:\Documents and Settings\Spybot - Search & Destroy\ZipDll.dll
2005-05-31 08:04 122,368 ------w C:\Documents and Settings\Spybot - Search & Destroy\UnzDll.dll
2005-05-31 08:04 1,415,824 ------w C:\Documents and Settings\Spybot - Search & Destroy\TeaTimer.exe
2003-08-27 21:19 36,963 ------r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-30_20.09.07.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-01 02:54:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-04 00:49:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-02 02:34:39 26,184 ------w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-07-03 16:34:10 26,824 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 00:32 65536]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 16:25 73728]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-11-29 21:06 53248]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2005-02-25 15:59 65536]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 16:51 122880]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-23 14:49 98304]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 16:37 151552]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 14:03 1077301]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27 385024]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-01 18:03 155648]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2005-04-20 20:38 28672]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-01 17:59 126976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-01-14 01:05 122939]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-04-28 20:08 675840]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 22:40 196608]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38 49152]
"TOSHIBA Accessibility"="C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe" [2005-02-22 13:51 24576]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 16:18 241664]
"ZoomingHook"="ZoomingHook.exe" [2004-04-30 23:03 24576 C:\WINDOWS\system32\ZoomingHook.exe]
"TPSMain"="TPSMain.exe" [2004-12-28 16:02 270336 C:\WINDOWS\system32\TPSMain.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2004-05-01 14:03 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 16:17 88358 C:\WINDOWS\agrsmmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-05-23 13:39:00 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{B9E618A2-A4FE-11D4-83C2-005004636C96}"= "C:\Program Files\Metamail Inc\Metamail Reader\OESHook.dll" [2005-04-26 15:26 45056]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 11:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\system32\\sessmgr.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-03 09:34]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-03 09:34]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-03 09:34]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-03 09:34]
S3 EHW;EHW;C:\DOCUME~1\007\LOCALS~1\Temp\EHW.exe []
S4 YGBSPPTF;YGBSPPTF;C:\DOCUME~1\007\LOCALS~1\Temp\YGBSPPTF.exe []

.
Contents of the 'Scheduled Tasks' folder
"2008-07-04 00:52:46 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2005-08-13 19:09:55 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-= - (no file)

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 13:44:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\TEMP\TMP000000EC8C6847FF11E53426

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-07-04 13:46:05
ComboFix-quarantined-files.txt 2008-07-04 20:45:56
ComboFix2.txt 2008-07-04 20:39:42
ComboFix3.txt 2008-07-02 05:07:53
ComboFix4.txt 2008-07-01 05:24:36
ComboFix5.txt 2008-07-01 03:09:33

Pre-Run: 24,444,624,896 bytes free
Post-Run: 24,429,428,736 bytes free

155 --- E O F --- 2008-07-04 17:17:16

#14
greyknight17

Posted 05 July 2008 - 05:13 PM

Malware Expert

Visiting Consultant
16,560 posts

Download The Avenger at http://swandog46.gee...r2/download.php and save it to your Desktop. Unzip/extract the file contents. Double click on avenger.exe to run it. Click OK to agree. Copy all of the text in the below textbox by highlighting it and then pressing Ctrl + C.

Files to delete:
C:\WINDOWS\TEMP\TMP000000EC8C6847FF11E53426
Folders to delete:
C:\WINDOWS\TEMP\TMP000000EC8C6847FF11E53426
Drivers to delete:
EHW
YGBSPPTF

Go back to the avenger window and click on the third button on top (Paste Script from Clipboard).

- Click the Execute button.
- You will be asked Are you sure you want to execute the current script?
- Click Yes.
- You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?
- Click Yes.
- Your PC will now be rebooted.
- Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation. If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
- After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
- Post this log, along with a new HijackThis log in your next reply.

Run Combofix by double clicking on it and post a new log here.

What problems are still remaining now (if any)?

#15
susan spencer

Posted 05 July 2008 - 09:07 PM

Member

Topic Starter
Member
33 posts

Hello. Thank you for your help. Here are the logs. I hope that infection has cleared. Would appreciated knowing:
1. If you feel infection has cleared or not?
2. As result of last few days getting continuous Internet Explorer cannot display webpage-loses wireless connection. Does this have to do with a setting change or result of virus? Many times I check wireless connection on system and it is not disabled yet IE cannot display webpage. There are times that it is disabled but not always.
3. System will surge like it is running a scan. I will check Task Mgr. and software not running. Don't know what this relates to.
4. Is it possible to display a system's error log or logs to know where glitch might be?
5. I do not have recovery console installed that has come up over and again during these scans? Is this something that needs to be installed?

Here are logs:

ComboFix 08-06-30.2 - 007 2008-07-05 19:39:02.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.191 [GMT -7:00]
Running from: C:\Documents and Settings\007\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-06 to 2008-07-06 )))))))))))))))))))))))))))))))
.

2008-06-30 21:01 . 2008-06-30 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-30 21:00 . 2008-06-30 21:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-30 21:00 . 2008-06-30 21:00 <DIR> d-------- C:\Documents and Settings\007\Application Data\SUPERAntiSpyware.com
2008-06-29 14:57 . 2008-06-29 15:01 4,298 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-29 14:56 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-29 14:56 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-29 14:56 . 2008-06-23 23:34 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-06-29 14:56 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-29 14:56 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-29 14:55 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-29 14:55 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-29 14:55 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-29 14:55 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-29 14:15 . 2008-06-29 14:15 <DIR> d-------- C:\Deckard
2008-06-10 22:43 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 16:34 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-03 16:34 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-03 16:34 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-01 03:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-01 01:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-01 01:48 --------- d-----w C:\Program Files\SpywareBlaster
2008-06-30 04:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-30 04:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-30 04:02 --------- d-----w C:\Program Files\Real
2008-05-24 02:02 --------- d-----w C:\Program Files\Windows SteadyState
2008-05-10 18:49 --------- d-----w C:\Program Files\Java
2008-05-09 03:02 --------- d-----w C:\Program Files\Google
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 00:12 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
2007-12-27 00:06 1,658 ------w C:\Documents and Settings\007\Application Data\wklnhst.dat
2007-07-31 20:06 622,928 ------w C:\Documents and Settings\Spybot - Search & Destroy\Tools.dll
2007-05-23 20:13 693,848 ------w C:\Documents and Settings\Spybot - Search & Destroy\advcheck.dll
2005-08-14 02:34 12,635 ------w C:\Documents and Settings\Spybot - Search & Destroy\unins000.dat
2005-08-14 02:33 649,378 ------w C:\Documents and Settings\Spybot - Search & Destroy\unins000.exe
2005-05-31 08:04 853,672 ------w C:\Documents and Settings\Spybot - Search & Destroy\SDHelper.dll
2005-05-31 08:04 47,256 ------w C:\Documents and Settings\Spybot - Search & Destroy\blindman.exe
2005-05-31 08:04 417,408 ------w C:\Documents and Settings\Spybot - Search & Destroy\Update.exe
2005-05-31 08:04 4,393,096 ------w C:\Documents and Settings\Spybot - Search & Destroy\SpybotSD.exe
2005-05-31 08:04 28,672 ------w C:\Documents and Settings\Spybot - Search & Destroy\aports.dll
2005-05-31 08:04 22,528 ------w C:\Documents and Settings\Spybot - Search & Destroy\borlndmm.dll
2005-05-31 08:04 15,872 ------w C:\Documents and Settings\Spybot - Search & Destroy\delphimm.dll
2005-05-31 08:04 139,776 ------w C:\Documents and Settings\Spybot - Search & Destroy\ZipDll.dll
2005-05-31 08:04 122,368 ------w C:\Documents and Settings\Spybot - Search & Destroy\UnzDll.dll
2005-05-31 08:04 1,415,824 ------w C:\Documents and Settings\Spybot - Search & Destroy\TeaTimer.exe
2003-08-27 21:19 36,963 ------r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-30_20.09.07.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-01 02:54:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-06 02:26:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-02 02:34:39 26,184 ------w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-07-03 16:34:10 26,824 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 00:32 65536]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 16:25 73728]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-11-29 21:06 53248]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2005-02-25 15:59 65536]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 16:51 122880]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-23 14:49 98304]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 16:37 151552]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 14:03 1077301]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27 385024]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-01 18:03 155648]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2005-04-20 20:38 28672]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-01 17:59 126976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-01-14 01:05 122939]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-04-28 20:08 675840]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 22:40 196608]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38 49152]
"TOSHIBA Accessibility"="C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe" [2005-02-22 13:51 24576]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 16:18 241664]
"ZoomingHook"="ZoomingHook.exe" [2004-04-30 23:03 24576 C:\WINDOWS\system32\ZoomingHook.exe]
"TPSMain"="TPSMain.exe" [2004-12-28 16:02 270336 C:\WINDOWS\system32\TPSMain.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2004-05-01 14:03 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 16:17 88358 C:\WINDOWS\agrsmmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-05-23 13:39:00 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{B9E618A2-A4FE-11D4-83C2-005004636C96}"= "C:\Program Files\Metamail Inc\Metamail Reader\OESHook.dll" [2005-04-26 15:26 45056]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 11:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\system32\\sessmgr.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-03 09:34]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-03 09:34]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-03 09:34]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-03 09:34]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-06 02:30:50 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2005-08-13 19:09:55 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-= - (no file)

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 19:43:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...
New Combofix log:
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-05 19:45:32
ComboFix-quarantined-files.txt 2008-07-06 02:45:21
ComboFix2.txt 2008-07-04 20:46:07
ComboFix3.txt 2008-07-04 20:39:42
ComboFix4.txt 2008-07-02 05:07:53
ComboFix5.txt 2008-07-01 05:24:36

Pre-Run: 24,312,287,232 bytes free
Post-Run: 24,443,232,256 bytes free

151 --- E O F --- 2008-07-04 17:17:16

Avenger:
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Error: file "C:\WINDOWS\TEMP\TMP000000EC8C6847FF11E53426" not found!
Deletion of file "C:\WINDOWS\TEMP\TMP000000EC8C6847FF11E53426" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: folder "C:\WINDOWS\TEMP\TMP000000EC8C6847FF11E53426" not found!
Deletion of folder "C:\WINDOWS\TEMP\TMP000000EC8C6847FF11E53426" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "EHW" deleted successfully.
Driver "YGBSPPTF" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Hijack This:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:56:42 PM, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Reflection\rtsserv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Google\ggviewer81-19.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo....erify2?&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 255.255.00
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123994580265
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1182142679812
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay10...ex/HMAtchmt.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

--
End of file - 8714 bytes