Malware problems... [RESOLVED]


This topic is locked.

#1 Xenu (New Member, 7 posts)

So I'm working on a customer's computer, which is infected like mad with all kinds of bad things. I feel like I've gotten most of it out, with the cost of some insignificant programs that I can replace, but I've hit a few snags.

There's something persistent that I can't find, that keeps showing popups, and now Spybot S&D doesn't load... the updater works but the actual program doesn't really load at all.

I've made a HijackThis log, and hopefully with your help I can get to the bottom of this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:58 AM, on 7/20/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [bcfb23bc] rundll32.exe "C:\WINDOWS\System32\koffnkfp.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BMbfc81020] Rundll32.exe "C:\WINDOWS\System32\uoqsotec.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [SpybotDeletingB3174] command /c del "C:\Program Files\Zango\bin\10.0.370.0\arrow.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingD213] cmd /c del "C:\Program Files\Zango\bin\10.0.370.0\arrow.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6547] command /c del "C:\Program Files\Zango\bin\10.0.370.0\copyright.txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3708] cmd /c del "C:\Program Files\Zango\bin\10.0.370.0\copyright.txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4446] command /c del "C:\Program Files\Zango\bin\10.0.370.0\link.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5353] cmd /c del "C:\Program Files\Zango\bin\10.0.370.0\link.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7395] command /c del "C:\Program Files\Zango\bin\10.0.370.0\firefox\extensions\components\npclntax.xpt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7074] cmd /c del "C:\Program Files\Zango\bin\10.0.370.0\firefox\extensions\components\npclntax.xpt"
O4 - HKCU\..\RunOnce: [SpybotDeletingB532] command /c del "C:\Program Files\Outerinfo\Terms.rtf"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6611] cmd /c del "C:\Program Files\Outerinfo\Terms.rtf"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3116] command /c del "C:\Program Files\Outerinfo\FF\install.rdf"
O4 - HKCU\..\RunOnce: [SpybotDeletingD34] cmd /c del "C:\Program Files\Outerinfo\FF\install.rdf"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5220] command /c del "C:\Program Files\Outerinfo\FF\components\FF.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6507] cmd /c del "C:\Program Files\Outerinfo\FF\components\FF.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9821] command /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1833] cmd /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5818] command /c del "C:\Program Files\Zango\bin\10.0.370.0\OEAddOn.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7031] cmd /c del "C:\Program Files\Zango\bin\10.0.370.0\OEAddOn.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9506] command /c del "C:\Program Files\Zango\bin\10.0.370.0\ZangoSA.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6169] cmd /c del "C:\Program Files\Zango\bin\10.0.370.0\ZangoSA.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2815] command /c del "C:\WINDOWS\system32\pmkhi.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1197] cmd /c del "C:\WINDOWS\system32\pmkhi.dll"
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/21cb1fc920b791492606/netzip/RdxIE601.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat,C:\WINDOWS\System32\iasnap32.dll
O20 - Winlogon Notify: bcfb2313372 - C:\WINDOWS\System32\iasnap32.dll
O20 - Winlogon Notify: gebbyaw - gebbyaw.dll (file missing)
O20 - Winlogon Notify: __c00BAD43 - C:\WINDOWS\System32\__c00BAD43.dat (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7790 bytes

If you can tell me what looks suspicious in here, and why Spybot decided to give up on life, I'd be extremely gracious.

Edited by Xenu, 21 July 2008 - 12:51 AM.

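The question at the end of this post (what in the log looks suspicious) is one a small triage script can answer systematically. The Python below is an added example, not a tool from this thread and not part of HijackThis: it applies a handful of persistence-focused heuristics to lines copied from the log above (AppInit_DLLs and Winlogon Notify entries, a MIME filter hijack, Run entries that use rundll32 to call a one-letter export from a DLL, ActiveX controls registered from a local file:// path, and orphaned entries whose file is gone). The severity labels, the one-letter-export rule and the `Finding` structure are my own assumptions, chosen to make the AppInit_DLLs/Winlogon Notify pattern in this log stand out.

```python
"""Triage heuristics for HijackThis-style logs (added example; not a HijackThis feature)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Lines copied from the HijackThis log posted above, plus two benign entries for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [bcfb23bc] rundll32.exe "C:\WINDOWS\System32\koffnkfp.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BMbfc81020] Rundll32.exe "C:\WINDOWS\System32\uoqsotec.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3174] command /c del "C:\Program Files\Zango\bin\10.0.370.0\arrow.ico"
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat,C:\WINDOWS\System32\iasnap32.dll
O20 - Winlogon Notify: bcfb2313372 - C:\WINDOWS\System32\iasnap32.dll
O20 - Winlogon Notify: gebbyaw - gebbyaw.dll (file missing)
O20 - Winlogon Notify: __c00BAD43 - C:\WINDOWS\System32\__c00BAD43.dat (file missing)
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O20"
    severity: str  # "high", "medium" or "info" (assumed scale)
    reason: str
    line: str


# An O4 entry that uses rundll32 to load a DLL and call one named export.
_RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?\s*,\s*(\w+)', re.I)
_TAG_RE = re.compile(r'([A-Z]\d+)\s+-\s+(.*)')


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis line; None means nothing worth reporting."""
    line = line.strip()
    m = _TAG_RE.match(line)
    if not m:
        return None
    tag, body = m.group(1), m.group(2)
    orphan = '(file missing)' in body or '(no file)' in body

    if tag == 'O20' and body.startswith('AppInit_DLLs'):
        # AppInit_DLLs are loaded into every process that links user32.dll.
        return Finding(tag, 'high', 'AppInit_DLLs injects the listed DLLs into every GUI process', line)
    if tag == 'O20' and body.startswith('Winlogon Notify'):
        if orphan:
            return Finding(tag, 'medium', 'orphaned Winlogon Notify key (DLL gone, key remains)', line)
        return Finding(tag, 'high', 'Winlogon Notify DLL is loaded by winlogon.exe at logon', line)
    if tag == 'O18':
        return Finding(tag, 'medium' if orphan else 'high', 'MIME filter hijack on text/html', line)
    if tag == 'O4':
        if 'SpybotDeleting' in body:
            return Finding(tag, 'info', 'pending deletion queued by Spybot S&D', line)
        rm = _RUNDLL_RE.search(body)
        if rm:
            dll, export = rm.groups()
            if len(export) == 1:  # assumed heuristic: legitimate exports have descriptive names
                return Finding(tag, 'high', f'rundll32 loads {dll} via single-letter export "{export}"', line)
            return Finding(tag, 'medium', f'rundll32 loads {dll}; verify the DLL', line)
    if tag == 'O16' and 'file://' in body.lower():
        return Finding(tag, 'medium', 'ActiveX control registered from a local file:// path', line)
    if orphan:
        return Finding(tag, 'info', 'entry points at a missing file', line)
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> dict:
    counts = {'high': 0, 'medium': 0, 'info': 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def dlls_to_review(findings: List[Finding]) -> Set[str]:
    """DLL file names named in high-severity findings, for cross-checking against other logs."""
    names: Set[str] = set()
    for f in findings:
        if f.severity == 'high':
            names.update(n.lower() for n in re.findall(r'[\w~-]+\.dll', f.line, re.I))
    return names


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for f in sorted(found, key=lambda x: ('high', 'medium', 'info').index(x.severity)):
        print(f'[{f.severity:6}] {f.section}: {f.reason}\n          {f.line}')
    print(summarize(found), dlls_to_review(found))
```

Run against the lines above, the script reports the two rundll32 Run entries, the AppInit_DLLs value and the live Winlogon Notify entry as high, and `dlls_to_review` returns exactly the three DLLs (koffnkfp.dll, uoqsotec.dll, iasnap32.dll) that a responder would want to check in the process and DLL listings of later scans; the avast! and ctfmon entries produce no finding.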


#2 Thunderbird1988 (Member 2k, 2,416 posts)

Hello Xenu and welcome to Geekstogo,

Before we start I would like to know what you mean by

So I'm working on a customer's computer


Do you own/are you working in a computer shop?

#3 Xenu (Topic Starter, New Member, 7 posts)

Hello Xenu and welcome to Geekstogo,

Before we start I would like to know what you mean by

So I'm working on a customer's computer


Do you own/are you working in a computer shop?


What I'd like to know is what this has to do with anything. She's paying me to fix her computer, and she's not a close friend, so what would that make her?

I don't work for anyone.

Anyway, so at one point it DID have SpyShredder, along with Virtumonde/Vundo, and some other stuff. I think Virtumonde is still lurking around because the laptop rapidly produces popups when you put it online... I did it for about a minute and it downloaded Braviax onto the thing.

Right now I'm trying to boot into a different OS (thumb drive Linux) and do a scan from there, as Avast said there was a bunch of files it couldn't mess with because they were password protected (not system files; it looked like a bunch of stuff that shouldn't be there). The problem is this laptop is so old it doesn't support USB drive booting.

Any suggestions?

#4 Thunderbird1988 (Member 2k, 2,416 posts)

Hello Xenu,

What I'd like to know is what this has to do with anything


In the past we had people who had a full-time paid job of repairing computers, and who asked for help with many different computers. In other words: they let us help them to get paid, while we didn't get paid.

What you said however makes me assume you will not use our services like that. Sorry I had to ask about it, but I really don't like my services being used like described above.

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Thunderbird1988

Edited by Thunderbird1988, 22 July 2008 - 03:29 AM.


#5 Xenu (Topic Starter, New Member, 7 posts)
I see. No, usually I can clear things myself, but this one is just so... hooked in that I can't find it.

I've managed to reduce it to just popups, but I can't figure out what is causing them.

Also, I've actually run both SDFix and ComboFix because I had a remnant of Braviax inside of it apparently.

So, I already have a HijackThis log for it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:02 AM, on 7/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1216704750444&h=71a388861658c10741dae1de83ba0be9/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O20 - Winlogon Notify: bcfb2313372 - C:\WINDOWS\System32\iasnap32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5725 bytes

As far as I can see, all the stuff that looks strange happens to be Toshiba utilities.

#6 Thunderbird1988 (Member 2k, 2,416 posts)

Hello Xenu,

Can you post the two logs? The ComboFix log in particular will contain information I will probably need.

#7 Xenu (Topic Starter, New Member, 7 posts)
Sure, no problem. I will say that I ran ComboFix twice to see if anything was lurking; I probably shouldn't have done that... but it didn't hurt the computer the first time, and apparently it didn't catch anything the second time.

First ComboFix log:
ComboFix 08-07-21.1 - xxx 2008-07-22  3:10:31.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.211 [GMT -4:00]
Running from: E:\ComboFix.exe
Command switches used :: E:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mary Forehand\Application Data\WNSXS~1
C:\Documents and Settings\Mary Forehand\Application Data\WNSXS~1\W?nSxS\
C:\Program Files\mcroso~1
C:\Program Files\RcvSystem
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\pfknffok.ini
C:\xcrashdump.dat

.
(((((((((((((((((((((((((   Files Created from 2008-06-22 to 2008-07-22  )))))))))))))))))))))))))))))))
.

2008-07-22 02:43 . 2008-07-22 02:43	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-07-22 02:42 . 2008-07-22 02:42	<DIR>	d--------	C:\SDFix
2008-07-22 01:33 . 2008-06-10 02:32	73,728	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-07-22 01:04 . 2008-07-22 01:08	1,374	--a------	C:\WINDOWS\imsins.BAK
2008-07-22 00:35 . 2008-06-13 07:05	272,128	-----c---	C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-22 00:35 . 2008-05-08 10:02	203,136	-----c---	C:\WINDOWS\system32\dllcache\rmcast.sys
2008-07-22 00:33 . 2008-07-22 00:33	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-22 00:25 . 2008-07-22 00:25	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-21 04:26 . 2008-07-21 04:26	<DIR>	d--------	C:\WINDOWS\system32\scripting
2008-07-21 04:23 . 2008-07-21 04:27	<DIR>	d--------	C:\WINDOWS\ServicePackFiles
2008-07-21 04:19 . 2006-12-29 00:31	19,569	--a------	C:\WINDOWS\002648_.tmp
2008-07-21 04:15 . 2008-07-21 04:15	<DIR>	d--------	C:\WINDOWS\EHome
2008-07-21 04:00 . 2008-07-22 01:08	<DIR>	d--h-----	C:\WINDOWS\$hf_mig$
2008-07-21 04:00 . 2007-08-10 20:46	26,488	--a------	C:\WINDOWS\system32\spupdsvc.exe
2008-07-21 03:57 . 2008-07-21 03:57	<DIR>	d--------	C:\Program Files\Spybot - Search & Destroy
2008-07-21 03:57 . 2008-07-22 01:27	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-20 11:53 . 2008-07-21 07:07	<DIR>	d-a------	C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-20 10:20 . 2008-07-20 10:20	<DIR>	d--------	C:\Program Files\Trend Micro
2008-07-20 09:49 . 2008-07-20 09:49	250	--a------	C:\WINDOWS\MicroSoft.vbs
2008-07-20 06:59 . 2008-07-20 06:59	<DIR>	d--------	C:\Program Files\CCleaner
2008-07-20 03:24 . 2008-07-20 03:24	<DIR>	d--------	C:\Program Files\Alwil Software
2008-07-20 03:24 . 2003-03-18 16:20	1,060,864	--a------	C:\WINDOWS\system32\MFC71.dll
2008-07-20 03:23 . 2008-07-20 03:23	110,419	--a------	C:\WINDOWS\BMbfc81020.xml
2008-07-20 02:56 . 2008-07-20 02:57	811	--a------	C:\WINDOWS\wininit.ini
2008-07-20 02:36 . 2008-07-20 02:36	122,880	--a------	C:\WINDOWS\system32\iasnap32.dll
2008-07-20 02:31 . 2003-11-20 20:28	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN\WINDOWS
2008-07-20 02:31 . 2003-11-20 21:32	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN\Application Data\toshiba
2008-07-20 02:31 . 2003-11-20 21:34	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN\Application Data\Symantec
2008-07-20 02:31 . 2003-11-21 14:25	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN\Application Data\InterVideo
2008-07-20 02:31 . 2003-11-20 20:59	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN\Application Data\InterTrust
2008-07-20 02:31 . 2003-11-20 21:52	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN\Application Data\Drag'n Drop CD+DVD
2008-07-20 02:31 . 2008-07-22 00:25	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-22 05:33	---------	d-----w	C:\Program Files\Java
2008-07-20 10:35	---------	d-----w	C:\Program Files\QuickTime
2008-07-20 10:34	---------	d-----w	C:\Program Files\ltmoh
2008-07-20 10:31	---------	d-----w	C:\Program Files\Apoint2K
2008-06-20 11:51	361,600	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40	138,496	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08	225,856	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05	272,128	------w	C:\WINDOWS\system32\drivers\bthport.sys
2007-12-08 15:08	56,912	----a-w	C:\Documents and Settings\xxx\g2mdlhlpx.exe
2006-07-09 05:36	774,144	----a-w	C:\Program Files\RngInterstitial.dll
.
[code]<pre>
----a-w			63,712 2008-07-20 07:00:35  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w			39,792 2008-07-20 07:00:37  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		   159,744 2008-07-20 07:00:13  C:\Program Files\Apoint2K\Apoint .exe
----a-w		 1,380,352 2008-07-20 07:00:36  C:\Program Files\B's CLiP\Win2K\BSCLIP .exe
----a-w		   180,269 2008-07-20 07:00:32  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   172,032 2008-07-20 07:00:10  C:\Program Files\ltmoh\Ltmoh .exe
----a-w		 1,511,453 2008-07-20 07:00:57  C:\Program Files\Messenger\msmsgs .exe
----a-w		 1,019,904 2008-07-20 07:00:20  C:\Program Files\Toshiba\PadTouch\PadExe .exe
----a-w			65,536 2008-07-20 07:00:39  C:\Program Files\Toshiba\TOSCDSPD\toscdspd .exe
----a-w		   126,976 2008-07-20 07:00:16  C:\Program Files\Toshiba\TouchED\TouchED .Exe
----a-w		   159,744 2008-07-20 07:00:27  C:\TOSHIBA\Ivp\ISM\pinger .exe
----a-w		   258,048 2008-07-20 07:00:06  C:\WINDOWS\system32\00THotkey .exe
----a-w			13,312 2008-07-20 06:36:46  C:\WINDOWS\system32\ctfmon .exe
----a-w		   114,688 2008-07-20 07:00:06  C:\WINDOWS\system32\hkcmd .exe
----a-w		   155,648 2008-07-20 07:00:06  C:\WINDOWS\system32\igfxtray .exe
</pre>


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"000StTHK"="000StTHK.exe" [2001-06-24 00:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 15:20 88363 C:\WINDOWS\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2003-10-15 20:03 73728 C:\WINDOWS\system32\TFNF5.exe]
"NDSTray.exe"="NDSTray.exe" [N/A]
"TPSMain"="TPSMain.exe" [2003-11-20 01:15 278528 C:\WINDOWS\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" [N/A]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 17:23:32 51776]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-11-20 20:58:56 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bcfb2313372]
2008-07-20 02:36 122880 C:\WINDOWS\system32\iasnap32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\iasnap32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 05:07]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 10:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 10:37]
R4 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys [2003-11-04 15:50]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
R1 -: HKCU-SearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O8 -: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 -: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 -: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 -: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 -: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 -: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 03:14:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\iasnap32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\System32\iasnap32.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\System32\iasnap32.dll

PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\WINDOWS\System32\iasnap32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-07-22  3:17:13 - machine was rebooted [Mary Forehand]
ComboFix-quarantined-files.txt  2008-07-22 07:17:07

Pre-Run: 52,154,101,760 bytes free
Post-Run: 52,074,602,496 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /forceresetreg /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

175	--- E O F ---	2008-07-22 05:18:05

Second ComboFix log:

ComboFix 08-07-21.1 - xxx 2008-07-22  3:41:18.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.253 [GMT -4:00]
Running from: E:\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2008-06-22 to 2008-07-22  )))))))))))))))))))))))))))))))
.

2008-07-22 02:43 . 2008-07-22 02:43	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-07-22 02:42 . 2008-07-22 02:42	<DIR>	d--------	C:\SDFix
2008-07-22 01:33 . 2008-06-10 02:32	73,728	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-07-22 01:04 . 2008-07-22 01:08	1,374	--a------	C:\WINDOWS\imsins.BAK
2008-07-22 00:35 . 2008-06-13 07:05	272,128	-----c---	C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-22 00:35 . 2008-05-08 10:02	203,136	-----c---	C:\WINDOWS\system32\dllcache\rmcast.sys
2008-07-22 00:33 . 2008-07-22 00:33	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-22 00:25 . 2008-07-22 00:25	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-21 04:26 . 2008-07-21 04:26	<DIR>	d--------	C:\WINDOWS\system32\scripting
2008-07-21 04:23 . 2008-07-21 04:27	<DIR>	d--------	C:\WINDOWS\ServicePackFiles
2008-07-21 04:19 . 2006-12-29 00:31	19,569	--a------	C:\WINDOWS\002648_.tmp
2008-07-21 04:15 . 2008-07-21 04:15	<DIR>	d--------	C:\WINDOWS\EHome
2008-07-21 04:00 . 2008-07-22 01:08	<DIR>	d--h-----	C:\WINDOWS\$hf_mig$
2008-07-21 04:00 . 2007-08-10 20:46	26,488	--a------	C:\WINDOWS\system32\spupdsvc.exe
2008-07-21 03:57 . 2008-07-21 03:57	<DIR>	d--------	C:\Program Files\Spybot - Search & Destroy
2008-07-21 03:57 . 2008-07-22 01:27	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-20 11:53 . 2008-07-21 07:07	<DIR>	d-a------	C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-20 10:20 . 2008-07-20 10:20	<DIR>	d--------	C:\Program Files\Trend Micro
2008-07-20 09:49 . 2008-07-20 09:49	250	--a------	C:\WINDOWS\MicroSoft.vbs
2008-07-20 06:59 . 2008-07-20 06:59	<DIR>	d--------	C:\Program Files\CCleaner
2008-07-20 03:24 . 2008-07-20 03:24	<DIR>	d--------	C:\Program Files\Alwil Software
2008-07-20 03:24 . 2003-03-18 16:20	1,060,864	--a------	C:\WINDOWS\system32\MFC71.dll
2008-07-20 03:23 . 2008-07-20 03:23	110,419	--a------	C:\WINDOWS\BMbfc81020.xml
2008-07-20 02:56 . 2008-07-20 02:57	811	--a------	C:\WINDOWS\wininit.ini
2008-07-20 02:36 . 2008-07-20 02:36	122,880	--a------	C:\WINDOWS\system32\iasnap32.dll
2008-07-20 02:31 . 2003-11-20 20:28	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN\WINDOWS
2008-07-20 02:31 . 2003-11-20 21:32	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN\Application Data\toshiba
2008-07-20 02:31 . 2003-11-20 21:34	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN\Application Data\Symantec
2008-07-20 02:31 . 2003-11-21 14:25	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN\Application Data\InterVideo
2008-07-20 02:31 . 2003-11-20 20:59	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN\Application Data\InterTrust
2008-07-20 02:31 . 2003-11-20 21:52	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN\Application Data\Drag'n Drop CD+DVD
2008-07-20 02:31 . 2008-07-22 00:25	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-22 05:33	---------	d-----w	C:\Program Files\Java
2008-07-20 10:35	---------	d-----w	C:\Program Files\QuickTime
2008-07-20 10:34	---------	d-----w	C:\Program Files\ltmoh
2008-07-20 10:31	---------	d-----w	C:\Program Files\Apoint2K
2008-07-20 07:00	258,048	----a-w	C:\WINDOWS\system32\00THotkey .exe
2008-07-20 07:00	155,648	----a-w	C:\WINDOWS\system32\igfxtray .exe
2008-07-20 07:00	114,688	----a-w	C:\WINDOWS\system32\hkcmd .exe
2008-07-20 06:36	13,312	----a-w	C:\WINDOWS\system32\ctfmon .exe
2008-06-20 17:46	245,248	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51	361,600	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40	138,496	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08	225,856	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05	272,128	------w	C:\WINDOWS\system32\drivers\bthport.sys
2008-05-09 10:53	90,112	----a-w	C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53	430,080	----a-w	C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53	180,224	----a-w	C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53	172,032	----a-w	C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24	155,648	----a-w	C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07	135,168	----a-w	C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12	1,288,192	----a-w	C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16	826,368	----a-w	C:\WINDOWS\system32\wininet.dll
2007-12-08 15:08	56,912	----a-w	C:\Documents and Settings\Mary Forehand\g2mdlhlpx.exe
2006-07-09 05:36	774,144	----a-w	C:\Program Files\RngInterstitial.dll
.
----a-w			63,712 2008-07-20 07:00:35  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w			39,792 2008-07-20 07:00:37  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		   159,744 2008-07-20 07:00:13  C:\Program Files\Apoint2K\Apoint .exe
----a-w		 1,380,352 2008-07-20 07:00:36  C:\Program Files\B's CLiP\Win2K\BSCLIP .exe
----a-w		   180,269 2008-07-20 07:00:32  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   172,032 2008-07-20 07:00:10  C:\Program Files\ltmoh\Ltmoh .exe
----a-w		 1,511,453 2008-07-20 07:00:57  C:\Program Files\Messenger\msmsgs .exe
----a-w		 1,019,904 2008-07-20 07:00:20  C:\Program Files\Toshiba\PadTouch\PadExe .exe
----a-w			65,536 2008-07-20 07:00:39  C:\Program Files\Toshiba\TOSCDSPD\toscdspd .exe
----a-w		   126,976 2008-07-20 07:00:16  C:\Program Files\Toshiba\TouchED\TouchED .Exe
----a-w		   159,744 2008-07-20 07:00:27  C:\TOSHIBA\Ivp\ISM\pinger .exe
----a-w		   258,048 2008-07-20 07:00:06  C:\WINDOWS\system32\00THotkey .exe
----a-w			13,312 2008-07-20 06:36:46  C:\WINDOWS\system32\ctfmon .exe
----a-w		   114,688 2008-07-20 07:00:06  C:\WINDOWS\system32\hkcmd .exe
----a-w		   155,648 2008-07-20 07:00:06  C:\WINDOWS\system32\igfxtray .exe


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"000StTHK"="000StTHK.exe" [2001-06-24 00:28 24576 C:\WINDOWS\system32\[u]0[/u]00StTHK.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 15:20 88363 C:\WINDOWS\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2003-10-15 20:03 73728 C:\WINDOWS\system32\TFNF5.exe]
"NDSTray.exe"="NDSTray.exe" [N/A]
"TPSMain"="TPSMain.exe" [2003-11-20 01:15 278528 C:\WINDOWS\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" [N/A]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 17:23:32 51776]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-11-20 20:58:56 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bcfb2313372]
2008-07-20 02:36 122880 C:\WINDOWS\system32\iasnap32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\iasnap32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 05:07]
R4 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys [2003-11-04 15:50]

*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
R1 -: HKCU-SearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O8 -: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 -: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 -: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 -: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 -: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 -: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 03:43:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\iasnap32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\System32\iasnap32.dll

PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\WINDOWS\System32\iasnap32.dll
.
Completion time: 2008-07-22  3:44:20
ComboFix-quarantined-files.txt  2008-07-22 07:44:16
ComboFix2.txt  2008-07-22 07:17:14

Pre-Run: 52,143,599,616 bytes free
Post-Run: 52,133,670,912 bytes free

146	--- E O F ---	2008-07-22 05:18:05

SDFix
SDFix: Version 1.207
Run by Administrator on Tue 07/22/2008 at 02:48 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files:

No Trojan Files Found






Removing Temp Files

ADS Check:
 


Final Check:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 02:54:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000053
"TracesSuccessful"=dword:00000003

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:



Files with Hidden Attributes:

Mon 11 Aug 2003		49,237 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Mon 11 Aug 2003		36,953 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Mon 11 Aug 2003		40,960 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Mon 11 Aug 2003	   233,553 A..H. --- "C:\Program Files\America Online 9.0\waol.exe"
Mon  7 Jul 2008	 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon  7 Jul 2008	 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon  7 Jul 2008	 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 15 May 2003		43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Mon 21 Jul 2008	   477,936 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\05dc5f0b39a115d1962503e7297cdba7\BIT12.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\080070f6461c8001578e5e4cd4bb024b\BIT3B.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\109fef93c24da62cf8f31668d6ba9060\BIT30.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1d8773e3b9bba05290b442f31de09a2e\BIT17.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1e0d5826a4592cc6d08a9c51de1deab1\BIT18.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1fb659e25c21839251d560da33cbcfad\BIT2E.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\208c1a8c52f47d7b2df4baa21f58d3da\BIT22.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2d7809720343ee9223ce4d88d99bf3c2\BIT23.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\32cc777251e695000c46eaf909a80b37\BIT15.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\32e99364da67a7850c38a7a4e067a1ed\BIT1D.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\33dda7a9fdd16ad3949443f62d248f25\BIT2B.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\495213e4cb2a90b1fa5505a5fab8e00b\BIT31.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\BIT35.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\52b72a8354f3c8a72b1aee0b2a11d368\BIT1F.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\52d0bad96d671744fec5c77caa4cdf4d\BITA.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\55b5c397ff94db07e8c1c336efaf0a7b\BIT37.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\587d85e782ae94381c309d8add64e1a0\BIT14.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\63be32bacbd73459f1f4fbd657823ecc\BIT28.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\65cd5bd54188e653414d6e2035b6edfb\BIT2C.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\694301dbfd149d8645046cbc0b1067e8\BIT4B.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\837a8691e43011f909e4b3e192fe1437\BIT32.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8b20f1a9610d239c2680847de8fa139a\BIT36.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a099dfb7d5d88247579330743c8014f3\BIT27.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a1958c12079db3dbba3db562fc08c81b\BIT38.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a4a9ccd1806461c53ce89bdd6f4591bf\BIT2F.tmp"
Mon 21 Jul 2008	   153,872 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a4eec31189780c76a955690dc00fbe64\BIT47.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\adc42e4e6905251cac80b18a8dccd42a\BIT3A.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\aebb83db003f77a45671fd2c1557da38\BIT13.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b3ba2a040ecf3ac2cd2da399851bda00\BIT16.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b4b20917c986769c3ff7ff42e8c8d15a\BIT25.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c23140ab2b4cffaee396a230df8b1229\BIT3D.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c9cdbfcd49200c55d94bb81819c80f2b\BIT24.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d20fc1765c1d2a8e6c26cf77036ce48f\BIT39.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e3c3121982c8a4d0c1605cfbcb9bb7c8\BIT34.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\eb5ff0ae9fdaa24285c4924997a7aa90\BIT9.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\edc9e523d8678897d85b5ee0ef1bbf7a\BIT3C.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f040a43a7788e207ef67f26bf9f0471f\BIT2D.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\BIT29.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f941c900a413f153861a4032214a1aec\BIT19.tmp"
Mon 21 Jul 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\BIT26.tmp"
Mon 11 Aug 2003	   111,824 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"

Finished!

As well as a HijackThis log from before all of this was done (I had done some things after that HJT in the OP):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:02 AM, on 7/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1216704750444&h=71a388861658c10741dae1de83ba0be9/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O20 - Winlogon Notify: bcfb2313372 - C:\WINDOWS\System32\iasnap32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5725 bytes

Sorry for the long post, but those are all the logs that have been done.

#8
Thunderbird1988

    Member 2k

  • Member
  • 2,416 posts
Hello Xenu,

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\002648_.tmp
C:\WINDOWS\system32\MFC71.dll
C:\WINDOWS\BMbfc81020.xml
C:\WINDOWS\system32\iasnap32.dll


RENV::

----a-w			63,712 2008-07-20 07:00:35  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w			39,792 2008-07-20 07:00:37  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		   159,744 2008-07-20 07:00:13  C:\Program Files\Apoint2K\Apoint .exe
----a-w		 1,380,352 2008-07-20 07:00:36  C:\Program Files\B's CLiP\Win2K\BSCLIP .exe
----a-w		   180,269 2008-07-20 07:00:32  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   172,032 2008-07-20 07:00:10  C:\Program Files\ltmoh\Ltmoh .exe
----a-w		 1,511,453 2008-07-20 07:00:57  C:\Program Files\Messenger\msmsgs .exe
----a-w		 1,019,904 2008-07-20 07:00:20  C:\Program Files\Toshiba\PadTouch\PadExe .exe
----a-w			65,536 2008-07-20 07:00:39  C:\Program Files\Toshiba\TOSCDSPD\toscdspd .exe
----a-w		   126,976 2008-07-20 07:00:16  C:\Program Files\Toshiba\TouchED\TouchED .Exe
----a-w		   159,744 2008-07-20 07:00:27  C:\TOSHIBA\Ivp\ISM\pinger .exe
----a-w		   258,048 2008-07-20 07:00:06  C:\WINDOWS\system32\00THotkey .exe
----a-w			13,312 2008-07-20 06:36:46  C:\WINDOWS\system32\ctfmon .exe
----a-w		   114,688 2008-07-20 07:00:06  C:\WINDOWS\system32\hkcmd .exe
----a-w		   155,648 2008-07-20 07:00:06  C:\WINDOWS\system32\igfxtray .exe

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bcfb2313372]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Thunderbird1988

Edited by Thunderbird1988, 22 July 2008 - 02:37 PM.

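Added example (not code from this thread, ComboFix or HijackThis): a small Python triage script that cross-references the "Reg Loading Points" and "DLLs Loaded Under Running Processes" sections of a ComboFix report like the one posted above, flags a DLL that both has a persistent loading point (a Winlogon\Notify subkey or AppInit_DLLs) and is loaded inside core system processes, and emits the matching File::/Registry:: CFScript lines. The sample log is constructed from the lines quoted in this thread; function names and the core-process list are my own assumptions.

```python
import re

# Constructed sample: the relevant lines of the ComboFix report posted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bcfb2313372]
2008-07-20 02:36 122880 C:\WINDOWS\system32\iasnap32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\iasnap32.dll
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\iasnap32.dll
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\System32\iasnap32.dll
PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\WINDOWS\System32\iasnap32.dll
"""

# Winlogon\Notify subkeys and AppInit_DLLs are the two loading points ComboFix listed above.
NOTIFY_KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\[^\]]+)\]$", re.IGNORECASE)
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$', re.IGNORECASE)
DLL_PATH_RE = re.compile(r"([A-Za-z]:\\\S+\.dll)\s*$", re.IGNORECASE)
PROCESS_RE = re.compile(r"^PROCESS:\s+(\S+\.exe)\s*$", re.IGNORECASE)
INJECTED_RE = re.compile(r"^->\s+(\S+\.dll)\s*$", re.IGNORECASE)

# Assumed list: processes a third-party DLL should not normally be loaded into on XP.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


def norm(path):
    """Windows paths are case-insensitive, so compare them lower-cased."""
    return path.strip().lower()


def parse_loading_points(log):
    """Map each DLL (normalised) to its original spelling and the loading points naming it."""
    points = {}

    def add(path, kind, detail):
        entry = points.setdefault(norm(path), {"path": path.strip(), "points": []})
        entry["points"].append((kind, detail))

    lines = [ln.rstrip() for ln in log.splitlines()]
    for i, line in enumerate(lines):
        key = NOTIFY_KEY_RE.match(line)
        if key and i + 1 < len(lines):
            # ComboFix prints the DLL the Notify subkey points at on the following line.
            dll = DLL_PATH_RE.search(lines[i + 1])
            if dll:
                add(dll.group(1), "winlogon_notify", key.group(1))
            continue
        appinit = APPINIT_RE.match(line)
        if appinit:
            # AppInit_DLLs may hold several paths separated by spaces or commas.
            for dll in re.split(r"[ ,;]+", appinit.group(1).strip().strip('"')):
                if dll:
                    add(dll, "appinit_dlls", dll)
    return points


def parse_injected(log):
    """Map each DLL (normalised) to the set of process image names it was found loaded in."""
    injected, current = {}, None
    for line in log.splitlines():
        proc = PROCESS_RE.match(line.strip())
        if proc:
            current = norm(proc.group(1)).rsplit("\\", 1)[-1]
            continue
        dll = INJECTED_RE.match(line.strip())
        if dll and current:
            injected.setdefault(norm(dll.group(1)), set()).add(current)
    return injected


def correlate(log):
    """DLLs that have a persistent loading point AND are loaded inside core system processes."""
    points, injected = parse_loading_points(log), parse_injected(log)
    findings = {}
    for dll, procs in injected.items():
        core = sorted(procs & CORE_PROCESSES)
        if dll in points and core:
            findings[dll] = {"path": points[dll]["path"],
                             "loading_points": points[dll]["points"],
                             "injected_into": core}
    return findings


def build_cfscript(findings):
    """Emit a CFScript in the File::/Registry:: layout used in the reply above."""
    files, reg, appinit_cleared = [], [], False
    for info in findings.values():
        files.append(info["path"])
        for kind, detail in info["loading_points"]:
            if kind == "winlogon_notify":
                reg.append(f"[-{detail}]")  # a leading '-' deletes the whole subkey
            elif kind == "appinit_dlls" and not appinit_cleared:
                reg.append(r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]")
                reg.append('"AppInit_DLLs"=""')  # reset the value rather than delete the key
                appinit_cleared = True
    return "\n".join(["File::", *files, "", "Registry::", *reg]) + "\n"


if __name__ == "__main__":
    found = correlate(SAMPLE_LOG)
    for info in found.values():
        print(f"{info['path']} loaded into {', '.join(info['injected_into'])}")
    print(build_cfscript(found))
```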

#9
Xenu

    New Member

  • Topic Starter
  • Member
  • 7 posts
I think I've wiped the infection; it deleted some more stuff, including that peculiar iasnap32.dll file, which doesn't match up with a normal XP install.

ComboFix log
ComboFix 08-07-21.1 - Mary Forehand 2008-07-22 16:57:26.3 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.246 [GMT -4:00]
Running from: E:\ComboFix.exe
Command switches used :: E:\CFScript.txt
 * Created a new restore point

FILE ::
C:\WINDOWS\002648_.tmp
C:\WINDOWS\BMbfc81020.xml
C:\WINDOWS\system32\iasnap32.dll
C:\WINDOWS\system32\MFC71.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\002648_.tmp
C:\WINDOWS\BMbfc81020.xml
C:\WINDOWS\system32\iasnap32.dll
C:\WINDOWS\system32\MFC71.dll

.
(((((((((((((((((((((((((   Files Created from 2008-06-22 to 2008-07-22  )))))))))))))))))))))))))))))))
.

2008-07-22 02:43 . 2008-07-22 02:43	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-07-22 02:42 . 2008-07-22 02:42	<DIR>	d--------	C:\SDFix
2008-07-22 01:33 . 2008-06-10 02:32	73,728	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-07-22 00:35 . 2008-06-13 07:05	272,128	-----c---	C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-22 00:35 . 2008-05-08 10:02	203,136	-----c---	C:\WINDOWS\system32\dllcache\rmcast.sys
2008-07-22 00:33 . 2008-07-22 00:33	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-22 00:25 . 2008-07-22 00:25	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-21 04:26 . 2008-07-21 04:26	<DIR>	d--------	C:\WINDOWS\system32\scripting
2008-07-21 04:23 . 2008-07-21 04:27	<DIR>	d--------	C:\WINDOWS\ServicePackFiles
2008-07-21 04:15 . 2008-07-21 04:15	<DIR>	d--------	C:\WINDOWS\EHome
2008-07-21 04:00 . 2008-07-22 01:08	<DIR>	d--h-----	C:\WINDOWS\$hf_mig$
2008-07-21 04:00 . 2007-08-10 20:46	26,488	--a------	C:\WINDOWS\system32\spupdsvc.exe
2008-07-21 03:57 . 2008-07-21 03:57	<DIR>	d--------	C:\Program Files\Spybot - Search & Destroy
2008-07-21 03:57 . 2008-07-22 04:14	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-20 11:53 . 2008-07-21 07:07	<DIR>	d-a------	C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-20 10:20 . 2008-07-20 10:20	<DIR>	d--------	C:\Program Files\Trend Micro
2008-07-20 09:49 . 2008-07-20 09:49	250	--a------	C:\WINDOWS\MicroSoft.vbs
2008-07-20 06:59 . 2008-07-20 06:59	<DIR>	d--------	C:\Program Files\CCleaner
2008-07-20 03:24 . 2008-07-20 03:24	<DIR>	d--------	C:\Program Files\Alwil Software
2008-07-20 02:56 . 2008-07-20 02:57	811	--a------	C:\WINDOWS\wininit.ini
2008-07-20 02:31 . 2003-11-20 20:28	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN\WINDOWS
2008-07-20 02:31 . 2003-11-20 21:32	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN\Application Data\toshiba
2008-07-20 02:31 . 2003-11-20 21:34	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN\Application Data\Symantec
2008-07-20 02:31 . 2003-11-21 14:25	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN\Application Data\InterVideo
2008-07-20 02:31 . 2003-11-20 20:59	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN\Application Data\InterTrust
2008-07-20 02:31 . 2003-11-20 21:52	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN\Application Data\Drag'n Drop CD+DVD
2008-07-20 02:31 . 2008-07-22 00:25	<DIR>	d--------	C:\Documents and Settings\Administrator.MARYELLEN

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-22 20:57	---------	d-----w	C:\Program Files\ltmoh
2008-07-22 20:57	---------	d-----w	C:\Program Files\Apoint2K
2008-07-22 05:33	---------	d-----w	C:\Program Files\Java
2008-07-20 10:35	---------	d-----w	C:\Program Files\QuickTime
2008-06-20 11:51	361,600	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40	138,496	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08	225,856	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05	272,128	------w	C:\WINDOWS\system32\drivers\bthport.sys
2007-12-08 15:08	56,912	----a-w	C:\Documents and Settings\Mary Forehand\g2mdlhlpx.exe
2006-07-09 05:36	774,144	----a-w	C:\Program Files\RngInterstitial.dll
.

(((((((((((((((((((((((((((((   snapshot@2008-07-22_ 3.16.51.42   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-20 06:36:46	13,312	----a-w	C:\WINDOWS\LastGood.Tmp\system32\ctfmon.exe
+ 2008-07-20 07:00:06	258,048	----a-w	C:\WINDOWS\system32\00THotkey.exe
+ 2008-04-14 09:42:18	15,360	----a-w	C:\WINDOWS\system32\ctfmon.exe
+ 2008-04-14 09:42:18	15,360	-c--a-w	C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2008-07-20 07:00:06	114,688	----a-w	C:\WINDOWS\system32\hkcmd.exe
+ 2008-07-20 07:00:06	155,648	----a-w	C:\WINDOWS\system32\igfxtray.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"000StTHK"="000StTHK.exe" [2001-06-24 00:28 24576 C:\WINDOWS\system32\[u]0[/u]00StTHK.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 15:20 88363 C:\WINDOWS\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2003-10-15 20:03 73728 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2003-11-20 01:15 278528 C:\WINDOWS\system32\TPSMain.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 17:23:32 51776]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-11-20 20:58:56 155648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 05:07]
R4 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys [2003-11-04 15:50]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NDSTray.exe - NDSTray.exe
HKLM-Run-TFncKy - TFncKy.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 17:01:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-07-22 17:03:50 - machine was rebooted
ComboFix-quarantined-files.txt  2008-07-22 21:03:46
ComboFix2.txt  2008-07-22 07:44:21
ComboFix3.txt  2008-07-22 07:17:14

Pre-Run: 52,119,957,504 bytes free
Post-Run: 52,108,345,344 bytes free

126	--- E O F ---	2008-07-22 05:18:05

HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:05:45 PM, on 7/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\TPSBattM.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1216704750444&h=71a388861658c10741dae1de83ba0be9/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5698 bytes


#10 Thunderbird1988
Hello Xenu,

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Thunderbird1988

#11 Xenu (Topic Starter)
Well, it didn't find anything but one thing, which I promptly found and deleted.

Here's the Log file though:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
 Wednesday, July 23, 2008
 Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
 Kaspersky Online Scanner 7 version: 7.0.25.0
 Program database last update: Wednesday, July 23, 2008 10:32:37
 Records in database: 996706
--------------------------------------------------------------------------------

Scan settings:
	Scan using the following database: extended
	Scan archives: yes
	Scan mail databases: yes

Scan area - My Computer:
	C:\
	D:\

Scan statistics:
	Files scanned: 46675
	Threat name: 1
	Infected objects: 1
	Suspicious objects: 0
	Duration of the scan: 00:56:30


File name / Threat name / Threats count
C:\WINDOWS\Downloaded Program Files\WebfettiInitialSetup1.0.0.15-3.exe	Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.aw	1

The selected area was scanned.


#12 Thunderbird1988
Hello Xenu,

The logs seem to be clean. How is it running?

Thunderbird1988

#13 Xenu (Topic Starter)
It's running great. Avast wiped out a bunch of the Toshiba software saying it was infected, so I've gotta go around doing a little damage control... but the operating system seems to be running fine.

Thanks for the help, this thing was messed up bad.

Just a quick question... did you learn how to deal with this stuff by hanging around these boards? Like the ComboFix scripts and stuff, as well as reading up on the HijackThis logs? Because I wouldn't mind being able to look at stuff myself and see what's wrong.

#14 Thunderbird1988
Hello Xenu,

Just a quick question... did you learn how to deal with this stuff by hanging around these boards? Like the ComboFix scripts and stuff, as well as reading up on the HijackThis logs? Because I wouldn't mind being able to look at stuff myself and see what's wrong.


Well actually, Geeks to Go has its own "malware university" named GeekU. There I have learned most things about malware I know now. If you would like to join, please read this topic.



Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to disable and re-enable System Restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable System Restore with instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware and hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:


Thunderbird1988
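The six Custom Level changes in the "Make your Internet Explorer more secure" list above are stored as DWORD values under the Internet zone's registry key, so they can be audited and set without clicking through the dialog, and, more usefully on a machine that was just cleaned, re-checked later to confirm nothing has quietly turned them back on. The following Python is an added example and is not part of the original post or of any Microsoft tool. The value names ("1001", "1004", "1201", "1607", "1800", "1804") and the 0 = Enable, 1 = Prompt, 3 = Disable meanings are the documented Internet Explorer zone action IDs; the sample zone dictionary is constructed, and the two functions that touch the registry only work on Windows.

```python
from typing import Dict, List, Optional, Tuple

ENABLE, PROMPT, DISABLE = 0, 1, 3   # DWORD meanings shared by every zone action

# Internet zone (zone 3) of the current user. Assumed key path; the value names
# below are the action IDs behind the six Custom Level settings in the post above.
ZONE3_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}   # higher is safer


def weak_settings(current: Dict[str, int]) -> List[Tuple[str, str, Optional[int], int]]:
    """Return (value name, description, current, recommended) for every action that is
    more permissive than recommended. A missing value is reported as well: IE then
    falls back to the zone template default, which is not necessarily the safe one."""
    weak = []
    for value_name, (desc, want) in RECOMMENDED.items():
        have = current.get(value_name)
        if have is None or STRICTNESS.get(have, 0) < STRICTNESS[want]:
            weak.append((value_name, desc, have, want))
    return weak


def read_internet_zone() -> Dict[str, int]:
    """Read the current user's Internet-zone actions. Windows only (winreg)."""
    import winreg
    values: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE3_KEY) as key:
        i = 0
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, i)
            except OSError:          # no more values
                break
            if kind == winreg.REG_DWORD and name in RECOMMENDED:
                values[name] = data
            i += 1
    return values


def harden_internet_zone(current: Dict[str, int]) -> List[str]:
    """Write the recommended level for each weak action (Windows only) and return the
    value names that were changed. IE picks the new levels up on its next start."""
    import winreg
    changed = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE3_KEY, 0, winreg.KEY_SET_VALUE) as key:
        for value_name, _desc, _have, want in weak_settings(current):
            winreg.SetValueEx(key, value_name, 0, winreg.REG_DWORD, want)
            changed.append(value_name)
    return changed


# Constructed sample: a zone where three of the six actions were left on Enable.
SAMPLE_ZONE = {"1001": ENABLE, "1004": DISABLE, "1201": ENABLE,
               "1800": PROMPT, "1804": ENABLE, "1607": PROMPT}

if __name__ == "__main__":
    try:
        zone = read_internet_zone()
    except ImportError:              # not on Windows: audit the constructed sample instead
        zone = SAMPLE_ZONE
    for value_name, desc, have, want in weak_settings(zone):
        print(f"{value_name}  {desc}: current={have} recommended={want}")
```

On the sample it reports 1001, 1201 and 1804 as weak. Two caveats when using it for real: the audit reads the user hive only, so on a domain-joined machine where policy has set "Security Zones: Use only machine settings" the effective values live under HKLM and this check can pass while the browser is still permissive; and the same value IDs exist for the other zones (0 to 4), so a site that a toolbar or hijacker has added to the Trusted Sites zone bypasses all of this, which is worth a look in the same registry branch.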

#15 Thunderbird1988
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





