Multiple problems... [RESOLVED]


  • This topic is locked

#1 Lola712 (Member, 21 posts)
My laptop has been playing up the past few weeks. It's been acting kinda weird. I'm computer illiterate, so I'd appreciate any help I can get!

Firstly, when I turn on the comp, Windows doesn't set up properly. It kinda freezes, and then when I try to restart it through Task Manager, it says there's an error with the setup of explorer.exe. After ending the program it restarts properly.

Also, I can't seem to change my desktop wallpaper now. The Display-Desktop selections have been grayed out. I read some advice from other forums and they tell me it's spyware.

My German friend recently downloaded AntiVir Guard (unfortunately it's the German version!) for me, and it's been going a little crazy. It keeps popping up with warnings, usually about the TR/Agent.DB.

I've run Spybot, AdAware, a2-free scanner and HijackThis.

Spybot: Same problem every time.
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1005918099-2721185907-3207641511-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2005-05-11 Includes\PUPS.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi


AdAware:
There were no critical objects this time. I have the logfile if needed.


a2-scan
I also have the logfile if needed. It found a lot of malware. And the AntiVir warnings stopped after I fixed the problems the scan found.


HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 9:09:39 AM, on 7/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVirPersonal\AVGUARD.EXE
C:\Program Files\AntiVirPersonal\AVWUPSRV.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\00THotkey.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\AntiVirPersonal\AVGNT.EXE
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\a2 Free\a2start.exe
C:\Program Files\a2 Free\a2scan.exe
C:\DOCUME~1\LINGCH~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe
C:\Program Files\AntiVirPersonal\GUARDGUI.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpa.dll/asst.htm
R3 - URLSearchHook: (no name) - {0EC1ECF5-1F3A-00B9-FAF6-E9F4809EF3AD} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Internet Explorer Hot Fix - {C95E5924-06C9-49F5-AB4B-5A5DE9DF8D86} - blank (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ToshibaHotKeys] c:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [sload] "C:\WINDOWS\sload.exe"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AntiVirPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [SysSupport] SysEntry.exe
O4 - HKCU\..\Run: [InpriseMon] cmon14.exe
O4 - HKCU\..\Run: [atl_helper] bnui.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {510A645B-D7FC-454D-8FCE-8B3CE6409FD6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {510A645B-D7FC-454D-8FCE-8B3CE6409FD6} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117729510299
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66CBDBC5-8B2F-4005-9904-C334AF03C458}: NameServer = 69.50.176.198,195.225.176.153
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVirPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AntiVirPersonal\AVWUPSRV.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


If anyone can help, please do! Thanks.
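As an added example, not part of any post in this thread: a small Python script that applies a handful of reviewer rules to HijackThis log lines, so the entries worth asking about (orphaned hooks, Run entries with no path, Trusted Zone additions, DNS servers that are not on the local network, winlogon DLLs, services with no known publisher) are listed first. The sample lines are copied from the log posted above; the rule set and the wording of each note are my own assumptions about what a log reviewer checks first, and the script says what to verify, not what is malicious.

```python
"""Reviewer-style triage of HijackThis log lines (added example, not from the thread)."""
import ipaddress
import re
import shlex

# Constructed sample: lines copied from the HijackThis log posted above,
# plus the AVGCtrl and sload entries, which show lines the rules do NOT flag.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {0EC1ECF5-1F3A-00B9-FAF6-E9F4809EF3AD} - (no file)
O2 - BHO: Internet Explorer Hot Fix - {C95E5924-06C9-49F5-AB4B-5A5DE9DF8D86} - blank (file missing)
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AntiVirPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [sload] "C:\WINDOWS\sload.exe"
O4 - HKCU\..\Run: [SysSupport] SysEntry.exe
O4 - HKCU\..\Run: [InpriseMon] cmon14.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.sxload.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{66CBDBC5-8B2F-4005-9904-C334AF03C458}: NameServer = 69.50.176.198,195.225.176.153
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
"""

# Markers HijackThis prints when the registry still points at a file that is gone.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9A-Fa-f:., ]+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def first_token(cmd):
    """Executable part of an O4 command line; quotes are delimiters only.

    posix=False keeps Windows backslashes literal instead of treating them
    as escapes, and keeps a quoted path together as one token.
    """
    parts = shlex.split(cmd, posix=False)
    return parts[0].strip('"') if parts else ""


def public_nameservers(servers):
    """Return the DNS servers in an O17 entry that are neither private nor loopback.

    A home laptop normally gets RFC 1918 or ISP resolvers from DHCP; hard-coded
    public addresses are worth confirming with the ISP.
    """
    out = []
    for s in servers.split(","):
        s = s.strip()
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            out.append(s)  # not even an address: worth a look
            continue
        if not (ip.is_private or ip.is_loopback):
            out.append(s)
    return out


def triage(log_text):
    """Return (code, note, line) for each log line that deserves a question."""
    findings = []
    for line in log_text.strip().splitlines():
        code = line.split(" - ", 1)[0]
        if any(marker in line for marker in ORPHAN_MARKERS):
            findings.append((code, "orphaned entry, target file is gone; safe to fix", line))
            continue
        m = O4_RE.match(line)
        if m:
            exe = first_token(m.group("cmd"))
            if "\\" not in exe:  # no directory: Windows resolves it via the search path
                findings.append((code, f"bare executable name {exe}: no path given, locate the file and check its publisher", line))
            continue
        if code == "O6":
            findings.append((code, "IE policy restriction present; confirm it was set on purpose", line))
        elif code == "O15":
            findings.append((code, "domain in IE Trusted Zone gets relaxed security; confirm you added it", line))
        elif code == "O17":
            m = O17_RE.match(line)
            public = public_nameservers(m.group("servers")) if m else []
            if public:
                findings.append((code, "DNS hard-coded to public servers " + ", ".join(public) + "; confirm they belong to your ISP", line))
        elif code == "O20":
            findings.append((code, "DLL loaded by winlogon at every logon; check its publisher", line))
        elif code == "O23":
            m = O23_RE.match(line)
            if m and m.group("owner") == "Unknown owner":
                findings.append((code, "service binary has no known publisher; check the file", line))
    return findings


if __name__ == "__main__":
    for code, note, line in triage(SAMPLE_LOG):
        print(f"[{code}] {note}\n    {line}")
```

Run it as-is to see the nine flagged lines from the sample; feed it a whole saved log (`triage(open("hijackthis.log").read())`) to get the same list for another machine. Entries with a full path and a known publisher, such as the AVGCtrl line, produce nothing, which is the point: the script narrows the log to the lines a reviewer has to ask about rather than judging them.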

#2 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Welcome to Geeks to Go!

Let's see if we can get your system cleaned up a little bit before I analyze the log.

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

#3 Lola712 (Topic Starter, Member, 21 posts)
Thanks so much for your reply!

I am running the scan now.

#4 Lola712 (Topic Starter, Member, 21 posts)
Ok, here are the results:

Started Scanning
Internet Cookies
Found 'com.com' in 'Internet Explorer Cache'
Found '2o7.net' in 'Internet Explorer Cache'
Found 'adultfriendfinder.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\Classes\ed2k'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found 'PluginLevel' in 'SYSTEM\CurrentControlSet\Control\Session Manager'
Internet URL Shortcuts
Files and Directories
Found 'np.tmp' in 'C:\Documents and Settings\All Users\Application Data\Kazaa Lite\db'
Found '' in 'C:\Program Files\AdTools Service'
Found 'Info.txt' in 'C:\Program Files\AdTools Service'
Finished Scanning
Started Backup
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000 for restore. [SCANMODS] Error=5.
Finished Backup
Started Cleaning
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000'. Error=5.
Checking for 'C:\Documents and Settings\All Users\Application Data\Kazaa Lite\db\np.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Application Data\Kazaa Lite\db\np.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Application Data\Kazaa Lite\db\np.tmp'
Checking for 'C:\Program Files\AdTools Service' in shortcut areas.
Checking for 'C:\Program Files\AdTools Service' in startup areas.
Cleaning 'C:\Program Files\AdTools Service'
Checking for 'C:\Program Files\AdTools Service\Info.txt' in shortcut areas.
Checking for 'C:\Program Files\AdTools Service\Info.txt' in startup areas.
Cleaning 'C:\Program Files\AdTools Service\Info.txt'
Checking for 'C:\Program Files\AdTools Service\Info.txt' in shortcut areas.
Checking for 'C:\Program Files\AdTools Service\Info.txt' in startup areas.
Cleaning 'C:\Program Files\AdTools Service\Info.txt'
[SCANMODS] The file 'C:\Program Files\AdTools Service\Info.txt' was not found. Most likely already cleaned by another scanner module.
Finished Cleaning

#5 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Post a new HijackThis log for me.

#6 Lola712 (Topic Starter, Member, 21 posts)
Okay. Here we go:

Logfile of HijackThis v1.99.1
Scan saved at 9:13:31 PM, on 7/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVirPersonal\AVGUARD.EXE
C:\Program Files\AntiVirPersonal\AVWUPSRV.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\AntiVirPersonal\AVGNT.EXE
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpa.dll/asst.htm
R3 - URLSearchHook: (no name) - {0EC1ECF5-1F3A-00B9-FAF6-E9F4809EF3AD} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Internet Explorer Hot Fix - {C95E5924-06C9-49F5-AB4B-5A5DE9DF8D86} - blank (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ToshibaHotKeys] c:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [sload] "C:\WINDOWS\sload.exe"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AntiVirPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [SysSupport] SysEntry.exe
O4 - HKCU\..\Run: [InpriseMon] cmon14.exe
O4 - HKCU\..\Run: [atl_helper] bnui.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {510A645B-D7FC-454D-8FCE-8B3CE6409FD6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {510A645B-D7FC-454D-8FCE-8B3CE6409FD6} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117729510299
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66CBDBC5-8B2F-4005-9904-C334AF03C458}: NameServer = 69.50.176.198,195.225.176.153
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVirPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AntiVirPersonal\AVWUPSRV.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#7 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
You need to remove AntiVir or Norton. You do not want both on your system, because they will slow your system down and do not protect it any better. More than one anti-virus program is definitely not recommended.

Please do this for me:

Download and install CleanUp!
Set the program up as follows:
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

Please download Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.

Once the updates are installed do the following:
  • Reboot into Safe Mode. You can do this by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Now open Ewido Security Suite.
  • Click on scanner
  • Click Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido
Reboot into normal mode.

Then, please run this online virus scan:
ActiveScan

Save the results from ActiveScan.

I need you to post the log from Ewido, the log from ActiveScan and a new HijackThis log into this topic.

#8 Lola712 (Topic Starter, Member, 21 posts)
Thanks again for your help. The scans found a lot of infections!

Ewido results:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:30:57 PM, 7/6/2005
+ Report-Checksum: BA8443E4

+ Scan result:

HKU\S-1-5-21-1005918099-2721185907-3207641511-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{0656A137-B161-CADD-9777-E37A75727E78} -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-1005918099-2721185907-3207641511-1006\Software\WareOut -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-1005918099-2721185907-3207641511-1006\Software\WareOut\FirstRun -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-1005918099-2721185907-3207641511-1006\Software\WareOut\Options -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-1005918099-2721185907-3207641511-1006\Software\WareOut\Registration -> TrojanDownloader.Wareout : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP10\A0000720.exe -> Spyware.HelpExpress : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP17\A0003349.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP17\A0003351.dll -> TrojanDownloader.Dyfuca : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP17\A0003412.exe -> Worm.Prex.d : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP17\A0003413.exe -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP17\A0003448.exe -> Spyware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP17\A0003449.exe -> Spyware.HelpExpress : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP17\A0003450.exe -> TrojanDownloader.Dyfuca.dp : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP17\A0003451.exe -> TrojanDownloader.Dyfuca.de : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP17\A0003460.exe -> TrojanDownloader.Dyfuca : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP17\A0003461.exe -> TrojanDownloader.Dyfuca.dp : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP17\A0003462.exe -> TrojanDownloader.Dyfuca.de : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP17\A0003463.exe -> Worm.Prex.d : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP17\A0003467.exe -> TrojanDownloader.Wintool.f : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP25\A0005130.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP25\A0005135.exe -> Spyware.P2PNetworking : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP29\A0005345.dll -> TrojanDownloader.Dyfuca.dt : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP31\A0005415.exe -> TrojanDropper.Small.wv : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP32\A0005538.dll -> TrojanProxy.Small.bk : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP32\A0005546.exe -> Trojan.Agent.dv : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP32\A0006552.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP32\A0006561.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP32\A0006563.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP32\A0007563.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP32\A0007604.exe -> Backdoor.Rbot : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007608.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007620.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007629.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007633.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007634.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007642.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007646.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007650.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007654.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007660.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007663.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007671.dll -> Spyware.Visiter : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007672.exe -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007674.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007683.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007685.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007690.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007695.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007700.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007737.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007742.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007749.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007752.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007757.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007762.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP33\A0007767.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0008148.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0008176.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0008179.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0008184.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0008189.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0008190.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0008191.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0008194.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0008199.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0008204.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0008209.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0008214.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0008220.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0009215.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0010215.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0011214.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0011219.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0011224.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0011229.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0012224.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0013224.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0014224.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0015224.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP34\A0015269.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP35\A0015280.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP35\A0015285.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP35\A0015287.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP35\A0015293.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP35\A0015294.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP35\A0015299.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP37\A0015321.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP37\A0015341.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP53\A0015733.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP54\A0015797.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP54\A0015799.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP54\A0015807.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP56\A0015866.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP56\A0015867.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP56\A0015935.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP56\A0015946.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP56\A0015947.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP56\A0015955.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP6\A0000137.exe -> TrojanDropper.Small.ue : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP69\A0017957.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP69\A0018059.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP7\A0000426.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP7\A0000488.exe -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP70\A0018079.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP70\A0018099.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP70\A0018100.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP70\A0018101.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP70\A0018102.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP70\A0018108.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP70\A0018123.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP70\A0018129.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP70\A0018137.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP70\A0018142.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP70\A0018147.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP70\A0018173.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP70\A0018179.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP71\A0018188.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP71\A0018195.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP71\A0018202.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP71\A0018207.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP72\A0018221.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP72\A0018296.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP72\A0018301.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP72\A0018306.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP72\A0018311.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP72\A0018316.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP72\A0018321.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP72\A0018322.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP73\A0018346.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP73\A0018351.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP73\A0018356.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP74\A0018407.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP76\A0020522.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP76\A0020534.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP76\A0020540.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP77\A0020554.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP77\A0020555.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP77\A0020556.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP78\A0020562.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP78\A0022570.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP78\A0022580.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP78\A0022581.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP78\A0022597.exe -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP79\A0022621.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP79\A0022624.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP79\A0022645.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP79\A0022646.exe -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP80\A0022654.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP80\A0022655.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP80\A0022656.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP80\A0022657.exe -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP81\A0022676.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP81\A0022677.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP81\A0022678.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP81\A0022679.exe -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP81\A0022686.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP81\A0024705.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP81\A0024708.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP81\A0024713.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP81\A0024717.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP81\A0024721.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP81\A0024728.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP81\A0024729.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP81\A0024730.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP81\A0024731.exe -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP81\A0024900.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\System Volume Information\_restore{E79AE979-DA07-45B0-A865-BFCAD8292C86}\RP81\A0025034.exe -> Trojan.DNSChanger.q : Cleaned with backup
C:\WINDOWS\system32\drv2cltr.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\WINDOWS\system32\ntfsnlpa.exe -> Spyware.Msnagent : Cleaned with backup


::Report End


ActiveScan: The scan came up clean. No viruses found.


New HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:44:55 PM, on 7/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\AntiVirPersonal\AVGUARD.EXE
C:\Program Files\AntiVirPersonal\AVWUPSRV.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\AntiVirPersonal\AVGNT.EXE
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpa.dll/asst.htm
R3 - URLSearchHook: (no name) - {0EC1ECF5-1F3A-00B9-FAF6-E9F4809EF3AD} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Internet Explorer Hot Fix - {C95E5924-06C9-49F5-AB4B-5A5DE9DF8D86} - blank (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ToshibaHotKeys] c:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [sload] "C:\WINDOWS\sload.exe"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AntiVirPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [SysSupport] SysEntry.exe
O4 - HKCU\..\Run: [InpriseMon] cmon14.exe
O4 - HKCU\..\Run: [atl_helper] bnui.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {510A645B-D7FC-454D-8FCE-8B3CE6409FD6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {510A645B-D7FC-454D-8FCE-8B3CE6409FD6} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117729510299
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66CBDBC5-8B2F-4005-9904-C334AF03C458}: NameServer = 69.50.176.198,195.225.176.153
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVirPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AntiVirPersonal\AVWUPSRV.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#9
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
I will review your log and be back as soon as possible!
  • 0

#10
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
Set your system to SHOW HIDDEN FILES

Run HiJackThis. Place a check next to the following items and click FIX CHECKED:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpa.dll/asst.htm
R3 - URLSearchHook: (no name) - {0EC1ECF5-1F3A-00B9-FAF6-E9F4809EF3AD} - (no file)

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Internet Explorer Hot Fix - {C95E5924-06C9-49F5-AB4B-5A5DE9DF8D86} - blank (file missing)

O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)

O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [SysSupport] SysEntry.exe
O4 - HKCU\..\Run: [InpriseMon] cmon14.exe
O4 - HKCU\..\Run: [atl_helper] bnui.exe

O9 - Extra button: Microsoft AntiSpyware helper - {510A645B-D7FC-454D-8FCE-8B3CE6409FD6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {510A645B-D7FC-454D-8FCE-8B3CE6409FD6} - (no file) (HKCU)

O15 - Trusted Zone: *.sxload.com


Using Windows Explorer, delete the following files/folders, if found:

C:\Program Files\WareOut (whole folder)

Please let me know if you don't find any of these files, and which ones, including location. If you find them, delete them!
C:\Windows\SysEntry.exe
C:\Windows\System32\cmon14.exe
C:\Windows\cmon14.exe
C:\Windows\bnui.exe
C:\Windows\System32\bnui.exe

Please download the Microsoft Malware Removal Tool

Install it, then run it, delete all it finds, and let me know if it found anything!
  • 0
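The picks in the post above follow a few mechanical rules: CLSID entries marked "(no file)" or "(file missing)", Run entries that are only a bare file name, a search-assistant override, and a trusted-zone addition. As an added example, not part of this thread and not HijackThis or the helper's own tool, the Python script below applies those rules to lines copied from the log posted above; the allow-list, the rogue-name list and the O17 resolver check are assumptions made for this example.

```python
"""Triage of a HijackThis v1.99.1 log, reproducing the picks made in the thread.

Added example; not HijackThis code and not the helper's own tool. The sample
lines are copied from the log posted earlier in the thread; the allow-list,
the rogue-name list and the O17 check are assumptions for this example.
"""
import re
from dataclasses import dataclass

HJT_ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# A Run value that is only a file name (no directory) is resolved through the
# search path at logon; that is why the reply asks to look for SysEntry.exe,
# cmon14.exe and bnui.exe in both C:\Windows and C:\Windows\System32.
BARE_EXE = re.compile(r'^"?([\w\-]+\.exe)"?$', re.IGNORECASE)
# Bare-name Run entries the log's process list shows running from a known
# location (assumption: vendor software; not flagged in the thread).
KNOWN_BARE = {"agrsmmsg.exe"}
# Program names the thread identifies as unwanted (assumption: in practice
# this would be a maintained list of rogue security products).
ROGUE_NAMES = {"wareout"}


@dataclass(frozen=True)
class Finding:
    code: str
    reason: str
    line: str


def parse_entries(log_text):
    """Return (code, body, line) for each HijackThis entry; other lines are ignored."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if m:
            out.append((m.group(1), m.group(2), line))
    return out


def _run_command(body):
    """'HKCU\\..\\Run: [Name] cmd' -> ('Name', 'cmd')."""
    _, _, tail = body.partition(": ")
    m = re.match(r"^\[([^\]]*)\]\s*(.*)$", tail)
    return (m.group(1), m.group(2)) if m else ("", tail)


def triage(log_text):
    """Apply the thread's selection rules and return the entries to fix or review."""
    findings = []
    for code, body, line in parse_entries(log_text):
        if "(no file)" in body or "(file missing)" in body:
            # Orphaned CLSID registrations (BHO, toolbar, URLSearchHook,
            # Extra button): nothing loads, but the registry entry goes.
            findings.append(Finding(code, "orphaned entry, no file on disk", line))
        elif code == "O4":
            name, cmd = _run_command(body)
            m = BARE_EXE.match(cmd)
            if m and m.group(1).lower() not in KNOWN_BARE:
                findings.append(Finding(code, f"Run entry with bare executable {m.group(1)}", line))
            elif name.lower() in ROGUE_NAMES:
                findings.append(Finding(code, f"Run entry for unwanted program {name}", line))
        elif code == "R0" and "SearchAssistant" in body:
            # Any override of the search assistant is worth a look; the
            # thread's example points it at res://shdocpa.dll.
            findings.append(Finding(code, "search assistant override", line))
        elif code == "O15":
            findings.append(Finding(code, "site added to IE trusted zone", line))
        elif code == "O17" and "NameServer" in body:
            # The ewido report in this thread found Trojan.DNSChanger; a
            # hard-coded resolver should be checked against the ISP's (assumption).
            findings.append(Finding(code, "custom DNS resolver, verify against ISP", line))
    return findings


# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page =
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = res://shdocpa.dll/asst.htm
R3 - URLSearchHook: (no name) - {0EC1ECF5-1F3A-00B9-FAF6-E9F4809EF3AD} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: Internet Explorer Hot Fix - {C95E5924-06C9-49F5-AB4B-5A5DE9DF8D86} - blank (file missing)
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\\..\\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\\..\\Run: [WareOut] "C:\\Program Files\\WareOut\\WareOut.exe"
O4 - HKCU\\..\\Run: [SysSupport] SysEntry.exe
O4 - HKCU\\..\\Run: [InpriseMon] cmon14.exe
O4 - HKCU\\..\\Run: [atl_helper] bnui.exe
O4 - HKCU\\..\\Run: [Skype] "C:\\Program Files\\Skype\\Phone\\Skype.exe" /nosplash /minimized
O15 - Trusted Zone: *.sxload.com
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{66CBDBC5-8B2F-4005-9904-C334AF03C458}: NameServer = 69.50.176.198,195.225.176.153
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason:<42} {f.line}")
```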

#11
Lola712
    Member
  • Topic Starter
  • Member
  • 21 posts
I've fixed all the things on HijackThis.

I've also deleted the whole folder of WareOut.

I didn't find any of the other files you listed.

I installed the Malware Removal Tool and it came up clean.

Many thanks for your help! :tazz:

Is there anything else I should do?
  • 0

#12
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
Copy everything in the code box below and paste it into notepad. Go to "File > Save As..." then click the drop-down box to change the "Save As Type" to "All Files". Save it as fixwin.reg on your desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC]

Double-click fixwin.reg on your desktop and when it asks if you want to merge with the registry click YES.

Then open HiJackThis. Click on "Open Misc Tools Section", click "Open Uninstall Manager", and look down the list for "WareOut". If it's there, click to highlight it, then click "Delete This Entry". Then rescan with HiJackThis and post the new log for me :tazz:
  • 0

#13
Lola712
    Member
  • Topic Starter
  • Member
  • 21 posts
Didn't find WareOut in HiJackThis.

This is the new log: :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 10:26:48 AM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\AntiVirPersonal\AVGUARD.EXE
C:\Program Files\AntiVirPersonal\AVWUPSRV.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\AntiVirPersonal\AVGNT.EXE
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ToshibaHotKeys] c:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [sload] "C:\WINDOWS\sload.exe"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AntiVirPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117729510299
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66CBDBC5-8B2F-4005-9904-C334AF03C458}: NameServer = 69.50.176.198,195.225.176.153
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVirPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AntiVirPersonal\AVWUPSRV.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
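A small triage helper for logs in this format, added here as an example and not part of the thread or of HijackThis itself: it parses O4, O6, O17 and O20 lines (the sample lines are copied from the log above, plus one ordinary vendor autostart for contrast) and lists the entries a reviewer usually checks first, with the reason. The function name `triage` and the regexes are my own.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample, copied in shape from the HijackThis log in this thread:
# one ordinary vendor autostart plus the entries a reviewer looks at first.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [sload] "C:\WINDOWS\sload.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{66CBDBC5-8B2F-4005-9904-C334AF03C458}: NameServer = 69.50.176.198,195.225.176.153
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
"""

RE_ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
RE_PATH = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]+?\.(?:exe|dll))"?', re.I)
RE_NS = re.compile(r"NameServer = (?P<servers>[0-9.,]+)")
RE_NOTIFY = re.compile(r"Winlogon Notify: (?P<name>[^-]+) - (?P<dll>.+)$")

def triage(log_text: str) -> List[Dict[str, str]]:
    # Returns the entries that deserve a manual look, each with a reason.
    findings: List[Dict[str, str]] = []
    def flag(section: str, item: str, reason: str) -> None:
        findings.append({"section": section, "item": item, "reason": reason})
    for line in log_text.splitlines():
        m = RE_ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O4":  # autostart entries
            p = RE_PATH.search(body)
            parts = p.group("path").split("\\") if p else []
            # C:\WINDOWS\name.exe splits into exactly three parts; vendor
            # software normally lives under Program Files or System32.
            if len(parts) == 3 and parts[1].upper() == "WINDOWS":
                flag(section, p.group("path"), "autostart binary directly in the Windows directory; verify publisher and origin")
        elif section == "O6":  # IE policy restrictions
            flag(section, body, "policy restriction present; set by an administrator or by malware, check which options it locks")
        elif section == "O17":  # static DNS servers per adapter
            ns = RE_NS.search(body)
            for server in (ns.group("servers").split(",") if ns else []):
                addr = ipaddress.ip_address(server)
                if not (addr.is_private or addr.is_loopback):
                    flag(section, server, "static public DNS server; confirm it belongs to the ISP, otherwise lookups can be redirected")
        elif section == "O20":  # Winlogon Notify DLLs
            w = RE_NOTIFY.search(body)
            if w:
                flag(section, w.group("dll").strip(), "DLL loaded into winlogon.exe at logon; verify it is a known vendor file")
    return findings
```

Run it over the full log pasted above and compare the O17 servers with the DNS addresses your ISP actually assigns; anything else on the list is a question to ask, not a verdict.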

#14 Lola712 (Member, Topic Starter, 21 posts)
My AntiVir Guard is still detecting Trojan attacks (namely TR/Agent.DB), although the number of attacks has decreased significantly.

#15 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Is your firewall enabled? Go to Start > Run and type:

firewall.cpl

Click OK. Let me know if it's on or if any of the options are greyed out.

* Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.