One crippled little laptop, possible problem SSQRO.DLL & Avenue Me


#1 deeplennon (New Member, 6 posts)

So I've got a bad case of malfunctioning laptop as of three days ago.

Symptoms are pop-up ads in new tabs in Firefox, which will cause Firefox to appear even when the browser is not running. Loss of the I.E. address bar (you can use the Open command to go to a page), including a wacky new toolbar that also installs another toolbar after a short time of use.

I've run several virus and spyware cleaners and have managed to remove some trojans and spyware, but two (maybe more) problems remain:

1) ssqro.dll (tried multiple ways to delete and kill it, including Killbox, VundoFix, on and on)
2) Avenue Media's (DyFuCA) Internet Optimizer software; no spyware removal program has yet been able to delete it, nor have I been able to manually remove it from my registry.

Also my Windows Firewall has been turned off and I can't turn it back on, as the option is now grayed out with the message "For your security, some settings are controlled by group policy" at the top. Very, very weird and troubling.

Here's the log... The first R1 entry always comes back after removal, and looks like some obvious viciousness.

Thanks if you can help.

Logfile of HijackThis v1.99.1
Scan saved at 3:39:33 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Pongo\Desktop\spyware [bleep]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.jlmcusxzv...iu/qeiYtNU.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\ssqro.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Remote Safe] C:\DOCUME~1\Pongo\APPLIC~1\GLUEFL~1\eq 32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131829831250
O20 - Winlogon Notify: ssqro - C:\WINDOWS\system32\ssqro.dll
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\i2nmlc511f.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

Edited by deeplennon, 13 November 2005 - 12:54 AM.

#2 Danny (Visiting Staff, 684 posts)

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):

    • C:\WINDOWS\system32\ssqro.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):

    • C:\WINDOWS\system32\orqss.*
  • Press Enter to continue with the fix.
  • The fix will run, then HijackThis will open; if it does not open automatically, please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.jlmcusxzv...iu/qeiYtNU.html
    O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\ssqro.dll
    O4 - HKCU\..\Run: [Remote Safe] C:\DOCUME~1\Pongo\APPLIC~1\GLUEFL~1\eq 32.exe
    O20 - Winlogon Notify: ssqro - C:\WINDOWS\system32\ssqro.dll


  • After you have fixed these items, close HijackThis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Danny :tazz:
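As an added example (not part of this thread and not HijackThis's own code), the Python script below parses HijackThis lines of the kind posted above and flags the patterns behind Danny's fix list: a DLL registered both as an O2 BHO and as an O20 Winlogon Notify package (the ssqro.dll case), machine-generated-looking DLL names in those two slots, a Run entry launching from Application Data, and an R1 search override to an unlisted host. The sample log is a constructed subset of the first log in this thread, and the search-host allowlist is illustrative only.

```python
"""HijackThis log triage (added example; not from the thread or HijackThis).

Parses R1 / O2 / O4 / O20 lines and applies defender-side heuristics that
match what the logs in this thread show. Findings are advisory and need a
human review before anything is removed."""
import re
from collections import defaultdict

# Constructed sample: a subset of the first HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.jlmcusxzv...iu/qeiYtNU.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\ssqro.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Remote Safe] C:\DOCUME~1\Pongo\APPLIC~1\GLUEFL~1\eq 32.exe
O20 - Winlogon Notify: ssqro - C:\WINDOWS\system32\ssqro.dll
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\i2nmlc511f.dll
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
APPDATA_RE = re.compile(r"\\(APPLIC~1|Application Data)\\", re.IGNORECASE)
# Constructed, illustrative allowlist of search hosts; extend for your site.
SEARCH_ALLOW = {"www.google.com", "search.msn.com", "www.yahoo.com"}


def parse_line(line):
    """Return {'section', 'name', 'path', 'raw'} for one log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = {"section": section, "raw": line.strip(), "name": None, "path": None}
    if section == "O4":
        mo = O4_RE.match(body)  # Run-key form only; Global Startup lines are skipped
        if mo:
            entry["name"], entry["path"] = mo.group("name"), mo.group("cmd")
    elif section.startswith("R"):
        entry["name"], _, entry["path"] = body.partition(" = ")  # registry value = data
    else:
        fields = body.split(" - ")  # last ' - ' field is the file or URL
        entry["name"], entry["path"] = fields[0], fields[-1].strip()
    return entry


def basename(path):
    """File name of a Windows command line or path, ignoring quotes/arguments."""
    path = path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    return re.split(r"[\\/]", path)[-1].lower()


def looks_random(filename):
    """Heuristic for generated names like i2nmlc511f.dll: several letters,
    several digits, and frequent letter/digit alternation in the stem."""
    stem = filename.rsplit(".", 1)[0]
    letters = sum(c.isalpha() for c in stem)
    digits = sum(c.isdigit() for c in stem)
    flips = sum(a.isdigit() != b.isdigit() for a, b in zip(stem, stem[1:]))
    return letters >= 3 and digits >= 2 and flips >= 4


def triage(log_text):
    """Return a list of (file_or_host, reason, raw_line) findings."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e and e["path"]]
    sections_by_file = defaultdict(set)
    for e in entries:  # first pass: which DLLs appear in which hook slots
        if e["section"] in ("O2", "O20"):
            sections_by_file[basename(e["path"])].add(e["section"])
    findings = []
    for e in entries:
        sec, fname = e["section"], basename(e["path"])
        if sec in ("O2", "O20"):
            if {"O2", "O20"} <= sections_by_file[fname]:
                findings.append((fname, "BHO also loads as Winlogon Notify package", e["raw"]))
            if looks_random(fname):
                findings.append((fname, "machine-generated looking DLL name", e["raw"]))
        elif sec == "O4" and APPDATA_RE.search(e["path"]):
            findings.append((fname, "Run entry launches from Application Data", e["raw"]))
        elif sec == "R1" and ",Search" in e["name"]:
            host = re.match(r"https?://([^/]+)", e["path"])
            if host and host.group(1).lower() not in SEARCH_ALLOW:
                findings.append((host.group(1), "search override to unlisted host", e["raw"]))
    return findings


if __name__ == "__main__":
    for item, reason, raw in triage(SAMPLE_LOG):
        print(f"{reason:42s} {item}\n    {raw}")
```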

#3 deeplennon (Topic Starter, New Member, 6 posts)

Thanks for helping me. Hopefully with your help I can get this little beast working properly again. I'm writing to you from an uninfected PC with the Laptop beside me.

I perused this forum and other forums for the two days before I posted and have used all the programs you've mentioned (in safe mode), but I'll try for the ol' "5th time is a charm" trick and see what we come up with. Maybe the logs will reveal the problem.

ActiveScan would not load past the "Select a device to scan..." page on either the laptop or this completely separate PC, in Firefox or IE. It seems to either be down or buggy.

Here is the VundoFix log file. Obviously, it couldn't delete ssqro.dll; following the advice of other threads I have tried to stop it from running in all the processes that it's active in, with Killbox and another program that I can't remember. I had the same results after doing that.

VundoFix V2.15 by Atri

--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\ssqro.dll

The second filepath entered was C:\WINDOWS\system32\orqss.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 156 'smss.exe'
Error 0x6 : The handle is invalid.


Killing PID 848 'explorer.exe'
Killing PID 848 'explorer.exe'

Killing PID 712 'rundll32.exe'
Killing PID 712 'rundll32.exe'

Killing PID 228 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete C:\WINDOWS\system32\ssqro.dll.
C:\WINDOWS\system32\orqss.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

Here is the latest HijackThis log. It is probably worthwhile to note that neither O4 - HKCU\..\Run: [Remote Safe] C:\DOCUME~1\Pongo\APPLIC~1\GLUEFL~1\eq 32.exe nor R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.jlmcusxzv...iu/qeiYtNU.html showed up in the HijackThis scan that was run after using VundoFix. The only entries that you requested me to fix that showed up at that time were the two relating to ssqro.dll. I noticed on one thread that the only way someone fixed this ssqro problem was to change the permissions on the .dll so that nothing could access it, effectively a quarantine. I stumbled upon the expanded permissions for the file once but can't seem to get to them again. If you could help me do this I'd be appreciative. I understand that this would not be a complete fix, but based on similar threads I've read, my situation may not be completely fixable.

Logfile of HijackThis v1.99.1
Scan saved at 1:06:26 PM, on 11/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Pongo\Desktop\spyware [bleep]\HijackThis.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.jlmcusxzv...iu/qeiYtNU.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\ssqro.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Remote Safe] C:\DOCUME~1\Pongo\APPLIC~1\GLUEFL~1\eq 32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131829831250
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\enp8l17u1.dll
O20 - Winlogon Notify: ssqro - C:\WINDOWS\system32\ssqro.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

I await your next instruction, thanks. It is also probably worthwhile to note that I still can't turn on my firewall; the option is still grayed out with the warning at the top of the page saying "For your security, some settings are controlled by Group Policy."

Edited by deeplennon, 16 November 2005 - 03:16 PM.


#4 Danny (Visiting Staff, 684 posts)

Hi,

Please retry VundoFix in an Administrator account.

Post back with a new log.

Danny :tazz:

#5 deeplennon (Topic Starter, New Member, 6 posts)

I was logged on as 'Administrator'.

I await your reply.

#6 Danny (Visiting Staff, 684 posts)

Hi,

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\ssqro.dll

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" when it asks you to reboot. Reboot into Normal Mode.

8) Download Findlop by Metallica. Unzip it to your desktop.

Double click findlop.bat. It will open a notepad file.

Copy the content of that file and paste it here in your reply.

Thanks,

Danny :tazz:

#7 deeplennon (Topic Starter, New Member, 6 posts)

When I clicked the execute button in Killbox with 'Delete on Reboot' checked it did nothing. No program response at all.

I then did the 'standard file kill' option and it was actually able to delete the file (which is surprising, because I have tried this in the past). Possibly because I changed all the permissions on the file earlier, messing around on my own?

I then removed the two ssqro.dll related lines in HijackThis.

All the same pop-ups are still occurring in Firefox, so I assume that there is still some spyware messing things up, though it appears the ssqro.dll Vundo trojan is now gone. Upon running SpyBot, entries for "DyFuCA.InternetOptimizer" & "ISearchTech.SideFind" come up (both related to Avenue Media). Neither could be fixed by the program.

I was able to use Killbox to delete "eq 32.exe" and a few other nasty-looking exe files in its directory. After clearing these out the two weird toolbars no longer appeared in IE and as far as I can tell IE is now completely normal.

Here is a fresh HijackThis log. I still can't turn on the Firewall.

Logfile of HijackThis v1.99.1
Scan saved at 12:25:31 AM, on 11/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Pongo\Desktop\spyware [bleep]\HijackThis.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131829831250
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\g6lm0g31e6.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

Edited by deeplennon, 17 November 2005 - 11:35 AM.


#8 Danny (Visiting Staff, 684 posts)

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply, as well as a new HijackThis log.
Danny :tazz:

#9 deeplennon (Topic Starter, New Member, 6 posts)

Firefox pop-ups have now stopped. I still can't turn on the firewall, though I assume that would be a Windows XP SP2 issue. SpySweeper is pretty awesome; is it the best one out there to buy?


Spysweeper Log:

********
11:01 AM: | Start of Session, Thursday, November 17, 2005 |
11:01 AM: Spy Sweeper started
11:01 AM: Sweep initiated using definitions version 573
11:01 AM: Starting Memory Sweep
11:02 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:02 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:02 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:02 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:02 AM: Found Adware: icannnews
11:02 AM: Detected running threat: C:\WINDOWS\system32\ir0ml5d11.dll (ID = 83)
11:03 AM: Detected running threat: C:\WINDOWS\system32\weadmoe.dll (ID = 83)
11:03 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:03 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:03 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:03 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:04 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:04 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:04 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:04 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:04 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:04 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:04 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:04 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:05 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:05 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:05 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:05 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:05 AM: Detected running threat: C:\WINDOWS\system32\guard.tmp (ID = 83)
11:05 AM: Memory Sweep Complete, Elapsed Time: 00:03:34
11:05 AM: Starting Registry Sweep
11:05 AM: Found Adware: effective-i toolbar
11:05 AM: HKLM\software\effective-i\ (22 subtraces) (ID = 125658)
11:05 AM: Found Adware: internetoptimizer
11:05 AM: HKLM\software\avenue media\ (27 subtraces) (ID = 128888)
11:05 AM: Found Adware: maxifiles
11:05 AM: HKLM\software\classes\xbtb07618.xbtb07618.1\ (3 subtraces) (ID = 134854)
11:05 AM: HKLM\software\classes\xbtb07618.xbtb07618\ (5 subtraces) (ID = 134855)
11:05 AM: HKLM\software\microsoft\windows\currentversion\uninstall\xbtb07618.xbtb07618toolbar\ (2 subtraces) (ID = 134857)
11:05 AM: HKCR\xbtb07618.xbtb07618.1\ (3 subtraces) (ID = 134867)
11:05 AM: HKCR\xbtb07618.xbtb07618\ (5 subtraces) (ID = 134868)
11:05 AM: Found Adware: mirar webband
11:05 AM: HKCR\clsid\{9a9c9b69-f908-4aab-8d0c-10ea8997f37e}\ (6 subtraces) (ID = 135066)
11:05 AM: HKLM\software\classes\clsid\{9a9c9b69-f908-4aab-8d0c-10ea8997f37e}\ (6 subtraces) (ID = 135079)
11:05 AM: Found Adware: elitemediagroup-mediamotor
11:05 AM: HKCR\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\ (23 subtraces) (ID = 140032)
11:05 AM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\inprocserver32\ (2 subtraces) (ID = 140081)
11:05 AM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\miscstatus\ (3 subtraces) (ID = 140082)
11:05 AM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\progid\ (1 subtraces) (ID = 140083)
11:05 AM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\toolboxbitmap32\ (1 subtraces) (ID = 140084)
11:05 AM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\typelib\ (1 subtraces) (ID = 140085)
11:05 AM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\version\ (1 subtraces) (ID = 140086)
11:05 AM: HKLM\software\avenue media\internet optimizer\ (26 subtraces) (ID = 394594)
11:05 AM: Found Trojan Horse: trojan downloader popuppers
11:05 AM: HKCR\clsid\{62fba4e7-bd9e-4d8d-8fbb-3c32999cb7fc}\ (23 subtraces) (ID = 960709)
11:05 AM: HKCR\clsid\{a03323d3-f649-4f16-a6e4-4fc53f917a83}\ (10 subtraces) (ID = 960733)
11:05 AM: HKCR\typelib\{1942bebe-dce5-4148-868e-1250a2218b4c}\ (9 subtraces) (ID = 960748)
11:05 AM: HKLM\software\classes\clsid\{62fba4e7-bd9e-4d8d-8fbb-3c32999cb7fc}\ (23 subtraces) (ID = 960771)
11:05 AM: HKLM\software\classes\clsid\{a03323d3-f649-4f16-a6e4-4fc53f917a83}\ (10 subtraces) (ID = 960795)
11:05 AM: HKLM\software\classes\typelib\{1942bebe-dce5-4148-868e-1250a2218b4c}\ (9 subtraces) (ID = 960810)
11:05 AM: Found Adware: lopdotcom
11:05 AM: HKU\S-1-5-21-2169178071-3036124262-2297696099-1006\software\microsoft\internet explorer\new windows\allow\ || lop.com (ID = 130287)
11:05 AM: HKU\S-1-5-21-2169178071-3036124262-2297696099-1006\software\microsoft\internet explorer\new windows\allow\ || searchweb2.com (ID = 130288)
11:05 AM: HKU\S-1-5-21-2169178071-3036124262-2297696099-1006\software\microsoft\internet explorer\new windows\allow\ || www.lop.com (ID = 130289)
11:05 AM: HKU\S-1-5-21-2169178071-3036124262-2297696099-1006\software\microsoft\internet explorer\new windows\allow\ || www.searchweb2.com (ID = 130290)
11:06 AM: HKU\S-1-5-18\software\director\ || baseurl (ID = 980277)
11:06 AM: Registry Sweep Complete, Elapsed Time:00:00:59
11:06 AM: Starting Cookie Sweep
11:06 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:06 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:06 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:06 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:06 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:06 AM: Starting File Sweep
11:06 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:06 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:06 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:06 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:06 AM: c:\documents and settings\localservice\start menu\programs\ucmore - the search accelerator (3 subtraces) (ID = -2147481062)
11:06 AM: Found Trojan Horse: trojan downloader matcash
11:06 AM: c:\program files\common files\inetget (1 subtraces) (ID = -2147477182)
11:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:07 AM: unstall.exe (ID = 133210)
11:07 AM: Found Adware: look2me
11:07 AM: akisynth_c.dll (ID = 163672)
11:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:08 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:08 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:08 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:08 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:08 AM: Found Adware: targetsaver
11:08 AM: vocabulary (ID = 78283)
11:08 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:08 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:08 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:08 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:09 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:09 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:09 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:09 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:09 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:09 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:09 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:09 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:10 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:10 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:10 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:10 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:10 AM: class-barrel (ID = 78229)
11:10 AM: anti gram.exe (ID = 122)
11:10 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:10 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:10 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:10 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:10 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:10 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:10 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:10 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:11 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:11 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:11 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:11 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:11 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:11 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:11 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:11 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:12 AM: close axis.exe (ID = 122)
11:12 AM: icont.exe (ID = 65739)
11:12 AM: iemonitor.ocx (ID = 186211)
11:12 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:12 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:12 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:12 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:12 AM: autoit3.exe (ID = 185254)
11:12 AM: Found Adware: command
11:12 AM: mte3ndi6odoxng.exe (ID = 185985)
11:12 AM: Found Adware: apropos
11:12 AM: contextplus.exe (ID = 185940)
11:12 AM: mc-110-12-0000169.exe.tcf (ID = 184140)
11:12 AM: rule sign.exe (ID = 122)
11:12 AM: mc-110-12-0000169.exe.tcf (ID = 190798)
11:12 AM: mc-110-12-0000169.exe.tcf (ID = 190798)
11:12 AM: installer.exe (ID = 168558)
11:12 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:12 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:12 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:12 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:12 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:12 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:12 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:12 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:13 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:13 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:13 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:13 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:14 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:14 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:14 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:14 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:14 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:14 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:14 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:14 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:14 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:14 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:14 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:14 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:15 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:15 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:15 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:15 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:15 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:15 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:15 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:15 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:15 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:15 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:15 AM: ucmore tour.lnk (ID = 59855)
11:15 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:15 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:15 AM: how to uninstall.lnk (ID = 59838)
11:16 AM: File Sweep Complete, Elapsed Time: 00:09:52
11:16 AM: Full Sweep has completed. Elapsed time 00:14:37
11:16 AM: Traces Found: 276
11:16 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:16 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:16 AM: Removal process initiated
11:16 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:16 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:16 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:16 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:17 AM: Quarantining All Traces: icannnews
11:17 AM: icannnews is in use. It will be removed on reboot.
11:17 AM: C:\WINDOWS\system32\ir0ml5d11.dll is in use. It will be removed on reboot.
11:17 AM: C:\WINDOWS\system32\weadmoe.dll is in use. It will be removed on reboot.
11:17 AM: C:\WINDOWS\system32\guard.tmp is in use. It will be removed on reboot.
11:17 AM: Quarantining All Traces: look2me
11:17 AM: Quarantining All Traces: lopdotcom
11:17 AM: Quarantining All Traces: trojan downloader matcash
11:17 AM: Quarantining All Traces: apropos
11:17 AM: Quarantining All Traces: internetoptimizer
11:17 AM: Quarantining All Traces: maxifiles
11:17 AM: maxifiles is in use. It will be removed on reboot.
11:17 AM: mc-110-12-0000169.exe.tcf is in use. It will be removed on reboot.
11:17 AM: Quarantining All Traces: trojan downloader popuppers
11:17 AM: Quarantining All Traces: command
11:17 AM: Quarantining All Traces: effective-i toolbar
11:17 AM: Quarantining All Traces: elitemediagroup-mediamotor
11:18 AM: Quarantining All Traces: mirar webband
11:18 AM: Quarantining All Traces: targetsaver
11:20 AM: Preparing to restart your computer. Please wait...
11:20 AM: Removal process completed. Elapsed time 00:04:10
********
10:59 AM: | Start of Session, Thursday, November 17, 2005 |
10:59 AM: Spy Sweeper started
10:59 AM: Your spyware definitions have been updated.
11:01 AM: | End of Session, Thursday, November 17, 2005 |


Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:28:03 AM, on 11/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Pongo\Desktop\spyware [bleep]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131829831250
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

Edited by deeplennon, 17 November 2005 - 01:32 PM.

  • 0
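The two HijackThis logs in this thread differ in exactly the way a successful cleanup should: the O20 Winlogon Notify entry for the random-looking g6lm0g31e6.dll in the earlier log is gone, and Spy Sweeper's own WRNotifier hook takes its place, while the Spy Sweeper session log lists which families were found and which files had to wait for a reboot. The script below is an added example, not a tool from the thread or from Webroot. It diffs the R/O entries of two HijackThis logs, flags Winlogon Notify DLLs whose names mix letters with several digits (a review heuristic assumed here, not a vendor rule), and collapses a Spy Sweeper session log into families found, running threats, hosts blocked by the communication shield, and items deferred to reboot. The embedded log lines are copied from the logs posted above so it runs offline.

```python
"""Summarize HijackThis and Spy Sweeper logs like the ones posted in this thread.

Added example, not a tool from the thread or from Webroot. The embedded log
lines are copied from the logs posted above so the script runs offline.
"""
import re
from collections import Counter

# Tail of the HijackThis log posted before the Spy Sweeper run (post #7).
HJT_BEFORE = r"""
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131829831250
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\g6lm0g31e6.dll
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
"""

# The same region of the log posted after the Spy Sweeper run (post #9).
HJT_AFTER = r"""
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131829831250
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
"""

# Excerpt of the Spy Sweeper session log from post #9.
SPYSWEEPER_LOG = r"""
11:02 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:02 AM: Found Adware: icannnews
11:02 AM: Detected running threat: C:\WINDOWS\system32\ir0ml5d11.dll (ID = 83)
11:05 AM: Found Adware: effective-i toolbar
11:05 AM: Found Adware: internetoptimizer
11:05 AM: Found Trojan Horse: trojan downloader popuppers
11:06 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:07 AM: Found Adware: look2me
11:17 AM: C:\WINDOWS\system32\ir0ml5d11.dll is in use. It will be removed on reboot.
"""

HJT_ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
O20_BODY = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$", re.IGNORECASE)
FOUND = re.compile(r"Found (?:Adware|Trojan Horse): (?P<name>.+)$")
RUNNING = re.compile(r"Detected running threat: (?P<path>.+?) \(ID = \d+\)$")
BLOCKED = re.compile(r"blocked access to: (?P<host>\S+)$")
REBOOT = re.compile(r"^(?P<item>.+?) is in use\. It will be removed on reboot\.$")


def parse_hjt(text):
    """Return the set of (section, body) pairs for the R*/O* lines of a HijackThis log."""
    entries = set()
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.add((m.group("section"), m.group("body")))
    return entries


def hjt_diff(before, after):
    """Entries that vanished and entries that appeared between two HijackThis logs."""
    old, new = parse_hjt(before), parse_hjt(after)
    return sorted(old - new), sorted(new - old)


def suspicious_winlogon_notify(text):
    """Flag O20 Winlogon Notify DLLs whose file name mixes letters with 2+ digits.

    Heuristic assumed by this example (not a Spy Sweeper rule): the Look2Me
    family on this laptop used names like g6lm0g31e6.dll, so such names are
    listed for manual review; a hook like WRLogonNTF.dll is not flagged.
    """
    flagged = []
    for section, body in sorted(parse_hjt(text)):
        m = O20_BODY.match(body) if section == "O20" else None
        if not m:
            continue
        stem = m.group("path").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if sum(c.isdigit() for c in stem) >= 2 and any(c.isalpha() for c in stem):
            flagged.append(m.group("path"))
    return flagged


def summarize_spysweeper(text):
    """Collapse a Spy Sweeper session log into families found, running threats,
    hosts blocked by the communication shield, and items deferred to reboot."""
    summary = {"families": [], "running": [], "blocked": Counter(), "pending_reboot": []}
    for line in text.splitlines():
        _, _, msg = line.strip().partition(": ")  # drop the "HH:MM AM: " prefix
        if m := FOUND.search(msg):
            summary["families"].append(m.group("name"))
        elif m := RUNNING.search(msg):
            summary["running"].append(m.group("path"))
        elif m := BLOCKED.search(msg):
            summary["blocked"][m.group("host")] += 1
        elif m := REBOOT.match(msg):
            summary["pending_reboot"].append(m.group("item"))
    return summary


if __name__ == "__main__":
    removed, added = hjt_diff(HJT_BEFORE, HJT_AFTER)
    print("gone since last log:", removed)
    print("new since last log:", added)
    print("O20 DLLs to review:", suspicious_winlogon_notify(HJT_BEFORE))
    print("Spy Sweeper summary:", summarize_spysweeper(SPYSWEEPER_LOG))
```

Running it against the two excerpts reports the OptimalLayout entry as gone, the WRNotifier hook and the Webroot service as new, and g6lm0g31e6.dll as the only O20 DLL worth a second look; the session summary shows that ir0ml5d11.dll was both detected in memory and deferred to reboot, which is why a fresh HijackThis log after the restart is the right confirmation step.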

#10
Danny
    Visiting Staff
  • Member
  • 684 posts
Which firewall are you using?

Also, Spysweeper is a really good program. And it is a great buy. Used with an antivirus, a firewall, and the tools that I recommend, it will keep you /almost/ immune from all threats. (When I say almost, some new things can come through, but this is a great line of defense.)

-----------------------

Hi,

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:

and a good antivirus (these are also free for personal use):

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date, visit monthly. And to keep your system clean, run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

Danny :tazz:
  • 0

#11
deeplennon
    New Member
  • Topic Starter
  • Member
  • 6 posts
The generic Windows XP firewall. Strangely, the System Restore tab does not appear under the properties for My Computer on my laptop, though it does on the computer I'm writing to you from now.

Thank you for the links. I installed ZoneAlarm and one of the virus programs; hopefully everything will be smooth in the future.

Thanks for the help, I'd say this case is closed.
  • 0

#12
coachwife6
    SuperStar
  • Retired Staff
  • 11,413 posts
Hi dp. I am going to help Danny out some. Are you still having problems? If so, please post a new log and the problems you're experiencing and I'll take a look. :tazz:
  • 0
