Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:51 AM, on 7/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\IntouchAccelerator\PxUi.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.intouchmi.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [synTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [synTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [bJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [PxClient.exe] "C:\Program Files\IntouchAccelerator\PxUi.exe" /Automation
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153929869562
O20 - AppInit_DLLs: iqoknnqy.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 5467 bytes

COMBO FIX

ComboFix 08-07-07.3 - Janet 2008-07-08 10:43:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.144 [GMT -4:00]
Running from: C:\Documents and Settings\Janet\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMdb96b652.txt
C:\WINDOWS\system32\biulkjxt.ini
C:\WINDOWS\system32\cudvrggw.ini
C:\WINDOWS\system32\cuyepjvi.ini
C:\WINDOWS\system32\dredltgs.ini
C:\WINDOWS\system32\eaojtudr.ini
C:\WINDOWS\system32\fhihnrip.ini
C:\WINDOWS\system32\fwymdlrh.ini
C:\WINDOWS\system32\hywtttet.ini
C:\WINDOWS\system32\ijlbwbhf.ini
C:\WINDOWS\system32\iqoknnqy.dll
C:\WINDOWS\system32\ldnkuvab.ini
C:\WINDOWS\system32\mkipilno.ini
C:\WINDOWS\system32\pumhmhta.ini
C:\WINDOWS\system32\qfsuyxga.ini
C:\WINDOWS\system32\rbteedlw.ini
C:\WINDOWS\system32\trypergw.ini
C:\WINDOWS\system32\tvplfjfc.ini
C:\WINDOWS\system32\ugelpblr.ini
C:\WINDOWS\system32\ujwubbhe.dll
C:\WINDOWS\system32\umaebhjx.ini
C:\WINDOWS\system32\vxmlgebc.ini
C:\WINDOWS\system32\ymkurrjj.ini
C:\xcrashdump.dat
.

((((((((((((((((((((((((( Files Created from 2008-06-08 to 2008-07-08 )))))))))))))))))))))))))))))))
.

2008-07-03 12:16 . 2008-07-03 12:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-02 17:02 . 2008-07-02 17:02 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-07-02 14:41 . 2008-07-02 14:41 <DIR> d-------- C:\Program Files\CCleaner
2008-07-02 14:40 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-02 14:40 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-02 14:39 . 2008-07-02 14:39 2,568 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-07-02 12:55 . 2008-07-08 09:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-02 12:55 . 2008-07-02 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-25 14:40 . 2008-06-25 14:43 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-25 14:36 . 2008-04-14 02:53 404,990 --------- C:\WINDOWS\system32\drivers\slntamr.sys
2008-06-25 14:35 . 2006-12-29 03:31 19,569 --a------ C:\WINDOWS\002751_.tmp
2008-06-25 14:30 . 2008-06-25 14:30 <DIR> d-------- C:\WINDOWS\EHome
2008-06-25 12:17 . 2008-07-02 14:42 <DIR> d-------- C:\Program Files\Common Files\Command Software
2008-06-25 12:16 . 2008-07-08 10:46 <DIR> d-------- C:\Program Files\IntouchAccelerator
2008-06-24 14:51 . 2008-06-24 14:51 <DIR> d-------- C:\Documents and Settings\Janet\Application Data\Malwarebytes
2008-06-24 14:47 . 2008-06-24 16:14 <DIR> d-------- C:\Program Files\Unlocker
2008-06-24 12:57 . 2008-07-02 18:16 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-24 12:57 . 2008-07-03 11:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-24 10:13 . 2006-03-20 15:06 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-24 10:13 . 2006-03-20 15:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-06-24 10:13 . 2006-03-20 17:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2008-06-24 10:13 . 2008-07-02 14:35 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-24 10:07 . 2008-06-24 10:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-17 17:17 . 2008-06-24 10:04 110,390 --a------ C:\WINDOWS\BMdb96b652.xml
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-07-02 20:10 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-24 20:13 --------- d-----w C:\Program Files\Lavasoft
2008-06-24 18:40 --------- d-----w C:\Program Files\TOSHIBA
2008-06-24 18:37 --------- d-----w C:\Program Files\Toshiba Games
2008-06-24 15:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-14 12:41 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 12:41 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 12:41 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 12:41 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 12:41 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 12:41 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2007-09-10 22:46 514 ----a-w C:\Documents and Settings\Janet\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 12:18 307200]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 08:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 01:05 344064]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-03-06 18:03 356352]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-03-02 20:03 82012]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 20:02 761948]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 02:06 1077322]
"dla"="C:\WINDOWS\system32\dla\DLACTRLW.exe" [2005-10-06 09:20 122940]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 00:26 368706]
"PxClient.exe"="C:\Program Files\IntouchAccelerator\PxUi.exe" [2006-10-30 19:09 1912832]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-04 00:29 88204 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-06-01 01:00 282624 C:\WINDOWS\system32\TPSMain.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=iqoknnqy.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=C:\WINDOWS\pss\AT&T Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 08:42 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
--a------ 2006-10-31 18:06 204843 C:\Program Files\IncrediMail\bin\IncMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2005-03-17 21:37 151552 c:\TOSHIBA\IVP\ISM\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2005-04-26 20:13 122880 C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a------ 2004-12-30 04:32 65536 C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
--a------ 2006-02-02 15:11 73728 C:\Program Files\TOSHIBA\Tvs\TvsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 21:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2005-12-09 18:49 15691264 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TDispVol]
--a------ 2005-03-11 19:03 73728 C:\WINDOWS\system32\TDispVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Swupdtmr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"C:\\Program Files\\IntouchAccelerator\\PxClient.exe"=
.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-NDSTray.exe - NDSTray.exe
HKLM-Run-CFSServ.exe - CFSServ.exe
MSConfigStartUp-MCAgentExe - c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-MPFExe - C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MSKAGENTEXE - C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
MSConfigStartUp-MSKDetectorExe - C:\Program Files\McAfee\SpamKiller\MSKDetct.exe
MSConfigStartUp-OASClnt - C:\Program Files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-VirusScan Online - c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
MSConfigStartUp-TFncKy - TFncKy.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-08 10:46:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\IntouchAccelerator\Pxlsp.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-08 10:48:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-08 14:48:54

Pre-Run: 71,917,326,336 bytes free
Post-Run: 71,816,044,544 bytes free

192 --- E O F --- 2008-06-25 18:57:42

There you go... thanks for the quick response...