Gala - Search problem

[Mike999]

Hello.

My son downloaded the Windows Defender trojan, which we got rid of using Malwarebytes. However, since then, the malware has hijacked our Google search redirecting us to the fake "Gala Search". Attempting to connect to Googlemail (Gmail) brings up a warning that the security certificate for the site is not valid. Malwarebytes reports no problems.

Below are the Malwarebytes and Hijack This logs. Any help in getting rid of this greatly appreciated.

Thanks

Malwarebytes' Anti-Malware 1.41

Database version: 2889

Windows 5.1.2600 Service Pack 3

02/10/2009 09:01:39

mbam-log-2009-10-02 (09-01-39).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 329958

Time elapsed: 1 hour(s), 27 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:42:16, on 02/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe

C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

C:\Program Files\Sophos\Remote Management System\RouterNT.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ThpSrv.exe

C:\WINDOWS\SkyTel.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\00THotkey.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\thpsrv.exe

C:\WINDOWS\system32\TFNF5.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

C:\WINDOWS\system32\igfxext.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Sophos\AutoUpdate\ALMon.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\Aware.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\Marker.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\TEMP\sophos_autoupdate1.dir\alupdate.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.shareware-en.com/en/index.php?rvs=hompag

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.shareware-en.com/en/index.php?rvs=hompag

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shareware-en.com/en/index.php?rvs=hompag

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.embc.org.uk:80

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies\Notebook Software\NotebookPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe

O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http:\\www.heymann.notts.sch.uk

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/MessengerGam...S.cab109791.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGam...1/GAME_UNO1.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1234350086029

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = heymann.com

O17 - HKLM\Software\..\Telephony: DomainName = heymann.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = heymann.com

O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe

O23 - Service: SMART Board Service - SMART Technologies - C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe

O23 - Service: SMART SNMP Agent Service - SMART Technologies Inc. - C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe

O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies\SMART Board Drivers\WebServer.exe

O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe

O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe

--

End of file - 11131 bytes

[screen317]

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

• When the tool is finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
  

After that, download this Registry Search by Bobbi Flekman, save it, and extract regsearch.exe to the Desktop. You will use it in a moment.

Doubleclick regsearch.exe to start it. In the top window, enter gala as the search string on the first line. Make sure all the option boxes are checked, and click "Ok". Notepad will be opened with text in it (the file will be saved to the Desktop as well as RegSearch.txt). Post this text in your next reply.

-screen317

[Mike999]

Thanks so much for your help.

Here is the ComboFix log:

ComboFix 09-10-01.05 - sawford 04/10/2009 12:45.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.199 [GMT 1:00]

Running from: E:\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\ebling\Application Data\Microsoft\Internet Explorer\Quick Launch\Panda Titanium Antivirus 2004.lnk

c:\windows\system32\Ijl11.dll

.

((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))

.

2009-10-02 15:45 . 2009-10-02 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2009-10-02 15:45 . 2009-10-02 15:45 -------- d-----w- c:\documents and settings\sawford\Application Data\Office Genuine Advantage

2009-10-02 15:38 . 2009-10-02 15:38 -------- d-----w- c:\program files\Trend Micro

2009-10-02 08:22 . 2009-07-28 15:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-10-02 08:22 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-10-02 08:22 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-10-02 08:22 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-10-02 08:22 . 2009-10-02 08:22 -------- d-----w- c:\program files\Avira

2009-10-02 08:22 . 2009-10-02 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-10-02 08:08 . 2009-10-02 08:08 0 ----a-w- c:\windows\nsreg.dat

2009-10-02 08:08 . 2009-10-02 08:08 -------- d-----w- c:\documents and settings\sawford\Local Settings\Application Data\Mozilla

2009-09-30 16:49 . 2009-09-30 16:49 -------- d-----w- c:\documents and settings\sawford\Application Data\Malwarebytes

2009-09-30 16:49 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-30 16:49 . 2009-09-30 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-30 16:48 . 2009-09-30 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-30 16:48 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-30 16:08 . 2009-09-30 19:04 -------- d-sh--w- c:\documents and settings\All Users\Application Data\04b9d6b

2009-09-09 14:57 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-09-06 18:31 . 2004-08-04 12:00 57398 -c--a-w- c:\windows\system32\dllcache\imjpdadm.exe

2009-09-06 18:31 . 2004-08-04 12:00 45109 -c--a-w- c:\windows\system32\dllcache\imjpuex.exe

2009-09-06 18:31 . 2004-08-04 12:00 6656 -c--a-w- c:\windows\system32\dllcache\c_is2022.dll

2009-09-06 18:31 . 2004-08-04 12:00 6656 ----a-w- c:\windows\system32\c_is2022.dll

2009-09-05 13:29 . 2009-09-05 13:29 -------- d--h--w- c:\windows\PIF

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-10 16:56 . 2009-07-06 18:28 -------- d-----w- c:\documents and settings\sawford\Application Data\Spotify

2009-09-09 14:56 . 2008-06-03 14:43 46072 ----a-w- c:\documents and settings\sawford\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-05 16:24 . 2009-08-02 14:36 -------- d-----w- c:\program files\Celtx

2009-08-05 09:01 . 2006-06-06 09:54 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-03 14:07 . 2009-08-03 14:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll

2009-08-03 14:07 . 2009-08-03 14:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll

2009-08-03 14:07 . 2009-08-03 14:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe

2009-07-17 19:01 . 2006-06-06 09:54 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 09:08 . 2006-06-06 09:55 286720 ----a-w- c:\windows\system32\wmpdxm.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-22 68856]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ThpSrv"="thpsrv" [X]

"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-05-18 253952]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]

"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-08-31 102400]

"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-20 278528]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-06 155648]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-20 198160]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-04-24 1448960]

"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 24576]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2006-03-04 88204]

"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2006-04-11 622592]

"TOSDCR"="TOSDCR.EXE" - c:\windows\system32\TOSDCR.exe [2005-12-12 57344]

"NDSTray.exe"="NDSTray.exe" [bU]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-09 16207360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-1 245760]

SMART Board Tools.lnk - c:\program files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe [2008-4-3 7197992]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]

@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [27/12/2004 23:31 16384]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [06/06/2006 14:27 6144]

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [15/06/2007 11:19 110848]

R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [15/06/2007 11:25 38528]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [02/10/2009 09:22 108289]

R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [28/05/2009 22:21 80936]

R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [01/10/2008 13:56 98304]

S2 Ca536av;Icatch(VII) Video Camera Device;c:\windows\system32\drivers\Ca536av.sys [22/01/2008 09:20 514859]

S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [06/06/2006 14:49 35968]

S3 SMART SNMP Agent Service;SMART SNMP Agent Service;c:\program files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe [03/04/2008 03:14 1008936]

S3 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies\SMART Board Drivers\WebServer.exe [03/04/2008 03:14 1209640]

S3 USBCamera;Icatch(VII) Still Camera Device;c:\windows\system32\drivers\Bulk536.sys [22/01/2008 09:20 11048]

S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [01/10/2008 13:57 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

.

------- Supplementary Scan -------

.

mStart Page = hxxp://www.shareware-en.com/en/index.php?rvs=hompag

uInternet Settings,ProxyServer = proxy.embc.org.uk:80

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\sawford\Application Data\Mozilla\Firefox\Profiles\aoyb820p.default\

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-04 13:00

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]

"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3420)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Toshiba\ConfigFree\CFSvcs.exe

c:\program files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe

c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe

c:\program files\Sophos\AutoUpdate\ALsvc.exe

c:\program files\Sophos\Remote Management System\RouterNT.exe

c:\windows\system32\ThpSrv.exe

c:\windows\system32\ThpSrv.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Apoint2K\ApntEx.exe

c:\program files\Toshiba\ConfigFree\NDSTray.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\SMART Technologies\SMART Board Drivers\Aware.exe

c:\program files\SMART Technologies\SMART Board Drivers\Marker.exe

c:\windows\temp\sophos_autoupdate1.dir\ALUpdate.exe

.

**************************************************************************

.

Completion time: 2009-10-04 13:06 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-04 12:06

Pre-Run: 34,058,686,464 bytes free

Post-Run: 34,390,077,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /forceresetreg

184 --- E O F --- 2009-10-02 14:49

The Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:09:00, on 04/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe

C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

C:\Program Files\Sophos\Remote Management System\RouterNT.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ThpSrv.exe

C:\WINDOWS\SkyTel.EXE

C:\WINDOWS\system32\00THotkey.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\thpsrv.exe

C:\WINDOWS\system32\TFNF5.exe

C:\WINDOWS\system32\igfxext.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Sophos\AutoUpdate\ALMon.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\Aware.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\Marker.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\TEMP\sophos_autoupdate1.dir\alupdate.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shareware-en.com/en/index.php?rvs=hompag

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.embc.org.uk:80

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies\Notebook Software\NotebookPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe

O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http:\\www.heymann.notts.sch.uk

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/MessengerGam...S.cab109791.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGam...1/GAME_UNO1.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1234350086029

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = heymann.com

O17 - HKLM\Software\..\Telephony: DomainName = heymann.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = heymann.com

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe

O23 - Service: SMART Board Service - SMART Technologies - C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe

O23 - Service: SMART SNMP Agent Service - SMART Technologies Inc. - C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe

O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies\SMART Board Drivers\WebServer.exe

O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe

O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe

--

End of file - 10638 bytes

And the Registry Search log:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman

[screen317]

Hi,

Before we continue, please go to this website, and complete the form as follows:

Link to topic where this file was requested: http://www.malwarebytes.org/forums/index.php?showtopic=26563

Browse to the file you want to submit:

Click Browse, and navigate to the following file:

C:\Qoobox\Quarantine\c\documents and settings\ebling\Application Data\Microsoft\Internet Explorer\Quick Launch\Panda Titanium Antivirus 2004.lnk

Leave any comments, further information about this file, or contact information: ComboFix f/p

Let me know when you have done that.

-screen317

[Mike999]

Hello Chris - I have now submitted the file as requested. Thank you.

[screen317]

Hi and my apologies for the delay.

Thanks for submitting the file.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

REGISTRY::

[-HKEY_USERS\S-1-5-21-120603592-2347630591-1387382423-1005\Software\Microsoft\Internet Explorer\SearchScopes\{3CC3A4F6-624E-4796-A6B4-574AD4FB3ADB}]

KILLALL::

Dirlook::

c:\documents and settings\All Users\Application Data\04b9d6b

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

After that, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

• Click Start Scanning.
  
• You should get a notification bar (on top) to install the ActiveX control.
  
• Click on it and select to install the ActiveX.
  
• Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  
• In case you are having problems with installing the ActiveX/starting the scan, please read here.
  
• Click the Full System Scan button.
  
• It will start to download scanner components and databases. This can take a while.
  
• The main scan will start.
  
• Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  
• It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  
• The cleaning can take a while, so please be patient.
  
• Then click the Show report button and Copy/Paste what is present under results in your next reply.
  

Next, download my Security Check from here or here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  

Let me know how things are running now and what issues remain.

-screen317

[Mike999]

OK, here are the logs, as requested:

ComboFix 09-10-05.01 - sawford 06/10/2009 12:06.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.202 [GMT 1:00]

Running from: E:\ComboFix.exe

Command switches used :: E:\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))

.

2009-10-02 15:45 . 2009-10-02 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2009-10-02 15:45 . 2009-10-02 15:45 -------- d-----w- c:\documents and settings\sawford\Application Data\Office Genuine Advantage

2009-10-02 15:38 . 2009-10-02 15:38 -------- d-----w- c:\program files\Trend Micro

2009-10-02 08:22 . 2009-07-28 15:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-10-02 08:22 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-10-02 08:22 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-10-02 08:22 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-10-02 08:22 . 2009-10-02 08:22 -------- d-----w- c:\program files\Avira

2009-10-02 08:22 . 2009-10-02 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-10-02 08:08 . 2009-10-02 08:08 0 ----a-w- c:\windows\nsreg.dat

2009-10-02 08:08 . 2009-10-02 08:08 -------- d-----w- c:\documents and settings\sawford\Local Settings\Application Data\Mozilla

2009-09-30 16:49 . 2009-09-30 16:49 -------- d-----w- c:\documents and settings\sawford\Application Data\Malwarebytes

2009-09-30 16:49 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-30 16:49 . 2009-09-30 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-30 16:48 . 2009-09-30 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-30 16:48 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-30 16:08 . 2009-09-30 19:04 -------- d-sh--w- c:\documents and settings\All Users\Application Data\04b9d6b

2009-09-09 14:57 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-09-06 18:31 . 2004-08-04 12:00 57398 -c--a-w- c:\windows\system32\dllcache\imjpdadm.exe

2009-09-06 18:31 . 2004-08-04 12:00 45109 -c--a-w- c:\windows\system32\dllcache\imjpuex.exe

2009-09-06 18:31 . 2004-08-04 12:00 6656 -c--a-w- c:\windows\system32\dllcache\c_is2022.dll

2009-09-06 18:31 . 2004-08-04 12:00 6656 ----a-w- c:\windows\system32\c_is2022.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-10 16:56 . 2009-07-06 18:28 -------- d-----w- c:\documents and settings\sawford\Application Data\Spotify

2009-09-09 14:56 . 2008-06-03 14:43 46072 ----a-w- c:\documents and settings\sawford\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-05 09:01 . 2006-06-06 09:54 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-03 14:07 . 2009-08-03 14:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll

2009-08-03 14:07 . 2009-08-03 14:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll

2009-08-03 14:07 . 2009-08-03 14:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe

2009-07-17 19:01 . 2006-06-06 09:54 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 09:08 . 2006-06-06 09:55 286720 ----a-w- c:\windows\system32\wmpdxm.dll

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\All Users\Application Data\04b9d6b ----

2009-09-30 16:09 . 2009-09-30 16:09 4286 ----a-w- c:\documents and settings\All Users\Application Data\04b9d6b\WPCD.ico

2009-09-30 16:09 . 2009-09-30 16:09 336 ----a-w- c:\documents and settings\All Users\Application Data\04b9d6b\5238.mof

2009-09-30 16:09 . 2008-06-26 14:49 2010 ----a-w- c:\documents and settings\All Users\Application Data\04b9d6b\BackUp\SMART Board Tools.lnk

2009-09-30 16:09 . 2009-07-22 18:23 723 ----a-w- c:\documents and settings\All Users\Application Data\04b9d6b\BackUp\AutoUpdate Monitor.lnk

2009-09-30 16:09 . 2009-09-30 16:09 11376 ----a-w- c:\documents and settings\All Users\Application Data\04b9d6b\WPCDSys\vd952342.bd

((((((((((((((((((((((((((((( SnapShot@2009-10-04_12.00.49 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-10-04 11:56 . 2007-06-29 10:15 73728 c:\windows\temp\sophos_autoupdate1.dir\xmltok.dll

+ 2009-10-06 11:19 . 2007-06-29 10:15 73728 c:\windows\temp\sophos_autoupdate1.dir\xmltok.dll

- 2009-10-04 11:56 . 2007-06-29 10:15 57344 c:\windows\temp\sophos_autoupdate1.dir\xmlparse.dll

+ 2009-10-06 11:19 . 2007-06-29 10:15 57344 c:\windows\temp\sophos_autoupdate1.dir\xmlparse.dll

- 2009-10-04 11:56 . 2007-06-29 10:15 14336 c:\windows\temp\sophos_autoupdate1.dir\xmlcpp.dll

+ 2009-10-06 11:19 . 2007-06-29 10:15 14336 c:\windows\temp\sophos_autoupdate1.dir\xmlcpp.dll

+ 2009-10-06 11:19 . 2008-04-15 15:22 18432 c:\windows\temp\sophos_autoupdate1.dir\SharedRes.dll

- 2009-10-04 11:56 . 2008-04-15 15:22 18432 c:\windows\temp\sophos_autoupdate1.dir\SharedRes.dll

+ 2009-10-06 11:19 . 2007-06-29 10:15 20480 c:\windows\temp\sophos_autoupdate1.dir\crypto.dll

- 2009-10-04 11:56 . 2007-06-29 10:15 20480 c:\windows\temp\sophos_autoupdate1.dir\crypto.dll

+ 2009-10-06 11:19 . 2007-06-29 10:15 45056 c:\windows\temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll

- 2009-10-04 11:56 . 2007-06-29 10:15 45056 c:\windows\temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll

- 2009-10-04 11:56 . 2009-07-22 18:21 2970 c:\windows\temp\sophos_autoupdate1.dir\scf.dat

+ 2009-10-06 11:19 . 2009-07-22 18:21 2970 c:\windows\temp\sophos_autoupdate1.dir\scf.dat

- 2009-10-04 11:56 . 2009-01-30 09:39 208896 c:\windows\temp\sophos_autoupdate1.dir\retailer.dll

+ 2009-10-06 11:19 . 2009-01-30 09:39 208896 c:\windows\temp\sophos_autoupdate1.dir\retailer.dll

- 2009-10-04 11:56 . 2006-11-16 10:51 348160 c:\windows\temp\sophos_autoupdate1.dir\MSVCR71.DLL

+ 2009-10-06 11:19 . 2006-11-16 10:51 348160 c:\windows\temp\sophos_autoupdate1.dir\MSVCR71.DLL

+ 2009-10-06 11:19 . 2006-11-16 10:51 499712 c:\windows\temp\sophos_autoupdate1.dir\MSVCP71.DLL

- 2009-10-04 11:56 . 2006-11-16 10:51 499712 c:\windows\temp\sophos_autoupdate1.dir\MSVCP71.DLL

- 2009-10-04 11:56 . 2007-06-29 10:15 745472 c:\windows\temp\sophos_autoupdate1.dir\libeay32.dll

+ 2009-10-06 11:19 . 2007-06-29 10:15 745472 c:\windows\temp\sophos_autoupdate1.dir\libeay32.dll

+ 2009-10-06 11:19 . 2009-01-30 09:39 159744 c:\windows\temp\sophos_autoupdate1.dir\libcurl.dll

- 2009-10-04 11:56 . 2009-01-30 09:39 159744 c:\windows\temp\sophos_autoupdate1.dir\libcurl.dll

+ 2009-10-06 11:19 . 2009-07-22 18:21 176128 c:\windows\temp\sophos_autoupdate1.dir\CidSync.dll

- 2009-10-04 11:56 . 2009-07-22 18:21 176128 c:\windows\temp\sophos_autoupdate1.dir\CidSync.dll

+ 2009-10-06 11:19 . 2009-07-01 19:10 172032 c:\windows\temp\sophos_autoupdate1.dir\ChannelUpdater.dll

- 2009-10-04 11:56 . 2009-07-01 19:10 172032 c:\windows\temp\sophos_autoupdate1.dir\ChannelUpdater.dll

+ 2009-10-06 11:19 . 2009-07-22 18:21 663552 c:\windows\temp\sophos_autoupdate1.dir\ALUpdate.exe

- 2009-10-04 11:56 . 2009-07-22 18:21 663552 c:\windows\temp\sophos_autoupdate1.dir\ALUpdate.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-22 68856]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ThpSrv"="thpsrv" [X]

"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-05-18 253952]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]

"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-08-31 102400]

"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-20 278528]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-06 155648]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-20 198160]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-04-24 1448960]

"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 24576]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2006-03-04 88204]

"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2006-04-11 622592]

"TOSDCR"="TOSDCR.EXE" - c:\windows\system32\TOSDCR.exe [2005-12-12 57344]

"NDSTray.exe"="NDSTray.exe" [bU]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-09 16207360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-1 245760]

SMART Board Tools.lnk - c:\program files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe [2008-4-3 7197992]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]

@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [27/12/2004 23:31 16384]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [06/06/2006 14:27 6144]

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [15/06/2007 11:19 110848]

R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [15/06/2007 11:25 38528]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [02/10/2009 09:22 108289]

R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [28/05/2009 22:21 80936]

R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [01/10/2008 13:56 98304]

S2 Ca536av;Icatch(VII) Video Camera Device;c:\windows\system32\drivers\Ca536av.sys [22/01/2008 09:20 514859]

S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [06/06/2006 14:49 35968]

S3 SMART SNMP Agent Service;SMART SNMP Agent Service;c:\program files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe [03/04/2008 03:14 1008936]

S3 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies\SMART Board Drivers\WebServer.exe [03/04/2008 03:14 1209640]

S3 USBCamera;Icatch(VII) Still Camera Device;c:\windows\system32\drivers\Bulk536.sys [22/01/2008 09:20 11048]

S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [01/10/2008 13:57 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

.

------- Supplementary Scan -------

.

mStart Page = hxxp://www.shareware-en.com/en/index.php?rvs=hompag

uInternet Settings,ProxyServer = proxy.embc.org.uk:80

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\sawford\Application Data\Mozilla\Firefox\Profiles\aoyb820p.default\

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-06 12:21

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]

"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3480)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Toshiba\ConfigFree\CFSvcs.exe

c:\program files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe

c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe

c:\program files\Sophos\AutoUpdate\ALsvc.exe

c:\program files\Sophos\Remote Management System\RouterNT.exe

c:\windows\system32\ThpSrv.exe

c:\windows\system32\ThpSrv.exe

c:\program files\Toshiba\ConfigFree\NDSTray.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Apoint2K\ApntEx.exe

c:\program files\SMART Technologies\SMART Board Drivers\Aware.exe

c:\program files\SMART Technologies\SMART Board Drivers\Marker.exe

c:\windows\temp\sophos_autoupdate1.dir\ALUpdate.exe

.

**************************************************************************

.

Completion time: 2009-10-06 12:27 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-06 11:27

ComboFix2.txt 2009-10-04 12:06

Pre-Run: 34,013,589,504 bytes free

Post-Run: 33,976,545,280 bytes free

213 --- E O F --- 2009-10-02 14:49

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:34:11, on 06/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe

C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

C:\Program Files\Sophos\Remote Management System\RouterNT.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ThpSrv.exe

C:\WINDOWS\SkyTel.EXE

C:\WINDOWS\system32\00THotkey.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\thpsrv.exe

C:\WINDOWS\system32\TFNF5.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\system32\igfxext.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Sophos\AutoUpdate\ALMon.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\Aware.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\Marker.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\TEMP\sophos_autoupdate1.dir\alupdate.exe

C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shareware-en.com/en/index.php?rvs=hompag

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.embc.org.uk:80

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies\Notebook Software\NotebookPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe

O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http:\\www.heymann.notts.sch.uk

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/MessengerGam...S.cab109791.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGam...1/GAME_UNO1.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1234350086029

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = heymann.com

O17 - HKLM\Software\..\Telephony: DomainName = heymann.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = heymann.com

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe

O23 - Service: SMART Board Service - SMART Technologies - C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe

O23 - Service: SMART SNMP Agent Service - SMART Technologies Inc. - C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe

O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies\SMART Board Drivers\WebServer.exe

O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe

O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe

--

End of file - 10689 bytes

Scanning Report

Tuesday, October 6, 2009 12:47:55 - 13:51:41

Computer name: MOBILE-4

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

--------------------------------------------------------------------------------

12 malware found

TrackingCookie.Questionmarket (spyware)

System (Disinfected)

TrackingCookie.2o7 (spyware)

System (Disinfected)

TrackingCookie.Advertising (spyware)

System (Disinfected)

TrackingCookie.Atdmt (spyware)

System (Disinfected)

TrackingCookie.Adtech (spyware)

System (Disinfected)

TrackingCookie.Doubleclick (spyware)

System (Disinfected)

TrackingCookie.Xiti (spyware)

System (Disinfected)

TrackingCookie.Webtrends (spyware)

System (Disinfected)

TrackingCookie.Mediaplex (spyware)

System (Disinfected)

TrackingCookie.Statcounter (spyware)

System (Disinfected)

TrackingCookie.Atwola (spyware)

System (Disinfected)

TrackingCookie.Imrworldwide (spyware)

System (Disinfected)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 63507

System: 3483

Not scanned: 6

Actions:

Disinfected: 12

Renamed: 0

Deleted: 0

Not cleaned: 0

Submitted: 0

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

--------------------------------------------------------------------------------

Copyright

[screen317]

Hi,

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

I notice that you are using more than one antivirus program (Avira and Sophos). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

While in Add or Remove Programs, uninstall the following program (if present):

Adobe Reader 7.0.7

Restart your computer.

Get the latest version of Adobe Reader.

Let me know what issues remain.

-screen317

[Mike999]

Chris, I think we are done - everything seems to be running smoothly and as it should be. Many thanks again.

[screen317]

Hi,

Glad to hear it.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Kerio

Comodo

Outpost

2) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

3) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

6) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

• Green to go
  
• Yellow for caution
  
• Red to stop
  

WOT has an addon available for both Firefox and IE.

7) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

[screen317]

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.