Sparky21 Posted July 7, 2008 ID:22072

Malwarebytes' Anti-Malware 1.19
Database version: 914
Windows 5.1.2600 Service Pack 3

2:16:20 PM 7/3/2008
mbam-log-7-3-2008 (14-16-20).txt
Scan type: Full Scan (C:\|)
Objects scanned: 85919
Time elapsed: 1 hour(s), 56 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:12 PM, on 7/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\IntouchAccelerator\PxUi.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://members.intouchmi.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.intouchmi.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: {224852cb-c5f8-c5e8-5f44-bb56ebb5d16e} - {e61d5bbe-65bb-44f5-8e5c-8f5cbc258422} - C:\WINDOWS\system32\iqoknnqy.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [PxClient.exe] "C:\Program Files\IntouchAccelerator\PxUi.exe" /Automation
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153929869562
O20 - AppInit_DLLs: iqoknnqy.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 6022 bytes

I would run Panda, but I need to have a link to download it and then run it on the computer, because it is not hooked to the net at the moment.... Thanks for all the help, and I am willing to try just about anything.... PS: I also ran Spybot and it doesn't pick up any infections.
1972vet Posted July 7, 2008 ID:22078

Greetings Sparky21, and welcome to the forums. I'm currently studying your log and will have some suggestions for you in a short while.

Regards,
1972vet Posted July 7, 2008 ID:22079

Please download ComboFix from This Webpage... and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly... and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you. Please post back the following on your next reply:

C:\ComboFix.txt
New HijackThis log.
Sparky21 (Author) Posted July 8, 2008 ID:22199

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:51 AM, on 7/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\IntouchAccelerator\PxUi.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.intouchmi.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [PxClient.exe] "C:\Program Files\IntouchAccelerator\PxUi.exe" /Automation
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153929869562
O20 - AppInit_DLLs: iqoknnqy.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 5467 bytes


COMBOFIX

ComboFix 08-07-07.3 - Janet 2008-07-08 10:43:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.144 [GMT -4:00]
Running from: C:\Documents and Settings\Janet\Desktop\ComboFix.exe
 * Created a new restore point.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMdb96b652.txt
C:\WINDOWS\system32\biulkjxt.ini
C:\WINDOWS\system32\cudvrggw.ini
C:\WINDOWS\system32\cuyepjvi.ini
C:\WINDOWS\system32\dredltgs.ini
C:\WINDOWS\system32\eaojtudr.ini
C:\WINDOWS\system32\fhihnrip.ini
C:\WINDOWS\system32\fwymdlrh.ini
C:\WINDOWS\system32\hywtttet.ini
C:\WINDOWS\system32\ijlbwbhf.ini
C:\WINDOWS\system32\iqoknnqy.dll
C:\WINDOWS\system32\ldnkuvab.ini
C:\WINDOWS\system32\mkipilno.ini
C:\WINDOWS\system32\pumhmhta.ini
C:\WINDOWS\system32\qfsuyxga.ini
C:\WINDOWS\system32\rbteedlw.ini
C:\WINDOWS\system32\trypergw.ini
C:\WINDOWS\system32\tvplfjfc.ini
C:\WINDOWS\system32\ugelpblr.ini
C:\WINDOWS\system32\ujwubbhe.dll
C:\WINDOWS\system32\umaebhjx.ini
C:\WINDOWS\system32\vxmlgebc.ini
C:\WINDOWS\system32\ymkurrjj.ini
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2008-06-08 to 2008-07-08 )))))))))))))))))))))))))))))))
.

2008-07-03 12:16 . 2008-07-03 12:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-02 17:02 . 2008-07-02 17:02 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-07-02 14:41 . 2008-07-02 14:41 <DIR> d-------- C:\Program Files\CCleaner
2008-07-02 14:40 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-02 14:40 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-02 14:39 . 2008-07-02 14:39 2,568 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-07-02 12:55 . 2008-07-08 09:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-02 12:55 . 2008-07-02 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-25 14:40 . 2008-06-25 14:43 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-25 14:36 . 2008-04-14 02:53 404,990 --------- C:\WINDOWS\system32\drivers\slntamr.sys
2008-06-25 14:35 . 2006-12-29 03:31 19,569 --a------ C:\WINDOWS\002751_.tmp
2008-06-25 14:30 . 2008-06-25 14:30 <DIR> d-------- C:\WINDOWS\EHome
2008-06-25 12:17 . 2008-07-02 14:42 <DIR> d-------- C:\Program Files\Common Files\Command Software
2008-06-25 12:16 . 2008-07-08 10:46 <DIR> d-------- C:\Program Files\IntouchAccelerator
2008-06-24 14:51 . 2008-06-24 14:51 <DIR> d-------- C:\Documents and Settings\Janet\Application Data\Malwarebytes
2008-06-24 14:47 . 2008-06-24 16:14 <DIR> d-------- C:\Program Files\Unlocker
2008-06-24 12:57 . 2008-07-02 18:16 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-24 12:57 . 2008-07-03 11:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-24 10:13 . 2006-03-20 15:06 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-24 10:13 . 2006-03-20 15:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-06-24 10:13 . 2006-03-20 17:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2008-06-24 10:13 . 2008-07-02 14:35 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-24 10:07 . 2008-06-24 10:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-17 17:17 . 2008-06-24 10:04 110,390 --a------ C:\WINDOWS\BMdb96b652.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 20:10 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-24 20:13 --------- d-----w C:\Program Files\Lavasoft
2008-06-24 18:40 --------- d-----w C:\Program Files\TOSHIBA
2008-06-24 18:37 --------- d-----w C:\Program Files\Toshiba Games
2008-06-24 15:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-14 12:41 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 12:41 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 12:41 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 12:41 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 12:41 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 12:41 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2007-09-10 22:46 514 ----a-w C:\Documents and Settings\Janet\Application Data\wklnhst.dat

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 12:18 307200]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 08:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 01:05 344064]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-03-06 18:03 356352]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-03-02 20:03 82012]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 20:02 761948]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 02:06 1077322]
"dla"="C:\WINDOWS\system32\dla\DLACTRLW.exe" [2005-10-06 09:20 122940]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 00:26 368706]
"PxClient.exe"="C:\Program Files\IntouchAccelerator\PxUi.exe" [2006-10-30 19:09 1912832]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-04 00:29 88204 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-06-01 01:00 282624 C:\WINDOWS\system32\TPSMain.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=iqoknnqy.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=C:\WINDOWS\pss\AT&T Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 08:42 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
--a------ 2006-10-31 18:06 204843 C:\Program Files\IncrediMail\bin\IncMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2005-03-17 21:37 151552 c:\TOSHIBA\IVP\ISM\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2005-04-26 20:13 122880 C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a------ 2004-12-30 04:32 65536 C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
--a------ 2006-02-02 15:11 73728 C:\Program Files\TOSHIBA\Tvs\TvsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 21:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2005-12-09 18:49 15691264 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TDispVol]
--a------ 2005-03-11 19:03 73728 C:\WINDOWS\system32\TDispVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Swupdtmr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"C:\\Program Files\\IntouchAccelerator\\PxClient.exe"=

.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NDSTray.exe - NDSTray.exe
HKLM-Run-CFSServ.exe - CFSServ.exe
MSConfigStartUp-MCAgentExe - c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-MPFExe - C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MSKAGENTEXE - C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
MSConfigStartUp-MSKDetectorExe - C:\Program Files\McAfee\SpamKiller\MSKDetct.exe
MSConfigStartUp-OASClnt - C:\Program Files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-VirusScan Online - c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
MSConfigStartUp-TFncKy - TFncKy.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-08 10:46:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\IntouchAccelerator\Pxlsp.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-08 10:48:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-08 14:48:54

Pre-Run: 71,917,326,336 bytes free
Post-Run: 71,816,044,544 bytes free

192 --- E O F --- 2008-06-25 18:57:42

There you go.... Thanks for the quick response....
Sparky21 (Author) Posted July 8, 2008 ID:22235

Well, I don't know why, but it seems to be gone now.... Thanks for the help; apparently ComboFix did the trick. I will post back if it seems to return, but after many reboots it has yet to show itself... Thanks again, vet.
1972vet Posted July 8, 2008 ID:22244

Oh, we're not finished yet... I'll let you know when I see clean logs and will send you on your way at that time.

Do you like your on-board Command Software Systems antivirus application, and do you know how to use it? Just thought I'd ask, as I don't see this software very often these days, and when I do, most users didn't even know they had it or how to use it.

I noticed that you had used the system's msconfig utility in an effort to remove ctfmon.exe from startup... which, as you can see from the log, is not the proper way to remove the language tool bar.

To uninstall the Language Tool Bar, go to the "Regional and Language Options" icon in the Control Panel. Choose the Languages tab. Click on Details. On the Settings tab, click on the Language Bar button at the bottom. Uncheck the two checked items there and click "OK", then "Apply", and OK your way out. Close the Control Panel.

Next you must unregister these two files: Msimtf.dll and Msctf.dll. Click Start-->Run... then enter the following commands (one at a time) into the run box and click "OK":

Regsvr32.exe /u msimtf.dll
Regsvr32.exe /u Msctf.dll

Reboot the system to properly record the changes made to the hard disk. You should now notice that ctfmon.exe no longer starts when Windows starts.

Please open a blank Notepad by clicking Start-->Run. Then, in the run box, type Notepad.exe and click "OK".

Copy the text below and paste it into the blank Notepad. Save it as CFScript.txt... Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your ComboFix.exe. ComboFix will run again automatically. Please remember to post back the new log that will be generated.

File::
C:\WINDOWS\-0-02751_.tmp
C:\WINDOWS\BMdb96b652.xml

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Next, please run HijackThis again and check the box next to the following entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Close all windows now (including this browser window)... leaving only the HijackThis application's window open, then click the Fix Checked button.

Reboot and post back the ComboFix log and a fresh HijackThis log... also, please advise how the system behaves for you now. Thanks!
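The fixes in this thread all come from reading one-line HijackThis entries and asking a few fixed questions: is the O20 AppInit_DLLs value non-empty (a DLL listed there is loaded into every process that links user32.dll, which is why it survived the file deletion and needed the CFScript above); is an O2 BHO registered under a bare CLSID with a random-looking DLL in system32; does an entry point at a file that is already gone; is ProxyOverride set. The script below is an added example written for this page; it is not code from HijackThis, ComboFix, Malwarebytes or the helper. It parses that line format, applies those checks to lines copied from the log posted earlier in the thread, and, when AppInit_DLLs needs clearing, emits the Registry:: stanza in the CFScript syntax the helper used. The tag names (appinit_dlls, missing_file and so on), the eight-letter/two-vowel threshold for "random-looking", and the O23 unknown-owner rule are my own assumptions; the script shortlists entries for a human reviewer and does not prove anything malicious.

```python
"""Triage of HijackThis-style log lines.

Added example for this thread; not code from HijackThis, ComboFix or
Malwarebytes. Parses the one-entry-per-line HijackThis format and flags
the classes of entry the helper acted on: O20 AppInit_DLLs, O2 BHOs with
no friendly name, random-looking DLL names, references to missing files,
R1 ProxyOverride, and O23 services with no vendor string. Heuristic only.
"""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis log posted in
# this thread. Raw string so the Windows backslashes are kept literally.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {224852cb-c5f8-c5e8-5f44-bb56ebb5d16e} - {e61d5bbe-65bb-44f5-8e5c-8f5cbc258422} - C:\WINDOWS\system32\iqoknnqy.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - AppInit_DLLs: iqoknnqy.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
GUID_RE = re.compile(r"^\{[0-9a-fA-F-]{36}\}$")
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")   # assumed shape of generated names
VOWELS = set("aeiou")


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section code, e.g. "O20"
    kind: str    # short tag for the rule that fired (tags are my own)
    detail: str  # what the reviewer should look at
    line: str    # the offending log line, verbatim


def parse_entries(text):
    """Yield (code, body, line) for every HijackThis entry line in text."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("code"), m.group("body"), line


def looks_random(filename):
    """Crude heuristic for generated names such as iqoknnqy.dll:
    an eight-letter lowercase stem with at most two vowels."""
    stem = filename.rsplit(".", 1)[0]
    return bool(RANDOM_STEM_RE.match(stem)) and sum(c in VOWELS for c in stem) <= 2


def triage(text):
    """Return the list of Findings for a HijackThis log or fragment."""
    findings = []
    for code, body, line in parse_entries(text):
        # Dangling references: the helper had these "fixed" in HijackThis.
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(code, "missing_file",
                "entry points at a file that no longer exists; remove the reference", line))
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:   # the value is normally empty on a clean XP box
                findings.append(Finding(code, "appinit_dlls",
                    f"{dlls} is injected into every process that loads user32.dll", line))
        elif code == "O2":
            # Body shape: "BHO: <name> - {CLSID} - <path>"; the path may itself contain " - ".
            parts = [p.strip() for p in body[len("BHO:"):].split(" - ", 2)]
            if len(parts) == 3:
                name, _clsid, path = parts
                if GUID_RE.match(name):
                    findings.append(Finding(code, "bho_no_name",
                        "BHO registered under a bare CLSID instead of a product name", line))
                if looks_random(path.rsplit("\\", 1)[-1]):
                    findings.append(Finding(code, "random_dll_name",
                        f"{path} has a generated-looking file name", line))
        elif code == "R1" and "ProxyOverride" in body:
            findings.append(Finding(code, "proxy_override",
                "ProxyOverride is set; confirm it only excludes <local>", line))
        elif code == "O23" and "Unknown owner" in body:
            findings.append(Finding(code, "unknown_owner_service",
                "service binary carries no vendor string; verify the file (OEM drivers trip this too)", line))
    return findings


def cfscript_for(findings):
    """Return the ComboFix Registry:: stanza that clears AppInit_DLLs, in the
    syntax the helper posted in this thread, or "" if nothing calls for it."""
    if not any(f.kind == "appinit_dlls" for f in findings):
        return ""
    return ("Registry::\n"
            "[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]\n"
            "\"AppInit_DLLs\"=-\n")


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.code:<4} {f.kind:<22} {f.detail}")
    print(cfscript_for(hits), end="")
```

Run it as a script to print the findings for the embedded sample, or pass the text of a full log to triage(). Note that the O23 rule fires on the legitimate Atheros service as well as on the orphaned Google updater entry, which is consistent with the helper leaving acs.exe alone: an unknown-owner flag is a prompt to verify the binary, not a verdict, while an empty-after-deletion AppInit_DLLs value like the one here is the kind of leftover worth clearing explicitly.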
Sparky21 (Author) Posted July 8, 2008 ID:22250

Did some of that already..... Sorry, I jumped ahead.... Thanks for the help... The system seems stable.... Everything runs great; reinstalled Java... If it returns or I have a problem, I will post back.... What caused this problem in the first place??? Any ideas.... I did some research and it mainly pointed toward Java... but what doesn't make sense is, like you said, to delete the entry for the Yahoo toolbar, which was pointless, but Yahoo isn't associated when you download Java; it is the Google toolbar... So my real question and concern is: where did it come from????
1972vet Posted July 9, 2008 ID:22277

Quote: ...the system seems stable.... everything runs great...... what caused this problem in the first place??? any ideas....

I have more than just ideas, but we will get to that later. All things in their proper time. I'm happy to read that you have noticed such an improvement, but I need to advise you that your system is still infected.

Please finish up with the instructions I posted for you in my post #6 and post back the requested log so we can complete this cleanup process for you properly. Thanks!
JeanInMontana Posted July 12, 2008 ID:22637

At the request of 1972vet I am closing this topic. Should you decide to continue and follow his instructions, PM any moderator and we can re-open it for you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine. Please start a thread of your own and someone will be happy to help you.