
MS Juan....



Malwarebytes' Anti-Malware 1.19

Database version: 914

Windows 5.1.2600 Service Pack 3

2:16:20 PM 7/3/2008

mbam-log-7-3-2008 (14-16-20).txt

Scan type: Full Scan (C:\|)

Objects scanned: 85919

Time elapsed: 1 hour(s), 56 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:18:12 PM, on 7/7/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\WINDOWS\system32\TPSMain.exe

C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

C:\WINDOWS\system32\dla\DLACTRLW.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe

C:\Program Files\IntouchAccelerator\PxUi.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Synaptics\SynTP\Toshiba.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe

C:\WINDOWS\regedit.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://members.intouchmi.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.intouchmi.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: {224852cb-c5f8-c5e8-5f44-bb56ebb5d16e} - {e61d5bbe-65bb-44f5-8e5c-8f5cbc258422} - C:\WINDOWS\system32\iqoknnqy.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"

O4 - HKLM\..\Run: [synTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"

O4 - HKLM\..\Run: [synTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe

O4 - HKLM\..\Run: [bJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"

O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient

O4 - HKLM\..\Run: [PxClient.exe] "C:\Program Files\IntouchAccelerator\PxUi.exe" /Automation

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153929869562

O20 - AppInit_DLLs: iqoknnqy.dll

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--

End of file - 6022 bytes

I would run Panda but I need to have a link to download and then run on the computer because it is not hooked to the net at the moment... Thanks for all help and I am willing to try just about anything... P.S. I also ran Spybot and it doesn't pick up any infections...

Link to post
Share on other sites

Please download ComboFix from This Webpage...and read through the instructions there for running the tool.

***Important Note***

Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post back the following on your next reply:

C:\ComboFix.txt

New HijackThis log.

Link to post
Share on other sites

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:49:51 AM, on 7/8/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\WINDOWS\system32\TPSMain.exe

C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

C:\WINDOWS\system32\dla\DLACTRLW.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe

C:\Program Files\IntouchAccelerator\PxUi.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Synaptics\SynTP\Toshiba.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.intouchmi.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"

O4 - HKLM\..\Run: [synTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"

O4 - HKLM\..\Run: [synTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe

O4 - HKLM\..\Run: [bJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"

O4 - HKLM\..\Run: [PxClient.exe] "C:\Program Files\IntouchAccelerator\PxUi.exe" /Automation

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153929869562

O20 - AppInit_DLLs: iqoknnqy.dll

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--

End of file - 5467 bytes

COMBO FIX

ComboFix 08-07-07.3 - Janet 2008-07-08 10:43:12.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.144 [GMT -4:00]

Running from: C:\Documents and Settings\Janet\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\BMdb96b652.txt

C:\WINDOWS\system32\biulkjxt.ini

C:\WINDOWS\system32\cudvrggw.ini

C:\WINDOWS\system32\cuyepjvi.ini

C:\WINDOWS\system32\dredltgs.ini

C:\WINDOWS\system32\eaojtudr.ini

C:\WINDOWS\system32\fhihnrip.ini

C:\WINDOWS\system32\fwymdlrh.ini

C:\WINDOWS\system32\hywtttet.ini

C:\WINDOWS\system32\ijlbwbhf.ini

C:\WINDOWS\system32\iqoknnqy.dll

C:\WINDOWS\system32\ldnkuvab.ini

C:\WINDOWS\system32\mkipilno.ini

C:\WINDOWS\system32\pumhmhta.ini

C:\WINDOWS\system32\qfsuyxga.ini

C:\WINDOWS\system32\rbteedlw.ini

C:\WINDOWS\system32\trypergw.ini

C:\WINDOWS\system32\tvplfjfc.ini

C:\WINDOWS\system32\ugelpblr.ini

C:\WINDOWS\system32\ujwubbhe.dll

C:\WINDOWS\system32\umaebhjx.ini

C:\WINDOWS\system32\vxmlgebc.ini

C:\WINDOWS\system32\ymkurrjj.ini

C:\xcrashdump.dat

.

((((((((((((((((((((((((( Files Created from 2008-06-08 to 2008-07-08 )))))))))))))))))))))))))))))))

.

2008-07-03 12:16 . 2008-07-03 12:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

2008-07-02 17:02 . 2008-07-02 17:02 <DIR> d-------- C:\Program Files\microsoft frontpage

2008-07-02 14:41 . 2008-07-02 14:41 <DIR> d-------- C:\Program Files\CCleaner

2008-07-02 14:40 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys

2008-07-02 14:40 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-07-02 14:39 . 2008-07-02 14:39 2,568 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP

2008-07-02 12:55 . 2008-07-08 09:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-07-02 12:55 . 2008-07-02 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-06-25 14:40 . 2008-06-25 14:43 <DIR> d-------- C:\WINDOWS\ServicePackFiles

2008-06-25 14:36 . 2008-04-14 02:53 404,990 --------- C:\WINDOWS\system32\drivers\slntamr.sys

2008-06-25 14:35 . 2006-12-29 03:31 19,569 --a------ C:\WINDOWS\002751_.tmp

2008-06-25 14:30 . 2008-06-25 14:30 <DIR> d-------- C:\WINDOWS\EHome

2008-06-25 12:17 . 2008-07-02 14:42 <DIR> d-------- C:\Program Files\Common Files\Command Software

2008-06-25 12:16 . 2008-07-08 10:46 <DIR> d-------- C:\Program Files\IntouchAccelerator

2008-06-24 14:51 . 2008-06-24 14:51 <DIR> d-------- C:\Documents and Settings\Janet\Application Data\Malwarebytes

2008-06-24 14:47 . 2008-06-24 16:14 <DIR> d-------- C:\Program Files\Unlocker

2008-06-24 12:57 . 2008-07-02 18:16 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-06-24 12:57 . 2008-07-03 11:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-06-24 10:13 . 2006-03-20 15:06 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS

2008-06-24 10:13 . 2006-03-20 15:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba

2008-06-24 10:13 . 2006-03-20 17:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo

2008-06-24 10:13 . 2008-07-02 14:35 <DIR> d-------- C:\Documents and Settings\Administrator

2008-06-24 10:07 . 2008-06-24 10:07 <DIR> d-------- C:\Program Files\Trend Micro

2008-06-17 17:17 . 2008-06-24 10:04 110,390 --a------ C:\WINDOWS\BMdb96b652.xml

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-02 20:10 --------- d-----w C:\Program Files\Windows Media Connect 2

2008-06-24 20:13 --------- d-----w C:\Program Files\Lavasoft

2008-06-24 18:40 --------- d-----w C:\Program Files\TOSHIBA

2008-06-24 18:37 --------- d-----w C:\Program Files\Toshiba Games

2008-06-24 15:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-04-14 12:41 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll

2008-04-14 12:41 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll

2008-04-14 12:41 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll

2008-04-14 12:41 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll

2008-04-14 12:41 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll

2008-04-14 12:41 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll

2007-09-10 22:46 514 ----a-w C:\Documents and Settings\Janet\Application Data\wklnhst.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 12:18 307200]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 08:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 01:05 344064]

"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-03-06 18:03 356352]

"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-03-02 20:03 82012]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 20:02 761948]

"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 02:06 1077322]

"dla"="C:\WINDOWS\system32\dla\DLACTRLW.exe" [2005-10-06 09:20 122940]

"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 00:26 368706]

"PxClient.exe"="C:\Program Files\IntouchAccelerator\PxUi.exe" [2006-10-30 19:09 1912832]

"AGRSMMSG"="AGRSMMSG.exe" [2006-03-04 00:29 88204 C:\WINDOWS\agrsmmsg.exe]

"TPSMain"="TPSMain.exe" [2005-06-01 01:00 282624 C:\WINDOWS\system32\TPSMain.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=iqoknnqy.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk

backup=C:\WINDOWS\pss\AT&T Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk

backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2008-04-14 08:42 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]

--a------ 2006-10-31 18:06 204843 C:\Program Files\IncrediMail\bin\IncMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]

--a------ 2005-03-17 21:37 151552 c:\TOSHIBA\IVP\ISM\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]

--a------ 2005-04-26 20:13 122880 C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]

--a------ 2004-12-30 04:32 65536 C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]

--a------ 2006-02-02 15:11 73728 C:\Program Files\TOSHIBA\Tvs\TvsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

--a------ 2005-05-03 21:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

--a------ 2005-12-09 18:49 15691264 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TDispVol]

--a------ 2005-03-11 19:03 73728 C:\WINDOWS\system32\TDispVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Swupdtmr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=

"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=

"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

"C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=

"C:\\Program Files\\IntouchAccelerator\\PxClient.exe"=

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-NDSTray.exe - NDSTray.exe

HKLM-Run-CFSServ.exe - CFSServ.exe

MSConfigStartUp-MCAgentExe - c:\PROGRA~1\mcafee.com\agent\mcagent.exe

MSConfigStartUp-MCUpdateExe - c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

MSConfigStartUp-MPFExe - C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

MSConfigStartUp-MSKAGENTEXE - C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe

MSConfigStartUp-MSKDetectorExe - C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

MSConfigStartUp-OASClnt - C:\Program Files\McAfee.com\VSO\oasclnt.exe

MSConfigStartUp-VirusScan Online - c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

MSConfigStartUp-VSOCheckTask - c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe

MSConfigStartUp-TFncKy - TFncKy.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-08 10:46:40

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe

-> C:\Program Files\IntouchAccelerator\Pxlsp.dll

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\ati2evxx.exe

C:\WINDOWS\system32\ati2evxx.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Synaptics\SynTP\Toshiba.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\imapi.exe

.

**************************************************************************

.

Completion time: 2008-07-08 10:48:58 - machine was rebooted

ComboFix-quarantined-files.txt 2008-07-08 14:48:54

Pre-Run: 71,917,326,336 bytes free

Post-Run: 71,816,044,544 bytes free

192 --- E O F --- 2008-06-25 18:57:42

There you go... thanks for the quick response... :)

Link to post
Share on other sites

Oh we're not finished yet...I'll let you know when I see clean logs and will send you on your way at that time.

Do you like your on board Command Software System's Antivirus application, and do you know how to use it? Just thought I'd ask as I don't see this software very often these days and when I do, most users didn't even know they had it or how to use it.

I noticed that you had used the system's msconfig utility in an effort to remove ctfmon.exe from startup...which, as you can see from the log, is not the proper way to remove the language tool bar.

To uninstall the Language Tool Bar, go to the "Regional and Language Options" icon in the Control Panel. Choose the Languages tab. Click on Details. On the Settings tab, click on the Language Bar button at the bottom. Uncheck the two checked items there and click "OK" then "Apply" and OK your way out. Close the Control Panel.

Next you must unregister these two files:

Msimtf.dll and Msctf.dll

Click Start-->Run...then enter the following commands (one at a time) into the run box and click "OK":

Regsvr32.exe /u msimtf.dll

Regsvr32.exe /u Msctf.dll

Reboot the system to properly record the changes made to the hard disk. You should now notice that ctfmon.exe no longer starts when Windows starts.

Please open a blank Notepad by clicking start-->run

Then, in the run box type Notepad.exe and click "OK".

Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please remember to post back the new log that will be generated.

File::

C:\WINDOWS\002751_.tmp

C:\WINDOWS\BMdb96b652.xml

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=-

Next please run HijackThis again and check the box next to the following entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Close all windows now (including this browser window)...leaving only the HijackThis application's window open, then click the Fix Checked button.

Reboot and post back the combofix log and a fresh HijackThis log...also, please advise how the system behaves for you now. Thanks!

Link to post
Share on other sites
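An added example, not part of any post in this thread and not code from HijackThis or ComboFix: a Python triage over lines excerpted from the two HijackThis logs above. It flags the AppInit_DLLs value, the unnamed BHO backed by the same DLL, and orphaned entries, then shows that the AppInit_DLLs value still names a file listed under ComboFix's deletions, which is the value the CFScript in the post above clears. The function names and finding codes are hypothetical.

```python
import re
from ntpath import basename  # Windows path rules on any host OS

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O20 - AppInit_DLLs: x.dll"
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
ORPHAN_MARKS = ("(no file)", "(file missing)")

# Lines excerpted from the first HijackThis log in this thread (7/7/2008).
BEFORE = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {224852cb-c5f8-c5e8-5f44-bb56ebb5d16e} - {e61d5bbe-65bb-44f5-8e5c-8f5cbc258422} - C:\WINDOWS\system32\iqoknnqy.dll
O20 - AppInit_DLLs: iqoknnqy.dll
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
"""

# Lines excerpted from the second HijackThis log (7/8/2008, after ComboFix ran).
AFTER = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O20 - AppInit_DLLs: iqoknnqy.dll
"""

# The two DLLs from the "Other Deletions" section of the ComboFix log above.
DELETED = [r"C:\WINDOWS\system32\iqoknnqy.dll", r"C:\WINDOWS\system32\ujwubbhe.dll"]


def parse(log):
    """Return (section, text) for every HijackThis entry line in the log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def appinit_dlls(entries):
    """DLL names in the O20 AppInit_DLLs value (space or comma separated)."""
    names = []
    for section, text in entries:
        if section == "O20" and text.startswith("AppInit_DLLs:"):
            value = text.split(":", 1)[1]
            names += [basename(n).lower() for n in re.split(r"[,\s]+", value) if n]
    return names


def triage(entries):
    """Return (code, detail) findings in log order."""
    appinit = set(appinit_dlls(entries))
    findings = []
    for section, text in entries:
        if text.endswith(ORPHAN_MARKS):
            # Registry entry whose target file is gone; safe to review and fix.
            findings.append(("ORPHAN", text))
        if section == "O2" and text.startswith("BHO: "):
            parts = text[len("BHO: "):].rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            name, _clsid, path = parts
            dll = basename(path).lower()
            if CLSID_RE.match(name):
                # No friendly name: the BHO is labelled only by a GUID.
                findings.append(("BHO_NO_NAME", dll))
            if dll in appinit:
                # Same DLL registered through two independent load points.
                findings.append(("BHO_IN_APPINIT", dll))
        if section == "O20":
            # Windows loads AppInit_DLLs into every process that loads
            # user32.dll, so any non-empty value deserves review.
            findings += [("APPINIT", d) for d in appinit_dlls([(section, text)])]
    return findings


def dangling_appinit(entries, deleted_paths):
    """AppInit_DLLs names that point at files already deleted from disk."""
    deleted = {basename(p).lower() for p in deleted_paths}
    return [dll for dll in appinit_dlls(entries) if dll in deleted]


if __name__ == "__main__":
    for label, log in (("before", BEFORE), ("after", AFTER)):
        for code, detail in triage(parse(log)):
            print(f"{label:6} {code:15} {detail}")
    print("still referenced after deletion:", dangling_appinit(parse(AFTER), DELETED))
```
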

Did some of that already... sorry I jumped ahead... thanks for the help... the system seems stable... everything runs great, reinstalled Java... if it returns or I have a problem I will post back... what caused this problem in the first place??? Any ideas... I did some research and it mainly pointed toward Java... but what doesn't make sense is, like you said, to delete the entry for the Yahoo tool, which was pointless, but Yahoo isn't associated when you download Java, it is the Google toolbar... so my real question and concern is where did it come from????

Link to post
Share on other sites

...the system seems stable....everything runs great...

...what caused this problem in the first place??? Any ideas....

I have more than just ideas but we will get to that later. All things in their proper time. I'm happy to read that you have noticed such an improvement but I need to advise you that your system is still infected.

Please finish up with the instructions I posted for you in my post #6 and post back the requested log so we can complete this cleanup process for you properly. Thanks!

Link to post
Share on other sites

At the request of 1972vet I am closing this topic. Should you decide to continue and follow his instructions, PM any moderator and we can re-open for you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.

Link to post
Share on other sites
