I have been having a lot of pop-ups recently. I have scanned my computer using SpyNoMore and NOD32. I have deleted every virus they both found. Here is my HijackThis log. I need someone who knows what they are doing.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:03:01 PM, on 7/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Common Files\Logitech\PDDriver\LVCOMS.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\a\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.78.117.240:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A6807262-1D7A-44AB-947B-23B71E97915C} - C:\WINDOWS\system32\urqpmli.dll (file missing)
O2 - BHO: (no name) - {CE3469CB-B640-44F4-A929-F13F200A3443} - C:\WINDOWS\system32\ddayw.dll (file missing)
O2 - BHO: (no name) - {E057435B-D8C6-49CA-996F-3D011043DAC2} - C:\WINDOWS\system32\ddcya.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [LtMoh] C:\\Program Files\\ltmoh\\Ltmoh.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\PDDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\kvdenwua.exe (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6340 bytes

Thanks, John
Hi John! You are using the new HijackThis. It's a beta, and it's better to use HijackThis v. 1.99.1. Please download HijackThis v.1.99.1 here. Once it is downloaded, extract the zip file to c:\hjt and navigate to the c:\hjt folder. Please rename HijackThis.exe to Scanner.exe.

_____________________________

Please download VundoFix.exe to your desktop.
* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files; click "YES".
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer; click OK.
* Please post the contents of C:\vundofix.txt and a new HijackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

_____________________________

Navigate to the c:\hjt folder. Now double-click on Scanner.exe and, when the window opens, put a checkmark in the box at the bottom that states "Don't show this frame again when I start HijackThis". Please now click "Do a system scan and save a logfile" and copy and paste the contents of the Notepad window it opens as a reply to this post.

Please send a fresh HijackThis log (Scanner.exe) and the VundoFix log.
Hi, thanks for your help. Here are the logs you asked for.

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 1:02:31 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Common Files\Logitech\PDDriver\LVCOMS.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HJT\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.78.117.240:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A6807262-1D7A-44AB-947B-23B71E97915C} - C:\WINDOWS\system32\urqpmli.dll (file missing)
O2 - BHO: (no name) - {CE3469CB-B640-44F4-A929-F13F200A3443} - C:\WINDOWS\system32\ddayw.dll (file missing)
O2 - BHO: (no name) - {E057435B-D8C6-49CA-996F-3D011043DAC2} - C:\WINDOWS\system32\ddcya.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [LtMoh] C:\\Program Files\\ltmoh\\Ltmoh.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\PDDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\kvdenwua.exe (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Vundo Log

VundoFix V6.5.4
Checking Java version...
Java version is 1.5.0.11
Scan started at 1:00:46 PM 7/3/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...

Thanks again, John.
Hi!

1. Go to Start->Run, type in notepad and hit OK.
2. Then copy and paste the content of the following codebox into Notepad:

Code:
sc stop DomainService
sc delete DomainService
del delete.bat

3. Save the file as "delete.bat". Make sure to save it with the quotation marks.
4. Double-click delete.bat.

_____________________

Please open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below:

O2 - BHO: (no name) - {A6807262-1D7A-44AB-947B-23B71E97915C} - C:\WINDOWS\system32\urqpmli.dll (file missing)
O2 - BHO: (no name) - {CE3469CB-B640-44F4-A929-F13F200A3443} - C:\WINDOWS\system32\ddayw.dll (file missing)
O2 - BHO: (no name) - {E057435B-D8C6-49CA-996F-3D011043DAC2} - C:\WINDOWS\system32\ddcya.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\kvdenwua.exe (file missing)

Now close all windows other than HijackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

____________________

Please set your system to show all files. Click Start, open My Computer, select the Tools menu and click Folder Options. Select the View tab. Under the "Hidden files and folders" heading, select "Show hidden files and folders". Uncheck "Hide file extensions for known file types". Uncheck the "Hide protected operating system files (recommended)" option. Click Yes to confirm.

_____________________

Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete this file (if present):

C:\WINDOWS\system32\kvdenwua.exe

_____________________

Please set your system to hide all hidden files. Click Start, open My Computer, select the Tools menu and click Folder Options. Select the View tab. Under the "Hidden files and folders" heading, uncheck "Show hidden files and folders". Check "Hide file extensions for known file types". Check the "Hide protected operating system files (recommended)" option. Click Yes to confirm.

______________________

Panda ActiveScan
- Once you are on the Panda site, click the Scan your PC button.
- A new window will open... click the Check Now button.
- Enter your Country.
- Enter your State/Province.
- Enter your e-mail address and click send.
- Select either Home User or Company.
- Click the big Scan Now button.
- If it wants to install an ActiveX component, allow it.
- It will start downloading the files it requires for the scan (Note: it may take a couple of minutes).
- When the download is complete, click on Local Disks to start the scan.
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Do NOT lose it!

Please send the Panda ActiveScan report.

______________________

Please download ComboFix to your desktop. Double-click combo.exe to launch the application. Follow the prompts that will be displayed on the screen. Don't click on the window while the fix is running, because that will cause your system to hang. When finished, it should produce a log, combofix.txt. Post this log in your next reply together with a new HijackThis log.

_________________________

Please post a fresh HijackThis log, the Panda ActiveScan report and the ComboFix log.
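The entries the helper picks out of John's log are all recognisable by shape rather than by name: a BHO with no name whose DLL is "(file missing)", and a service with "Unknown owner" whose binary is "(file missing)". The script below is an added example for this thread, not the helper's code and not part of HijackThis or any other tool named here. It parses a constructed sample made of lines copied from John's log and returns the same fix list the helper wrote by hand. The severity labels are this example's own convention, and the check on the R1 proxy line (a per-user proxy pointing at a bare IP address) is an extra review item the helper did not call out.

```python
"""Triage a HijackThis (HJT) log for the entry shapes acted on in this thread.

Added example, not part of the forum thread. SAMPLE_LOG is constructed from
lines quoted in the thread; severity labels and the proxy check are this
example's own choices.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.78.117.240:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A6807262-1D7A-44AB-947B-23B71E97915C} - C:\WINDOWS\system32\urqpmli.dll (file missing)
O2 - BHO: (no name) - {CE3469CB-B640-44F4-A929-F13F200A3443} - C:\WINDOWS\system32\ddayw.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\kvdenwua.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""


@dataclass
class Finding:
    severity: str  # "high" = put on the Fix Checked list; "review" = look at it by hand
    line: str
    reason: str


# HJT line shapes: R1 per-user IE setting, O2 browser helper object, O23 service.
PROXY_RE = re.compile(r"^R1 - HKCU\\.*ProxyServer = (?P<proxy>\S+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
BARE_IP_PORT_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and return findings in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROXY_RE.match(line):
            proxy = m["proxy"]
            if BARE_IP_PORT_RE.match(proxy):
                findings.append(Finding("review", line,
                    f"per-user IE proxy points at a bare IP ({proxy}); confirm it was set on purpose"))
            continue
        if m := BHO_RE.match(line):
            missing = m["path"].endswith("(file missing)")
            unnamed = m["name"] == "(no name)"
            if missing and unnamed:
                findings.append(Finding("high", line,
                    f"unnamed BHO {{{m['clsid']}}} whose DLL is gone: dead registration left by a removed component"))
            elif missing or unnamed:
                findings.append(Finding("review", line, "BHO is unnamed or its DLL is missing"))
            continue
        if m := SERVICE_RE.match(line):
            missing = m["path"].endswith("(file missing)")
            unknown = m["owner"] == "Unknown owner"
            if missing:
                findings.append(Finding("high", line,
                    f"service '{m['name']}' has no binary on disk; stop and delete the registration"))
            elif unknown:
                findings.append(Finding("review", line,
                    f"service '{m['name']}' has no publisher; verify the binary before trusting it"))
    return findings


def hjt_fix_list(findings: list[Finding]) -> list[str]:
    """The lines a helper would list under 'check ONLY the entries below'."""
    return [f.line for f in findings if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run against the sample it reports the three entries the helper put on the Fix Checked list (two dead BHOs and the DomainService registration) as "high", and the Atheros service and the proxy line as "review"; the NOD32 service and the Adobe BHO produce nothing. The point of separating "high" from "review" is that "Unknown owner" on its own is weak evidence (the Atheros service is legitimate), whereas a registration whose file is gone cannot be anything but leftover.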
When I do the Panda ActiveScan, I get to about 38,000 files scanned, then all of my internet browsers close, including that one. It has happened twice, at the same spot. Also, when I try to run ComboFix, I get this error message: "Some installation files are corrupt. Please download a fresh copy and retry the installation." Please advise. Thanks, John.
Hi John! Please skip Panda ActiveScan and ComboFix and try Deckard's System Scanner:

Please download Deckard's System Scanner to your Desktop.
* Close all applications and windows.
* Double-click on Dss.exe to run it, and follow the prompts.
* The scan may take a minute. When the scan is complete, two text files will open: Main.txt and extra.txt.

Please post Main.txt and Extra.txt.
Alright, that worked. Here are the logs.

Main.txt

Deckard's System Scanner v20070611.50
Run by a on 2007-07-03 at 17:54:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2007-07-03 21:54:34 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as a.exe) ---------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:56:02 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Common Files\Logitech\PDDriver\LVCOMS.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Documents and Settings\a\Desktop\dss.exe
C:\HJT\a.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.78.117.240:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [LtMoh] C:\\Program Files\\ltmoh\\Ltmoh.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\PDDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c Combobatch.bat
O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\cmd.exe /c Combobatch.bat
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

-- HijackThis Fixed Entries (C:\HJT\backups\) ----------------------------------

backup-20070703-151657-259 O2 - BHO: (no name) - {E057435B-D8C6-49CA-996F-3D011043DAC2} - C:\WINDOWS\system32\ddcya.dll (file missing)
backup-20070703-151657-479 O2 - BHO: (no name) - {CE3469CB-B640-44F4-A929-F13F200A3443} - C:\WINDOWS\system32\ddayw.dll (file missing)
backup-20070703-151657-562 O2 - BHO: (no name) - {A6807262-1D7A-44AB-947B-23B71E97915C} - C:\WINDOWS\system32\urqpmli.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R1 SrvcEKIOMngr - c:\windows\system32\drivers\ekiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 SrvcEPECioctl - c:\windows\system32\drivers\ecioctl.sys
R1 SrvcEPIOMngr - c:\windows\system32\drivers\epiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 SrvcSSIOMngr - c:\windows\system32\drivers\ssiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 SrvcTPIOMngr - c:\windows\system32\drivers\tpiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.10) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.10>
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R3 EPOWER (Compal E-POWER Driver) - c:\windows\system32\drivers\hkdrv.sys <Not Verified; Compal Electronic Inc.; EPOWER>

S3 PavSRK.sys - c:\windows\system32\pavsrk.sys (file missing)
S3 PavTPK.sys - c:\windows\system32\pavtpk.sys (file missing)
S3 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe
R2 CeEPwrSvc - c:\program files\toshiba\power management\ceepwrsvc.exe <Not Verified; COMPAL ELECTRONIC INC.; CeEPwrSvc Module>
R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree(TM)>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 LicCtrlService (LicCtrl Service) - c:\windows\runservice.exe

-- Scheduled Tasks -------------------------------------------------------------

2007-07-03 12:57:47 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-06-18 18:20:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-06-03 and 2007-07-03 -----------------------------

2007-07-03 15:24:00 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-07-03 15:23:58 0 d-------- C:\WINDOWS\LastGood
2007-07-03 13:00:15 0 d-------- C:\HJT
2007-07-03 02:15:37 0 d---s---- C:\Documents and Settings\Guest\UserData
2007-07-01 15:46:20 0 d-------- C:\VundoFix Backups
2007-07-01 12:43:38 1236126 ---hs---- C:\WINDOWS\system32\aycdd.bak2
2007-06-30 23:48:44 0 d-------- C:\WINDOWS\pss
2007-06-30 23:47:34 0 d-------- C:\Program Files\SpyNoMore
2007-06-30 21:00:33 6369 ---hs---- C:\WINDOWS\system32\aycdd.bak1
2007-06-30 17:29:12 6369 ---hs---- C:\WINDOWS\system32\jjllm.bak1
2007-06-30 16:20:20 6369 ---hs---- C:\WINDOWS\system32\hhhkj.bak1
2007-06-29 23:02:52 0 d-------- C:\Program Files\Microsoft Sticky Notes
2007-06-29 11:14:21 1221311 ---hs---- C:\WINDOWS\system32\lnnmp.ini2
2007-06-28 20:46:27 0 d-------- C:\Documents and Settings\Guest\Contacts
2007-06-28 14:53:10 1217486 ---hs---- C:\WINDOWS\system32\lnnmp.bak2
2007-06-28 01:45:31 6409 ---hs---- C:\WINDOWS\system32\lnnmp.bak1
2007-06-28 00:34:54 0 d-------- C:\Downloads
2007-06-27 23:10:04 6369 ---hs---- C:\WINDOWS\system32\kjllm.bak1
2007-06-27 22:57:13 4672 --a------ C:\WINDOWS\system32\ygexvgos.exe
2007-06-27 22:54:28 1235597 ---hs---- C:\WINDOWS\system32\ayadd.bak2
2007-06-27 13:37:13 0 d-------- C:\Documents and Settings\Guest\Application Data\Macromedia
2007-06-27 13:28:06 6369 ---hs---- C:\WINDOWS\system32\ayadd.bak1
2007-06-27 13:24:21 0 d-------- C:\Documents and Settings\Guest\Application Data\Google
2007-06-27 13:03:43 0 d-------- C:\Documents and Settings\a\Application Data\Google
2007-06-27 13:03:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-06-27 12:29:28 0 d-------- C:\Documents and Settings\Guest\Application Data\InterTrust
2007-06-27 12:29:28 0 d-------- C:\Documents and Settings\Guest\Application Data\Identities
2007-06-27 12:29:27 0 dr------- C:\Documents and Settings\Guest\Favorites
2007-06-27 12:29:27 0 d-------- C:\Documents and Settings\Guest\Desktop
2007-06-27 12:29:27 0 d---s---- C:\Documents and Settings\Guest\Cookies
2007-06-27 12:29:27 0 dr-h----- C:\Documents and Settings\Guest\Application Data
2007-06-27 12:29:27 0 d-------- C:\Documents and Settings\Guest\Application Data\toshiba
2007-06-27 12:29:27 0 d-------- C:\Documents and Settings\Guest\Application Data\Sun
2007-06-27 12:29:27 0 d---s---- C:\Documents and Settings\Guest\Application Data\Microsoft
2007-06-27 12:29:26 0 dr------- C:\Documents and Settings\Guest\Start Menu
2007-06-27 12:29:26 0 dr-h----- C:\Documents and Settings\Guest\SendTo
2007-06-27 12:29:26 0 dr-h----- C:\Documents and Settings\Guest\Recent
2007-06-27 12:29:26 0 d--h----- C:\Documents and Settings\Guest\PrintHood
2007-06-27 12:29:26 0 d--h----- C:\Documents and Settings\Guest\NetHood
2007-06-27 12:29:26 0 dr------- C:\Documents and Settings\Guest\My Documents
2007-06-27 12:29:26 0 d--h----- C:\Documents and Settings\Guest\Local Settings
2007-06-27 12:29:25 0 d--h----- C:\Documents and Settings\Guest\Templates
2007-06-27 12:29:25 1048576 --ah----- C:\Documents and Settings\Guest\NTUSER.DAT
2007-06-27 11:33:12 4672 --a------ C:\WINDOWS\system32\qtjkjlym.exe
2007-06-27 11:32:12 1236134 ---hs---- C:\WINDOWS\system32\ilnmp.bak2
2007-06-27 11:23:11 298104 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2007-06-27 11:18:47 0 d-------- C:\Program Files\nod32
2007-06-27 09:42:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Backup
2007-06-26 22:54:58 0 d-------- C:\Program Files\Common Files\Panda Software
2007-06-26 22:52:05 0 d-------- C:\WINDOWS\network diagnostic
2007-06-26 22:30:57 0 d-------- C:\Program Files\Windows Media Connect 2
2007-06-26 22:27:27 0 d-------- C:\Program Files\Windows Defender
2007-06-26 22:27:13 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-06-26 22:22:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-06-26 13:37:10 0 d-------- C:\WINDOWS\system32\LogFiles
2007-06-20 13:10:18 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-06-20 01:20:33 0 d-------- C:\Program Files\Common Files\Logitech

-- Find3M Report ---------------------------------------------------------------

2007-07-03 12:54:49 825 --ahs---- C:\WINDOWS\system32\mmf.sys
2007-06-27 10:43:05 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-06-27 09:32:13 0 d-------- C:\Program Files\Norton AntiVirus
2007-06-27 09:31:00 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-06-15 08:01:24 0 d-------- C:\Program Files\QuickTime
2007-06-15 07:54:53 0 d-------- C:\Program Files\BitComet
2007-06-06 17:04:15 0 d-------- C:\Program Files\Java
2007-05-19 11:50:37 0 d-------- C:\Documents and Settings\a\Application Data\Media Player Classic
2007-05-08 16:03:37 0 d-------- C:\Program Files\VideoLAN
2007-05-08 15:59:58 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll <Not Verified; BitComet; BitComet BCTP Helper>
2007-04-30 23:57:50 1152 --a------ C:\WINDOWS\system32\windrv.sys
2007-04-30 23:34:13 3340 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-28 13:28:34 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-04-24 16:56:53 2560 --a------ C:\WINDOWS\Runservice.exe
2007-04-24 16:56:53 48640 --a------ C:\WINDOWS\mmfs.dll

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"CeEKEY"="C:\\Program Files\\TOSHIBA\\E-KEY\\CeEKey.exe"
"CeEPOWER"="C:\\Program Files\\TOSHIBA\\Power Management\\CePMTray.exe"
"EzButton"="C:\\Program Files\\EzButton\\EzButton.EXE"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"TPNF"="C:\\Program Files\\TOSHIBA\\TouchPad\\TPTray.exe"
"NDSTray.exe"="NDSTray.exe"
"PadTouch"="C:\\Program Files\\TOSHIBA\\Touch and Launch\\PadExe.exe"
"LtMoh"="C:\\\\Program Files\\\\ltmoh\\\\Ltmoh.exe"
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\PDDriver\\LVCOMS.EXE"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"SNM"="C:\\Program Files\\SpyNoMore\\SNM.exe /startup"
"combofix"="C:\\WINDOWS\\system32\\cmd.exe /c Combobatch.bat"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"TOSCDSPD"="C:\\Program Files\\TOSHIBA\\TOSCDSPD\\toscdspd.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"combofix"="C:\\WINDOWS\\system32\\cmd.exe /c Combobatch.bat"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A6807262-1D7A-44AB-947B-23B71E97915C}"=""

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitwarePKLite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HitwarePKLite"
"hkey"="HKCU"
"command"="C:\\Program Files\\Hitware Popup Killer Lite 3\\HitwarePKLite.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cjaorovl"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\system32\\cjaorovl.dll\",forkonce"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

-- Hosts -----------------------------------------------------------------------

127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD

1079 more entries in hosts file.
-- End of Deckard's System Scanner: finished at 2007-07-03 at 17:56:28 --------- Extra.txt Deckard's System Scanner v20070611.50 Extra logfile - please post this as an attachment with your post. -------------------------------------------------------------------------------- -- System Information ---------------------------------------------------------- Microsoft Windows XP Home Edition (build 2600) SP 2.0 Architecture: X86; Language: English CPU 0: Mobile Intel(R) Pentium(R) 4 CPU 3.33GHz CPU 1: Mobile Intel(R) Pentium(R) 4 CPU 3.33GHz Percentage of Memory in Use: 32% Physical Memory (total/avail): 894.98 MiB / 606.08 MiB Pagefile Memory (total/avail): 4920.67 MiB / 4627.35 MiB Virtual Memory (total/avail): 2047.88 MiB / 1970.45 MiB C: is Fixed (NTFS) - 55.89 GiB total, 40.91 GiB free. D: is CDROM (No Media) -- Security Center ------------------------------------------------------------- AUOptions is scheduled to auto-install. Windows Internal Firewall is enabled. FirstRunDisabled is set. AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.) 
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger" "C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client" -- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\a\Application Data CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=YOUR-1A024C0D58 ComSpec=C:\WINDOWS\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Documents and Settings\a LOGONSERVER=\\YOUR-1A024C0D58 NUMBER_OF_PROCESSORS=2 OS=Windows_NT Path=C:\WINDOWS\SYSTEM32;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL;C:\PROGRAM FILES\QUICKTIME\QTSYSTEM\ PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel PROCESSOR_LEVEL=15 PROCESSOR_REVISION=0401 ProgramFiles=C:\Program Files PROMPT=$P$G QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\a\LOCALS~1\Temp TMP=C:\DOCUME~1\a\LOCALS~1\Temp USERDOMAIN=YOUR-1A024C0D58 USERNAME=a USERPROFILE=C:\Documents and Settings\a windir=C:\WINDOWS -- User Profiles --------------------------------------------------------------- a (admin) Administrator (admin) Guest (guest) -- Add/Remove Programs --------------------------------------------------------- --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu --> rundll32.exe setupapi.dll,InstallHinfSection 
DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll" Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5} Atheros Client Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{71D658CF-4E0D-4DA8-AA67-8C0B6F1C01FE}\setup.exe" -l0x9 ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe" ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_classISPLAY -clean BitComet 0.87 --> C:\Program Files\BitComet\uninst.exe CD/DVD Drive Acoustic Silencer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\Setup.exe" -l0x9 DVD-RAM Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\Setup.exe" DVD-RAM Driver Easy Button --> C:\WINDOWS\UnInst32.exe EzButton.UNI HijackThis 1.99.1 --> C:\HJT\HijackThis.exe /uninstall Hotfix for Windows Media Format 11 SDK (KB929399) --> 
"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe" iTunes --> MsiExec.exe /I{AB90749C-7422-4580-8A7A-66CC5E9E5F98} Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010} Magic ISO Maker v5.4 (build 0239) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe" Microsoft Sticky Notes --> MsiExec.exe /I{3B7A5007-3A87-4EB2-8BC3-B6814088CD3B} Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe" NOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL NOD32 FiX v2.1 --> "C:\Program Files\ESET\unins000.exe" Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328} Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE Realtek Fast Ethernet Adapter Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}\Setup.exe" -l0x9 REMOVE Rhapsody Player Engine --> MsiExec.exe /I{30C2FCD0-FF7B-4FFA-8DDE-43A22E01A1E7} Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe" SpyNoMore 2.66 --> C:\Program Files\SpyNoMore\uninst.exe TOSHIBA ConfigFree --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe" -l0x9 UNINSTALL TOSHIBA Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield 
Installation Information\{3CF0858D-1AC5-4308-9DE7-AD15288A8BDC}\Setup.exe" -l0x9 TOSHIBA Hotkey Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D2A03D7A-5803-48DD-BA43-AAE5DED2CB19} /l1033 TOSHIBA PC Diagnostic Tool --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\PCDiag\Uninst.isu" TOSHIBA Power Management Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{F16086C2-21CD-42CE-9EC8-2E5302D010B2} /l1033 TOSHIBA Software Modem --> Tosmreg -U TOSHIBA Speech System Applications --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}\Setup.exe" -l0x9 TOSHIBA Speech System SR Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{008D69EB-70FF-46AB-9C75-924620DF191A}\Setup.exe" -l0x9 UNINSTALL TOSHIBA Speech System TTS Engine(U.S.) 
Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}\Setup.exe" -l0x9 Toshiba Tbiosdrv Driver --> C:\PROGRA~1\TOSHIBA\TOSHIB~2\UNWISE.EXE C:\PROGRA~1\TOSHIBA\TOSHIB~2\INSTALL.LOG Touch and Launch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D96E2B1-D9AC-46E0-9073-425C5F63E338}\Setup.exe" TouchPad On/Off Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{49188E15-9B2E-4913-9107-A5D01821AC68} /l1033 Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401} Windows Live Messenger --> MsiExec.exe /I{FCE50DB8-C610-4C42-BE5C-193F46C6F812} Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D} Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe" WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe -- End of Deckard's System Scanner: finished at 2007-07-03 at 17:56:28 --------- Thanks, John.
Hi!

Open VundoFix

* Right click the list box (white box) in the main VundoFix window.
* Select "Add More Files?" from the menu that comes up. This will open a new VundoFix window.
* In the window, copy and paste the following into the first field: C:\WINDOWS\system32\jjllm.*
* Copy and paste the following into the second field: C:\WINDOWS\system32\aycdd.*
* Add this file too: C:\WINDOWS\system32\hhhkj.*
* Click the "Add Files" button.
* Click the "Close Window" button.
* Please open "Add More Files" again and add these files:
  C:\WINDOWS\system32\lnnmp.*
  C:\WINDOWS\system32\kjllm.*
  C:\WINDOWS\system32\ayadd.*
* Please click the "Add Files" and "Close Window" buttons again...
* And please open "Add Files" one more time and add this file: C:\WINDOWS\system32\ilnmp.*
* Please click the "Add Files" and "Close Window" buttons again...
* Click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files; click YES.
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shut down your computer; click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt and a new HijackThis log.

__________________

Download KillBox from the following link: http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.
Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the file paths and pressing Control + C:
C:\WINDOWS\system32\ygexvgos.exe
C:\WINDOWS\system32\qtjkjlym.exe
Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and ask if you would like to reboot now; click "yes".
Click OK at any Pending File Rename Operations prompts, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

_______________

Run Deckard's System Scanner again.

_______________

Please post the VundoFix log, a fresh HijackThis log and Deckard's logs.
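The reply above picks the Vundo remnants out of the logs by eye: O2 BHO entries in the HijackThis log that have no name and point at a file that is no longer there, and hidden+system .bak1/.bak2 files dropped directly into system32 in the Deckard's "Files created" list. The script below is an added example (not part of this thread, and not code from HijackThis, Deckard's System Scanner, VundoFix or KillBox) that automates that first-pass triage. Its input is a handful of entries copied from the logs posted above, constructed here as one entry per line the way the tools actually write them. The severity labels, the function names and the reversed-name cross-check (ddcya.dll missing in the BHO list while aycdd.bak1/.bak2 sit in system32; the same pairing shows up for the other entries in this thread) are my own choices, and the output is a list of items for a human to review, not a verdict.

```python
import re

# Constructed test input: entries copied from the HijackThis and Deckard's
# System Scanner output posted in this thread, one entry per line.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.78.117.240:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {CE3469CB-B640-44F4-A929-F13F200A3443} - C:\WINDOWS\system32\ddayw.dll (file missing)
O2 - BHO: (no name) - {E057435B-D8C6-49CA-996F-3D011043DAC2} - C:\WINDOWS\system32\ddcya.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c Combobatch.bat
"""

SAMPLE_DSS = r"""
2007-07-01 12:43:38 1236126 ---hs---- C:\WINDOWS\system32\aycdd.bak2
2007-06-30 21:00:33 6369 ---hs---- C:\WINDOWS\system32\aycdd.bak1
2007-06-27 11:33:12 4672 --a------ C:\WINDOWS\system32\qtjkjlym.exe
2007-06-27 11:23:11 298104 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2007-06-26 22:27:27 0 d-------- C:\Program Files\Windows Defender
"""

# "R1 - <body>", "O2 - <body>", ... as HijackThis prints them.
HJT_ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# Body of an O2 line: name - {CLSID} - path [ (file missing)]
BHO_BODY = re.compile(
    r"BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# DSS file line: timestamp size attributes path [<version info>]
# Attribute string is d r a h s followed by four more flag positions.
DSS_FILE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<size>\d+) "
    r"(?P<attr>[d-][r-][a-][h-][s-]-{4}) (?P<path>.+?)(?: <(?P<verinfo>[^>]*)>)?$"
)
SYSTEM32 = "c:\\windows\\system32\\"


def stem(path):
    """Lower-case file name without directory or extension (aycdd.bak2 -> aycdd)."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def triage_hjt(text):
    """Return (findings, stems of BHO files that are registered but missing)."""
    findings, missing = [], set()
    for line in text.strip().splitlines():
        m = HJT_ENTRY.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "R1" and "ProxyServer" in body:
            findings.append(("review", line, "proxy configured in IE settings; confirm the user set it"))
        elif kind == "O2":
            b = BHO_BODY.match(body)
            if b and (b.group("missing") or b.group("name") == "(no name)"):
                missing.add(stem(b.group("path")))
                findings.append(("suspect", line, "BHO registered with no name or a missing file"))
        elif kind == "O4" and re.search(r"cmd\.exe\s+/c\b", body, re.I):
            findings.append(("review", line, "Run key starts a batch file via cmd.exe /c"))
    return findings, missing


def triage_dss(text, missing_stems=frozenset()):
    """Flag files created directly in system32 that match the patterns seen above."""
    findings = []
    for line in text.strip().splitlines():
        m = DSS_FILE.match(line)
        if not m:
            continue
        attr, path, ver = m.group("attr"), m.group("path"), m.group("verinfo")
        low = path.lower()
        in_sys32 = low.startswith(SYSTEM32) and "\\" not in low[len(SYSTEM32):]
        if attr[0] == "d" or not in_sys32:
            continue  # directories and anything outside system32 are out of scope here
        if "h" in attr and "s" in attr:
            mirror = stem(path)[::-1]  # reversed-name cross-check against missing BHOs
            if mirror in missing_stems:
                findings.append(("suspect", line, f"hidden+system file whose reversed name '{mirror}' matches a missing BHO"))
            else:
                findings.append(("suspect", line, "hidden+system file dropped directly in system32"))
        elif low.endswith(".exe") and not ver:
            findings.append(("review", line, "new executable in system32 without version information"))
    return findings


if __name__ == "__main__":
    hjt_findings, missing = triage_hjt(SAMPLE_HJT)
    for sev, line, why in hjt_findings + triage_dss(SAMPLE_DSS, missing):
        print(f"[{sev}] {why}\n    {line}")
```

Run on the sample above it reports the proxy line and the combofix Run entry for review, both no-name BHOs as suspect, both aycdd.bak files as suspect with the reversed-name match to ddcya.dll, and qtjkjlym.exe for review; the Adobe BHO, imon.dll and the Windows Defender directory are left alone.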
Vundo VundoFix V6.5.4 Checking Java version... Java version is 1.5.0.11 Scan started at 1:00:46 PM 7/3/2007 Listing files found while scanning.... No infected files were found. Beginning removal... Beginning removal... Performing Repairs to the registry. Done! Deckard's Deckard's System Scanner v20070611.50 Run by a on 2007-07-04 at 17:04:18 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as a.exe) --------------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 5:04:20 PM, on 7/4/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ACS.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\WINDOWS\runservice.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe C:\Program Files\TOSHIBA\Power Management\CePMTray.exe C:\Program Files\EzButton\EzButton.EXE C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\TOSHIBA\TouchPad\TPTray.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe C:\Program Files\ltmoh\Ltmoh.exe C:\Program Files\Common Files\Logitech\PDDriver\LVCOMS.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\SpyNoMore\SNM.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\RAMASST.exe 
C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\internet explorer\iexplore.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\a\Desktop\dss.exe C:\DOCUME~1\a\Desktop\a.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.78.117.240:3128 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM\..\Run: [LtMoh] C:\\Program Files\\ltmoh\\Ltmoh.exe O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\PDDriver\LVCOMS.EXE O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c Combobatch.bat O4 - 
HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. 
- C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe -- Files created between 2007-06-04 and 2007-07-04 ----------------------------- 2007-07-04 16:56:52 0 d-------- C:\!KillBox 2007-07-03 15:24:00 0 d-------- C:\WINDOWS\system32\ActiveScan 2007-07-03 13:00:15 0 d-------- C:\HJT 2007-07-03 02:15:37 0 d---s---- C:\Documents and Settings\Guest\UserData 2007-07-01 15:46:20 0 d-------- C:\VundoFix Backups 2007-07-01 12:43:38 1236126 ---hs---- C:\WINDOWS\system32\aycdd.bak2 2007-06-30 23:48:44 0 d-------- C:\WINDOWS\pss 2007-06-30 23:47:34 0 d-------- C:\Program Files\SpyNoMore 2007-06-30 21:00:33 6369 ---hs---- C:\WINDOWS\system32\aycdd.bak1 2007-06-30 17:29:12 6369 ---hs---- C:\WINDOWS\system32\jjllm.bak1 2007-06-30 16:20:20 6369 ---hs---- C:\WINDOWS\system32\hhhkj.bak1 2007-06-29 23:02:52 0 d-------- C:\Program Files\Microsoft Sticky Notes 2007-06-29 11:14:21 1221311 ---hs---- C:\WINDOWS\system32\lnnmp.ini2 2007-06-28 20:46:27 0 d-------- C:\Documents and Settings\Guest\Contacts 2007-06-28 14:53:10 1217486 ---hs---- C:\WINDOWS\system32\lnnmp.bak2 2007-06-28 01:45:31 6409 ---hs---- C:\WINDOWS\system32\lnnmp.bak1 2007-06-28 00:34:54 0 d-------- C:\Downloads 2007-06-27 23:10:04 6369 ---hs---- C:\WINDOWS\system32\kjllm.bak1 2007-06-27 22:54:28 1235597 ---hs---- C:\WINDOWS\system32\ayadd.bak2 2007-06-27 13:37:13 0 d-------- C:\Documents and Settings\Guest\Application Data\Macromedia 2007-06-27 13:28:06 6369 
---hs---- C:\WINDOWS\system32\ayadd.bak1 2007-06-27 13:24:21 0 d-------- C:\Documents and Settings\Guest\Application Data\Google 2007-06-27 13:03:43 0 d-------- C:\Documents and Settings\a\Application Data\Google 2007-06-27 13:03:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Google 2007-06-27 12:29:28 0 d-------- C:\Documents and Settings\Guest\Application Data\InterTrust 2007-06-27 12:29:28 0 d-------- C:\Documents and Settings\Guest\Application Data\Identities 2007-06-27 12:29:27 0 dr------- C:\Documents and Settings\Guest\Favorites 2007-06-27 12:29:27 0 d-------- C:\Documents and Settings\Guest\Desktop 2007-06-27 12:29:27 0 d---s---- C:\Documents and Settings\Guest\Cookies 2007-06-27 12:29:27 0 dr-h----- C:\Documents and Settings\Guest\Application Data 2007-06-27 12:29:27 0 d-------- C:\Documents and Settings\Guest\Application Data\toshiba 2007-06-27 12:29:27 0 d-------- C:\Documents and Settings\Guest\Application Data\Sun 2007-06-27 12:29:27 0 d---s---- C:\Documents and Settings\Guest\Application Data\Microsoft 2007-06-27 12:29:26 0 dr------- C:\Documents and Settings\Guest\Start Menu 2007-06-27 12:29:26 0 dr-h----- C:\Documents and Settings\Guest\SendTo 2007-06-27 12:29:26 0 dr-h----- C:\Documents and Settings\Guest\Recent 2007-06-27 12:29:26 0 d--h----- C:\Documents and Settings\Guest\PrintHood 2007-06-27 12:29:26 0 d--h----- C:\Documents and Settings\Guest\NetHood 2007-06-27 12:29:26 0 dr------- C:\Documents and Settings\Guest\My Documents 2007-06-27 12:29:26 0 d--h----- C:\Documents and Settings\Guest\Local Settings 2007-06-27 12:29:25 0 d--h----- C:\Documents and Settings\Guest\Templates 2007-06-27 12:29:25 1048576 --ah----- C:\Documents and Settings\Guest\NTUSER.DAT 2007-06-27 11:32:12 1236134 ---hs---- C:\WINDOWS\system32\ilnmp.bak2 2007-06-27 11:23:11 298104 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System> 2007-06-27 11:18:47 0 d-------- C:\Program Files\nod32 2007-06-27 09:42:41 0 d-------- 
C:\Documents and Settings\All Users\Application Data\Backup 2007-06-26 22:54:58 0 d-------- C:\Program Files\Common Files\Panda Software 2007-06-26 22:52:05 0 d-------- C:\WINDOWS\network diagnostic 2007-06-26 22:30:57 0 d-------- C:\Program Files\Windows Media Connect 2 2007-06-26 22:27:27 0 d-------- C:\Program Files\Windows Defender 2007-06-26 22:27:13 0 d-------- C:\WINDOWS\system32\drivers\UMDF 2007-06-26 22:22:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage 2007-06-26 13:37:10 0 d-------- C:\WINDOWS\system32\LogFiles 2007-06-20 13:10:18 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module> 2007-06-20 01:20:33 0 d-------- C:\Program Files\Common Files\Logitech -- Find3M Report --------------------------------------------------------------- 2007-07-04 17:00:36 825 --ahs---- C:\WINDOWS\system32\mmf.sys 2007-06-27 10:43:05 0 d--h----- C:\Program Files\InstallShield Installation Information 2007-06-27 09:32:13 0 d-------- C:\Program Files\Norton AntiVirus 2007-06-27 09:31:00 0 d-------- C:\Program Files\Common Files\Symantec Shared 2007-06-15 08:01:24 0 d-------- C:\Program Files\QuickTime 2007-06-15 07:54:53 0 d-------- C:\Program Files\BitComet 2007-06-06 17:04:15 0 d-------- C:\Program Files\Java 2007-05-19 11:50:37 0 d-------- C:\Documents and Settings\a\Application Data\Media Player Classic 2007-05-08 16:03:37 0 d-------- C:\Program Files\VideoLAN 2007-05-08 15:59:58 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll <Not Verified; BitComet; BitComet BCTP Helper> 2007-04-30 23:57:50 1152 --a------ C:\WINDOWS\system32\windrv.sys 2007-04-30 23:34:13 3340 --a------ C:\WINDOWS\system32\tmp.reg 2007-04-28 13:28:34 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows> 2007-04-24 16:56:53 2560 --a------ C:\WINDOWS\Runservice.exe 2007-04-24 16:56:53 48640 --a------ C:\WINDOWS\mmfs.dll -- Registry Dump 
--------------------------------------------------------------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll {9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe" "CeEKEY"="C:\\Program Files\\TOSHIBA\\E-KEY\\CeEKey.exe" "CeEPOWER"="C:\\Program Files\\TOSHIBA\\Power Management\\CePMTray.exe" "EzButton"="C:\\Program Files\\EzButton\\EzButton.EXE" "Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe" "TPNF"="C:\\Program Files\\TOSHIBA\\TouchPad\\TPTray.exe" "NDSTray.exe"="NDSTray.exe" "PadTouch"="C:\\Program Files\\TOSHIBA\\Touch and Launch\\PadExe.exe" "LtMoh"="C:\\\\Program Files\\\\ltmoh\\\\Ltmoh.exe" "LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\PDDriver\\LVCOMS.EXE" "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide" "nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE" "SNM"="C:\\Program Files\\SpyNoMore\\SNM.exe /startup" "combofix"="C:\\WINDOWS\\system32\\cmd.exe /c Combobatch.bat" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "TOSCDSPD"="C:\\Program Files\\TOSHIBA\\TOSCDSPD\\toscdspd.exe" "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{A6807262-1D7A-44AB-947B-23B71E97915C}"="" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification 
Packages REG_MULTI_SZ scecli\0\0 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="" "hkey"="HKLM" "command"="" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitwarePKLite] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="HitwarePKLite" "hkey"="HKCU" "command"="C:\\Program Files\\Hitware Popup Killer Lite 3\\HitwarePKLite.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="cjaorovl" "hkey"="HKLM" "command"="rundll32.exe \"C:\\WINDOWS\\system32\\cjaorovl.dll\",forkonce" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="jusched" "hkey"="HKLM" "command"="C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 Usnsvc REG_MULTI_SZ usnsvc\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 -- End of Deckard's System Scanner: finished at 2007-07-04 at 17:04:38 --------- HiJackThis Logfile of HijackThis v1.99.1 Scan saved at 5:04:20 PM, on 7/4/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows 
Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ACS.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\WINDOWS\runservice.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe C:\Program Files\TOSHIBA\Power Management\CePMTray.exe C:\Program Files\EzButton\EzButton.EXE C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\TOSHIBA\TouchPad\TPTray.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe C:\Program Files\ltmoh\Ltmoh.exe C:\Program Files\Common Files\Logitech\PDDriver\LVCOMS.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\SpyNoMore\SNM.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\RAMASST.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\internet explorer\iexplore.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\a\Desktop\dss.exe C:\DOCUME~1\a\Desktop\a.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.78.117.240:3128 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft 
Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM\..\Run: [LtMoh] C:\\Program Files\\ltmoh\\Ltmoh.exe O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\PDDriver\LVCOMS.EXE O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c Combobatch.bat O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - 
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe Thanks, John
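A small triage script for the kind of log posted above, added here as an example; it is not part of the thread and not code from HijackThis, Deckard's System Scanner or ComboFix. It reads HijackThis entries (R1, O2, O4, O9, O20, O23) and the `"command"=` values of an exported msconfig\startupreg key, and flags what a helper would normally look at first: the Internet Explorer proxy, which in every log in this thread is a public address (200.78.117.240:3128) and so relays all of IE's traffic; registrations whose file is missing; rundll32 loading a DLL out of system32 by export name (the `cjaorovl.dll,forkonce` command that survives as a disabled startup item in the Deckard dump); Winlogon Notify DLLs; and services with no company name. The sample lines are copied from the logs in this thread, except the O2 line with the all-zero CLSID and `example.dll` and the O4 form of the cjaorovl command, which are constructed to exercise those branches. A flag means "look at this", not "malicious".

```python
"""Triage for HijackThis log lines and msconfig\\startupreg exports.

Added example; not code from the thread, HijackThis, Deckard's System Scanner
or ComboFix. A finding means "a reviewer should look", never "malicious".
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# "O4 - HKLM\..\Run: [name] command", "R1 - key,value = data", "O23 - Service: ..." share this shape.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.*)$")
# A "command" value inside an exported [..\msconfig\startupreg\<item>] key (one value per line in a .reg file).
REG_COMMAND_RE = re.compile(r'^"command"="(?P<cmd>.*)"$')
# rundll32 loading a DLL from %SystemRoot%\system32 by export name: the launch shape of the cjaorovl item.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^"]+?\\system32\\[^\\"]+\.dll)"?\s*,\s*(?P<export>\w+)',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section (R1, O4, ...) or "msconfig" for startupreg values
    severity: str  # "review": needs a decision; "cleanup": dead entry, harmless but should go
    reason: str
    line: str


def _public_ip_literal(host: str) -> bool:
    """True only for an IP literal that is routable on the Internet (not RFC 1918, loopback, etc.)."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a hostname or junk, not an IP literal; left for a human


def triage_line(raw: str) -> list[Finding]:
    line = raw.strip()
    out: list[Finding] = []

    reg = REG_COMMAND_RE.match(line)
    if reg:
        # .reg exports escape backslashes and quotes; undo that before matching the command.
        cmd = reg.group("cmd").replace('\\"', '"').replace("\\\\", "\\")
        hit = RUNDLL_RE.search(cmd)
        if hit:
            out.append(Finding("msconfig", "review",
                f"disabled startup item still records rundll32 loading {hit.group('dll')} via export {hit.group('export')}", line))
        return out

    m = ENTRY_RE.match(line)
    if not m:
        return out
    sec, body = m.group("sec"), m.group("body")

    if sec == "R1" and "ProxyServer" in body and "=" in body:
        proxy = body.split("=", 1)[1].strip()
        host = proxy.rsplit(":", 1)[0] if ":" in proxy else proxy
        if _public_ip_literal(host):
            out.append(Finding(sec, "review",
                f"Internet Explorer proxy is a public address ({proxy}); every IE request is relayed through it", line))

    if sec in ("O2", "O4", "O9") and "(file missing)" in body:
        # A dangling BHO (O2) is the usual trace of a removed Vundo-style DLL; dangling O9 buttons are leftovers.
        out.append(Finding(sec, "review" if sec == "O2" else "cleanup",
                           "registration points at a file that no longer exists", line))

    if sec == "O4":
        hit = RUNDLL_RE.search(body)
        if hit:
            out.append(Finding(sec, "review",
                f"rundll32 loads {hit.group('dll')} via export {hit.group('export')} at logon", line))

    if sec == "O20":
        out.append(Finding(sec, "review",
                           "Winlogon Notify DLL is loaded into winlogon.exe at logon; confirm it is expected", line))

    if sec == "O23" and "Unknown owner" in body:
        out.append(Finding(sec, "review", "service binary carries no company name; verify the file", line))

    return out


def triage(text: str) -> list[Finding]:
    return [f for raw in text.splitlines() for f in triage_line(raw)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


# Sample input. Lines are copied from the thread's logs, except the O2 line with the all-zero CLSID /
# example.dll and the O4 form of the cjaorovl command, which are constructed to exercise those branches.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.78.117.240:3128
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\example.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [cjaorovl] rundll32.exe "C:\WINDOWS\system32\cjaorovl.dll",forkonce
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# The three startupreg "command" values from the Deckard dump, one per line as a .reg export lays them out.
SAMPLE_REG = r"""
"command"="C:\\Program Files\\Hitware Popup Killer Lite 3\\HitwarePKLite.exe"
"command"="rundll32.exe \"C:\\WINDOWS\\system32\\cjaorovl.dll\",forkonce"
"command"="C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT) + triage(SAMPLE_REG):
        print(f"[{f.severity:7}] {f.section:8} {f.reason}\n          {f.line}")
    print(summarize(triage(SAMPLE_HJT)))
```

The severities are deliberate: the dangling Messenger and xpnetdiag O9 buttons and the WgaLogon notify DLL are normal on an XP SP2 machine with Windows Genuine Advantage installed, so the script only ranks; a person still decides. The one entry that deserves attention in every log in this thread and is never addressed is the R1 proxy.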
Hi! Before we start fixing anything you should print out these instructions or copy them to a Notepad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please set your system to show all files:
* Click Start, open My Computer, select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck: Hide file extensions for known file types.
* Uncheck: Hide protected operating system files (recommended). Click Yes to confirm.
____________
Reboot your computer in Safe Mode.
* If the computer is running, shut down Windows, and then turn off the power.
* Wait 30 seconds, and then turn the computer on.
* Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
* Ensure that the Safe Mode option is selected.
* Press Enter. The computer then begins to start in Safe Mode.
* Log in on your usual account.
___________
Once in Safe Mode: using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete these files (if present):
C:\WINDOWS\system32\aycdd.bak2
C:\WINDOWS\system32\aycdd.bak1
C:\WINDOWS\system32\jjllm.bak1
C:\WINDOWS\system32\hhhkj.bak1
C:\WINDOWS\system32\lnnmp.ini2
C:\WINDOWS\system32\lnnmp.bak2
C:\WINDOWS\system32\lnnmp.bak1
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\ayadd.bak2
C:\WINDOWS\system32\ayadd.bak1
C:\WINDOWS\system32\ilnmp.bak2
____________
Please set your system to show all files:
* Click Start, open My Computer, select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck: Hide file extensions for known file types.
* Uncheck: Hide protected operating system files (recommended). Click Yes to confirm.
___________
Boot your computer normally now.
___________
Please try now to run ComboFix and Panda ActiveScan. Please send the ComboFix log, the Panda ActiveScan results and a fresh HJT log.
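Rather than deleting the eleven files outright, a practitioner would move them aside and keep a hash, so there is still something to upload if a scanner (VirusTotal, Jotti) is wanted later and something to restore if a file turns out to be legitimate. The script below is an added example, not from the thread or from ComboFix; it applies to the hand-written list in the reply above the same layout ComboFix uses for its own quarantine (C:\Qoobox\Quarantine with a .vir suffix, as the quarantine listing later in this thread shows) and records a SHA-256, size and timestamp per file before the move. It builds a throw-away WINDOWS\system32 tree with placeholder contents so it can be run anywhere without touching the real one; the quarantine root, the placeholder bytes and the `build_constructed_tree` helper are assumptions for the demo. On the real machine you would pass the real paths to `quarantine()` from an administrator account.

```python
"""Quarantine listed files with a hash record instead of deleting them outright.

Added example; not code from the thread or from ComboFix. It does for a hand-written
file list what the ComboFix log later shows ComboFix doing on its own (moving files
under C:\\Qoobox\\Quarantine with a .vir suffix), and adds a SHA-256 per file so the
sample can be looked up or uploaded afterwards. The quarantine root and the
constructed sample content are assumptions.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from pathlib import Path, PureWindowsPath
from typing import Iterable

# The paths the reply above asks to have deleted from Safe Mode.
LISTED_FILES = [
    r"C:\WINDOWS\system32\aycdd.bak2",
    r"C:\WINDOWS\system32\aycdd.bak1",
    r"C:\WINDOWS\system32\jjllm.bak1",
    r"C:\WINDOWS\system32\hhhkj.bak1",
    r"C:\WINDOWS\system32\lnnmp.ini2",
    r"C:\WINDOWS\system32\lnnmp.bak2",
    r"C:\WINDOWS\system32\lnnmp.bak1",
    r"C:\WINDOWS\system32\kjllm.bak1",
    r"C:\WINDOWS\system32\ayadd.bak2",
    r"C:\WINDOWS\system32\ayadd.bak1",
    r"C:\WINDOWS\system32\ilnmp.bak2",
]

# Placeholder bytes for the demo tree; not the contents of any file from the machine.
SAMPLE_CONTENT = b"constructed placeholder, not a real sample\n"


@dataclass
class Manifest:
    quarantined: list[dict] = field(default_factory=list)  # one record per file moved
    missing: list[str] = field(default_factory=list)       # listed but not present (already gone, or never there)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine_path(src: Path, root: Path) -> Path:
    """Mirror the source's directory layout under root and add a .vir suffix, as ComboFix's Qoobox does."""
    rel = Path(*src.parts[1:]) if src.is_absolute() else src
    return root / rel.with_name(rel.name + ".vir")


def quarantine(candidates: Iterable[str | Path], root: Path) -> Manifest:
    """Move every existing candidate under root; record size, mtime and SHA-256 taken before the move."""
    root.mkdir(parents=True, exist_ok=True)
    manifest = Manifest()
    for cand in candidates:
        src = Path(cand)
        if not src.is_file():
            manifest.missing.append(str(src))
            continue
        st = src.stat()
        record = {
            "original": str(src),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_of(src),  # hashed in place, so the record describes the file as found
        }
        dst = quarantine_path(src, root)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dst))
        record["quarantined_as"] = str(dst)
        manifest.quarantined.append(record)
    (root / "manifest.json").write_text(json.dumps(asdict(manifest), indent=2))
    return manifest


def build_constructed_tree(present: Iterable[str], work: Path | None = None) -> tuple[Path, list[Path]]:
    """Make a throw-away WINDOWS\\system32 tree holding only the names in `present`, and return the
    work dir plus the listed paths mapped into it (so the demo never touches the real system32)."""
    work = work or Path(tempfile.mkdtemp(prefix="quarantine-demo-"))
    sys32 = work / "WINDOWS" / "system32"
    sys32.mkdir(parents=True, exist_ok=True)
    for name in present:
        (sys32 / name).write_bytes(SAMPLE_CONTENT)
    return work, [sys32 / PureWindowsPath(p).name for p in LISTED_FILES]


if __name__ == "__main__":
    work, targets = build_constructed_tree(["aycdd.bak1", "lnnmp.ini2"])
    result = quarantine(targets, work / "Quarantine")
    print(json.dumps(asdict(result), indent=2))
```

The manifest is the part that matters later: the SHA-256 lets you look a sample up on a multi-engine scanner without re-uploading it, and the `missing` list tells the helper which of the listed names were already gone before you started, which is itself useful when comparing against the next ComboFix log.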
Panda Active Scan seems to be doing the same thing as before. Although this time, when I re-open Internet Explorer, I get the following message: "Internet Explorer is not currently your default browser. Would you like to make it your default browser?" With the option to click yes or no. Combo fix worked though. Here is the log. Combo Fix "a" - 2007-07-04 19:08:20 - ComboFix 07-07-04.4 - Service Pack 2 ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\DOCUME~1\ALLUSE~1\APPLIC~1.\TEMP ((((((((((((((((((((((((( Files Created from 2007-06-04 to 2007-07-04 ))))))))))))))))))))))))))))))) 2007-07-04 16:56 <DIR> d-------- C:\!KillBox 2007-07-03 17:54 <DIR> d-------- C:\Deckard 2007-07-03 15:24 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-07-03 13:00 <DIR> d-------- C:\HJT 2007-07-03 02:15 <DIR> d---s---- C:\DOCUME~1\Guest\UserData 2007-07-01 18:01 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-01 15:46 <DIR> d-------- C:\VundoFix Backups 2007-06-30 23:48 <DIR> d-------- C:\WINDOWS\pss 2007-06-30 23:47 <DIR> d-------- C:\Program Files\SpyNoMore 2007-06-29 23:02 <DIR> d-------- C:\Program Files\Microsoft Sticky Notes 2007-06-28 20:46 <DIR> d-------- C:\DOCUME~1\Guest\Contacts 2007-06-28 00:34 <DIR> d-------- C:\Downloads 2007-06-27 13:24 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Google 2007-06-27 13:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google 2007-06-27 13:03 <DIR> d-------- C:\DOCUME~1\a\APPLIC~1\Google 2007-06-27 12:29 1,048,576 --ah----- C:\DOCUME~1\Guest\NTUSER.DAT 2007-06-27 12:29 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\toshiba 2007-06-27 12:29 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\InterTrust 2007-06-27 11:23 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2007-06-27 11:23 298,104 --a------ C:\WINDOWS\system32\imon.dll 2007-06-27 11:23 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2007-06-27 11:18 <DIR> d-------- C:\Program Files\nod32 2007-06-27 09:42 <DIR> 
d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Backup 2007-06-26 22:54 <DIR> d-------- C:\Program Files\Common Files\Panda Software 2007-06-26 22:52 <DIR> d-------- C:\WINDOWS\network diagnostic 2007-06-26 22:30 <DIR> d-------- C:\Program Files\Windows Media Connect 2 2007-06-26 22:27 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF 2007-06-26 22:27 <DIR> d-------- C:\Program Files\Windows Defender 2007-06-26 22:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage 2007-06-26 13:37 <DIR> d-------- C:\WINDOWS\system32\LogFiles 2007-06-20 13:10 737,280 --a------ C:\WINDOWS\iun6002.exe 2007-06-20 01:20 <DIR> d-------- C:\Program Files\Common Files\Logitech (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-04 23:04:50 825 --sha-w C:\WINDOWS\system32\mmf.sys 2007-06-27 14:43:05 -------- d--h--w C:\Program Files\InstallShield Installation Information 2007-06-27 13:32:13 -------- d-----w C:\Program Files\Norton AntiVirus 2007-06-27 13:31:00 -------- d-----w C:\Program Files\Common Files\Symantec Shared 2007-06-15 12:01:24 -------- d-----w C:\Program Files\QuickTime 2007-06-15 11:54:53 -------- d-----w C:\Program Files\BitComet 2007-05-19 15:50:37 -------- d-----w C:\DOCUME~1\a\APPLIC~1\Media Player Classic 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2007-05-08 20:03:37 -------- d-----w C:\Program Files\VideoLAN 2007-05-08 19:59:58 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll 2007-05-01 03:57:50 1,152 ----a-w C:\WINDOWS\system32\windrv.sys 2007-05-01 03:34:13 3,340 ----a-w C:\WINDOWS\system32\tmp.reg 2007-04-28 17:28:35 249,856 ------w C:\WINDOWS\Setup1.exe 2007-04-28 17:28:34 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE 2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll 2007-04-24 20:56:53 48,640 ----a-w C:\WINDOWS\mmfs.dll 2007-04-24 20:56:53 2,560 ----a-w C:\WINDOWS\Runservice.exe 2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll 2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll 2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll 2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll 2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll 2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll 2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe 2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] 2001-04-16 19:39 37808 --a------ C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}] 2007-04-29 05:29 394816 --a------ C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}] 2007-03-14 06:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}] 2006-07-07 15:29 324416 --a------ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-22 00:10] "CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-06-14 08:00] "CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2004-08-19 21:14] "EzButton"="C:\Program Files\EzButton\EzButton.EXE" [2004-05-13 22:29] "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 04:46] "TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-03-14 23:17] "NDSTray.exe"="NDSTray.exe" [] 
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 17:47] "LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe" [2003-09-26 18:43] "LVCOMS"="C:\Program Files\Common Files\Logitech\PDDriver\LVCOMS.EXE" [2002-04-05 16:35] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20] "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-27 11:23] "SNM"="C:\Program Files\SpyNoMore\SNM.exe" [2006-03-13 13:11] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitwarePKLite] C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com] rundll32.exe "C:\WINDOWS\system32\cjaorovl.dll",forkonce [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] Usnsvc usnsvc Contents of the 'Scheduled Tasks' folder 2007-06-18 22:20:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job 2007-07-04 23:07:41 C:\WINDOWS\tasks\MP Scheduled Scan.job ************************************************************************** catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-04 19:10:00 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-07-04 19:10:25 C:\ComboFix-quarantined-files.txt ... 
2007-07-04 19:10 --- E O F --- Another file appeared, called 'ComboFix-quarantined-files" Here it is: Code: 2002-08-02 16:40 32656 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\npf.sys.vir 2002-08-07 18:57 49152 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\packet.dll.vir 2002-08-08 19:01 155648 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir 2007-06-27 10:04 200 --a------ C:\Qoobox\Quarantine\C\WINDOWS\retadpu1000272.exe.vir Folder PATH listing for volume S3A2021D001 Volume serial number is AF50-8D53 C:\QOOBOX \---Quarantine +---C | \---WINDOWS | | retadpu1000272.exe.vir | | | \---system32 | | packet.dll.vir | | wpcap.dll.vir | | | \---drivers | npf.sys.vir | \---Registry_backups HjT Log Logfile of HijackThis v1.99.1 Scan saved at 7:34:39 PM, on 7/4/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ACS.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\WINDOWS\runservice.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe C:\Program Files\TOSHIBA\Power Management\CePMTray.exe C:\Program Files\EzButton\EzButton.EXE C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\TOSHIBA\TouchPad\TPTray.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe C:\Program Files\ltmoh\Ltmoh.exe C:\Program Files\Common Files\Logitech\PDDriver\LVCOMS.EXE C:\Program Files\Windows Defender\MSASCui.exe 
C:\Program Files\Eset\nod32kui.exe C:\Program Files\SpyNoMore\SNM.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\RAMASST.exe C:\Program Files\Apoint2K\Apntex.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\explorer.exe C:\Program Files\internet explorer\iexplore.exe C:\WINDOWS\system32\notepad.exe C:\Documents and Settings\a\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.78.117.240:3128 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM\..\Run: [LtMoh] C:\\Program Files\\ltmoh\\Ltmoh.exe O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\PDDriver\LVCOMS.EXE O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [nod32kui] "C:\Program 
Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: 
CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe Thanks, John.
Hi! Open Notepad and copy/paste the text in the quotebox below into it:

Save this as ComboFix-Do.txt. Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below. This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
______________
Please visit VirusTotal:
* Click the Browse... button
* Navigate to the file C:\WINDOWS\Setup1.exe
* Click the Open button
* Click the Send button
* Copy and paste the results back here
______________
Please send a fresh HijackThis log, ComboFix log and VirusTotal results.
ComboFix "a" - 2007-07-05 10:31:47 - ComboFix 07-07-04.4 - Service Pack 2 Command switches used :: C:\Documents and Settings\a\Desktop\ComboFix-do.txt ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\iun6002.exe ((((((((((((((((((((((((( Files Created from 2007-06-05 to 2007-07-05 ))))))))))))))))))))))))))))))) 2007-07-05 01:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer 2007-07-05 01:25 <DIR> d-------- C:\DOCUME~1\a\APPLIC~1\Apple Computer 2007-07-05 01:24 <DIR> d-------- C:\DOCUME~1\a\APPLIC~1\LimeWire 2007-07-04 16:56 <DIR> d-------- C:\!KillBox 2007-07-03 17:54 <DIR> d-------- C:\Deckard 2007-07-03 15:24 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-07-03 13:00 <DIR> d-------- C:\HJT 2007-07-03 02:15 <DIR> d---s---- C:\DOCUME~1\Guest\UserData 2007-07-01 18:01 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-01 15:46 <DIR> d-------- C:\VundoFix Backups 2007-06-30 23:48 <DIR> d-------- C:\WINDOWS\pss 2007-06-30 23:47 <DIR> d-------- C:\Program Files\SpyNoMore 2007-06-29 23:02 <DIR> d-------- C:\Program Files\Microsoft Sticky Notes 2007-06-28 20:46 <DIR> d-------- C:\DOCUME~1\Guest\Contacts 2007-06-28 00:34 <DIR> d-------- C:\Downloads 2007-06-27 13:24 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Google 2007-06-27 13:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google 2007-06-27 13:03 <DIR> d-------- C:\DOCUME~1\a\APPLIC~1\Google 2007-06-27 12:29 1,048,576 --ah----- C:\DOCUME~1\Guest\NTUSER.DAT 2007-06-27 12:29 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\toshiba 2007-06-27 12:29 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\InterTrust 2007-06-27 11:23 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2007-06-27 11:23 298,104 --a------ C:\WINDOWS\system32\imon.dll 2007-06-27 11:23 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2007-06-27 11:18 <DIR> d-------- C:\Program Files\nod32 2007-06-27 09:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Backup 2007-06-26 
22:54 <DIR> d-------- C:\Program Files\Common Files\Panda Software 2007-06-26 22:52 <DIR> d-------- C:\WINDOWS\network diagnostic 2007-06-26 22:30 <DIR> d-------- C:\Program Files\Windows Media Connect 2 2007-06-26 22:27 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF 2007-06-26 22:27 <DIR> d-------- C:\Program Files\Windows Defender 2007-06-26 22:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage 2007-06-26 13:37 <DIR> d-------- C:\WINDOWS\system32\LogFiles 2007-06-20 01:20 <DIR> d-------- C:\Program Files\Common Files\Logitech (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-05 05:37:49 825 --sha-w C:\WINDOWS\system32\mmf.sys 2007-06-27 14:43:05 -------- d--h--w C:\Program Files\InstallShield Installation Information 2007-06-27 13:32:13 -------- d-----w C:\Program Files\Norton AntiVirus 2007-06-27 13:31:00 -------- d-----w C:\Program Files\Common Files\Symantec Shared 2007-06-15 12:01:24 -------- d-----w C:\Program Files\QuickTime 2007-06-15 11:54:53 -------- d-----w C:\Program Files\BitComet 2007-05-19 15:50:37 -------- d-----w C:\DOCUME~1\a\APPLIC~1\Media Player Classic 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2007-05-08 20:03:37 -------- d-----w C:\Program Files\VideoLAN 2007-05-08 19:59:58 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll 2007-05-01 03:57:50 1,152 ----a-w C:\WINDOWS\system32\windrv.sys 2007-05-01 03:34:13 3,340 ----a-w C:\WINDOWS\system32\tmp.reg 2007-04-28 17:28:35 249,856 ------w C:\WINDOWS\Setup1.exe 2007-04-28 17:28:34 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE 2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll 2007-04-24 20:56:53 48,640 ----a-w C:\WINDOWS\mmfs.dll 2007-04-24 20:56:53 2,560 ----a-w C:\WINDOWS\Runservice.exe 2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll 2007-04-17 02:45:54 1,710,936 ----a-w 
C:\WINDOWS\system32\wuaueng.dll 2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll 2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll 2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll 2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll 2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe 2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] 2001-04-16 19:39 37808 --a------ C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}] 2007-04-29 05:29 394816 --a------ C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}] 2007-03-14 06:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}] 2006-07-07 15:29 324416 --a------ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-22 00:10] "CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-06-14 08:00] "CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2004-08-19 21:14] "EzButton"="C:\Program Files\EzButton\EzButton.EXE" [2004-05-13 22:29] "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 04:46] "TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-03-14 23:17] "NDSTray.exe"="NDSTray.exe" [] "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 17:47] "LtMoh"="C:\\Program 
Files\\ltmoh\\Ltmoh.exe" [2003-09-26 18:43] "LVCOMS"="C:\Program Files\Common Files\Logitech\PDDriver\LVCOMS.EXE" [2002-04-05 16:35] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20] "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-27 11:23] "SNM"="C:\Program Files\SpyNoMore\SNM.exe" [2006-03-13 13:11] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 22:05] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitwarePKLite] C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] Usnsvc usnsvc Contents of the 'Scheduled Tasks' folder 2007-06-18 22:20:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job 2007-07-05 05:40:43 C:\WINDOWS\tasks\MP Scheduled Scan.job ************************************************************************** catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-05 10:33:21 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-07-05 10:33:55 C:\ComboFix-quarantined-files.txt ... 2007-07-05 10:33 C:\ComboFix2.txt ... 2007-07-04 19:10 --- E O F --- Virus Total Virus total would not upload my file. It would keep saying the page cannot be found. I uploaded it to a similar site: http://virusscan.jotti.org/ Here is the log from that. 
A-Squared - Found nothing
AntiVir - Found nothing
ArcaVir - Found nothing
Avast - Found nothing
AVG Antivirus - Found nothing
BitDefender - Found nothing
ClamAV - Found nothing
Dr.Web - Found nothing
F-Prot Antivirus - Found nothing
F-Secure Anti-Virus - Found nothing
Fortinet - Found nothing
Kaspersky Anti-Virus - Found nothing
NOD32 - Found nothing
Norman Virus Control - Found nothing
Panda Antivirus - Found nothing
Rising Antivirus - Found nothing
Sophos Antivirus - Found nothing
VirusBuster - Found nothing
VBA32 - Found nothing

HJT

Logfile of HijackThis v1.99.1
Scan saved at 11:04:30 AM, on 7/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Common Files\Logitech\PDDriver\LVCOMS.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\a\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.78.117.240:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [LtMoh] C:\\Program Files\\ltmoh\\Ltmoh.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\PDDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Thanks, John.
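A HijackThis log is plain text with a fixed prefix per entry type (R0/R1 for browser settings, O2 for BHOs, O4 for autostarts, O9 for IE buttons, O23 for services), so the first pass a helper does by eye can be scripted. The script below is an added example, not part of this thread and not HijackThis code. It parses those prefixes and flags what a helper reads first: a proxy set in R1 (this log still carries `200.78.117.240:3128`; if John did not configure it himself it should be cleared), unnamed or missing-file BHOs in O2, O4 autostarts given as a bare filename rather than a full path, and O23 services with no publisher string. The sample input is constructed from entries in the log above plus one made-up BHO line (all-zero GUID, `example.dll`) so the missing-file rule has something to match; severities are triage hints, not verdicts.

```python
"""Triage helper for HijackThis logs (added example; not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: entries from the log posted above, plus one made-up
# BHO line (all-zero GUID, example.dll) so the missing-file rule has a hit.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.78.117.240:3128
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\example.dll (file missing)
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# "R1 - body", "O4 - body", ...; header and process-list lines never match
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# O4 registry autostart as HijackThis prints it: HKLM\..\Run: [Name] command
O4_RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# command that starts with a drive letter or an environment variable (optionally quoted)
ABS_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%\w+%\\)')

SEVERITY_RANK = {"info": 0, "review": 1}


@dataclass
class Finding:
    section: str
    severity: str
    reasons: List[str]
    line: str


def _reasons(section: str, body: str) -> Dict[str, str]:
    """Map each rule that fires on one entry to its severity."""
    hits: Dict[str, str] = {}
    if section == "R1" and "ProxyServer" in body:
        hits["proxy configured; confirm you set it, otherwise clear it"] = "review"
    if section == "O2" and body.startswith("BHO: (no name)"):
        hits["BHO with no name"] = "review"
    if "(file missing)" in body:
        # A dead registration matters for a BHO, Winlogon notify or service;
        # for an IE toolbar button it is usually just leftover clutter.
        hits["registered file is missing"] = "review" if section in ("O2", "O20", "O23") else "info"
    if section == "O4":
        m = O4_RUN_RE.match(body)
        if m and not ABS_PATH_RE.match(m.group("cmd")):
            hits["bare filename, resolved through the search path; verify which file runs"] = "info"
    if section == "O23" and "Unknown owner" in body:
        hits["service binary carries no publisher string; verify it"] = "info"
    return hits


def triage(log_text: str) -> List[Finding]:
    """One Finding per flagged entry, carrying the strongest severity that fired."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        hits = _reasons(m.group("section"), m.group("body"))
        if hits:
            severity = max(hits.values(), key=SEVERITY_RANK.__getitem__)
            findings.append(Finding(m.group("section"), severity, list(hits), line))
    return findings


def report(findings: List[Finding]) -> str:
    out = []
    for f in sorted(findings, key=lambda f: -SEVERITY_RANK[f.severity]):
        out.append(f"[{f.severity:6}] {f.section}: {'; '.join(f.reasons)}")
        out.append(f"         {f.line}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against the sample it reports two "review" entries (the R1 proxy and the constructed nameless BHO) and three "info" entries (`NDSTray.exe` started by bare name, the missing Messenger button, the LicCtrl service with no owner). The rules are deliberately conservative: an entry the script does not flag, such as the BitComet BHO in the log above, still needs the usual check of the file's publisher and path.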
It has gotten better. I'll do some tests later on tonight and see if I can get the problem to occur. Thanks for your help, I will post back here after I'm done. Just one more quick question. Do you know if LimeWire gives viruses? The only thing I'm downloading is music. Or is there a risk that I'll get them? Thanks, John
Hi John! There is always a risk that you'll get a virus by downloading something. I have seen a few times that a scanner has found something strange in an .mp3 file... That may be a false positive or some bug... But always be aware.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

* Disable and Enable System Restore - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point. You can find instructions on how to disable and re-enable System Restore here: Managing Windows Millennium System Restore or Windows XP System Restore Guide. Re-enable System Restore with the instructions from the tutorial above.

* Make your Internet Explorer more secure - This can be done by following these simple instructions:
  * From within Internet Explorer click on the Tools menu and then click on Options.
  * Click once on the Security tab.
  * Click once on the Internet icon so it becomes highlighted.
  * Click once on the Custom Level button.
  * Change "Download signed ActiveX controls" to Prompt.
  * Change "Download unsigned ActiveX controls" to Disable.
  * Change "Initialize and script ActiveX controls not marked as safe" to Disable.
  * Change "Installation of desktop items" to Prompt.
  * Change "Launching programs and files in an IFRAME" to Prompt.
  * Change "Navigate sub-frames across different domains" to Prompt.
  * When all these settings have been made, click on the OK button.
  * If it prompts you as to whether or not you want to save the settings, press the Yes button.
  * Next press the Apply button and then OK to exit the Internet Properties page.

* Use AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online and stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources

* Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

* Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly. For a tutorial on firewalls and a listing of some available ones see the link below: Understanding and Using Firewalls

* Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

* Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot. A tutorial on installing and using this product can be found here: Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

* Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware and hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software. A tutorial on installing and using this product can be found here: Instructions for - Spybot S & D and Ad-aware

* Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial on installing and using this product can be found here: Using SpywareBlaster to protect your computer from Spyware and Malware

* Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:

* IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.

* MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

* Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.

* Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference! The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected In the First Place?

Glad I was able to help. Happy surfing and stay clean!
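The six Internet Explorer zone settings in the post above are click-through instructions, which makes them easy to skip and hard to verify later. The script below is an added example, not from the original post. It maps each setting to its registry value under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (the Internet zone) using the value names Microsoft documents for the IE security-zone registry entries (KB 182569: 1001, 1004, 1201, 1800, 1804, 1607; each holds 0 = Enable, 1 = Prompt, 3 = Disable), audits a snapshot of the current values against what the post asks for, and on Windows can read and write the live values. `audit()` works on a plain dict so it runs anywhere; the constructed snapshot in `__main__` is made-up data for the non-Windows case.

```python
"""Audit, and on Windows optionally apply, the IE Internet-zone settings listed above
(added example; not from the original post)."""
import sys
from typing import Dict, Optional, Tuple

# Internet zone (3) under HKEY_CURRENT_USER; value names and action codes as
# documented by Microsoft for the IE security-zone registry entries (KB 182569).
ZONE_INTERNET = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable", None: "not set"}

# Setting as named in the IE dialog -> (registry value name, action the post asks for)
REQUIRED: Dict[str, Tuple[str, int]] = {
    "Download signed ActiveX controls": ("1001", PROMPT),
    "Download unsigned ActiveX controls": ("1004", DISABLE),
    "Initialize and script ActiveX controls not marked as safe": ("1201", DISABLE),
    "Installation of desktop items": ("1800", PROMPT),
    "Launching programs and files in an IFRAME": ("1804", PROMPT),
    "Navigate sub-frames across different domains": ("1607", PROMPT),
}


def audit(current: Dict[str, int]) -> Dict[str, Tuple[Optional[int], int]]:
    """Return {setting: (current_action, required_action)} for each setting that is
    weaker than the post asks for. Enable (0) < Prompt (1) < Disable (3), so the
    action code doubles as a strictness rank. An unset value is reported too: the
    zone then falls back to whatever template IE ships with, which is not verified."""
    weak: Dict[str, Tuple[Optional[int], int]] = {}
    for setting, (value_name, required) in REQUIRED.items():
        cur = current.get(value_name)
        if cur is None or cur < required:
            weak[setting] = (cur, required)
    return weak


def read_current() -> Dict[str, int]:
    """Read the six values from the current user's Internet zone (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("read_current() needs the Windows registry")
    import winreg
    out: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_INTERNET, 0, winreg.KEY_READ) as key:
        for value_name, _required in REQUIRED.values():
            try:
                out[value_name], _type = winreg.QueryValueEx(key, value_name)
            except FileNotFoundError:
                pass  # value absent: audit() reports it as "not set"
    return out


def apply_required() -> None:
    """Write the required actions as REG_DWORD values for the current user (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("apply_required() needs the Windows registry")
    import winreg
    with winreg.CreateKeyEx(winreg.HKEY_CURRENT_USER, ZONE_INTERNET, 0, winreg.KEY_SET_VALUE) as key:
        for value_name, required in REQUIRED.values():
            winreg.SetValueEx(key, value_name, 0, winreg.REG_DWORD, required)


def format_report(weak: Dict[str, Tuple[Optional[int], int]]) -> str:
    if not weak:
        return "all six settings are at or above the recommended level"
    return "\n".join(
        f"{setting}: is {LABEL.get(cur, str(cur))}, should be {LABEL[req]}"
        for setting, (cur, req) in weak.items()
    )


if __name__ == "__main__":
    if sys.platform == "win32":
        snapshot = read_current()
    else:
        # Constructed snapshot for demonstration off Windows: three settings too weak.
        snapshot = {"1001": ENABLE, "1004": ENABLE, "1201": DISABLE,
                    "1800": PROMPT, "1804": ENABLE, "1607": DISABLE}
    print(format_report(audit(snapshot)))
```

Two caveats when using it on a real machine: the values are per user, so run it as the account that browses, and if an administrator has set the `Security_HKLM_only` value under HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings, IE reads the zone settings from HKLM instead and the HKCU values audited here are ignored.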