Cyber Tech Help Support Forums > Software > Malware Removal
#1  December 25th, 2007, 09:49 AM
justme568 (Member, Join Date: Dec 2007, Posts: 48)
Help please: Moved from XP by Murray

I have a problem. My messengers and most of my start up items have been deleted. I've tried running anti virus things, and AVG just found some things but it didn't fix them earlier. Should AVG take care of this problem or am I going to have to find my restore disks?
#2  December 25th, 2007, 09:51 AM
justme568
It didn't; it deleted one of them and left 4 untouched.
#3  December 25th, 2007, 09:57 AM
justme568
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:55:36 AM, on 12/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cp\catserv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\EACCEL~1\Station\station.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Documents and Settings\Justin Nyle Holt\Desktop\aswclnr.exe
C:\Documents and Settings\Justin Nyle Holt\Desktop\aswclnr.tmp
C:\Documents and Settings\Justin Nyle Holt\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gaiaonline.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D5F41F66-0DCE-4CEE-BA7D-D6F5C419845C} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CATTRAY] C:\Program Files\cp\cattray.exe
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\RunOnce: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus /ro
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user')
O4 - Global Startup: Bluetooth Monitor.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://test.update.microsoft.com/mic...?1175195710078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://test.update.microsoft.com/mic...?1175195604312
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://rpm.cnsres.muskingum.edu/CAT/CNICAT.cab
O20 - Winlogon Notify: awttuvw - awttuvw.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CATPRO Service (catservice) - AllSecure Networks - C:\Program Files\cp\catserv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14328 bytes
#4  December 25th, 2007, 03:05 PM
w1che (Senior Member, Join Date: Sep 2000, Location: St Louis, MO)
You need to post your log file in Cyber Safety. That's where the experts are that you need to help you... Here: http://www.cybertechhelp.com/forums/...splay.php?f=25
#5  December 26th, 2007, 01:37 AM
Jintan (Cyber Tech Help Moderator, Join Date: Dec 2004)
Welcome to CTH justme568. The log shows some serious infection there. That removed startup is unclear just yet - some malware replaces legit startups with its own files, and then it is possible some scan tool there removed that. But let's do some steps and check after to see. You also have too much protective software loaded with AVG and StopSign, so need to uninstall one of those. The choice might be made easier if you read this information, which discusses the history and known problems with eAcceleration's software. Hopefully it wasn't involved in creating problems already. If you choose you can uninstall any listings for StopSign/eAcceleration through Add/Remove Programs now.

Once you have done that please reboot. Then let's do other removal steps.

First you need to disable Windows Defender, as it may interfere with repairs.

* Click Start > Programs > Windows Defender or launch from the system tray icon.
* Click on Tools & Settings > Options.
* Under Real-time protection options, uncheck the "Real-time protection" check box.
* Click Save.
* Go to Start > Control Panel > Security > Windows Defender, at the bottom of the Window Defenders page uncheck under Administrator Options "use Windows Defender" and then Save.
* (When we are done, you can re-enable Defender using the same steps but this time place a check next to "Turn on real-time protection" check box.)

Also disable AVG while these steps are being done.

Then Download ComboFix.exe from here to your desktop, and click the downloaded file to run the repair.

When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

(ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver. For this run ComboFix will also suspend your net connection - if this does not return after running this go to Start - Settings - Network Connections, right click your Internet Connection and select Repair, or reboot the computer to reset the connection if needed).

Post back the C:\ComboFix.txt log as well as a new HijackThis log please.
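The point Jintan makes above (malware that replaces legitimate startups with its own files, orphaned load points, unsigned services) can be checked mechanically. The following triage script is an added example written for this page, not a tool from the thread or from Trend Micro or ComboFix; the rule names and the Finding structure are my own, and the sample lines are copied from the HijackThis log and the ComboFix "Files Created" listing posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: entries copied from the HijackThis log and the
# ComboFix "Files Created" listing posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D5F41F66-0DCE-4CEE-BA7D-D6F5C419845C} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: awttuvw - awttuvw.dll (file missing)
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
2007-12-24 02:00 . 2007-12-24 02:00 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-25 09:30 . 2007-12-25 09:30 <DIR> d-------- C:\Program Files\Western Digital Technologies
"""

# HijackThis entry: "<section> - <body>", e.g. "O2 - BHO: name - {CLSID} - path"
HJT_ENTRY_RE = re.compile(r'^(?P<section>[RFNO]\d+)\s+-\s+(?P<body>.+)$')
# ComboFix "Files Created" row: "<created> . <modified> <size|<DIR>> <attrs> <path>"
COMBOFIX_FILE_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+'
    r'(?:<DIR>|[\d,]+)\s+\S+\s+(?P<path>.+)$')
MISSING_RE = re.compile(r'\((?:file missing|no file)\)', re.IGNORECASE)
# "ctfmon .exe" is a different file from "ctfmon.exe" but reads the same
# at a glance in most listings; the space before the extension gives it away.
LOOKALIKE_RE = re.compile(r'[\w~-]+\s+\.(?:exe|dll|sys|scr)\b', re.IGNORECASE)
# Sections that name a module IE or Windows loads at startup or logon.
MODULE_SECTIONS = {'O2', 'O3', 'O20', 'O21'}


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, or 'file' for a ComboFix row
    rule: str
    line: str


def lookalike_name(path: str) -> bool:
    """True when a file name carries whitespace before its extension."""
    return LOOKALIKE_RE.search(path) is not None


def triage_hjt(section: str, body: str, line: str) -> List[Finding]:
    """Apply the triage rules to one parsed HijackThis entry."""
    findings = []
    if section in MODULE_SECTIONS and MISSING_RE.search(body):
        # A load point whose module is gone: either a leftover of a partial
        # clean-up or a module the scanner could not see on disk.
        findings.append(Finding(section, 'load point references a missing module', line))
    if section == 'O20':
        # Winlogon Notify / AppInit_DLLs run in every logon session; always review.
        findings.append(Finding(section, 'Winlogon Notify or AppInit load point', line))
    if section == 'O23' and 'Unknown owner' in body:
        findings.append(Finding(section, 'service without a publisher', line))
    if lookalike_name(body):
        findings.append(Finding(section, 'space before file extension', line))
    return findings


def triage_line(line: str) -> List[Finding]:
    """Classify one log line; unrecognised lines produce no findings."""
    line = line.rstrip()
    m = HJT_ENTRY_RE.match(line)
    if m:
        return triage_hjt(m.group('section'), m.group('body'), line)
    m = COMBOFIX_FILE_RE.match(line)
    if m and lookalike_name(m.group('path')):
        return [Finding('file', 'space before file extension', line)]
    return []


def triage_log(text: str) -> List[Finding]:
    """Run every line of a pasted log through triage_line."""
    findings: List[Finding] = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == '__main__':
    for f in triage_log(SAMPLE_LOG):
        print(f'[{f.section}] {f.rule}: {f.line}')
```

The rules only prioritise entries for a human to check; a hit is a prompt to look up the publisher and the file on disk, not a verdict.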
#6  December 26th, 2007, 06:41 AM
justme568
Here's the combofix log:
ComboFix 07-12-26.3 - Justin Nyle Holt 2007-12-26 0:27:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.420 [GMT -5:00]
Running from: C:\Documents and Settings\Justin Nyle Holt\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\qpqss.ini
C:\WINDOWS\system32\qpqss.ini2

.
((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.

2007-12-25 14:45 . 2007-12-25 14:45 <DIR> d-------- C:\Documents and Settings\Justin Nyle Holt\Application Data\Uniblue
2007-12-25 14:35 . 2007-12-06 18:12 110,592 --a------ C:\WINDOWS\system32\SynTPCo4.dll
2007-12-25 14:23 . 2007-12-25 14:23 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2007-12-25 14:22 . 2007-12-25 14:23 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-12-25 14:22 . 2007-12-25 14:22 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-12-25 14:16 . 2007-12-25 14:24 <DIR> d-------- C:\Program Files\Windows Live
2007-12-25 14:16 . 2007-12-25 14:19 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-25 14:15 . 2007-12-25 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-25 10:24 . 2007-12-25 10:25 67 --a------ C:\WINDOWS\swupdate.INI
2007-12-25 09:30 . 2007-12-25 09:30 <DIR> d-------- C:\Program Files\Western Digital Technologies
2007-12-24 02:00 . 2007-12-24 02:00 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-24 01:58 . 2007-12-25 01:48 118,784 --a------ C:\WINDOWS\system32\igfxpers .exe
2007-12-24 01:58 . 2007-12-25 01:48 98,304 --a------ C:\WINDOWS\system32\igfxtray .exe
2007-12-24 01:58 . 2007-12-25 01:48 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2007-12-23 03:21 . 2007-12-23 03:21 28,932 --a------ C:\barsettingx.~dat
2007-12-23 03:09 . 2007-12-23 03:09 <DIR> d-------- C:\Program Files\Magic Music Studio Pro
2007-12-10 04:10 . 2007-12-10 04:10 <DIR> d-------- C:\Program Files\Rouge-Guild
2007-12-03 05:24 . 2007-12-03 20:25 1,890 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-03 05:24 . 2007-12-03 05:24 56 -r-hs---- C:\WINDOWS\system32\CE560AA6B5.sys
2007-12-03 05:23 . 2007-12-03 05:23 <DIR> d-------- C:\Program Files\Enterbrain
2007-12-03 05:22 . 2007-12-03 05:22 <DIR> d-------- C:\Program Files\Common Files\Enterbrain

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 05:33 --------- d-----w C:\Documents and Settings\Justin Nyle Holt\Application Data\uTorrent
2007-12-25 21:35 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-12-25 20:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-25 19:40 --------- d-----w C:\Program Files\Google
2007-12-25 19:34 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-25 19:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-12-25 19:24 --------- d-----w C:\Program Files\Yahoo!
2007-12-25 19:20 --------- d-----w C:\Program Files\MSN Messenger
2007-12-25 19:19 --------- d-----w C:\Program Files\AIM6
2007-12-25 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-25 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-25 11:54 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-25 06:57 --------- d-----w C:\Program Files\Windows Defender
2007-12-25 06:57 --------- d-----w C:\Program Files\cp
2007-12-25 06:48 --------- d-----w C:\Program Files\Microsoft Works
2007-12-24 00:32 --------- d-----w C:\Documents and Settings\Justin Nyle Holt\Application Data\AVG7
2007-12-21 19:42 --------- d-----w C:\Program Files\uTorrent
2007-12-15 19:45 --------- d-----w C:\Program Files\Gpotato
2007-12-12 04:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-06 22:41 220,032 ----a-w C:\WINDOWS\system32\drivers\SynTP.sys
2007-12-01 02:32 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-24 00:14 --------- d-----w C:\Program Files\The Weather Channel FW
2007-11-23 22:05 --------- d-----w C:\Program Files\DAMN NFO Viewer
2007-11-22 08:44 --------- d-----w C:\Program Files\TOSHIBA
2007-11-22 08:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-22 07:58 --------- d-----w C:\Program Files\Combined Community Codec Pack
2007-11-22 07:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\River Past G5
2007-11-22 07:20 --------- d-----w C:\Program Files\River Past
2007-11-22 07:18 --------- d-----w C:\Documents and Settings\Justin Nyle Holt\Application Data\River Past G5
2007-11-19 07:51 --------- d-----w C:\Program Files\Microsoft Games
2007-11-16 16:23 --------- d-----w C:\Documents and Settings\Justin Nyle Holt\Application Data\Screenshot Studio Files
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 15:15 --------- d--h--r C:\Documents and Settings\Justin Nyle Holt\Application Data\yahoo!
2007-11-09 15:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-06 07:40 --------- d-----w C:\Program Files\iTunes
2007-11-06 07:39 --------- d-----w C:\Program Files\iPod
2007-11-06 07:38 --------- d-----w C:\Program Files\QuickTime
2007-11-05 01:51 --------- d-----w C:\Program Files\Riva
2007-11-05 01:51 --------- d-----w C:\Program Files\Common Files\SWF Studio
2007-11-03 03:29 --------- d-----w C:\Program Files\Maxis
2007-11-02 05:06 --------- d-----w C:\Program Files\Common Files\PocketSoft
2007-11-02 02:06 --------- d-----w C:\Program Files\AutoMacroRecorder
2007-11-02 01:50 --------- d-----w C:\Program Files\YRefresher
2007-10-29 03:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2007-10-23 22:06 585,728 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-10-08 12:29 1,759,744 ----a-w C:\Documents and Settings\Justin Nyle Holt\Neuz.exe
2004-09-03 03:12 370,688 ----a-w C:\Documents and Settings\Justin Nyle Holt\mss32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5F41F66-0DCE-4CEE-BA7D-D6F5C419845C}]
C:\WINDOWS\system32\ssqpq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-12-18 14:04]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-03-11 18:03 C:\WINDOWS\system32\TDispVol.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 16:56]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 09:29 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"TPSMain"="TPSMain.exe" [2005-06-01 00:00 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []
"CATTRAY"="C:\Program Files\cp\cattray.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-25 16:20]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 17:20]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 03:18]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-26 11:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Monitor.lnk - C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe [2007-11-22 03:43:44]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-02-15 11:31:42]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}"= C:\WINDOWS\system32\awttuvw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awttuvw]
awttuvw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Odometer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Odometer.lnk
backup=C:\WINDOWS\pss\Odometer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Justin Nyle Holt^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Justin Nyle Holt\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2007-05-10 21:46 624248 --a------ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
2007-03-20 15:40 1884160 --a------ C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootSkin Startup Jobs]
C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe /StartupJobs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-02 18:36 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
2005-09-18 17:40 1421824 --a------ C:\Program Files\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-06-14 17:32 132760 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
C:\Program Files\Zune\ZuneLauncher.exe

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 03:05]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Gpotato\Flyff\GameGuard\dump_wmimmc.sys []
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2004-05-17 15:18]
Start Pending2 catservice;CATPRO Service;C:\Program Files\cp\catserv.exe [2007-09-23 17:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f7625b3-71c7-11dc-a233-00130216c921}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-22 02:46:44 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-26 05:04:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-12-26 05:38:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 00:36:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\catservice]
"ImagePath"="C:\Program Files\cp\catserv.exe /startedbyscm:58859EE1-40E2E001-catservice"
.
Completion time: 2007-12-26 0:39:05 - machine was rebooted
.
2007-12-20 23:24:41 --- E O F ---
#7
Old December 26th, 2007, 06:42 AM
justme568
Member
 
Join Date: Dec 2007
Posts: 48
and here's hijacker:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:41:22 AM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cp\catserv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Justin Nyle Holt\Desktop\Games\My Things\Anti-Virus\New Folder\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {D5F41F66-0DCE-4CEE-BA7D-D6F5C419845C} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CATTRAY] C:\Program Files\cp\cattray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user')
O4 - Global Startup: Bluetooth Monitor.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://test.update.microsoft.com/mic...?1175195710078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://test.update.microsoft.com/mic...?1175195604312
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://rpm.cnsres.muskingum.edu/CAT/CNICAT.cab
O20 - Winlogon Notify: awttuvw - awttuvw.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CATPRO Service (catservice) - AllSecure Networks - C:\Program Files\cp\catserv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 13098 bytes
#8
Old December 26th, 2007, 06:51 AM
justme568
Member
 
Join Date: Dec 2007
Posts: 48
Oh, and I deleted stopsign. It was the 4 untouched viruses that AVG found.
#9
Old December 26th, 2007, 05:08 PM
Jintan
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
Looks like some infection had been removed, and now ComboFix has done more as well. You have Viewpoint software showing there. As the next scan to use here includes them as adware to remove, it's best if you go to Add/Remove Programs and uninstall all Viewpoint items listed first.


Once you have done that Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:
File::
C:\barsettingx.~dat
C:\WINDOWS\system32\ssqpq.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5F41F66-0DCE-4CEE-BA7D-D6F5C419845C}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awttuvw]
Save this as "CFScript"

(include the "quotation marks" with the name)




Referring to the picture above, drag CFScript.txt into ComboFix.exe

ComboFix will now run as it did before. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

-----------------------
Go here and download the free version of SUPERAntiSpyware and install it.

After installation accept any prompts to allow SUPERAntiSpyware to install the latest infection definition files. Next follow the prompts to complete the installation. For now, uncheck the option to have SUPERAntiSpyware "Automatically check for program and definition updates". Providing an email address and allowing the software to send diagnostic reports to its research center are up to you. Do NOT allow SUPERAntiSpyware to Protect your Home Page settings.

Once the installation is complete open SUPERAntiSpyware and press the Preferences button. Under the General and Startup tab, uncheck the following (leaving all other settings as is).

Start-up Options:
*Start SUPERAntiSpyware when Windows starts

Automatic Updates:
*Check for program updates when the application starts.
Start-up Scanning:
*Check for updates before scanning on startup.

Then select Close. Don't scan just yet though.


Also Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.

===============================================


Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).


Open SUPERAntiSpyware and click the Scan your Computer button. You may need to start SUPERAntiSpyware, then right click the Taskbar icon (the little bug shaped icon) and select "Scan for Spyware, Adware, Malware..." to access the scan panel. Making sure that Fixed Drive (NTFS) is checked (typically the C Drive), check "Perform Complete Scan", then click Next. SUPERAntiSpyware will now complete a system scan.


SUPERAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found. Make sure that they all have a check next to them and click next. If prompted allow the reboot (or manually reboot at this time), and after the reboot open SUPERAntiSpyware again (double click the bug-shaped Taskbar icon).

Click Preferences, then under the Statistics/Logs tab, click to select the most recent Scan Log, then click View Log. Save the log to your desktop, and copy/paste the text from the log back here along with the ComboFix.txt log and a new HijackThis log please.
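As an added example (not code from this thread or from the HijackThis/ComboFix authors), a small Python script that applies the rule behind the CFScript above: it reads HijackThis O2 and O20 lines, flags registrations whose DLL is gone, and renders the orphaned ones in the Registry:: notation the post uses. The regexes, the Finding class and the function names are this example's own; the sample lines are copied from the HijackThis log posted earlier in the thread.

```python
"""Triage HijackThis O2/O20 entries whose DLL no longer exists.

Added example, not part of the thread. Regexes, the Finding class and the
function names are this example's own; the sample lines are a constructed
subset of the HijackThis log posted above.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the posted HijackThis log (raw string so
# the Windows backslashes survive unchanged).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D5F41F66-0DCE-4CEE-BA7D-D6F5C419845C} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: awttuvw - awttuvw.dll (file missing)
"""

# HijackThis line shapes for the two sections the CFScript above touches.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<target>.*)$")

# Registry locations written the way the post's CFScript writes them:
# "[-key]" removes the key, and "~" is the shorthand that script uses for
# the Explorer path under HKEY_LOCAL_MACHINE.
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects\%s"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\%s"


@dataclass
class Finding:
    section: str      # "O2" or "O20"
    identifier: str   # BHO CLSID (with braces) or Winlogon Notify subkey
    target: str       # DLL exactly as HijackThis printed it
    orphaned: bool    # True when the DLL is gone but the registration remains


def is_missing(target: str) -> bool:
    """HijackThis marks a dangling registration as '(no file)' or '... (file missing)'."""
    t = target.strip().lower()
    return t == "(no file)" or t.endswith("(file missing)")


def triage(log_text: str) -> List[Finding]:
    """Return O2 entries that are orphaned or unnamed, and orphaned O20 entries."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            name, clsid, target = m.group("name", "clsid", "target")
            orphaned = is_missing(target)
            if orphaned or name == "(no name)":
                findings.append(Finding("O2", "{%s}" % clsid, target, orphaned))
            continue
        m = O20_RE.match(line)
        if m and is_missing(m.group("target")):
            findings.append(Finding("O20", m.group("key"), m.group("target"), True))
    return findings


def cfscript_candidates(findings: List[Finding]) -> List[str]:
    """Render orphaned findings as Registry:: lines in the post's CFScript format.

    This is a candidate list for the helper reviewing the log; in this thread
    the moderator chose only the ssqpq.dll BHO and the awttuvw Notify entry.
    """
    lines = []
    for f in findings:
        if not f.orphaned:
            continue
        key = BHO_KEY % f.identifier if f.section == "O2" else NOTIFY_KEY % f.identifier
        lines.append("[-%s]" % key)
    return lines


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f.section, f.identifier, "orphaned" if f.orphaned else "unnamed", f.target)
    print("\n".join(cfscript_candidates(found)))
```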
#10
Old December 27th, 2007, 08:38 AM
justme568
Member
 
Join Date: Dec 2007
Posts: 48
Here's the first combofix log:
ComboFix 07-12-26.3 - Justin Nyle Holt 2007-12-27 2:32:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.432 [GMT -5:00]
Running from: C:\Documents and Settings\Justin Nyle Holt\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Justin Nyle Holt\Desktop\CFScript
* Created a new restore point

FILE
C:\barsettingx.~dat
C:\WINDOWS\system32\ssqpq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\barsettingx.~dat

.
((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.

2007-12-27 02:29 . 2007-12-27 02:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-27 02:29 . 2007-12-27 02:29 <DIR> d-------- C:\Documents and Settings\Justin Nyle Holt\Application Data\SUPERAntiSpyware.com
2007-12-27 02:29 . 2007-12-27 02:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-27 02:28 . 2007-12-27 02:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-25 14:45 . 2007-12-25 14:45 <DIR> d-------- C:\Documents and Settings\Justin Nyle Holt\Application Data\Uniblue
2007-12-25 14:35 . 2007-12-06 18:12 110,592 --a------ C:\WINDOWS\system32\SynTPCo4.dll
2007-12-25 14:23 . 2007-12-25 14:23 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2007-12-25 14:22 . 2007-12-25 14:23 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-12-25 14:22 . 2007-12-25 14:22 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-12-25 14:16 . 2007-12-25 14:24 <DIR> d-------- C:\Program Files\Windows Live
2007-12-25 14:16 . 2007-12-25 14:19 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-25 14:15 . 2007-12-25 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-25 10:24 . 2007-12-25 10:25 67 --a------ C:\WINDOWS\swupdate.INI
2007-12-25 09:30 . 2007-12-25 09:30 <DIR> d-------- C:\Program Files\Western Digital Technologies
2007-12-24 02:00 . 2007-12-24 02:00 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-24 01:58 . 2007-12-25 01:48 118,784 --a------ C:\WINDOWS\system32\igfxpers .exe
2007-12-24 01:58 . 2007-12-25 01:48 98,304 --a------ C:\WINDOWS\system32\igfxtray .exe
2007-12-24 01:58 . 2007-12-25 01:48 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2007-12-23 03:09 . 2007-12-23 03:09 <DIR> d-------- C:\Program Files\Magic Music Studio Pro
2007-12-10 04:10 . 2007-12-10 04:10 <DIR> d-------- C:\Program Files\Rouge-Guild
2007-12-03 05:24 . 2007-12-03 20:25 1,890 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-03 05:24 . 2007-12-03 05:24 56 -r-hs---- C:\WINDOWS\system32\CE560AA6B5.sys
2007-12-03 05:23 . 2007-12-03 05:23 <DIR> d-------- C:\Program Files\Enterbrain
2007-12-03 05:22 . 2007-12-03 05:22 <DIR> d-------- C:\Program Files\Common Files\Enterbrain

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-27 07:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-27 07:19 --------- d-----w C:\Program Files\Viewpoint
2007-12-26 20:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-26 05:33 --------- d-----w C:\Documents and Settings\Justin Nyle Holt\Application Data\uTorrent
2007-12-25 21:35 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-12-25 19:40 --------- d-----w C:\Program Files\Google
2007-12-25 19:34 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-25 19:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-12-25 19:24 --------- d-----w C:\Program Files\Yahoo!
2007-12-25 19:20 --------- d-----w C:\Program Files\MSN Messenger
2007-12-25 19:19 --------- d-----w C:\Program Files\AIM6
2007-12-25 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-25 11:54 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-25 06:57 --------- d-----w C:\Program Files\Windows Defender
2007-12-25 06:57 --------- d-----w C:\Program Files\cp
2007-12-25 06:48 --------- d-----w C:\Program Files\Microsoft Works
2007-12-24 00:32 --------- d-----w C:\Documents and Settings\Justin Nyle Holt\Application Data\AVG7
2007-12-21 19:42 --------- d-----w C:\Program Files\uTorrent
2007-12-15 19:45 --------- d-----w C:\Program Files\Gpotato
2007-12-12 04:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-06 22:41 220,032 ----a-w C:\WINDOWS\system32\drivers\SynTP.sys
2007-12-06 22:20 147,456 ----a-w C:\WINDOWS\system32\SynTPAPI.dll
2007-12-06 22:09 196,608 ----a-w C:\WINDOWS\system32\SynCtrl.dll
2007-12-06 22:08 163,840 ----a-w C:\WINDOWS\system32\SynCOM.dll
2007-12-01 02:32 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-24 00:14 --------- d-----w C:\Program Files\The Weather Channel FW
2007-11-23 22:05 --------- d-----w C:\Program Files\DAMN NFO Viewer
2007-11-22 08:44 --------- d-----w C:\Program Files\TOSHIBA
2007-11-22 08:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-22 08:22 36,734 ----a-w C:\WINDOWS\system32\OggDSuninst.exe
2007-11-22 07:58 --------- d-----w C:\Program Files\Combined Community Codec Pack
2007-11-22 07:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\River Past G5
2007-11-22 07:20 --------- d-----w C:\Program Files\River Past
2007-11-22 07:18 --------- d-----w C:\Documents and Settings\Justin Nyle Holt\Application Data\River Past G5
2007-11-19 07:51 --------- d-----w C:\Program Files\Microsoft Games
2007-11-16 16:23 --------- d-----w C:\Documents and Settings\Justin Nyle Holt\Application Data\Screenshot Studio Files
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 15:15 --------- d--h--r C:\Documents and Settings\Justin Nyle Holt\Application Data\yahoo!
2007-11-09 15:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-06 07:40 --------- d-----w C:\Program Files\iTunes
2007-11-06 07:39 --------- d-----w C:\Program Files\iPod
2007-11-06 07:38 --------- d-----w C:\Program Files\QuickTime
2007-11-05 01:51 --------- d-----w C:\Program Files\Riva
2007-11-05 01:51 --------- d-----w C:\Program Files\Common Files\SWF Studio
2007-11-03 03:29 --------- d-----w C:\Program Files\Maxis
2007-11-02 05:06 --------- d-----w C:\Program Files\Common Files\PocketSoft
2007-11-02 02:06 --------- d-----w C:\Program Files\AutoMacroRecorder
2007-11-02 01:50 --------- d-----w C:\Program Files\YRefresher
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 03:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-23 22:06 585,728 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-10-22 07:39 267,272 ----a-w C:\WINDOWS\system32\xactengine2_10.dll
2007-10-22 07:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-18 16:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
2007-10-12 19:14 3,734,536 ----a-w C:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 19:14 1,374,232 ----a-w C:\WINDOWS\system32\D3DCompiler_36.dll
2007-10-08 12:29 1,759,744 ----a-w C:\Documents and Settings\Justin Nyle Holt\Neuz.exe
2007-10-02 13:56 444,776 ----a-w C:\WINDOWS\system32\d3dx10_36.dll
2004-09-03 03:12 370,688 ----a-w C:\Documents and Settings\Justin Nyle Holt\mss32.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-26_ 0.38.17.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-27 07:29:13 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-12-27 07:29:13 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-12-27 07:29:13 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-12-18 14:04]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-03-11 18:03 C:\WINDOWS\system32\TDispVol.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 16:56]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 09:29 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"TPSMain"="TPSMain.exe" [2005-06-01 00:00 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []
"CATTRAY"="C:\Program Files\cp\cattray.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-25 16:20]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 17:20]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 03:18]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-26 11:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Monitor.lnk - C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe [2007-11-22 03:43:44]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-02-15 11:31:42]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Odometer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Odometer.lnk
backup=C:\WINDOWS\pss\Odometer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Justin Nyle Holt^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Justin Nyle Holt\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2007-05-10 21:46 624248 --a------ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
2007-03-20 15:40 1884160 --a------ C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootSkin Startup Jobs]
C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe /StartupJobs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-02 18:36 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
2005-09-18 17:40 1421824 --a------ C:\Program Files\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-06-14 17:32 132760 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
C:\Program Files\Zune\ZuneLauncher.exe

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 03:05]
R2 catservice;CATPRO Service;C:\Program Files\cp\catserv.exe [2007-09-23 17:05]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Gpotato\Flyff\GameGuard\dump_wmimmc.sys []
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2004-05-17 15:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f7625b3-71c7-11dc-a233-00130216c921}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - SASDIFSV
*Newly Created Service* - SASENUM
*Newly Created Service* - SASKUTIL
.
Contents of the 'Scheduled Tasks' folder
"2007-12-22 02:46:44 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-27 07:04:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-12-27 07:05:04 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-27 02:37:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\catservice]
"ImagePath"="C:\Program Files\cp\catserv.exe /startedbyscm:58859EE1-40E2E001-catservice"
.
Completion time: 2007-12-27 2:37:41
C:\ComboFix2.txt ... 2007-12-26 00:39
.
2007-12-20 23:24:41 --- E O F ---
#11
December 27th, 2007, 05:34 PM
Jintan
Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 52,284
Post back the other requested logs and we'll review after that.
#12
December 27th, 2007, 06:18 PM
justme568
Member
Join Date: Dec 2007
Posts: 48
Here's the superantispyware log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/27/2007 at 03:57 AM

Application Version : 3.9.1008

Core Rules Database Version : 3369
Trace Rules Database Version: 1365

Scan type : Complete Scan
Total Scan Time : 01:09:47

Memory items scanned : 177
Memory threats detected : 0
Registry items scanned : 7293
Registry threats detected : 5
File items scanned : 37522
File threats detected : 1

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}
HKCR\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}
HKCR\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}\InprocServer32
HKCR\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWTTUVW.DLL
HKCR\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}
#13
December 27th, 2007, 06:19 PM
justme568
Member
Join Date: Dec 2007
Posts: 48
Here's the hijackthis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:18:31 PM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cp\catserv.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Justin Nyle Holt\Desktop\Games\My Things\Anti-Virus\New Folder\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CATTRAY] C:\Program Files\cp\cattray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Bluetooth Monitor.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://test.update.microsoft.com/mic...?1175195710078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://test.update.microsoft.com/mic...?1175195604312
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://rpm.cnsres.muskingum.edu/CAT/CNICAT.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CATPRO Service (catservice) - AllSecure Networks - C:\Program Files\cp\catserv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 12700 bytes
#14
December 27th, 2007, 06:23 PM
justme568
Member
Join Date: Dec 2007
Posts: 48
Sorry I didn't post them all at the same time. I fell asleep while the superantivirus was making its scan.
#15
December 27th, 2007, 10:28 PM
Jintan
Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 52,284
Things are looking good so far. One unknown startup that shows now with no file being found that perhaps you can provide info on:

"CATTRAY"="C:\Program Files\cp\cattray.exe" []

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\catservice]
"ImagePath"="C:\Program Files\cp\catserv.exe /startedbyscm:58859EE1-40E2E001-catservice"

The log shows many startups disabled through msconfig, though none appear to be infection items. These should all be re-enabled at least once to do a complete cleaning here, and also one additional scan based on the active file Super picked up.


Go to Start - Run, type msconfig (and Enter).

Under the Startup tab, click Enable All, then Apply/OK to close msconfig. Allow the reboot at this time. You can expect to receive alerts/error messages at reboot after this, but we will be addressing all this during the repairs.

After the reboot run and post back new ComboFix and HijackThis logs.


Also go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.

To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)", and post that log as well please.
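As an added example (not code from this thread, from ComboFix or from its author): a small Python parser for the msconfig startup section that ComboFix dumps in the log above, so a reviewer can list which startup items msconfig has disabled before re-enabling them and spot entries listed with an empty "[]" file stamp, the form the moderator points out for cattray.exe. The sample log text, the regex names and the StartupEntry class are my own; the sample is constructed to match the format shown above.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format ComboFix uses above for msconfig-disabled
# startups: startupfolder keys with path=/backup= lines, startupreg keys
# followed by a stamped file line, a bare command, or a trailing "[...]".
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Odometer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Odometer.lnk
backup=C:\WINDOWS\pss\Odometer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-02 18:36 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Example Missing]
C:\Program Files\example\missing.exe []
"""

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\"
                    r"msconfig\\(startupfolder|startupreg)\\(.+)\]$", re.IGNORECASE)
# "YYYY-MM-DD HH:MM <size> <attrs> <path>": ComboFix located and stamped the file.
STAMPED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+\S{9}\s+(.+)$")
# Trailing "[...]"; an empty "[]" is the form the moderator flags for cattray.exe.
TRAILER_RE = re.compile(r"^(.*?)\s*\[([^\]]*)\]$")


@dataclass
class StartupEntry:
    kind: str                   # "startupfolder" or "startupreg"
    name: str                   # shortcut file name or Run value name
    command: str = ""           # path / command line as listed
    stamp: str = ""             # date, time and size when ComboFix stamped the file
    file_missing: bool = False  # bare "[]" trailer: no file details were found


def parse_msconfig_section(text):
    """Return a StartupEntry for every msconfig-disabled item in the log text."""
    entries, current = [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = KEY_RE.match(line)
        if m:
            kind, name = m.group(1).lower(), m.group(2)
            if kind == "startupfolder":
                name = name.split("^")[-1]  # keep only the .lnk file name
            current = StartupEntry(kind=kind, name=name)
            entries.append(current)
        elif current is None:
            continue
        elif current.kind == "startupfolder":
            if line.startswith("path="):
                current.command = line[len("path="):]  # backup= lines are skipped
        elif (m := STAMPED_RE.match(line)):
            current.stamp, current.command = f"{m.group(1)} {m.group(2)}", m.group(3)
        elif (m := TRAILER_RE.match(line)):
            current.command, current.stamp = m.group(1), m.group(2).strip()
            current.file_missing = not current.stamp
        else:
            current.command = line  # bare command line, no stamp
    return entries


def summarize(entries):
    """Return (number of disabled startups, names ComboFix found no file for)."""
    return len(entries), [e.name for e in entries if e.file_missing]


if __name__ == "__main__":
    found = parse_msconfig_section(SAMPLE_LOG)
    for e in found:
        print(f"{e.kind:13} {e.name:16} {e.command}  [{'no file' if e.file_missing else e.stamp}]")
    print(summarize(found))
```

Paste the real log's msconfig section into SAMPLE_LOG's place to get the list of items that "Enable All" will bring back.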
All times are GMT +1. The time now is 03:32 AM.