I am having quite a time trying to repair my mothers laptop! It was infected with several worms and viruses which I have cleared as far as i can tell (one was vundo and also some variant of the winantispyware)

The problems I am having are that certain keys on the keyboard work intermittently (sometimes they work but for the most part they do not)

One of the keys that does not function is the “period” key The numbers do not work either and it seems that there is a stuck shift key because the symbols above the numbers work

I have removed the shift keys and cleaned under them as well as under the keys that seem to be affected but this did not correct the problem

Plugging in an external keyboard has the same result so it does not appear to be a hardware issue

Some other anomalies are that the computer totally skips the BIOS stage when booting so I cannot boot from safe mode Also when I try to type in a website in the url bar of a browser (firefox or ie) a dot net is added When I click an icon on the desktop every single icon is highlighted and then the computer bogs itself down while it executes every program that highlighted itself!

When I run a virus scan< I have to click rapidly on the “scan” or “start” button or else the program errors out or freezes so I have to shut it down and restart it (the program not the computer)

I am sure that the list of symptoms is longer but I cannot remember all of them right now

i would really appreciate any help I can get as these issues are about to drive me crazy I downloaded hijack this so I can post a log file if need be

Thank you!

Yes, please post the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:22:35 AM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\B’SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\TASKMGR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

i had to divide this into two posts sorry!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM..\Run: [TFNF5] TFNF5.exe
O4 - HKLM..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM..\Run: [TPSMain] TPSMain.exe
O4 - HKLM..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM..\Run: [B’sCLiP] C:\PROGRA~1\B’SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM..\Run: [AirCardEnabler] C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [gcasServ] “C:\Program Files\Microsoft AntiSpyware\gcasServ.exe”
O4 - HKLM..\Run: [type32] “C:\Program Files\Microsoft IntelliType Pro\type32.exe”
O4 - HKLM..\Run: [horygyxi] C:\Program Files\WindowsUpdate\horygyxi22011.exe
O4 - HKLM..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM..\Run: [TFncKy] TFncKy.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU..\Run: [SpySweeper] “C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe” /0
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘Default user’)
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: j2 DllCmd 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: j2 Live Menu 3.2.lnk = C:\Program Files\j2 Messenger 3.2\J2GDllCmd.exe
O4 - Global Startup: j2 Tray Menu 3.2.lnk = C:\Program Files\j2 Messenger 3.2\J2GTray.exe
O4 - Global Startup: j2 Tray Menu 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page… - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - AppInit_DLLs: c:\windows\system32\jkhebcy.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

End of file - 11293 bytes

Hi, you have a very old version of java, which we can take care of. You alos have two antivirus programs, you should uninstall one.

This file is a tad suspicious so we’ll check it at virustotal.

Please submit these files for analysis

To submit a file to virustoal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\Program Files\WindowsUpdate\horygyxi22011.exe

scroll down a bit and click “send file”, wait for the results and post then in your next reply.

There is also what appears to be vundo. So get yourself down to one antivirus and we’ll start cleaning this up.

Hi Meeme,

Before following oldman’s advice further, do the following:
Download Superantispyware (SAS) free home version

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new HijackThis log.

This can take considerable time, but it is worth it,

polonus

Sorry I have not replied sooner
We had our internet knocked out from the strong storms

Here is the log from Super Anti Spyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/09/2008 at 03:10 AM

Application Version : 3.9.1008

Core Rules Database Version : 3399
Trace Rules Database Version: 1391

Scan type : Complete Scan
Total Scan Time : 00:51:01

Memory items scanned : 474
Memory threats detected : 0
Registry items scanned : 6194
Registry threats detected : 0
File items scanned : 39600
File threats detected : 0

SAS didn’t find anything but it is in your HJT log.

Did you submit the file to virustotal as in my previous post?

How about your antvirus, do you still have both installed?

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix’s window while its running. That may cause it to stall.

I can’t upload it to virustotal. When I try to browse for it, the folder is hidden and does not show up. I have tried to make the folder visible, but using this option does nothing.

Also, I am unable to type in the folder location manually, as it contains both numbers and a forward slash. (Incidentally, I am typing this from my work computer, so I am able to use numbers and punctuation.)

I also cannot highlight a single word or file name. When I try, the item I want to highlight plus everything beyond it gets highlighted. Also, the cut and past commands do not operate correctly every time. I knew that there was more to the problem, but could not remember in my first post.

As per your instructions, I removed AVG and the old Microsoft Anti-spyware that was out of date.

Is there another way for me to upload to virustotal? For instance, can I write the folder to a disk and use my work computer without the fear that it too will be corrupted.

As soon as I get home from work I will download combofix and post the results.

Thanks so much for your help! I really appreciate it.

Ok, I’d rather not transfer it to another computer as we don’t know what it is.

If I can find the batch file we can do it that way. i’ll post it as soon as I can locate it. My computer is a mess right now, thing saved all over.

Please set your folder options like this and try to submit the file again.

At the top of windows explorer, click tools, folder options, click the
view tab

check Show hidden files and folders
uncheck “Hide extensions for known file types” box
uncheck “Hide protecting operating system files” box

Given some of the other problems you have going on, I’d like you to download an run this program as well and post the log. Please run it before combofix.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

After running that scan, suddenly all of the annoying symptoms have cleared up and even the punctuation and number keys are working again.

Deckard’s System Scanner v20071014.68
Run by Carrie on 2008-02-10 02:50:22
Computer is in Normal Mode.

– System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable…success.

– Last 1 Restore Point(s) –
1: 2008-02-10 07:50:28 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).

– HijackThis (run as Carrie.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:14 AM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\B’SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Carrie\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Carrie.exe

Part 2 of the log:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM..\Run: [TFNF5] TFNF5.exe
O4 - HKLM..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM..\Run: [TPSMain] TPSMain.exe
O4 - HKLM..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM..\Run: [B’sCLiP] C:\PROGRA~1\B’SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM..\Run: [AirCardEnabler] C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [gcasServ] “C:\Program Files\Microsoft AntiSpyware\gcasServ.exe”
O4 - HKLM..\Run: [type32] “C:\Program Files\Microsoft IntelliType Pro\type32.exe”
O4 - HKLM..\Run: [horygyxi] C:\Program Files\WindowsUpdate\horygyxi22011.exe
O4 - HKLM..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM..\Run: [TFncKy] TFncKy.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU..\Run: [SpySweeper] “C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe” /0
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: j2 DllCmd 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: j2 Live Menu 3.2.lnk = C:\Program Files\j2 Messenger 3.2\J2GDllCmd.exe
O4 - Global Startup: j2 Tray Menu 3.2.lnk = C:\Program Files\j2 Messenger 3.2\J2GTray.exe
O4 - Global Startup: j2 Tray Menu 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page… - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - AppInit_DLLs: c:\windows\system32\jkhebcy.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

Part 3 of the log:

–
End of file - 10464 bytes

– File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe,2
.js - JSFile - shell\open\command - “C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe” “%1”

– Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BsStor (B.H.A Storage Helper Driver) - c:\windows\system32\drivers\bsstor.sys <Not Verified; B.H.A Co.,Ltd.; >
R0 TVALZ (TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Driver) - c:\windows\system32\drivers\tvalz.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Common Modules>
R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.2.1.0) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.2>
R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface>
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
R3 tsdhd (TOSHIBA SD Card Host Controller Driver) - c:\windows\system32\drivers\tsdhd.sys <Not Verified; TOSHIBA Corporation; SD Card Driver Set>
R4 BsUDF (B.H.A UDF Filesystem) - c:\windows\system32\drivers\bsudf.sys <Not Verified; B.H.A Co.,Ltd.; UDF File System Driver (WindowsXP)>

S0 szkg - c:\windows\system32\drivers\szkg.sys (file missing)
S3 catchme - c:\docume~1\carrie\locals~1\temp\catchme.sys (file missing)
S3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
S3 HSFHWCD2 - c:\windows\system32\drivers\hsfhwcd2.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
S3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>

– Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree™>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 RegSrvc - c:\windows\system32\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 Swupdtmr - c:\toshiba\ivp\swupdate\swupdtmr.exe

– Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\4F5FF13900
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\4F5FF13900
Service: NIC1394

– Scheduled Tasks -------------------------------------------------------------

2008-01-11 15:00:05 410 --a------ C:\WINDOWS\Tasks\Norton Security Scan.job
2008-01-07 19:14:00 434 --a------ C:\WINDOWS\Tasks\WebReg 20040630191426.job
2007-12-22 19:20:00 346 --a------ C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1087946104.job

– Files created between 2008-01-10 and 2008-02-10 -----------------------------

2008-02-09 16:32:52 0 d-------- C:\Documents and Settings\Carrie.housecall6.6
2008-02-09 16:30:40 0 d-------- C:\WINDOWS\LastGood
2008-02-05 14:06:00 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-05 14:05:47 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-05 14:05:46 0 d-------- C:\Documents and Settings\Carrie\Application Data\SUPERAntiSpyware.com
2008-02-05 13:56:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-30 03:40:56 0 d-------- C:\Program Files\Trend Micro

– Find3M Report ---------------------------------------------------------------

2008-02-09 12:29:08 0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-02-05 14:02:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-25 19:27:24 0 d-------- C:\Program Files\SpywareBlaster
2008-01-20 01:33:24 0 d-------- C:\Program Files\Winamp
2008-01-15 10:11:12 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-11 03:58:42 0 d-------- C:\Program Files\Norton Security Scan
2008-01-09 13:29:10 0 d-------- C:\Program Files\Google
2008-01-05 15:55:20 0 d-------- C:\Program Files\Juno
2007-12-29 16:15:57 0 d–h----- C:\Program Files\InstallShield Installation Information

Part 4 of the log:

– Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“00THotkey”=“C:\WINDOWS\System32\00THotkey.exe” [04/15/2003 11:01 PM]
“000StTHK”=“000StTHK.exe” [06/23/2001 11:28 PM C:\WINDOWS\system32\000StTHK.exe]
“SunJavaUpdateSched”=“C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe” [02/06/2004 07:31 PM]
“AGRSMMSG”=“AGRSMMSG.exe” [04/18/2003 02:20 PM C:\WINDOWS\agrsmmsg.exe]
“SynTPLpr”=“C:\Program Files\Synaptics\SynTP\SynTPLpr.exe” [05/30/2003 10:25 PM]
“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [05/30/2003 10:23 PM]
“TouchED”=“C:\Program Files\TOSHIBA\TouchED\TouchED.Exe” [01/21/2003 09:00 PM]
“TFNF5”=“TFNF5.exe” [07/18/2003 08:41 PM C:\WINDOWS\system32\TFNF5.exe]
“ezShieldProtector for Px”=“C:\WINDOWS\System32\ezSP_Px.exe” [08/20/2002 01:29 PM]
“TPSMain”=“TPSMain.exe” [09/25/2003 01:19 PM C:\WINDOWS\system32\TPSMain.exe]
“Pinger”=“c:\toshiba\ivp\ism\pinger.exe” [10/20/2003 11:39 AM]
“B’sCLiP”=“C:\PROGRA~1\B’SCLI~1\Win2K\BSCLIP.exe” [02/04/2004 08:43 AM]
“PRONoMgr.exe”=“c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe” [12/10/2003 04:36 AM]
“SpyBlocker”=“C:\Program Files\SpyBlocker Software\spyblocker.exe”
“AirCardEnabler”=“C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe” [10/09/2003 04:20 PM]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [08/18/2004 09:34 AM]
“gcasServ”=“C:\Program Files\Microsoft AntiSpyware\gcasServ.exe” [06/24/2005 02:24 PM]
“type32”=“C:\Program Files\Microsoft IntelliType Pro\type32.exe” [06/03/2004 03:51 AM]
“horygyxi”=“C:\Program Files\WindowsUpdate\horygyxi22011.exe”
“Picasa Media Detector”=“C:\Program Files\Picasa2\PicasaMediaDetector.exe” [02/04/2005 06:32 PM]
“NvCplDaemon”=“C:\WINDOWS\System32\NvCpl.dll” [09/24/2003 09:00 PM]
“SigmaTel StacMon”=“C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe” [08/03/2003 07:01 PM]
“TFncKy”=“TFncKy.exe”
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [12/04/2007 08:00 AM]
“KernelFaultCheck”=“C:\WINDOWS\system32\dumprep 0 -k”
“WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [01/15/2008 05:54 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“TOSCDSPD”=“C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe” [09/05/2003 06:24 AM]
“SpySweeper”=“C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe”
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [08/04/2004 02:56 AM]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe”
“SUPERAntiSpyware”=“C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [06/21/2007 02:06 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [6/13/2004 8:15:19 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 4:44:06 AM]
HP Digital Imaging Monitor.lnk.disabled [6/2/2007 6:01:28 PM]
j2 DllCmd 4.0.lnk - C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe [1/20/2006 7:38:46 PM]
j2 Live Menu 3.2.lnk - C:\Program Files\j2 Messenger 3.2\J2GDllCmd.exe [6/10/2004 1:39:44 PM]
j2 Tray Menu 3.2.lnk - C:\Program Files\j2 Messenger 3.2\J2GTray.exe [6/10/2004 1:38:26 PM]
j2 Tray Menu 4.0.lnk - C:\Program Files\j2 Messenger 4.0\J2GTray.exe [1/20/2006 7:38:47 PM]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [8/6/2003 4:23:32 PM]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2/6/2004 7:53:02 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\System32\LgNotify.dll 12/16/2003 06:49 PM 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
“appinit_dlls”=c:\windows\system32\jkhebcy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@=“Service”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@=“Volume shadow copy”

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
“swg”=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
“spc_w”=“C:\Program Files\JUSearch\juspc.exe” -w

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
“HP Software Update”=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
“CamMonitor”=C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
“TomcatStartup”=C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
“HPLJ Config”=C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p DOT4_002 -pn “hp LaserJet 1010 Series Driver” -n 0 -l 1033 -sl 120000
“nwiz”=nwiz.exe /installquiet
“Share-to-Web Namespace Daemon”=C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
“StatusClient”=C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

– End of Deckard’s System Scanner: finished at 2008-02-10 02:56:11 ------------

Some of these scanners try to correct some things as they scan.

We still have some more to do, there is evidence of a couple of nasties. Please submit that file to virustotal as per earlier instructions and run combofix.

Please ensure windows firewall is turned on if you do not have a third party firewall installed. It will do for now.

As usual I seem to have spoken too soon
I did try to upload the file twice last night after replying to your previous message
The first time it said that zero bites had uploaded which I assume means that the upload was unsuccessful
The second time I tried to upload the file seemed to be gone! It is not there but the file still shows up in the log
Also this morning when I opened the laptop there were more than a hundred applications open and more attempting to start
I was unable to do anything and so I had to reboot now I am back to this (essentially where we started I think)

I am at a loss This thing is nastier than I could ever have imagined

Don’t worry about trying to submit the file for now.

I think you had a file running from a temp location and DSS cleaned out the temp files, so some of you problems where temporarily fixed.

Please run combofix and post the log.

Thanks

ComboFix 08-02.05.3 - Carrie 2008-02-10 17:28:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.101 [GMT -5:00]
Running from: C:\Documents and Settings\Carrie\Desktop\ComboFix.exe

• Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-10 02:49 . 2008-02-10 02:49 d-------- C:\Deckard
2008-02-09 16:32 . 2008-02-09 16:36 d-------- C:\Documents and Settings\Carrie.housecall6.6
2008-02-05 14:06 . 2008-02-05 14:06 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-05 14:05 . 2008-02-09 16:29 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-05 14:05 . 2008-02-05 14:05 d-------- C:\Documents and Settings\Carrie\Application Data\SUPERAntiSpyware.com
2008-02-05 13:56 . 2008-02-05 13:56 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-30 03:40 . 2008-01-30 03:40 d-------- C:\Program Files\Trend Micro
2008-01-30 01:38 . 2007-10-10 18:55 63,488 -----c— C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-20 01:29 . 2007-03-07 18:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-01-20 01:29 . 2007-03-07 18:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-20 01:29 . 2007-03-07 18:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 22:27 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-02-10 19:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-05 19:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 00:27 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-20 06:33 --------- d-----w C:\Program Files\Winamp
2008-01-09 18:29 --------- d-----w C:\Program Files\Google
2008-01-05 20:55 --------- d-----w C:\Program Files\Juno
2007-12-30 18:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Musicnotes
2007-12-29 21:15 --------- d–h–w C:\Program Files\InstallShield Installation Information
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2005-06-30 02:47 192,424 -c–a-w C:\Documents and Settings\Carrie\Application Data\GDIPFONTCACHEV1.DAT
2005-05-12 13:43 184,680 -c–a-w C:\Documents and Settings\Carrie\Application Data\shb.dat
2005-04-24 23:34 92,047 ----a-w C:\Documents and Settings\Carrie\png2ico-win-2002-12-08.zip
2005-02-16 11:59 12,930,019 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_02_16_06_05_29.dmp.zip
2005-02-16 11:05 12,930,601 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_02_16_05_42_42.dmp.zip
2005-02-16 10:42 12,933,522 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_02_16_05_31_30.dmp.zip
2005-02-16 10:31 12,933,017 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_02_15_23_16_02.dmp.zip
2005-02-11 14:22 140,288 -c–a-w C:\WINDOWS\Internet Logs\xDB43.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“TOSCDSPD”=“C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe” [2003-09-05 06:24 65536]
“SpySweeper”=“C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe”
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 02:56 15360]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe”
“SUPERAntiSpyware”=“C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“00THotkey”=“C:\WINDOWS\System32[u]0[/u]0THotkey.exe” [2003-04-15 23:01 258048]
“000StTHK”=“000StTHK.exe” [2001-06-23 23:28 24576 C:\WINDOWS\system32[u]0[/u]00StTHK.exe]
“SunJavaUpdateSched”=“C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe” [2004-02-06 19:31 32881]
“AGRSMMSG”=“AGRSMMSG.exe” [2003-04-18 14:20 88363 C:\WINDOWS\agrsmmsg.exe]
“SynTPLpr”=“C:\Program Files\Synaptics\SynTP\SynTPLpr.exe” [2003-05-30 22:25 110592]
“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2003-05-30 22:23 614400]
“TouchED”=“C:\Program Files\TOSHIBA\TouchED\TouchED.Exe” [2003-01-21 21:00 126976]
“TFNF5”=“TFNF5.exe” [2003-07-18 20:41 73728 C:\WINDOWS\system32\TFNF5.exe]
“ezShieldProtector for Px”=“C:\WINDOWS\System32\ezSP_Px.exe” [2002-08-20 13:29 40960]
“TPSMain”=“TPSMain.exe” [2003-09-25 13:19 278528 C:\WINDOWS\system32\TPSMain.exe]
“Pinger”=“c:\toshiba\ivp\ism\pinger.exe” [2003-10-20 11:39 159744]
“B’sCLiP”=“C:\PROGRA~1\B’SCLI~1\Win2K\BSCLIP.exe” [2004-02-04 08:43 1409024]
“PRONoMgr.exe”=“c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe” [2003-12-10 04:36 86016]
“SpyBlocker”=“C:\Program Files\SpyBlocker Software\spyblocker.exe”
“AirCardEnabler”=“C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe” [2003-10-09 16:20 163840]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2004-08-18 09:34 98304]
“gcasServ”=“C:\Program Files\Microsoft AntiSpyware\gcasServ.exe” [2005-06-24 14:24 473928]
“type32”=“C:\Program Files\Microsoft IntelliType Pro\type32.exe” [2004-06-03 03:51 172032]
“horygyxi”=“C:\Program Files\WindowsUpdate\horygyxi22011.exe”
“Picasa Media Detector”=“C:\Program Files\Picasa2\PicasaMediaDetector.exe” [2005-02-04 18:32 135168]
“NvCplDaemon”=“C:\WINDOWS\System32\NvCpl.dll” [2003-09-24 21:00 4861952]
“SigmaTel StacMon”=“C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe” [2003-08-03 19:01 86073]
“TFncKy”=“TFncKy.exe”
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 08:00 79224]
“WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [2008-01-15 17:54 37376]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-06-13 20:15:19 98304]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
HP Digital Imaging Monitor.lnk.disabled [2007-06-02 18:01:28 1842]
j2 DllCmd 4.0.lnk - C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe [2006-01-20 19:38:46 107008]
j2 Live Menu 3.2.lnk - C:\Program Files\j2 Messenger 3.2\J2GDllCmd.exe [2004-06-10 13:39:44 17408]
j2 Tray Menu 3.2.lnk - C:\Program Files\j2 Messenger 3.2\J2GTray.exe [2004-06-10 13:38:26 39936]
j2 Tray Menu 4.0.lnk - C:\Program Files\j2 Messenger 4.0\J2GTray.exe [2006-01-20 19:38:47 500224]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 16:23:32 51776]

part 2:

RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-02-06 19:53:02 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\System32\LgNotify.dll 2003-12-16 18:49 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
“AppInit_DLLs”=c:\windows\system32\jkhebcy.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
“swg”=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
“spc_w”=“C:\Program Files\JUSearch\juspc.exe” -w

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
“HP Software Update”=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
“CamMonitor”=C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
“TomcatStartup”=C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
“HPLJ Config”=C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p DOT4_002 -pn “hp LaserJet 1010 Series Driver” -n 0 -l 1033 -sl 120000
“nwiz”=nwiz.exe /installquiet
“Share-to-Web Namespace Daemon”=C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
“StatusClient”=C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2004-02-04 04:08]
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2003-05-14 20:38]
R4 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys [2004-02-02 22:05]
S3 AIR555;Sierra Wireless AirCard 555 NIC + Modem (NIC Interface);C:\WINDOWS\system32\DRIVERS\air555.sys [2003-09-16 11:47]
S3 HSFHWCD2;HSFHWCD2;C:\WINDOWS\system32\DRIVERS\HSFHWCD2.sys [2004-04-27 13:23]
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2003-02-12 12:03]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the ‘Scheduled Tasks’ folder
“2007-12-23 00:20:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1087946104.job”

• C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
  “2008-01-08 00:14:00 C:\WINDOWS\Tasks\WebReg 20040630191426.job”
• C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exeX/TaskName 20040630191426 /N
  .

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 17:34:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

.
Completion time: 2008-02-10 17:38:01
.
2008-02-09 21:33:26 — E O F —

Hi, sorry about the delay, but I’m but to my butt in snow.

Now to your problem. If I’ve got this straight, you left the laptop running and it went into hibernation, you open it and all h— had broke loose. If that’s the case let’s take care of one thing that may be the source of some of this.

Open the Windows Control Panel
Double-click Power Options

Click the Hibernate tab, uncheck the ‘Enable hibernate support’ check box, and then click Apply.

Restart your computer. We can re-enable it when we are done.

Please rename combofix.exe to bugout.exe When I ask you to run combofix, run the renamed exe.

Now we find we this ones living.

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File

[Search]

catchme.sys

[Exclude]

[Options]
Filter=KVDLUI

2. Download Registry Search to your desktop.
[*]Right click on the compressed RegSearch folder, and choose “Extract All”. In the box that pops open, click “Next”, then “Next” again, and then “Finish”. You now have another RegSearch folder on your desktop.
[*]Open the new folder, and double click on regsearch.exe
[*]Click “Import” in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
[]Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
[] Please reply here with the entire contents of the Notepad file from RegSearch

NOTE: it’s important to get this imformation before running avenger. If you are not sure that you set it up right or are having problems, please do not hesitate to ask.

Now let’s see if we can get this guy’s attention.

Please download The Avenger by Swandog46 to your Desktop.

1.[*]Click on Avenger.zip to open the file[*]Extract avenger.exe to your desktop

Do not run it yet fiirst do this

Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM..\Run: [horygyxi] C:\Program Files\WindowsUpdate\horygyxi22011.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - AppInit_DLLs: c:\windows\system32\jkhebcy.dll

Close all other browsers/windows, click fix, close HJT.

Now for Avenger

[QUOTE]Drivers to unload:
catchme

Files to delete:
c:\docume~1\carrie\locals~1\temp\catchme.sys
c:\windows\system32\jkhebcy.dll
[/quote]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
2. Now, start The Avenger program by clicking on its icon on your desktop.
[*] Under “Script file to execute” choose “Input Script Manually”.
[*]Now click on the Magnifying Glass icon which will open a new window titled “View/edit script”
[*] Copy/Paste [b]all[b] the text in the above quote box into this window by
[*] MAKE SURE THE TEXT MATCHES EXACTLY
[*] Click Done
[*] Now click on the Green Light to begin execution of the script
[*] Answer “Yes” twice when prompted.
3. The Avenger will automatically do the following:
[*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Unload”, The Avenger will actually restart your system twice.)
[*]On reboot, it will briefly open a black command window on your desktop, this is normal.
[*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt

4. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log

Then run the renamed combofix, followed by DSS. Please post the avenger results, the combofix and DSS logs, and the registry search results.

You can attach the logs by using the additional options button on the reply page. You may have to scroll down to see the browse button.