Multiple problems with virus and avast program

2nd part of HJT log:

C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Works\wkswp.exe
C:\Program Files\Microsoft Works\WkDStore.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\Program Files\Microsoft Works\wkswp.exe
C:\Documents and Settings\Jon Faulkner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [TFncKy] TFncKy.exe
O4 - HKLM..\Run: [TPSMain] TPSMain.exe
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM..\Run: [CFSServ.exe] CFSServ.exe -NoClient

3rd part of HJT log:

O4 - HKLM..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.sonypictures.com/games/zuma/popcaploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe


End of file - 10562 bytes
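An added example, not part of this thread and not HijackThis or ComboFix code: a small Python parser for the O4 Run-key and O23 service lines of a HijackThis log that applies the checks a helper makes by eye on a log like the one above. It flags Run entries that give only a bare file name (resolved through the normal search order rather than a fixed path, as with AGRSMMSG.exe and TFncKy.exe), entries launching from a user profile or Temp directory, and services HijackThis reports as "Unknown owner" (the binary carries no company version information). The sample lines are copied from the log above, except the [Cleanup] entry, which is a constructed, hypothetical Run value modelled on the "Windows cannot find ...\Temp\uninstall.exe" logon error reported later in the thread.

```python
import re

# Constructed sample: the lines below are copied from the HijackThis log in
# this thread, except the [Cleanup] line, which is hypothetical and modelled
# on the "Windows cannot find ...\Temp\uninstall.exe" logon error.
SAMPLE_HJT = r"""
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [TFncKy] TFncKy.exe
O4 - HKLM..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [Cleanup] C:\DOCUME~1\LOCALS~1\Temp\uninstall.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# O4 Run-key entries: "O4 - HKLM..\Run: [ValueName] command line"
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 services: "O23 - Service: Display name (ShortName) - Company - path"
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# The executable part of a command line: optional opening quote, then up to the first ".exe"
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)\b', re.IGNORECASE)

# Directories a persistent autostart has no business launching from.
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\", "\\locals~1\\",
                   "\\documents and settings\\", "\\docume~1\\")


def parse_hjt(text):
    """Turn O4 Run-key and O23 service lines into dicts; other line types are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            exe_m = EXE_RE.match(m.group("cmd"))
            entries.append({"kind": "run", "hive": m.group("hive"),
                            "name": m.group("name"), "cmd": m.group("cmd"),
                            "exe": exe_m.group("exe") if exe_m else None})
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append({"kind": "service", "name": m.group("name"),
                            "owner": m.group("owner"), "path": m.group("path")})
    return entries


def triage(entries):
    """Return (entry name, reason) pairs for the entries a helper would look at first."""
    findings = []
    for e in entries:
        if e["kind"] == "run":
            exe = e["exe"]
            if exe is None:
                findings.append((e["name"], "no .exe target could be parsed from the command"))
            elif "\\" not in exe:
                # e.g. AGRSMMSG.exe: no directory given, so Windows locates it through
                # the normal search order instead of a fixed path; check where it resolves.
                findings.append((e["name"], "bare file name, resolved through the search order"))
            elif any(d in exe.lower() for d in SUSPICIOUS_DIRS):
                findings.append((e["name"], "runs from a user profile or Temp directory"))
        elif e["kind"] == "service" and e["owner"].lower() == "unknown owner":
            # HijackThis prints "Unknown owner" when the binary has no company version info.
            findings.append((e["name"], "service binary has no company information"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_hjt(SAMPLE_HJT)):
        print(f"{name:20} {reason}")
```

On the sample above the script reports AGRSMMSG and TFncKy (bare names), Cleanup (Temp directory) and Swupdtmr (unknown owner) and stays quiet on the fully pathed vendor entries; a flagged entry is a starting point for verification, not a verdict, as the AGRSMMSG case shows (the ComboFix log later resolves it to C:\WINDOWS\agrsmmsg.exe).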

Okay, it’s back in the chest, but I will include it in the fix, just in case there is another instance.

Do you know anything about this program?

C:\Program Files\vmntoolbar

did you download and install it?

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt”. Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\system32\susp32.exe
C:\FXTS2Install.EXE
C:\WINDOWS\system32\users32.dat

This will start ComboFix again. Close all browsers/windows first. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

ComboFix 07-12-31.4 - Jon Faulkner 2008-01-01 21:59:19.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.121 [GMT -6:00]
Running from: C:\Documents and Settings\Jon Faulkner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jon Faulkner\Desktop\CFscript.txt

* Created a new restore point

FILE
C:\FXTS2Install.EXE
C:\WINDOWS\system32\susp32.exe
C:\WINDOWS\system32\users32.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FXTS2Install.EXE
C:\WINDOWS\system32\users32.dat

.
((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
.

2008-01-01 16:18 . 2008-01-01 16:18 d--h----- C:\WINDOWS\PIF
2007-12-31 20:23 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 14:34 . 2007-12-31 14:34 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-31 14:33 . 2007-12-31 17:47 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-31 14:33 . 2007-12-31 14:33 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 14:33 . 2007-12-31 14:33 d-------- C:\Documents and Settings\Jon Faulkner\Application Data\SUPERAntiSpyware.com
2007-12-30 22:26 . 2007-12-30 22:26 d-------- C:\Program Files\Alwil Software
2007-12-30 22:26 . 2007-12-04 07:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-30 22:26 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-30 22:26 . 2007-12-04 06:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-30 22:26 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-30 22:26 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-30 22:26 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-30 22:26 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-30 22:26 . 2007-12-04 08:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-30 22:02 . 2007-12-30 22:02 d-------- C:\Program Files\Windows Defender
2007-12-30 21:06 . 2007-12-30 21:06 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-25 12:39 . 2007-12-30 21:28 d-------- C:\Program Files\Photo Viewer
2007-12-20 21:06 . 2007-12-20 21:08 d-------- C:\Program Files\Motorola Phone Tools
2007-12-13 15:03 . 2007-12-13 15:03 98 --a------ C:\WINDOWS\WirelessFTP.INI
2007-12-06 21:21 . 2007-12-06 21:21 d-------- C:\Program Files\Apple Software Update
2007-12-06 21:20 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-12-06 20:56 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-06 20:56 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 03:52 42,040 ----a-w C:\Documents and Settings\Jon Faulkner\Application Data\wklnhst.dat
2008-01-02 02:21 --------- d-----w C:\Program Files\TrueAssistant
2007-12-31 19:19 1,443,343 ----a-w C:\WINDOWS\system32\ksvcl.dll
2007-12-31 19:17 26,290 ----a-w C:\WINDOWS\system32\kcopt.dll
2007-12-31 19:11 12,288 ----a-w C:\WINDOWS\system32\Dll.dll
2007-12-31 05:08 --------- d-----w C:\Program Files\vmntoolbar
2007-12-31 03:06 --------- d-----w C:\Program Files\Lavasoft
2007-12-28 21:07 --------- d-----w C:\Program Files\ltmoh
2007-12-28 21:05 94,208 ----a-w C:\WINDOWS\system32\igfxtray.exe
2007-12-28 21:05 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
2007-12-28 21:05 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
2007-12-28 03:24 --------- d-----w C:\Documents and Settings\Jon Faulkner\Application Data\Image Zone Express
2007-12-26 18:25 --------- d-----w C:\Documents and Settings\Jon Faulkner\Application Data\Vso
2007-12-21 03:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-12-21 03:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-21 03:05 24,192 -c--a-w C:\Documents and Settings\Jon Faulkner\usbsermptxp.sys
2007-12-21 03:05 22,768 -c--a-w C:\Documents and Settings\Jon Faulkner\usbsermpt.sys
2007-12-21 03:05 22,768 ----a-w C:\WINDOWS\system32\drivers\usbsermpt.sys
2007-12-20 03:13 --------- d-----w C:\Program Files\DVDFab Platinum 3
2007-12-08 07:01 --------- d-----w C:\Program Files\iTunes
2007-12-07 03:30 --------- d-----w C:\Documents and Settings\Jon Faulkner\Application Data\Apple Computer
2007-12-07 03:24 --------- d-----w C:\Program Files\iPod
2007-12-07 03:23 --------- d-----w C:\Program Files\QuickTime
2007-11-28 04:22 --------- d-----w C:\Program Files\STOPzilla!
2007-11-28 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-11-28 03:30 1,024 ----a-w C:\WINDOWS\system32\drivers\AF4DDDA4-BF0D-479B-A00D-F62E37030F0A.cxv
2007-11-28 03:27 2,048 ----a-w C:\WINDOWS\system32\drivers\1E648BC4-712E-4D9C-ABBE-BA2DE1381703.cxv
2007-11-28 02:38 --------- d-----w C:\Documents and Settings\Jon Faulkner\Application Data\Lavasoft
2007-11-28 02:23 75,800 ----a-w C:\WINDOWS\system32\kdhpm.exe
2007-11-26 11:12 --------- d-----w C:\Program Files\Logitech
2007-11-20 16:41 --------- d-----w C:\Program Files\CandleWorks
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-03 23:48 47,360 ----a-w C:\Documents and Settings\Jon Faulkner\Application Data\pcouffin.sys
2006-08-14 21:48 19 -c--a-w C:\Program Files\Answer.txt
2006-08-14 21:29 2,609 -c--a-w C:\Program Files\index.htm
2006-07-03 13:22 26,624 -c--a-w C:\Program Files\New President ask Resignations Supreme Justices…wps
.

((((((((((((((((((((((((((((( snapshot@2007-12-31_20.35.35.24 )))))))))))))))))))))))))))))))))))))))))
.

+ 2008-01-02 02:20:48 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-28 15:05 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-12-28 15:05 36864]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-28 15:05 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

2nd part ComboFix log:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2007-12-28 15:05 73728]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2005-08-10 12:23 356352]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-28 15:05 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-28 15:05 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-28 15:05 114688]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-12-28 15:05 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 17:17 88358 C:\WINDOWS\agrsmmsg.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-28 15:05 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-28 15:05 688218]
"TFncKy"="TFncKy.exe"
"TPSMain"="TPSMain.exe" [2005-05-31 22:00 282624 C:\WINDOWS\system32\TPSMain.exe]
"NDSTray.exe"="NDSTray.exe"
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2007-12-28 15:05 1077301]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-12-28 15:05 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-12-28 15:05 151552]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2007-12-28 15:05 122941]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-12-28 15:05 385024]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 03:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-12-28 15:05 49152]
"Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2004-05-25 15:35 28672]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-11-07 15:41 8192]
"CFSServ.exe"="CFSServ.exe"
"ReminderApp"="C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe" [2007-12-28 15:05 156160]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43 286720]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]

C:\Documents and Settings\Jon Faulkner\Start Menu\Programs\Startup
TrueAssistant.lnk - C:\Program Files\TrueAssistant\TrueAssistant.exe [2006-11-17 03:45:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 20:40:10]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-08-08 01:38:41]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-07-28 14:56:17]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe [2007-07-24 15:58:00]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 13:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-11 11:05]
S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\PCTINDIS5.SYS
S3 SEMWModem;Sony Ericsson SEMWModem;C:\WINDOWS\system32\DRIVERS\GCXX.sys [2005-01-03 01:32]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;C:\WINDOWS\system32\DRIVERS\GCXXNet.sys [2005-01-03 01:32]
S3 STVqx3;Intel Play QX3 Microscope;C:\WINDOWS\system32\drivers\STVqx3.sys [2001-04-12 13:04]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-05-30 19:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-01-02 02:23:48 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-01 22:03:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-01-01 22:05:13
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-02 04:05:04
C:\qoobox\ComboFix2.txt 2008-01-01 02:35:52
.
2007-12-23 07:06:39 --- E O F ---

vmntoolbar showed up one day…I don’t know how it got on my system…I thought I had removed it but it seems to never go away…I don’t want it, never did…

Go to Add/Remove Programs and see if vmntoolbar is there; if it is, please uninstall it. Afterward, run the following fix.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt”. Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\system32\ksvcl.dll
C:\WINDOWS\system32\kcopt.dll
C:\WINDOWS\system32\Dll.dll

Folder::
C:\Program Files\vmntoolbar

This will start ComboFix again. Close all browsers/windows first. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HJT log.

After running ComboFix, upon rebooting this message came up before the desktop loaded up:
"Windows cannot find 'C:\Document~1\LOCALS~1\Temp\uninstall.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start Button, and then click Search."
I clicked OK and it continued to the desktop normally.

ComboFix Log:

ComboFix 07-12-31.4 - Jon Faulkner 2008-01-02 0:01:55.3 - NTFSx86
Running from: C:\Documents and Settings\Jon Faulkner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jon Faulkner\Desktop\CFscript.txt

* Created a new restore point

FILE
C:\WINDOWS\system32\Dll.dll
C:\WINDOWS\system32\kcopt.dll
C:\WINDOWS\system32\ksvcl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\vmntoolbar
C:\Program Files\vmntoolbar\Cache\a.bmp
C:\Program Files\vmntoolbar\Cache\an.bmp
C:\Program Files\vmntoolbar\Cache\autofill.bmp
C:\Program Files\vmntoolbar\Cache\b.bmp
C:\Program Files\vmntoolbar\Cache\background.bmp
C:\Program Files\vmntoolbar\Cache\blank.bmp
C:\Program Files\vmntoolbar\Cache\bn.bmp
C:\Program Files\vmntoolbar\Cache\c.bmp
C:\Program Files\vmntoolbar\Cache\chat003.bmp
C:\Program Files\vmntoolbar\Cache\cn.bmp
C:\Program Files\vmntoolbar\Cache\COMBOSEARCH.acs
C:\Program Files\vmntoolbar\Cache\d.bmp
C:\Program Files\vmntoolbar\Cache\dictionary.bmp
C:\Program Files\vmntoolbar\Cache\dn.bmp
C:\Program Files\vmntoolbar\Cache\ency_search.bmp
C:\Program Files\vmntoolbar\Cache\f.bmp
C:\Program Files\vmntoolbar\Cache\finance.bmp
C:\Program Files\vmntoolbar\Cache\flag_argentine.bmp
C:\Program Files\vmntoolbar\Cache\flag_australia.bmp
C:\Program Files\vmntoolbar\Cache\flag_brazil.bmp
C:\Program Files\vmntoolbar\Cache\flag_canada.bmp
C:\Program Files\vmntoolbar\Cache\flag_china.bmp
C:\Program Files\vmntoolbar\Cache\flag_france.bmp
C:\Program Files\vmntoolbar\Cache\flag_germany.bmp
C:\Program Files\vmntoolbar\Cache\flag_greece.bmp
C:\Program Files\vmntoolbar\Cache\flag_hongkong.bmp
C:\Program Files\vmntoolbar\Cache\flag_india.bmp
C:\Program Files\vmntoolbar\Cache\flag_indonesia.bmp
C:\Program Files\vmntoolbar\Cache\flag_italy.bmp
C:\Program Files\vmntoolbar\Cache\flag_japan.bmp
C:\Program Files\vmntoolbar\Cache\flag_korea.bmp
C:\Program Files\vmntoolbar\Cache\flag_mexico.bmp
C:\Program Files\vmntoolbar\Cache\flag_netherlands.bmp
C:\Program Files\vmntoolbar\Cache\flag_spain.bmp
C:\Program Files\vmntoolbar\Cache\flag_sweeden.bmp
C:\Program Files\vmntoolbar\Cache\flag_taiwan.bmp
C:\Program Files\vmntoolbar\Cache\flag_uk.bmp
C:\Program Files\vmntoolbar\Cache\flag_usa.bmp
C:\Program Files\vmntoolbar\Cache\fn.bmp
C:\Program Files\vmntoolbar\Cache\g.bmp
C:\Program Files\vmntoolbar\Cache\gaming.bmp
C:\Program Files\vmntoolbar\Cache\gn.bmp
C:\Program Files\vmntoolbar\Cache\gograph.bmp
C:\Program Files\vmntoolbar\Cache\graphred0.bmp
C:\Program Files\vmntoolbar\Cache\graphred0_5.bmp
C:\Program Files\vmntoolbar\Cache\graphred1.bmp
C:\Program Files\vmntoolbar\Cache\graphred1_5.bmp
C:\Program Files\vmntoolbar\Cache\graphred2.bmp
C:\Program Files\vmntoolbar\Cache\graphred2_5.bmp
C:\Program Files\vmntoolbar\Cache\graphred3.bmp
C:\Program Files\vmntoolbar\Cache\graphred3_5.bmp
C:\Program Files\vmntoolbar\Cache\graphred4.bmp
C:\Program Files\vmntoolbar\Cache\graphred4_5.bmp
C:\Program Files\vmntoolbar\Cache\graphred5.bmp
C:\Program Files\vmntoolbar\Cache\h.bmp
C:\Program Files\vmntoolbar\Cache\h_aquarius.bmp
C:\Program Files\vmntoolbar\Cache\h_aries.bmp
C:\Program Files\vmntoolbar\Cache\h_cancer.bmp
C:\Program Files\vmntoolbar\Cache\h_capricorn.bmp
C:\Program Files\vmntoolbar\Cache\h_gemini.bmp
C:\Program Files\vmntoolbar\Cache\h_leo.bmp
C:\Program Files\vmntoolbar\Cache\h_libra.bmp
C:\Program Files\vmntoolbar\Cache\h_pisces.bmp
C:\Program Files\vmntoolbar\Cache\h_sagittarius.bmp
C:\Program Files\vmntoolbar\Cache\h_scorpio.bmp
C:\Program Files\vmntoolbar\Cache\h_taurus.bmp
C:\Program Files\vmntoolbar\Cache\h_virgo.bmp
C:\Program Files\vmntoolbar\Cache\hideremove.bmp
C:\Program Files\vmntoolbar\Cache\highlight.bmp
C:\Program Files\vmntoolbar\Cache\hn.bmp
C:\Program Files\vmntoolbar\Cache\hororank.xml
C:\Program Files\vmntoolbar\Cache\i.bmp
C:\Program Files\vmntoolbar\Cache\image.bmp
C:\Program Files\vmntoolbar\Cache\img_games0.cfg
C:\Program Files\vmntoolbar\Cache\in.bmp
C:\Program Files\vmntoolbar\Cache\ipsearch.bmp
C:\Program Files\vmntoolbar\Cache\j.bmp
C:\Program Files\vmntoolbar\Cache\jn.bmp
C:\Program Files\vmntoolbar\Cache\k.bmp
C:\Program Files\vmntoolbar\Cache\kn.bmp
C:\Program Files\vmntoolbar\Cache\l.bmp
C:\Program Files\vmntoolbar\Cache\lastalert.txt
C:\Program Files\vmntoolbar\Cache\ln.bmp
C:\Program Files\vmntoolbar\Cache\login.bmp
C:\Program Files\vmntoolbar\Cache\logo.bmp
C:\Program Files\vmntoolbar\Cache\music.bmp
C:\Program Files\vmntoolbar\Cache\n.bmp
C:\Program Files\vmntoolbar\Cache\New Yorkweather.txt
C:\Program Files\vmntoolbar\Cache\new02.bmp
C:\Program Files\vmntoolbar\Cache\new02b.bmp
C:\Program Files\vmntoolbar\Cache\newalert.txt
C:\Program Files\vmntoolbar\Cache\news.bmp
C:\Program Files\vmntoolbar\Cache\news.gif
C:\Program Files\vmntoolbar\Cache\newsitem.gif
C:\Program Files\vmntoolbar\Cache\newspaper.gif
C:\Program Files\vmntoolbar\Cache\nn.bmp
C:\Program Files\vmntoolbar\Cache\o.bmp
C:\Program Files\vmntoolbar\Cache\on.bmp
C:\Program Files\vmntoolbar\Cache\p.bmp
C:\Program Files\vmntoolbar\Cache\people.bmp
C:\Program Files\vmntoolbar\Cache\pestscanimg.bmp
C:\Program Files\vmntoolbar\Cache\pn.bmp
C:\Program Files\vmntoolbar\Cache\popup_off.bmp
C:\Program Files\vmntoolbar\Cache\popup_on.bmp
C:\Program Files\vmntoolbar\Cache\product.bmp
C:\Program Files\vmntoolbar\Cache\q.bmp
C:\Program Files\vmntoolbar\Cache\qn.bmp
C:\Program Files\vmntoolbar\Cache\r.bmp
C:\Program Files\vmntoolbar\Cache\relatedlinks.bmp
C:\Program Files\vmntoolbar\Cache\report.bmp
C:\Program Files\vmntoolbar\Cache\rn.bmp
C:\Program Files\vmntoolbar\Cache\rss.bmp
C:\Program Files\vmntoolbar\Cache\rss1.bmp
C:\Program Files\vmntoolbar\Cache\rssnewsmenu.html
C:\Program Files\vmntoolbar\Cache\rssnewsmenu.zip
C:\Program Files\vmntoolbar\Cache\s.bmp
C:\Program Files\vmntoolbar\Cache\scrolldown.gif
C:\Program Files\vmntoolbar\Cache\scrolldownstep.gif
C:\Program Files\vmntoolbar\Cache\scrollup.gif
C:\Program Files\vmntoolbar\Cache\scrollupstep.gif
C:\Program Files\vmntoolbar\Cache\search_dictionnary.bmp
C:\Program Files\vmntoolbar\Cache\search_domain.bmp
C:\Program Files\vmntoolbar\Cache\search_ency.bmp
C:\Program Files\vmntoolbar\Cache\search_graphic.bmp
C:\Program Files\vmntoolbar\Cache\search_images.bmp
C:\Program Files\vmntoolbar\Cache\search_music.bmp
C:\Program Files\vmntoolbar\Cache\search_news.bmp
C:\Program Files\vmntoolbar\Cache\search_people.bmp
C:\Program Files\vmntoolbar\Cache\search_products.bmp
C:\Program Files\vmntoolbar\Cache\search_software.bmp
C:\Program Files\vmntoolbar\Cache\search_stocks.bmp
C:\Program Files\vmntoolbar\Cache\search_video.bmp
C:\Program Files\vmntoolbar\Cache\Sinfo.txt
C:\Program Files\vmntoolbar\Cache\Sinfo1.txt
C:\Program Files\vmntoolbar\Cache\Sinfo10.txt
C:\Program Files\vmntoolbar\Cache\Sinfo11.txt
C:\Program Files\vmntoolbar\Cache\Sinfo12.txt
C:\Program Files\vmntoolbar\Cache\Sinfo13.txt
C:\Program Files\vmntoolbar\Cache\Sinfo14.txt
C:\Program Files\vmntoolbar\Cache\Sinfo15.txt
C:\Program Files\vmntoolbar\Cache\Sinfo16.txt
C:\Program Files\vmntoolbar\Cache\Sinfo17.txt
C:\Program Files\vmntoolbar\Cache\Sinfo18.txt
C:\Program Files\vmntoolbar\Cache\Sinfo19.txt
C:\Program Files\vmntoolbar\Cache\Sinfo2.txt
C:\Program Files\vmntoolbar\Cache\Sinfo20.txt
C:\Program Files\vmntoolbar\Cache\Sinfo3.txt
C:\Program Files\vmntoolbar\Cache\Sinfo4.txt

ComboFix post part 2:

C:\Program Files\vmntoolbar\Cache\Sinfo5.txt
C:\Program Files\vmntoolbar\Cache\Sinfo6.txt
C:\Program Files\vmntoolbar\Cache\Sinfo7.txt
C:\Program Files\vmntoolbar\Cache\Sinfo8.txt
C:\Program Files\vmntoolbar\Cache\Sinfo9.txt
C:\Program Files\vmntoolbar\Cache\siteinfo.bmp
C:\Program Files\vmntoolbar\Cache\skin.bmp
C:\Program Files\vmntoolbar\Cache\slider.bmp
C:\Program Files\vmntoolbar\Cache\sn.bmp
C:\Program Files\vmntoolbar\Cache\sof_search.bmp
C:\Program Files\vmntoolbar\Cache\stars-red1.bmp
C:\Program Files\vmntoolbar\Cache\stars-red2.bmp
C:\Program Files\vmntoolbar\Cache\stars-red3.bmp
C:\Program Files\vmntoolbar\Cache\stars-red4.bmp
C:\Program Files\vmntoolbar\Cache\stars-red5.bmp
C:\Program Files\vmntoolbar\Cache\storage.bmp
C:\Program Files\vmntoolbar\Cache\t.bmp
C:\Program Files\vmntoolbar\Cache\thes_search.bmp
C:\Program Files\vmntoolbar\Cache\tn.bmp
C:\Program Files\vmntoolbar\Cache\tools.bmp
C:\Program Files\vmntoolbar\Cache\translate.bmp
C:\Program Files\vmntoolbar\Cache\u.bmp
C:\Program Files\vmntoolbar\Cache\un.bmp
C:\Program Files\vmntoolbar\Cache\upgrade.bmp
C:\Program Files\vmntoolbar\Cache\userbadsites.txt
C:\Program Files\vmntoolbar\Cache\v.bmp
C:\Program Files\vmntoolbar\Cache\vmntoolbartb0403.cfg
C:\Program Files\vmntoolbar\Cache\vn.bmp
C:\Program Files\vmntoolbar\Cache\w.bmp
C:\Program Files\vmntoolbar\Cache\weather.txt
C:\Program Files\vmntoolbar\Cache\web.bmp
C:\Program Files\vmntoolbar\Cache\whois.bmp
C:\Program Files\vmntoolbar\Cache\wn.bmp
C:\Program Files\vmntoolbar\Cache\x.bmp
C:\Program Files\vmntoolbar\Cache\xp_close_small.gif
C:\Program Files\vmntoolbar\Cache\yahoo.bmp
C:\Program Files\vmntoolbar\Cache\z.bmp
C:\Program Files\vmntoolbar\Cache\zn.bmp
C:\Program Files\vmntoolbar\Cache\zoom.bmp
C:\Program Files\vmntoolbar\install.ico
C:\Program Files\vmntoolbar\toolbar.ini
C:\Program Files\vmntoolbar\uninstall.exe
C:\WINDOWS\system32\Dll.dll
C:\WINDOWS\system32\kcopt.dll
C:\WINDOWS\system32\ksvcl.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
.

2008-01-01 16:18 . 2008-01-01 16:18 d--h----- C:\WINDOWS\PIF
2007-12-31 20:23 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 14:34 . 2007-12-31 14:34 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-31 14:33 . 2007-12-31 17:47 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-31 14:33 . 2007-12-31 14:33 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 14:33 . 2007-12-31 14:33 d-------- C:\Documents and Settings\Jon Faulkner\Application Data\SUPERAntiSpyware.com
2007-12-30 22:26 . 2007-12-30 22:26 d-------- C:\Program Files\Alwil Software
2007-12-30 22:26 . 2007-12-04 07:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-30 22:26 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-30 22:26 . 2007-12-04 06:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-30 22:26 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-30 22:26 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-30 22:26 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-30 22:26 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-30 22:26 . 2007-12-04 08:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-30 22:02 . 2007-12-30 22:02 d-------- C:\Program Files\Windows Defender
2007-12-30 21:06 . 2007-12-30 21:06 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-25 12:39 . 2007-12-30 21:28 d-------- C:\Program Files\Photo Viewer
2007-12-20 21:06 . 2007-12-20 21:08 d-------- C:\Program Files\Motorola Phone Tools
2007-12-13 15:03 . 2007-12-13 15:03 98 --a------ C:\WINDOWS\WirelessFTP.INI
2007-12-06 21:21 . 2007-12-06 21:21 d-------- C:\Program Files\Apple Software Update
2007-12-06 21:20 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-12-06 20:56 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-06 20:56 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 04:56 --------- d-----w C:\Program Files\TrueAssistant
2008-01-02 03:52 42,040 ----a-w C:\Documents and Settings\Jon Faulkner\Application Data\wklnhst.dat
2007-12-31 03:06 --------- d-----w C:\Program Files\Lavasoft
2007-12-28 21:07 --------- d-----w C:\Program Files\ltmoh
2007-12-28 21:05 94,208 ----a-w C:\WINDOWS\system32\igfxtray.exe
2007-12-28 21:05 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
2007-12-28 21:05 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
2007-12-28 03:24 --------- d-----w C:\Documents and Settings\Jon Faulkner\Application Data\Image Zone Express
2007-12-26 18:25 --------- d-----w C:\Documents and Settings\Jon Faulkner\Application Data\Vso
2007-12-21 03:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-12-21 03:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-21 03:05 24,192 -c--a-w C:\Documents and Settings\Jon Faulkner\usbsermptxp.sys
2007-12-21 03:05 22,768 -c--a-w C:\Documents and Settings\Jon Faulkner\usbsermpt.sys
2007-12-21 03:05 22,768 ----a-w C:\WINDOWS\system32\drivers\usbsermpt.sys
2007-12-20 03:13 --------- d-----w C:\Program Files\DVDFab Platinum 3
2007-12-08 07:01 --------- d-----w C:\Program Files\iTunes
2007-12-07 03:30 --------- d-----w C:\Documents and Settings\Jon Faulkner\Application Data\Apple Computer
2007-12-07 03:24 --------- d-----w C:\Program Files\iPod
2007-12-07 03:23 --------- d-----w C:\Program Files\QuickTime
2007-11-28 04:22 --------- d-----w C:\Program Files\STOPzilla!
2007-11-28 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-11-28 03:30 1,024 ----a-w C:\WINDOWS\system32\drivers\AF4DDDA4-BF0D-479B-A00D-F62E37030F0A.cxv
2007-11-28 03:27 2,048 ----a-w C:\WINDOWS\system32\drivers\1E648BC4-712E-4D9C-ABBE-BA2DE1381703.cxv
2007-11-28 02:38 --------- d-----w C:\Documents and Settings\Jon Faulkner\Application Data\Lavasoft
2007-11-28 02:23 75,800 ----a-w C:\WINDOWS\system32\kdhpm.exe
2007-11-26 11:12 --------- d-----w C:\Program Files\Logitech
2007-11-20 16:41 --------- d-----w C:\Program Files\CandleWorks
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-03 23:48 47,360 ----a-w C:\Documents and Settings\Jon Faulkner\Application Data\pcouffin.sys
2006-08-14 21:48 19 -c--a-w C:\Program Files\Answer.txt
2006-08-14 21:29 2,609 -c--a-w C:\Program Files\index.htm
2006-07-03 13:22 26,624 -c--a-w C:\Program Files\New President ask Resignations Supreme Justices…wps
.

ComboFix log part 3:

((((((((((((((((((((((((((((( snapshot@2007-12-31_20.35.35.24 )))))))))))))))))))))))))))))))))))))))))
.

+ 2008-01-02 04:55:23 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_2d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-28 15:05 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-12-28 15:05 36864]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-28 15:05 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2007-12-28 15:05 73728]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2005-08-10 12:23 356352]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-28 15:05 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-28 15:05 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-28 15:05 114688]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-12-28 15:05 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 17:17 88358 C:\WINDOWS\agrsmmsg.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-28 15:05 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-28 15:05 688218]
"TFncKy"="TFncKy.exe"
"TPSMain"="TPSMain.exe" [2005-05-31 22:00 282624 C:\WINDOWS\system32\TPSMain.exe]
"NDSTray.exe"="NDSTray.exe"
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2007-12-28 15:05 1077301]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-12-28 15:05 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-12-28 15:05 151552]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2007-12-28 15:05 122941]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-12-28 15:05 385024]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 03:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-12-28 15:05 49152]
"Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2004-05-25 15:35 28672]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-11-07 15:41 8192]
"CFSServ.exe"="CFSServ.exe"
"ReminderApp"="C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe" [2007-12-28 15:05 156160]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43 286720]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"vmntoolbar"="C:\DOCUME~1\JONFAU~1\LOCALS~1\Temp\uninstall.exe" [2006-04-26 07:12 70936]

C:\Documents and Settings\Jon Faulkner\Start Menu\Programs\Startup
TrueAssistant.lnk - C:\Program Files\TrueAssistant\TrueAssistant.exe [2006-11-17 03:45:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 20:40:10]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-08-08 01:38:41]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-07-28 14:56:17]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe [2007-07-24 15:58:00]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 13:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-11 11:05]
S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\PCTINDIS5.SYS
S3 SEMWModem;Sony Ericsson SEMWModem;C:\WINDOWS\system32\DRIVERS\GCXX.sys [2005-01-03 01:32]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;C:\WINDOWS\system32\DRIVERS\GCXXNet.sys [2005-01-03 01:32]
S3 STVqx3;Intel Play QX3 Microscope;C:\WINDOWS\system32\drivers\STVqx3.sys [2001-04-12 13:04]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-05-30 19:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-01-02 04:58:23 C:\WINDOWS\Tasks\MP Scheduled Scan.job"

- C:\Program Files\Windows Defender\MpCmdRun.exe
.

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-02 00:06:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-01-02 0:07:52
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-02 06:07:37
C:\qoobox\ComboFix2.txt 2008-01-02 04:05:13
C:\qoobox\ComboFix3.txt 2008-01-01 02:35:52
.
2007-12-23 07:06:39 --- E O F ---

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:33 AM, on 1/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Jon Faulkner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

HJT log part 2:

O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [TFncKy] TFncKy.exe
O4 - HKLM..\Run: [TPSMain] TPSMain.exe
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.sonypictures.com/games/zuma/popcaploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe


End of file - 10453 bytes

Looks good. That message was from a RunOnce reg key. Try rebooting and see if the message comes back again. If so, let me know and we’ll remove the reg entry.

If you are still receiving the message, do this reg fix. If there is no message, then don’t bother with this reg fix.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"vmntoolbar"=-

You will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box into a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS, make sure the top box is set to save to DESKTOP, and in the SAVE AS TYPE dropdown box select ALL FILES.
Then in the FILE NAME box type fix.reg.
This will create a fix.reg file on your desktop.
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right-click the icon and select Merge, accept the warning if it appears, and you are done.

If everything is ok now I’ll give you a clean up routine to get rid of the tools we used.
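As an added illustration of the check the helper did above (not code from the thread or from ComboFix/HijackThis): a small Python script that parses autostart entries in the ComboFix "Reg Loading Points" and HijackThis O4 formats, flags values whose program launches from a user Temp directory or sits under RunOnce (like the vmntoolbar entry), and builds the same REGEDIT4 delete fragment as the fix above. The sample log lines are constructed from the thread's format and the "updater" entry is invented.

```python
"""Autostart audit for the two log formats quoted in this thread: ComboFix
"Reg Loading Points" value lines and HijackThis O4 lines. It flags programs
that launch from a Temp directory and builds the REGEDIT4 fragment that
deletes a value. SAMPLE_LOG is constructed; "updater" is an invented entry."""
import re
from dataclasses import dataclass, field
from typing import List

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_BASE = r"SOFTWARE\Microsoft\Windows\CurrentVersion"

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")          # ComboFix key header
CF_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[[^\]]*\])?\s*$')
HJT_O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\.\.\\(\w+): \[([^\]]+)\] (.+)$")
# Long and 8.3 short forms of a per-user Temp folder, as in the thread's log.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\")

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]
"TFncKy"="TFncKy.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"vmntoolbar"="C:\DOCUME~1\JONFAU~1\LOCALS~1\Temp\uninstall.exe" [2006-04-26 07:12 70936]

O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU..\RunOnce: [updater] "C:\Documents and Settings\user\Local Settings\Temp\upd.exe" /s
"""


@dataclass
class AutostartEntry:
    key: str       # full registry key the value lives under
    name: str      # value name
    path: str      # executable path with any arguments stripped
    source: str    # "combofix" or "hijackthis"
    reasons: List[str] = field(default_factory=list)


def _image_path(command: str) -> str:
    """Strip arguments: honour a quoted path, else cut after the first .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.exe", command, re.IGNORECASE)
    return command[: m.end()] if m else command


def parse_autostart(text: str) -> List[AutostartEntry]:
    entries: List[AutostartEntry] = []
    current_key = None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            current_key = m.group(1)
        elif (m := CF_VALUE_RE.match(line)) and current_key:
            entries.append(AutostartEntry(current_key, m.group(1),
                                          _image_path(m.group(2)), "combofix"))
        elif (m := HJT_O4_RE.match(line)):
            hive, subkey, name, command = m.groups()
            key = f"{HIVES[hive]}\\{RUN_BASE}\\{subkey}"
            entries.append(AutostartEntry(key, name, _image_path(command),
                                          "hijackthis"))
    return entries


def flag_entries(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    """Return entries worth a second look, with the reason recorded on each."""
    flagged = []
    for e in entries:
        low = e.path.lower()
        if any(mark in low for mark in TEMP_MARKERS):
            e.reasons.append("launches from a Temp directory")
        if e.key.lower().endswith("runonce"):
            e.reasons.append("RunOnce value: runs once at next logon, check what wrote it")
        if e.reasons:
            flagged.append(e)
    return flagged


def reg_delete_value(key: str, name: str) -> str:
    """REGEDIT4 text that removes one value: "name"=- is the delete syntax.
    REGEDIT4 must be the very first line, with nothing above it."""
    return "\r\n".join(["REGEDIT4", "", f"[{key}]", f'"{name}"=-']) + "\r\n"


if __name__ == "__main__":
    found = parse_autostart(SAMPLE_LOG)
    for e in flag_entries(found):
        print(f"{e.source}: [{e.key}] {e.name} -> {e.path}")
        for r in e.reasons:
            print("    -", r)
    print(reg_delete_value(found[2].key, found[2].name))
```

Paste real log sections in place of SAMPLE_LOG; the generated text is what goes into the fix.reg file described above.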

I rebooted and the message did not show up again so I did not have to do the reg fix…

Everything seems to be working ok…the messages aren’t popping up anymore and so far when I click on links they go to the correct place…!!! I still have those files in the Virus Chest, do we just leave them there? I’m going to keep Avast active and I guess I should keep the SUPERAntiSpyware active too? Is the cleanup program you gave me good to run every so often? As you have figured out by now, I’m not real up on that kind of stuff…You just don’t know how much I appreciate all your help…I would name my first born after you, but he’s 34 and has gotten rather attached to his name, unless your name is Matthew, then it’s a go!!!

I’m glad everything is ok now. I’ll put a clean up routine for you tomorrow. It’s late here.

Yes, keep cleanup and use it regularly, same with SAS. We’ll deal with the virus chest then also.

To clean up the tools we used:

Click the Start button, click Run, copy and paste the following line into the box and click OK:

combofix /u

Open HJT, click the Misc Tools button, slide the slider down, and click Uninstall.

Create a new restore point

You must be logged on to an administrator account.
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

Remove old restore points

Disk Cleanup

  • Go to Start - All Programs - Accessories - System Tools. Launch the Disk Cleanup tool and let it run. When it finishes, a box with tabs will appear; select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

If everything is fine and you want to clean out the avast virus chest, open the chest, click on the Infected Files button. Then right-click on the file you want to delete and select Delete. Note: there is no hurry to remove files from the chest; they can’t be run from the chest or accessed from outside. Keeping them there gives you the chance to investigate the detection and the ability to restore a file that was falsely identified as infected. Moving to the chest is always the correct first action.

Run the cleanup utility that you downloaded.

It looks like you had or have a very old version of java. It can be an entry point for malware. If you wish to install the current version do the following steps.

Open an Internet Explorer (only) window and go to http://www.java.com/en/download/manual.jsp > In the middle of the page, click on the Download button to the right of Java Runtime Environment (JRE) 6u3 > If the Information Bar pops up, right-click on it and say it’s OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control.

Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u3-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar except Java TM 6 Update 3 which you just installed.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <= this folder, if found. Delete any subfolders except the subfolder jre1.6.0_03, which was just created by the installation above.

Do NOT delete C:\Program Files\JavaVM <= this folder, if found!

Keep SAS updated and run it from time to time. Remember the free version is on demand only. You will have to manually scan with it.

It looks like you are using Windows Firewall. It doesn’t provide outbound protection. A third-party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

I would name my first born after you, but he's 34 and has gotten rather attached to his name, unless your name is Matthew, then it's a go!!!!

Thanks for the offer. :wink:

I have done everything you instructed except delete the files in the Virus Chest…I just have a goofy question…if they are in the virus chest and I delete them, what happens if they are files the computer needs to run? Is that what we did with the ComboFix, replace the bad ones?? So if that is true, then in the future any that are moved there can not be deleted until fixed? Is that correct? Or am I still confused…???

So far, knock on wood, everything is working great…Oldman, you are a genius…!!! And such a nice and patient one. I truly appreciate the explicit instructions in laymen’s terms…you have my undying gratitude…

I’ll try to explain.

The files ComboFix removed were files that had to go. The entire file was a trojan or part of a trojan. Those types of files can’t be cleaned. They were never part of your operating system or any programs you have.

The files in the chest are a different story. Avast could, and does from time to time, misidentify a good file as being infected. That’s why the recommendation is to move the file to the chest, then investigate. If it turns out to be a false positive then they can be restored. Definitely a good choice just in case it is a needed file.

As mentioned, they are safe there and can’t be run. You can leave them there indefinitely if you so choose.

I’d suggest leaving them there for 2-3 weeks and if you are not having any problems, as far as Windows saying it can’t find a file, then scan them one by one in the chest by right-clicking the file and selecting Scan. If avast alerts you, it’s a safe bet that it was a good detection and the file can be deleted.

Clear as mud now? Any more questions, I will try to answer as best I can.