Win32:FraudTool-GK [Tool] and Win32:FraudTool-GL [Tool]

HijackThis scan… I don’t know if I did it properly, as I merely pressed “scan this with log” and it scanned, but in the dialogue box it shows a bunch of things that can be check-marked, and the scan took about two seconds… here are the results anyway…

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:04 PM, on 8/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdfserv.exe
C:\WINDOWS\system32\lxdfcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Lexmark 6500 Series\lxdfmon.exe
C:\Program Files\Lexmark 6500 Series\lxdfamon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\VM303_STI.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Christopher\Local Settings\Temporary Internet Files\Content.IE5\8F2W0FEB\HiJackThis[1].exe

Sorry, here is the rest; I could only submit 10000 words or something.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [lxdfmon.exe] "C:\Program Files\Lexmark 6500 Series\lxdfmon.exe"
O4 - HKLM\..\Run: [lxdfamon] "C:\Program Files\Lexmark 6500 Series\lxdfamon.exe"
O4 - HKLM\..\Run: [Lexmark 6500 Series Fax Server] "C:\Program Files\Lexmark 6500 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'SYSTEM')
O4 - .DEFAULT Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\system32\lxdfcoms.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe


End of file - 11512 bytes

thank you so much
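As an added example (not part of this thread and not code from the HijackThis tool), the following Python script reads HijackThis-style log lines and flags the entries a helper looks at first when reviewing a log like the one above: O4 autostarts that launch from temporary or user-writable folders or run a script rather than a program, O23 services whose binary is reported "(file missing)", and O10 entries HijackThis does not recognise. The sample lines are constructed, modelled on the log above; the directory markers and regular expressions are my own assumptions about the log format, not HijackThis' own parsing rules.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on entries in the log above (not the user's log itself).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'SYSTEM')
O4 - .DEFAULT Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Section code ("R0", "O4", "O23", ...) followed by the entry body.
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# First Windows path ending in an executable or script extension (quotes optional).
PATH_RE = re.compile(
    r'"?(?P<path>[A-Za-z]:\\[^"\r\n]*?\.(?:exe|bat|cmd|vbs|js|scr|pif|com|dll))"?',
    re.IGNORECASE,
)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js")
# Directory fragments any logged-on XP user can write to (assumed heuristic list).
WRITABLE_MARKERS = (
    "\\local settings\\temp\\",
    "\\temporary internet files\\",
    "\\windows\\temp\\",
    "\\application data\\",
)


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def first_path(body: str):
    """Return the first executable/script path in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group("path") if m else None


def triage_line(line: str):
    """Return the findings (possibly none) for a single HijackThis log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    findings = []
    if code == "O4":
        path = first_path(body)
        if path:
            low = path.lower()
            if any(marker in low for marker in WRITABLE_MARKERS):
                findings.append(Finding(code, "autostart launches from a temporary or user-writable directory", line))
            if low.endswith(SCRIPT_EXT):
                findings.append(Finding(code, "autostart runs a script instead of a program binary", line))
    elif code == "O10" and "unknown file" in body.lower():
        findings.append(Finding(code, "Winsock LSP not recognised by HijackThis; identify its publisher before acting", line))
    elif code == "O23" and "(file missing)" in body.lower():
        findings.append(Finding(code, "service registration points at a binary that no longer exists", line))
    return findings


def triage_log(text: str):
    """Run triage_line over every line of a log and collect the findings in order."""
    findings = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Run against the constructed sample it reports the two IEHOME.LNK startup entries twice each (temporary directory and .bat script), the unknown LSP, and the Symantec service with the missing binary, while the vendor autostarts and the avast! service pass silently. A flag is a prompt to identify the file, not a verdict: the helper's next step in the thread (looking at what the file is) is exactly that identification.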

OK, let's have a quick rummage in system restore and see what that file is.

Let's secure you first, though.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
- Download the latest version of Java Runtime Environment (JRE) 6 Update 7 and save it to your desktop.
- Scroll down to where it says “Java Runtime Environment (JRE) 6 Update 7 allows end-users to run Java applications”.
- Click the “Download” button to the right.
- Read the License Agreement and then check the box that says: “Accept License Agreement”. The page will refresh.
- Click on the link to download Windows Offline Installation and save the file to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
- Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.

THEN

Please download ComboFix from Here or Here to your Desktop.

  1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

SysRst::

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES.

  4. Save the above as CFScript.txt.

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
     - Combofix.txt
     - A new HijackThis log.

I’ve accidentally downloaded the online version… does this pose a problem… if so, is there any way of rectifying it… sorry and thanks

I've accidentally downloaded the online version... does this pose a problem... if so, is there any way of rectifying it... sorry and thanks
Sorry, I do not know what you mean. Do you have ComboFix on your desktop now?

It won’t let me run ComboFix; it just gives a popup that says you cannot rename combofix as combofix[1].

It hasn’t given me an opportunity to write anything in the Run box; it is, however, performing a scan.

OK, I will wait for the results ;D

The scan completed… I did open Notepad; however, I had not had an opportunity to type anything anywhere and it just rebooted my computer.

There will be a report at C:\combofix

Is this the report, or is there something I need to do with this… thank you sooo much

ComboFix 08-08-29.02 - Christopher 2008-08-29 16:42:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.440 [GMT -4:00]
Running from: C:\Documents and Settings\Christopher\Desktop\ComboFix.exe

  * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\#SharedObjects\E7E62UA7\bin.clearspring.com
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\#SharedObjects\E7E62UA7\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\#SharedObjects\E7E62UA7\interclick.com
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\#SharedObjects\E7E62UA7\interclick.com\ud.sol
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Christopher\Cookies\christopher@lxk235.lexmark[1].txt
C:\Documents and Settings\Christopher\Cookies\christopher@passagesmalibu[1].txt
C:\Documents and Settings\Christopher\Cookies\christopher@peach.bskyb[2].txt
C:\Documents and Settings\Christopher\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-29 16:33 . 2008-08-29 16:33 d-------- C:\Program Files\Sun
2008-08-29 16:33 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-29 16:30 . 2008-08-29 16:33 d-------- C:\Program Files\Java
2008-08-29 16:30 . 2008-08-29 16:30 d-------- C:\Program Files\Common Files\Java
2008-08-29 11:52 . 2008-08-29 11:52 d-------- C:\Documents and Settings\Christopher\DoctorWeb
2008-08-28 22:27 . 2008-08-28 22:27 d-------- C:\Program Files\SpywareBlaster
2008-08-28 22:27 . 2008-08-28 22:27 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-28 21:28 . 2008-08-28 21:28 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-28 21:28 . 2008-08-28 21:28 d-------- C:\Documents and Settings\Christopher\Application Data\SUPERAntiSpyware.com
2008-08-28 21:28 . 2008-08-28 21:28 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-28 21:26 . 2008-08-28 21:26 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-28 19:39 . 2008-08-28 19:39 d-------- C:\Program Files\Malwarebytes’ Anti-Malware
2008-08-28 19:39 . 2008-08-28 19:39 d-------- C:\Documents and Settings\Christopher\Application Data\Malwarebytes
2008-08-28 19:39 . 2008-08-28 19:39 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-28 19:39 . 2008-08-17 15:04 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-28 19:39 . 2008-08-17 15:04 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-23 20:07 . 2008-08-28 20:43 d-------- C:\Program Files\PWA
2008-08-23 18:38 . 2008-08-23 18:38 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-13 10:50 . 2008-05-01 10:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 20:25 --------- d-----w C:\Documents and Settings\Christopher\Application Data\Skype
2008-08-29 20:06 --------- d-----w C:\Documents and Settings\Christopher\Application Data\skypePM
2008-07-10 12:52 --------- d-----w C:\Program Files\InterActual
2008-06-29 18:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-29 18:26 --------- d-----w C:\Program Files\Vimicro
2008-06-29 18:26 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-18 23:18 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-06 19:37 21898024]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-09 10:00 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 23:34 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 16:56 64512]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-03-22 00:05 344064]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 04:02 761948]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 08:20 122940]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 19:13 122880]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 15:11 73728]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 01:06 1077322]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-25 16:47 356352]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2004-08-17 15:37 184320]
"Start RF Wireless Mouse"="C:\Program Files\RF Wireless Mouse\cm20.exe" [2002-01-31 10:59 61440]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"lxdfmon.exe"="C:\Program Files\Lexmark 6500 Series\lxdfmon.exe" [2007-06-11 09:53 455600]
"lxdfamon"="C:\Program Files\Lexmark 6500 Series\lxdfamon.exe" [2007-06-01 04:06 20480]
"Lexmark 6500 Series Fax Server"="C:\Program Files\Lexmark 6500 Series\fm3032.exe" [2007-06-11 09:56 308144]
"BigDog303"="C:\WINDOWS\VM303_STI.EXE" [2005-10-25 00:56 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-04 18:59 16206848 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 19:50 88204 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" [2005-06-01 00:00 282624 C:\WINDOWS\system32\TPSMain.exe]
"CFSServ.exe"="CFSServ.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 08:00 15360]

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup
IEHOME.LNK - C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat [2006-12-13 14:45:36 298]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
IEHOME.LNK - C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat [2006-12-13 14:45:36 298]

C:\Documents and Settings\Christopher\Start Menu\Programs\Startup
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-06-12 00:57:52 59080]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-09-14 18:48:02 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Messenger\msmsgs.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\WINDOWS\system32\lxdfcoms.exe"=
"C:\Program Files\Lexmark 6500 Series\lxdfamon.exe"=
"C:\Program Files\Lexmark 6500 Series\frun.exe"=
"C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe"=
"C:\Program Files\Lexmark 6500 Series\lxdfmon.exe"=
"C:\WINDOWS\system32\lxdfcfg.exe"=
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdfpswx.exe"=
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdftime.exe"=
"C:\Program Files\Lexmark 6500 Series\LXDFFax.exe"=
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdfjswx.exe"=
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdfwbgw.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 10:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 10:37]
R2 lxdf_device;lxdf_device;C:\WINDOWS\system32\lxdfcoms.exe [2007-05-29 02:06]
R2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdfserv.exe [2007-05-29 02:06]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = www.hotmail.com
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.


catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 16:48:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\urlmon.dll
-> ?:\WINDOWS\system32\urlmon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdfserv.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\verclsid.exe
.


.
Completion time: 2008-08-29 16:52:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-29 20:52:28

Pre-Run: 33,837,121,536 bytes free
Post-Run: 36,317,757,440 bytes free

192 --- E O F --- 2008-08-14 11:46:54
thank you!!!
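Added example, not from the thread and not ComboFix's own code: a Python parser for the REGEDIT4-style "Reg Loading Points" listing in the ComboFix log above, with two checks a defender wants over such a listing. The first finds Security Center values that silence the XP SP2 antivirus/firewall alerts (the AntiVirusDisableNotify, AntiVirusOverride and DisableMonitoring entries visible in the log); the second finds Run values that name a bare file with no directory, which Windows resolves through its search path at logon (the log shows RTHDCPL.EXE resolving to C:\WINDOWS\RTHDCPL.exe). The fragment is constructed from values in the log; the value-name list and the regular expressions are my own assumptions about the listing format.

```python
import re

# Constructed fragment in the REGEDIT4 style of ComboFix's "Reg Loading Points"
# section, modelled on values in the log above (not the user's log itself).
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 16:56 64512]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-04 18:59 16206848 C:\WINDOWS\RTHDCPL.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})')
STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>[^"]*)"')


def parse_reg(text: str):
    """Return {key_path: {value_name: value}} for a REGEDIT4-style listing.
    DWORDs become ints; string values keep only the quoted part, dropping the
    trailing [date size] annotation ComboFix appends."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            reg.setdefault(current, {})
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            reg[current][m.group("name")] = int(m.group("hex"), 16)
            continue
        m = STR_RE.match(line)
        if m:
            reg[current][m.group("name")] = m.group("val")
    return reg


# Security Center values that, when set to 1, suppress the XP SP2 alerts or tell
# the Security Center that some other product is doing the monitoring.
SUPPRESSION_VALUES = {
    "AntiVirusDisableNotify", "AntiVirusOverride",
    "FirewallDisableNotify", "FirewallOverride",
    "UpdatesDisableNotify", "DisableMonitoring",
}


def security_center_findings(reg):
    """(key, value_name) pairs under Security Center that are set to 1."""
    out = []
    for key, values in reg.items():
        if "security center" not in key.lower():
            continue
        for name, val in values.items():
            if name in SUPPRESSION_VALUES and val == 1:
                out.append((key, name))
    return out


def unqualified_run_entries(reg):
    """Run values whose command names a bare file instead of a full path; these
    are resolved via the search path at logon, so confirm which file actually runs."""
    out = []
    for key, values in reg.items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, val in values.items():
            if isinstance(val, str) and not re.match(r"^[A-Za-z]:\\", val):
                out.append((name, val))
    return out


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for key, name in security_center_findings(parsed):
        print(f"Security Center suppression: {key} -> {name}=1")
    for name, val in unqualified_run_entries(parsed):
        print(f"Run value without a path: {name} -> {val}")
```

The suppression values are often written by a legitimately installed antivirus or firewall product, so a hit means "confirm the product that set this is still installed and active", not "malware". In the log above the Monitoring\SymantecAntiVirus and Monitoring\SymantecFirewall keys are still present while both Symantec services are listed as (file missing), which is the kind of leftover this check is meant to surface.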

The HijackThis scan came up with the following… thank you!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:49 PM, on 8/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdfserv.exe
C:\WINDOWS\system32\lxdfcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Lexmark 6500 Series\lxdfmon.exe
C:\Program Files\Lexmark 6500 Series\lxdfamon.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Documents and Settings\Christopher\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [lxdfmon.exe] "C:\Program Files\Lexmark 6500 Series\lxdfmon.exe"
O4 - HKLM\..\Run: [lxdfamon] "C:\Program Files\Lexmark 6500 Series\lxdfamon.exe"
O4 - HKLM\..\Run: [Lexmark 6500 Series Fax Server] "C:\Program Files\Lexmark 6500 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'SYSTEM')
O4 - .DEFAULT Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\system32\lxdfcoms.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe


End of file - 11229 bytes
thanks!!!

Let's see if we can try the sysrestore search again.

  1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

SysRst::

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES.

  4. Save the above as CFScript.txt.

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
    Combofix.txt

Which is the Run box? When I pressed Run before, it merely ran the program… thanks

Ahh OK, I see where the problem is. The instructions are set at the lowest level. But in your case, open Notepad and type in SysRst:: then save the Notepad file as CFScript.txt. Then drag and drop it onto the ComboFix icon.

Sorry that I've been away from the computer, but basically I ran Avast again after the initial ComboFix and it seems my computer is virus free… THANK YOU SOOO much… I really appreciate all the help… you saved me!!! Should I delete all the software I installed, that being ComboFix, HijackThis, Malwarebytes' Anti-Malware, SUPERAntiSpyware?

Thanks again

And dr.cure… thanks

Delete ComboFix; it changes too fast to keep.
HijackThis does not change often and is small, so keep it in your emergency folder.
I'd also keep MBAM and SAS and keep them updated.
Malware today frequently gnarls the internet connection, making it impossible to download these when you might need them again. Unless you clicked some start-at-boot options, they should take no resources except a little disk space.

How about running Secunia Software Inspector and getting everything up to date?
Firewall name?
Are you running any start-at-boot (real time) anti-spyware/malware product (MBAM and SAS being on demand)?
We do not want to do this again, do we?