Can't get rid of spyware

28 replies to this topic

#1 Jere

    Member

  • Members
  • 14 posts

Posted 11 September 2006 - 03:45 PM

I hope that I am posting this in the right forum; I'm new to the site and not sure where to post this. I have picked up something that is killing my computer, draining RAM and constantly hitting me with pop-ups. I am running Windows XP Home and using Ad-Aware SE Personal Build 1.06r1, and have updated definitions prior to my latest scan. The following is the scan report.


Ad-Aware SE Build 1.06r1
Logfile Created on:Monday, September 11, 2006 10:06:57 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R122 08.09.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):7 total references
Tracking Cookie(TAC index:3):13 total references
Windows(TAC index:3):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


9-11-2006 10:06:57 AM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\jere\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1781173357-4041900530-4193989041-1006\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1781173357-4041900530-4193989041-1006\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1781173357-4041900530-4193989041-1006\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 584
ThreadCreationTime : 9-11-2006 4:04:10 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 648
ThreadCreationTime : 9-11-2006 4:04:11 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 676
ThreadCreationTime : 9-11-2006 4:04:12 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 720
ThreadCreationTime : 9-11-2006 4:04:12 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 732
ThreadCreationTime : 9-11-2006 4:04:12 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 888
ThreadCreationTime : 9-11-2006 4:04:13 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 948
ThreadCreationTime : 9-11-2006 4:04:13 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 984
ThreadCreationTime : 9-11-2006 4:04:13 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1044
ThreadCreationTime : 9-11-2006 4:04:13 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1216
ThreadCreationTime : 9-11-2006 4:04:14 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1532
ThreadCreationTime : 9-11-2006 4:04:15 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:12 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1560
ThreadCreationTime : 9-11-2006 4:04:15 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:13 [acs.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1660
ThreadCreationTime : 9-11-2006 4:04:16 PM
BasePriority : Normal


#:14 [igfxtray.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1720
ThreadCreationTime : 9-11-2006 4:04:16 PM
BasePriority : Normal
FileVersion : 3.0.0.4332
ProductVersion : 7.0.0.4332
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : igfxTray Module
InternalName : IGFXTRAY
LegalCopyright : Copyright 1999-2004, Intel Corporation
OriginalFilename : IGFXTRAY.EXE

#:15 [hkcmd.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1728
ThreadCreationTime : 9-11-2006 4:04:16 PM
BasePriority : Normal
FileVersion : 3.0.0.4332
ProductVersion : 7.0.0.4332
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2004, Intel Corporation
OriginalFilename : HKCMD.EXE

#:16 [igfxpers.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1736
ThreadCreationTime : 9-11-2006 4:04:16 PM
BasePriority : Normal
FileVersion : 3.0.0.4332
ProductVersion : 7.0.0.4332
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : persistence Module
InternalName : PERSISTENCE
LegalCopyright : Copyright 1999-2004, Intel Corporation
OriginalFilename : IGFXPERS.EXE

#:17 [ltmoh.exe]
FilePath : C:\Program Files\ltmoh\
ProcessID : 1752
ThreadCreationTime : 9-11-2006 4:04:16 PM
BasePriority : Normal
FileVersion : 1.73
ProductVersion : 1.73
ProductName : LtMoh Application
CompanyName : Agere Systems
FileDescription : LtMoh MFC Application
InternalName : LtMoh
LegalCopyright : Agere Copyright © 2001-2004
LegalTrademarks : Agere Systens
OriginalFilename : LtMoh.EXE

#:18 [agrsmmsg.exe]
FilePath : C:\WINDOWS\
ProcessID : 1788
ThreadCreationTime : 9-11-2006 4:04:16 PM
BasePriority : Normal
FileVersion : 2.1.49 2.1.49 12/20/2004 15:10:02
ProductVersion : 2.1.49 2.1.49 12/20/2004 15:10:02
ProductName : Agere SoftModem Messaging Applet
CompanyName : Agere Systems
FileDescription : SoftModem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © Agere Systems 1998-2000
OriginalFilename : smdmstat.exe

#:19 [apoint.exe]
FilePath : C:\Program Files\Apoint2K\
ProcessID : 1804
ThreadCreationTime : 9-11-2006 4:04:16 PM
BasePriority : Normal
FileVersion : 6.0.2.186
ProductVersion : 6.0.2.186
ProductName : Alps Pointing-device Driver
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver
InternalName : Alps Pointing-device Driver
LegalCopyright : Copyright © 1999-2004 Alps Electric Co., Ltd.
OriginalFilename : Apoint.exe

#:20 [00thotkey.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1812
ThreadCreationTime : 9-11-2006 4:04:16 PM
BasePriority : Normal
FileVersion : 1, 1, 0, 0
ProductVersion : 6, 3, 0, 0
ProductName : TOSHIBA THotkey
CompanyName : TOSHIBA Corporation
FileDescription : THotkey
InternalName : THotkey
LegalCopyright : Copyright © 1999 -2004 TOSHIBA Corporation
OriginalFilename : THotkey.exe

#:21 [tfnf5.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1868
ThreadCreationTime : 9-11-2006 4:04:16 PM
BasePriority : Normal
FileVersion : 2, 9, 0, 0
ProductVersion : 2, 9, 0, 0
ProductName : TOSHIBA Hotkey Utility for Display Devices
CompanyName : TOSHIBA Corp.
FileDescription : TFnF5
InternalName : TFnF5
LegalCopyright : Copyright © 2001-2004
OriginalFilename : TFnF5.Exe
Comments : Hotkey (Fn+F5) for Display Devices

#:22 [touched.exe]
FilePath : C:\Program Files\TOSHIBA\TouchED\
ProcessID : 1876
ThreadCreationTime : 9-11-2006 4:04:17 PM
BasePriority : Normal
FileVersion : 2, 5, 1, 0
ProductVersion : 2, 5, 1, 0
ProductName : TouchPad On/Off Utility
CompanyName : TOSHIBA Corporation
FileDescription : TouchPad On/Off Utility
InternalName : TouchED
LegalCopyright : Copyright 1998-2002 TOSHIBA Corporation. All rights reserved.
OriginalFilename : TouchED.exe

#:23 [smoothview.exe]
FilePath : C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\
ProcessID : 1884
ThreadCreationTime : 9-11-2006 4:04:17 PM
BasePriority : Normal
FileVersion : 2, 0, 0, 23
ProductVersion : 2, 0, 0, 23
ProductName : TOSHIBA Zooming Utility
CompanyName : TOSHIBA Corporation
FileDescription : SmoothView
InternalName : SmoothView
LegalCopyright : Copyright © 2003 TOSHIBA Corporation. All rights reserved.
OriginalFilename : SmoothView.exe
Comments : TOSHIBA Zooming Utility

#:24 [tfncky.exe]
FilePath : C:\Program Files\TOSHIBA\TOSHIBA Controls\
ProcessID : 1892
ThreadCreationTime : 9-11-2006 4:04:17 PM
BasePriority : Normal
FileVersion : 3.21.02
ProductVersion : 3.21.00
ProductName : TFncKy
CompanyName : TOSHIBA Corporation
FileDescription : TFncKy
InternalName : TFncKy
LegalCopyright : Copyright © 2001-2005 TOSHIBA Corporation. All rights reserved.
OriginalFilename : TFncKy.EXE

#:25 [ndstray.exe]
FilePath : C:\Program Files\TOSHIBA\ConfigFree\
ProcessID : 1908
ThreadCreationTime : 9-11-2006 4:04:17 PM
BasePriority : Normal


#:26 [tfswctrl.exe]
FilePath : C:\WINDOWS\system32\dla\
ProcessID : 1916
ThreadCreationTime : 9-11-2006 4:04:17 PM
BasePriority : Normal
FileVersion : 1.04.08a
CompanyName : Sonic Solutions
FileDescription : Drive Letter Access Component
LegalCopyright : Copyright © 2004 Sonic Solutions

#:27 [pinger.exe]
FilePath : C:\toshiba\ivp\ism\
ProcessID : 1976
ThreadCreationTime : 9-11-2006 4:04:17 PM
BasePriority : Normal
FileVersion : 3.7.0.0
ProductVersion : 3.7.0.0
ProductName : Software Upgrades
CompanyName : TOSHIBA Corporation
FileDescription : TOSHIBA Pinger
InternalName : PINGER
LegalCopyright : © 1997-2005 TOSHIBA Corporation
OriginalFilename : PINGER.EXE

#:28 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 2008
ThreadCreationTime : 9-11-2006 4:04:17 PM
BasePriority : Normal
FileVersion : 6.5
ProductVersion : QuickTime 6.5
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:29 [bartshel.exe]
FilePath : C:\Program Files\PeoplePC\ISP6330\Browser\
ProcessID : 164
ThreadCreationTime : 9-11-2006 4:04:17 PM
BasePriority : Normal
FileVersion : 6, 3, 1, 285
ProductVersion : 6, 3, 0, 0
ProductName : PeoplePC BartShell Module
CompanyName : PeoplePC
FileDescription : BartShell Module
InternalName : BartShell
LegalCopyright : Copyright © 2006 PeoplePC
OriginalFilename : BartShel.exe

#:30 [mcvsescn.exe]
FilePath : c:\progra~1\mcafee.com\vso\
ProcessID : 180
ThreadCreationTime : 9-11-2006 4:04:17 PM
BasePriority : Normal
FileVersion : 10, 0, 0, 20
ProductVersion : 10, 0, 0, 0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc.
FileDescription : McAfee VirusScan E-mail Scan Module
InternalName : mcvsescn
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : mcvsescn.EXE
Comments : McAfee VirusScan E-mail Scan Module

#:31 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 232
ThreadCreationTime : 9-11-2006 4:04:18 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:32 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 336
ThreadCreationTime : 9-11-2006 4:04:18 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:33 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 436
ThreadCreationTime : 9-11-2006 4:04:18 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:34 [tpsbattm.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 448
ThreadCreationTime : 9-11-2006 4:04:18 PM
BasePriority : Normal
FileVersion : 1, 0, 3, 0
ProductVersion : 7, 0, 0, 0
ProductName : TOSHIBA Power Saver
CompanyName : TOSHIBA Corporation
InternalName : TPSBattM
LegalCopyright : Copyright © 1998-2005 TOSHIBA Corporation
OriginalFilename : TPSBattM.exe

#:35 [dwdsregt.exe]
FilePath : C:\windows\system32\
ProcessID : 488
ThreadCreationTime : 9-11-2006 4:04:18 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
LegalCopyright : © 2004

#:36 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_06\bin\
ProcessID : 368
ThreadCreationTime : 9-11-2006 4:04:19 PM
BasePriority : Normal


#:37 [toscdspd.exe]
FilePath : C:\Program Files\TOSHIBA\TOSCDSPD\
ProcessID : 108
ThreadCreationTime : 9-11-2006 4:04:19 PM
BasePriority : Normal


#:38 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 604
ThreadCreationTime : 9-11-2006 4:04:19 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:39 [995632.exe]
FilePath : C:\DOCUME~1\jere\LOCALS~1\Temp\
ProcessID : 616
ThreadCreationTime : 9-11-2006 4:04:19 PM
BasePriority : Normal


#:40 [992560.exe]
FilePath : C:\DOCUME~1\jere\LOCALS~1\Temp\
ProcessID : 628
ThreadCreationTime : 9-11-2006 4:04:19 PM
BasePriority : Normal


#:41 [cproc.exe]
FilePath : C:\WINDOWS\system32\crunner\
ProcessID : 644
ThreadCreationTime : 9-11-2006 4:04:19 PM
BasePriority : Normal


#:42 [aspi109379.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 736
ThreadCreationTime : 9-11-2006 4:04:19 PM
BasePriority : Normal


#:43 [apntex.exe]
FilePath : C:\Program Files\Apoint2K\
ProcessID : 768
ThreadCreationTime : 9-11-2006 4:04:19 PM
BasePriority : Normal
FileVersion : 5.0.1.15
ProductVersion : 5.0.1.15
ProductName : Alps Pointing-device Driver for Windows NT/2000/XP
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver for Windows NT/2000/XP
InternalName : Alps Pointing-device Driver for Windows NT/2000/XP
LegalCopyright : Copyright © 1998-2003 Alps Electric Co., Ltd.
OriginalFilename : ApntEx.exe

#:44 [iam.exe]
FilePath : C:\Program Files\CallWave\
ProcessID : 1068
ThreadCreationTime : 9-11-2006 4:04:20 PM
BasePriority : Normal
FileVersion : 3.07.8 (4-April-2005)
ProductVersion : 3.07.8 (4-April-2005)
ProductName : CallWave Service
CompanyName : CallWave, Inc.
FileDescription : Internet Answering Machine
InternalName : CallApp
LegalCopyright : Copyright © 1999-2003 CallWave, Inc.
OriginalFilename : CallApp.exe

#:45 [cfsvcs.exe]
FilePath : C:\Program Files\TOSHIBA\ConfigFree\
ProcessID : 1092
ThreadCreationTime : 9-11-2006 4:04:20 PM
BasePriority : Normal
FileVersion : 6, 0, 0, 1
ProductVersion : 6, 0, 0, 0
ProductName : ConfigFree™
CompanyName : TOSHIBA CORPORATION
FileDescription : Service of ConfigFree.
InternalName : CFSvcs.exe
LegalCopyright : ©copyright TOSHIBA CORPORATION 2003-2005
LegalTrademarks : ConfigFree™
OriginalFilename : CFSvcs.exe
Comments : Service of ConfigFree.

#:46 [ramasst.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1172
ThreadCreationTime : 9-11-2006 4:04:22 PM
BasePriority : Normal
FileVersion : 1, 1, 0, 0
ProductVersion : 1, 1, 0, 0
CompanyName : Matsushita Electric Industrial Co., Ltd.
FileDescription : CD Burning of Windows XP disabling tool for DVD MULTI Drive
LegalCopyright : Copyright © Matsushita Electric Industrial Co., Ltd. 2002 - 2004
OriginalFilename : RAMASST.EXE

#:47 [dvdramsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1380
ThreadCreationTime : 9-11-2006 4:04:24 PM
BasePriority : Normal
FileVersion : 3, 0, 0, 0
ProductVersion : 3, 0, 0, 0
CompanyName : Matsushita Electric Industrial Co., Ltd.
FileDescription : DVD-RAM Utility Helper Service
LegalCopyright : Copyright © Matsushita Electric Industrial Co., Ltd. 2002 - 2004
OriginalFilename : DVDRAMSV.EXE

#:48 [swupdtmr.exe]
FilePath : c:\TOSHIBA\IVP\swupdate\
ProcessID : 1644
ThreadCreationTime : 9-11-2006 4:04:27 PM
BasePriority : Normal


#:49 [wdfmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2064
ThreadCreationTime : 9-11-2006 4:04:27 PM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:50 [ppshared.exe]
FilePath : C:\PROGRA~1\PeoplePC\ISP6330\Browser\
ProcessID : 2108
ThreadCreationTime : 9-11-2006 4:04:27 PM
BasePriority : Normal
FileVersion : 6, 3, 1, 6
ProductVersion : 6, 3, 0, 0
ProductName : PPShared Module
CompanyName : PeoplePC
FileDescription : PPShared Module
InternalName : PPShared
LegalCopyright : Copyright © 2006 PeoplePC
OriginalFilename : PPShared.EXE

#:51 [bartshel.exe]
FilePath : C:\Program Files\PeoplePC\ISP6330\Browser\
ProcessID : 3060
ThreadCreationTime : 9-11-2006 4:05:55 PM
BasePriority : Normal
FileVersion : 6, 3, 1, 285
ProductVersion : 6, 3, 0, 0
ProductName : PeoplePC BartShell Module
CompanyName : PeoplePC
FileDescription : BartShell Module
InternalName : BartShell
LegalCopyright : Copyright © 2006 PeoplePC
OriginalFilename : BartShel.exe

#:52 [peoplepc.exe]
FilePath : C:\Program Files\PeoplePC Accelerated\
ProcessID : 176
ThreadCreationTime : 9-11-2006 4:06:41 PM
BasePriority : Normal


#:53 [yahoomessenger.exe]
FilePath : C:\Program Files\Yahoo!\Messenger\
ProcessID : 2504
ThreadCreationTime : 9-11-2006 4:08:21 PM
BasePriority : Normal
FileVersion : 8,0,0,701
ProductVersion : 8,0,0,701
ProductName : Yahoo! Messenger
CompanyName : Yahoo! Inc.
FileDescription : Yahoo! Messenger
LegalCopyright : © 1998-2006 Yahoo! Inc. All rights reserved.

#:54 [firefox.exe]
FilePath : C:\PROGRA~1\MOZILL~1\
ProcessID : 2688
ThreadCreationTime : 9-11-2006 4:08:28 PM
BasePriority : Normal


#:55 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 2428
ThreadCreationTime : 9-11-2006 4:39:25 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:56 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3948
ThreadCreationTime : 9-11-2006 5:00:16 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 7


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Windows Object Recognized!
Type : RegData
Data :
TAC Rating : 3
Category : Vulnerability
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\windows\currentversion\policies\system
Value : DisableTaskMgr
Data :

Windows Object Recognized!
Type : RegData
Data :
TAC Rating : 3
Category : Vulnerability
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-18\software\microsoft\windows\currentversion\policies\system
Value : DisableTaskMgr
Data :

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 9


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 9


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jere@offers.worldadvertisingdirect[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:18
Value : Cookie:jere@offers.worldadvertisingdirect.com/
Expires : 12-31-2020 5:00:00 PM
LastSync : Hits:18
UseCount : 0
Hits : 18

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jere@fortunecity[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:jere@fortunecity.com/
Expires : 12-31-2020 5:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jere@ac2.valuead[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:8
Value : Cookie:jere@ac2.valuead.com/
Expires : 12-31-2020 5:00:00 PM
LastSync : Hits:8
UseCount : 0
Hits : 8

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jere@atdmt[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:jere@atdmt.com/
Expires : 9-9-2011 5:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jere@realmedia[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:11
Value : Cookie:jere@realmedia.com/
Expires : 12-31-2020 5:00:00 PM
LastSync : Hits:11
UseCount : 0
Hits : 11

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jere@casalemedia[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:16
Value : Cookie:jere@casalemedia.com/
Expires : 9-2-2007 2:37:12 AM
LastSync : Hits:16
UseCount : 0
Hits : 16

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jere@revenue[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:jere@revenue.net/
Expires : 6-9-2022 10:05:42 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jere@tribalfusion[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:jere@tribalfusion.com/
Expires : 12-31-2037 5:00:00 PM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jere@fastclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:8
Value : Cookie:jere@fastclick.net/
Expires : 9-10-2008 6:36:18 AM
LastSync : Hits:8
UseCount : 0
Hits : 8

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jere@targetnet[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:jere@targetnet.com/
Expires : 5-17-2033 8:33:20 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jere@reduxads.valuead[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:jere@reduxads.valuead.com/
Expires : 12-31-2020 5:00:00 PM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jere@zedo[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:27
Value : Cookie:jere@zedo.com/
Expires : 9-8-2016 6:21:10 AM
LastSync : Hits:27
UseCount : 0
Hits : 27

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jere@mediaplex[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:jere@mediaplex.com/
Expires : 6-21-2009 5:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 13
Objects found so far: 22



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 22


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
54 entries scanned.
New critical objects:0
Objects found so far: 22




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 22

10:30:36 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:23:38.906
Objects scanned:132534
Objects identified:15
Objects ignored:0
New critical objects:15




Can anyone help me get rid of whatever is affecting my machine? Thank you

Jere

#2 Ad Astra

    Advanced Member

  • Volunteer Security Advisor
  • 881 posts

Posted 11 September 2006 - 07:56 PM

Hi

Tracking cookies are easy to remove with Ad-Aware, and MRU List Objects are not malicious. However, there are some odd items on your system. Could you try this, please?

First boot into safe mode, if you are not familiar with this see this Microsoft article for details:

http://support.micro...kb;EN-US;315222

If you have not booted in safe mode before the screen will look different as Windows is not loading all the Windows components.


Next, log on and please clear the temp files.

Press Start, then select Run, and in the box type:

cleanmgr

Then click the OK button to start Disk Cleanup.

If it prompts for a drive, select C:. Then, when the window opens, check these three items, i.e. the radio button is pressed in:

Temporary Files
Temporary Internet Files
Recycle Bin

Then click the OK button and yes to confirm removal.

Now reboot the PC and log on as normal. Run HijackThis and post the log file. See this post for details on how to do this:

http://www.lavasofts...p?showtopic=216

Many thanks
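As an added illustration of what a log helper checks first when a HijackThis log comes back (example code written for this page; it is not Lavasoft's, HijackThis's or Ad Astra's own tool), the script below runs a few defender-side heuristics over log lines in HijackThis format: executables running out of a user's Temp directory, an Internet Explorer proxy pointed at the local machine, and browser helper objects (O2 entries) that are either missing on disk or sit directly in system32 under a short, number-suffixed name. The heuristics, the severity labels and the sample log are assumptions constructed here, not rules stated in the thread.

```python
"""Triage a HijackThis-style log for the entries a helper looks at first.

Added example for this thread; not part of HijackThis or Ad-Aware. The
heuristics below are assumptions written for illustration, and the sample
log at the bottom is constructed, not a real machine's log.
"""
import re
from dataclasses import dataclass

# Path fragments HijackThis shows for a user's temp directory (8.3 or long form).
TEMP_DIR_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# "Running processes:" section lists one full executable path per line.
RUNNING_EXE_RE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.IGNORECASE)
# R1 line carrying the IE ProxyServer value.
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>.+)$")
# O2 line: "O2 - BHO: <name> - {GUID} - <path>[ (file missing)]"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Assumed weak heuristic: 2-5 letters followed by digits, directly in system32.
SUSPICIOUS_SYS32_DLL_RE = re.compile(r"\\system32\\[a-z]{2,5}\d+\.dll$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    reason: str
    line: str


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.strip()
    if not line:
        return None

    # A process whose image lives in a temp directory is a classic dropper sign.
    if RUNNING_EXE_RE.match(line) and TEMP_DIR_RE.search(line):
        return Finding("high", "executable running from a temp directory", line)

    m = PROXY_RE.match(line)
    if m:
        proxy = m.group("proxy")
        # A proxy on localhost means something on the box sits between IE
        # and the network (ad injection, page rewriting, credential capture).
        if re.search(r"localhost|127\.0\.0\.1", proxy, re.IGNORECASE):
            return Finding("high", "IE proxy points at the local machine", line)
        return Finding("info", "IE proxy configured", line)

    m = BHO_RE.match(line)
    if m:
        if m.group("missing"):
            return Finding("medium", "BHO registered but its file is missing", line)
        if SUSPICIOUS_SYS32_DLL_RE.search(m.group("path")):
            return Finding("high", "BHO in system32 with a short numbered name", line)
    return None


def triage(log_text: str):
    """Run triage_line over every line of a log; keep only the findings."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


# Constructed sample log in HijackThis layout (paths and GUIDs are made up,
# except the Adobe Acrobat helper GUID, which is a well-known benign entry).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\user\LOCALS~1\Temp\123456.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSL encrypt - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\abc12.dll
O2 - BHO: Example Class - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\Example.dll (file missing)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.severity:6}] {finding.reason}\n         {finding.line}")
```

The script is deliberately conservative: it never decides that something is malware, only ranks lines so that a human reviewing the log (as the volunteers in this thread do) sees the proxy and Temp-directory entries before the dozens of legitimate OEM utilities. Any new heuristic should be checked against a clean machine's log first, because a rule that fires on `ctfmon.exe` or a vendor DLL is worse than no rule.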

#3 Jere

    Member

  • Members
  • 14 posts

Posted 11 September 2006 - 09:29 PM

Thank you Ad Astra,

I hope I did this right and that the following is what you requested:

Logfile of HijackThis v1.99.1
Scan saved at 4:12:22 PM, on 9/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\windows\system32\stonedrv.exe
C:\Program Files\PeoplePC\ISP6330\Browser\Bartshel.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\aspi109379.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\windows\system32\dwdsregt.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\jere\LOCALS~1\Temp\992560.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\crunner\cproc.exe
C:\Program Files\CallWave\IAM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\PeoplePC\ISP6330\Browser\PPShared.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PeoplePC\ISP6330\Browser\Bartshel.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PeoplePC Accelerated\PeoplePC.exe
C:\Documents and Settings\jere\My Documents\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soulwinner.org/start
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.soulwinner.org/start
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://live2honorgod.com/Jere
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soulwinner.org/start
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.soulwinner.org/start
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.soulwinner.org/start
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://live2honorgod.com/Jere
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsu19.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PPCScamBHO Class - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll (file missing)
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6330\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [loaddr] C:\vcdsojv.exe
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [lgh3f61f] RUNDLL32.EXE w5e31a0d.dll,n 0043f61b000000055e31a0d
O4 - HKLM\..\Run: [ngh3f621] RUNDLL32.EXE w5e3e107.dll,n 0043f61d000000025e3e107
O4 - HKLM\..\Run: [ogh3f622] RUNDLL32.EXE w5e323b2.dll,n 0043f61e000000055e323b2
O4 - HKLM\..\Run: [ms061348175214] C:\WINDOWS\ms061348175214.exe
O4 - HKLM\..\Run: [{F8-8E-E2-24-ZN}] C:\windows\system32\dwdsregt.exe ELT001
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\pwinopex.exe ELT001
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\jere\LOCALS~1\Temp\995632.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\jere\LOCALS~1\Temp\992560.exe
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\oodsregl.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\pwinopex.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc...oad/ppcwebi.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1197E88E-3CC7-4C84-AE0A-99389765F509}: NameServer = 205.171.3.65 205.171.2.65
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi109379.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

Again thanks for the help.

Jere

#4 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • 8814 posts

Posted 11 September 2006 - 11:14 PM

Hi Jere,

I'm here to assist with the result of the HijackThis scan, as you have a large number of randomly named processes and files running.

You have a number of suspicious files I'd like to examine further to determine what they are and the best way to remove them.

Go here to upload the files as attachments
http://www.thespykil...x.php?board=1.0
Just press new topic (Make the subject: For CalamityJane from Jere at LS ),
fill in a short message, then press the Browse button and navigate to and select these files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select it the same way. When all the files are listed in the window, press the *Post* button to upload the files.

Files to attach for upload:

C:\WINDOWS\system32\nsu19.dll

C:\vcdsojv.exe

c:\windows\system32\stonedrv.exe

C:\windows\system32\dwdsregt.exe

C:\WINDOWS\system32\pwinopex.exe

C:\DOCUME~1\jere\LOCALS~1\Temp\995632.exe

C:\DOCUME~1\jere\LOCALS~1\Temp\992560.exe

C:\WINDOWS\system32\crunner\cproc.exe (Do you know what crunner is? If not, upload all files in that folder/directory)

C:\WINDOWS\system32\oodsregl.exe

C:\WINDOWS\system32\pwinopex.exe

You'll need to do a search to find the location of these last few. Once found please upload these too:

w5e31a0d.dll

w5e3e107.dll

w5e323b2.dll

ms061348175214.exe


(Do not post HJT logs there as they will not get dealt with)

You DO NOT need to be a member to upload, anybody can upload the files

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to collect the file from there and will reply back here to you in this topic with steps to remove it, once I determine what it is.
..................................
When you are done uploading the files, please come back to this topic here and follow these instructions next to produce a different log I need to see.

Open HijackThis and instead of scan, choose *Open Misc Tools Section*

Next, choose *Open Uninstall Manager*

When done, press the *save list* button.

This will create a list and Notepad should pop up with a text file. Please copy and paste the contents of that file back here.

We can then start to map a process to best remove these problems.
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give personal support via PM. The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009
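The helper's reading of the log above (randomly named processes and DLLs, executables started from a Temp directory, RUNDLL32 loading a DLL by bare name, a BHO whose file is missing, IE proxied through localhost, sites in the Trusted Zone) can be turned into a repeatable triage pass. The script below is an added example, not code from this thread, from HijackThis or from Lavasoft; it runs those heuristics over a constructed excerpt modelled on the posted log. The digit-ratio cut-off of 0.4 and all function names are my own assumptions.

```python
import re

# Constructed excerpt modelled on the HijackThis log posted above; not the user's full log.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsu19.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lgh3f61f] RUNDLL32.EXE w5e31a0d.dll,n 0043f61b000000055e31a0d
O4 - HKLM\..\Run: [ms061348175214] C:\WINDOWS\ms061348175214.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\jere\LOCALS~1\Temp\992560.exe
O15 - Trusted Zone: *.elitemediagroup.net
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi109379.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Assumed cut-off: a name whose alphanumerics are 40%+ digits is treated as random-looking.
RANDOM_NAME_DIGIT_RATIO = 0.4

def digit_ratio(stem):
    """Fraction of alphanumeric characters that are digits, a crude 'generated name' signal."""
    chars = [c for c in stem if c.isalnum()]
    return sum(c.isdigit() for c in chars) / len(chars) if chars else 0.0

def file_stem(path):
    # Basename without extension: C:\WINDOWS\ms061348175214.exe -> ms061348175214
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0] if "." in base else base

def launch_target(cmd):
    """File an O4 command line actually starts; for RUNDLL32 that is the DLL argument."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path containing spaces
        end = cmd.find('"', 1)
        first, rest = cmd[1:end], cmd[end + 1:].split()
    else:
        parts = cmd.split(None, 1)
        first = parts[0]
        rest = parts[1].replace('"', "").split() if len(parts) > 1 else []
    if first.lower().endswith("rundll32.exe") and rest:
        return rest[0].split(",")[0]             # "w5e31a0d.dll,n" -> "w5e31a0d.dll"
    return first

def looks_random(name):
    return digit_ratio(name) >= RANDOM_NAME_DIGIT_RATIO

def triage_line(line):
    """Reasons a single HijackThis line deserves a closer look; empty list means nothing noted."""
    reasons = []
    if m := O4_RE.match(line):
        target = launch_target(m["cmd"])
        stem = file_stem(target)
        if m["key"].lower() == "runservices":
            reasons.append("RunServices is a Win9x-era key that legitimate XP software rarely uses")
        if re.search(r"\\temp\\", target, re.I) or "LOCALS~1" in target.upper():
            reasons.append("autorun starts an executable from a Temp directory")
        if m["cmd"].lower().startswith("rundll32") and "\\" not in target:
            reasons.append("RUNDLL32 loads a DLL by bare name, resolved through the DLL search path")
        if looks_random(stem):
            reasons.append(f"random-looking name {stem!r} ({digit_ratio(stem):.0%} digits)")
    elif m := O2_RE.match(line):
        if "(file missing)" in m["path"]:
            reasons.append("BHO is registered but its DLL is missing (orphaned or self-hiding)")
        if looks_random(file_stem(m["path"].replace(" (file missing)", ""))):
            reasons.append("BHO DLL has a random-looking name")
    elif m := O23_RE.match(line):
        if m["owner"] == "Unknown owner" and looks_random(file_stem(m["path"])):
            reasons.append("service has no known vendor and a random-looking file name")
    elif line.startswith("R1 ") and "ProxyServer" in line and "localhost" in line.lower():
        reasons.append("IE proxied through localhost: a local process sees every web request")
    elif line.startswith("O15 - Trusted Zone:"):
        reasons.append("site added to the IE Trusted Zone, which relaxes ActiveX and script prompts")
    return reasons

def triage_log(text):
    """Map each suspicious log line to its reasons; lines with nothing noted are left out."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and (reasons := triage_line(line)):
            findings[line] = reasons
    return findings

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_HJT_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run as-is it prints nine of the thirteen sample lines with their reasons and stays silent on the Intel, QuickTime, Google and Toshiba entries. The heuristics are deliberately simple and will miss a payload with a plain English name (stonedrv.exe is caught only by its RunServices registration), so they narrow the list a helper has to look at by hand rather than replace that look.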

#5 Jere

Jere

    Member

  • Members
  • 14 posts

Posted 12 September 2006 - 06:30 PM

Thank you CalamityJane for the help that you're willing to offer, it is much appreciated. I have tried to do as you requested but am having major issues getting it done. I have registered and tried to upload the files you asked to see but this is where the problems start. My computer freezes when I click on the file that is to be attached to the upload.


Is there another way for me to get these files to you? I haven't tried yet but maybe I can FTP them to one of my web sites and you could access them from there? Any suggestions you have would be greatly appreciated.

Thank you again.

Jere

#6 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • 8814 posts

Posted 12 September 2006 - 06:59 PM

Hi,

I do have another method, yes.

I'm going to nuke them with a tool and then have you password the backups the tool makes and then you should be able to upload them.

I have the location for ms061348175214.exe (it's in the C:\Windows directory)

But if you could please tell me the location of these files, I can write up that list and instructions.

w5e31a0d.dll

w5e3e107.dll

w5e323b2.dll


#7 Jere

Jere

    Member

  • Members
  • 14 posts

Posted 12 September 2006 - 09:02 PM

Hi,

All three of these files are in C:\WINDOWS\system32


Thanks

#8 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • 8814 posts

Posted 12 September 2006 - 09:12 PM

Super! Give me a few minutes to write this up.

I'm going to leave out crunner, since I don't know what that is. Do you?

C:\WINDOWS\system32\crunner\cproc.exe

It looks like it might be something legit from searches I've done on it.

#9 Jere

Jere

    Member

  • Members
  • 14 posts

Posted 12 September 2006 - 09:53 PM

No Jane, I'm sorry, I have no idea what crunner is or what program it's attached to.

Jere

#10 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • 8814 posts

Posted 12 September 2006 - 09:54 PM

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in bold below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\WINDOWS\system32\nsu19.dll
C:\vcdsojv.exe
c:\windows\system32\stonedrv.exe
C:\windows\system32\dwdsregt.exe
C:\WINDOWS\system32\pwinopex.exe
C:\DOCUME~1\jere\LOCALS~1\Temp\995632.exe
C:\DOCUME~1\jere\LOCALS~1\Temp\992560.exe
C:\WINDOWS\ms061348175214.exe
C:\WINDOWS\system32\oodsregl.exe
C:\WINDOWS\system32\pwinopex.exe
C:\WINDOWS\system32\w5e31a0d.dll
C:\WINDOWS\system32\w5e3e107.dll
C:\WINDOWS\system32\w5e323b2.dll



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log
............................
Navigate to: C:\avenger\backup.zip.

1. Double-click the compressed folder that you want to password protect.
2. On the File menu, click Add a Password.
3. In the Password box, type the password: infected.
Type the same password in the Confirm Password box, and then click OK.

Go here to upload the file as an attachment
http://www.thespykil...x.php?board=1.0
Just press new topic (Make the subject: For CalamityJane from Jere at LS ),
fill in a short message & then press the browse button and then navigate to & select this file on your computer, then press the *Post* button to upload the file

File to attach for upload:
C:\avenger\backup.zip

(Do not post HJT logs there as they will not get dealt with)

You DO NOT need to be a member to upload, anybody can upload the files - you can post as a guest.

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to collect the file from there and will reply back here to you in this topic with the results and any further steps needed to remove them, if any.

#11 Jere

Jere

    Member

  • Members
  • 14 posts

Posted 12 September 2006 - 10:55 PM

Hi Jane,

Here are the files you requested.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\aptskyxv

*******************

Script file located at: \??\C:\Program Files\joknhowk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\nsu19.dll not found!
Deletion of file C:\WINDOWS\system32\nsu19.dll failed!

Could not process line:
C:\WINDOWS\system32\nsu19.dll
Status: 0xc0000034



File C:\vcdsojv.exe not found!
Deletion of file C:\vcdsojv.exe failed!

Could not process line:
C:\vcdsojv.exe
Status: 0xc0000034

File c:\windows\system32\stonedrv.exe deleted successfully.
File C:\windows\system32\dwdsregt.exe deleted successfully.
File C:\WINDOWS\system32\pwinopex.exe deleted successfully.
File C:\DOCUME~1\jere\LOCALS~1\Temp\995632.exe deleted successfully.
File C:\DOCUME~1\jere\LOCALS~1\Temp\992560.exe deleted successfully.
File C:\WINDOWS\ms061348175214.exe deleted successfully.
File C:\WINDOWS\system32\oodsregl.exe deleted successfully.


File C:\WINDOWS\system32\pwinopex.exe not found!
Deletion of file C:\WINDOWS\system32\pwinopex.exe failed!

Could not process line:
C:\WINDOWS\system32\pwinopex.exe
Status: 0xc0000034

File C:\WINDOWS\system32\w5e31a0d.dll deleted successfully.
File C:\WINDOWS\system32\w5e3e107.dll deleted successfully.
File C:\WINDOWS\system32\w5e323b2.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Logfile of HijackThis v1.99.1
Scan saved at 5:56:25 PM, on 9/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\aspi109379.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\PeoplePC\ISP6330\Browser\Bartshel.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PeoplePC\ISP6330\Browser\PPShared.exe
C:\WINDOWS\system32\crunner\cproc.exe
C:\Program Files\CallWave\IAM.exe
C:\WINDOWS\system32\RAMASST.exe
c:\windows\system32\dwdsregt.exe
C:\Program Files\PeoplePC\ISP6330\Browser\Bartshel.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\PeoplePC Accelerated\PeoplePC.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\jere\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soulwinner.org/start
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.soulwinner.org/start
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://live2honorgod.com/Jere
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soulwinner.org/start
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.soulwinner.org/start
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.soulwinner.org/start
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://live2honorgod.com/Jere
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsg6D.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PPCScamBHO Class - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll (file missing)
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6330\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [loaddr] C:\vcdsojv.exe
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [lgh3f61f] RUNDLL32.EXE w5e31a0d.dll,n 0043f61b000000055e31a0d
O4 - HKLM\..\Run: [ngh3f621] RUNDLL32.EXE w5e3e107.dll,n 0043f61d000000025e3e107
O4 - HKLM\..\Run: [ogh3f622] RUNDLL32.EXE w5e323b2.dll,n 0043f61e000000055e323b2
O4 - HKLM\..\Run: [ms061348175214] C:\WINDOWS\ms061348175214.exe
O4 - HKLM\..\Run: [{F8-8E-E2-24-ZN}] c:\windows\system32\dwdsregt.exe ELT001
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\owinnpex.exe ELT001
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\jere\LOCALS~1\Temp\995632.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\jere\LOCALS~1\Temp\992560.exe
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\omdsregn.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owinnpex.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc...oad/ppcwebi.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1197E88E-3CC7-4C84-AE0A-99389765F509}: NameServer = 205.171.3.65 205.171.2.65
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi109379.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
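Two things in the logs above are worth checking mechanically before the next round: which Avenger deletions failed and why (Status 0xc0000034 is the NTSTATUS value STATUS_OBJECT_NAME_NOT_FOUND, i.e. the file was already gone or renamed), and which entries changed between the 9/11 and 9/12 HijackThis logs when the two are compared by a key that survives a file rename (the BHO CLSID, the Run-key value name, the .lnk name) rather than by file name. The comparison also shows Run entries that still point at files Avenger did delete. The script below is an added example, not code from this thread or from either tool; the log excerpts are constructed from the posts above and the function names are my own.

```python
import re

# Constructed excerpts modelled on the Avenger log and the two HijackThis logs posted above.
AVENGER_LOG = r"""
File C:\WINDOWS\system32\nsu19.dll not found!
Deletion of file C:\WINDOWS\system32\nsu19.dll failed!

Could not process line:
C:\WINDOWS\system32\nsu19.dll
Status: 0xc0000034

File c:\windows\system32\stonedrv.exe deleted successfully.
File C:\WINDOWS\system32\pwinopex.exe deleted successfully.
File C:\WINDOWS\system32\oodsregl.exe deleted successfully.
"""
HJT_BEFORE = r"""
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsu19.dll
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\pwinopex.exe ELT001
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\oodsregl.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\pwinopex.exe
"""
HJT_AFTER = r"""
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsg6D.dll
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\owinnpex.exe ELT001
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\omdsregn.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owinnpex.exe
"""

# NTSTATUS values The Avenger prints on failure; only the one seen in the log above is listed.
NTSTATUS_NAMES = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

DELETED_RE = re.compile(r"^File (?P<path>.+) deleted successfully\.$")
FAILED_RE = re.compile(r"^Deletion of file (?P<path>.+) failed!$")
STATUS_RE = re.compile(r"^Status: (?P<code>0x[0-9A-Fa-f]+)$")

# Lines whose identity survives a file rename: BHO/toolbar CLSID, Run-key value name, .lnk name.
KEYED_LINE_RES = [
    re.compile(r"^(?P<kind>O2 - BHO|O3 - Toolbar): .*? - (?P<key>\{[0-9A-Fa-f-]+\}) - (?P<value>.*)$"),
    re.compile(r"^(?P<kind>O4) - (?P<key>HK\w+\\\.\.\\Run\w*: \[[^\]]*\]) (?P<value>.*)$"),
    re.compile(r"^(?P<kind>O4) - (?P<key>(?:Global )?Startup: .+?\.lnk) = (?P<value>.*)$"),
]

def parse_avenger(text):
    """Split an Avenger log into deleted files and failed files with the NTSTATUS name."""
    deleted, failed, pending = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := DELETED_RE.match(line):
            deleted.append(m["path"])
        elif m := FAILED_RE.match(line):
            pending = m["path"]
            failed[pending] = "unknown status"
        elif (m := STATUS_RE.match(line)) and pending:
            failed[pending] = NTSTATUS_NAMES.get(int(m["code"], 16), m["code"])
            pending = None
    return {"deleted": deleted, "failed": failed}

def stable_key(line):
    """(key, value) for a line that can be matched across logs by something other than file name."""
    for rx in KEYED_LINE_RES:
        if m := rx.match(line):
            return f"{m['kind']} {m['key']}", m["value"]
    return None

def index_log(text):
    entries = {}
    for line in text.splitlines():
        kv = stable_key(line.strip())
        if kv:
            entries[kv[0]] = kv[1]
    return entries

def diff_hjt(before, after):
    """Compare two logs by stable key; a 'changed' entry is the same hook pointing at a renamed file."""
    b, a = index_log(before), index_log(after)
    return {
        "changed": {k: (b[k], a[k]) for k in b.keys() & a.keys() if b[k].lower() != a[k].lower()},
        "added": {k: a[k] for k in a.keys() - b.keys()},
        "removed": {k: b[k] for k in b.keys() - a.keys()},
    }

def stale_autoruns(deleted_paths, after_log):
    """Autorun lines in the post-cleanup log that still reference a file Avenger deleted."""
    wanted = [p.lower() for p in deleted_paths]
    return [line.strip() for line in after_log.splitlines()
            if any(p in line.lower() for p in wanted)]

if __name__ == "__main__":
    result = parse_avenger(AVENGER_LOG)
    for path, status in result["failed"].items():
        print("not deleted:", path, status)
    for key, (old, new) in diff_hjt(HJT_BEFORE, HJT_AFTER)["changed"].items():
        print("renamed:", key, old, "->", new)
    for line in stale_autoruns(result["deleted"], HJT_AFTER):
        print("entry left behind:", line)
```

On the constructed excerpts this reports nsu19.dll as not found, four hooks whose target file was renamed between the two logs (the BHO CLSID now loads nsg6D.dll, ExploreUpdSched and Think-Adz load owinnpex.exe, TA_Start loads omdsregn.exe), and the stonedrv Run entry that still references a file Avenger removed. Keying on the CLSID and value name is what makes a rename visible; a diff on raw lines would only show one line vanishing and an unrelated-looking one appearing.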

#12 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • 8814 posts

Posted 13 September 2006 - 12:26 AM

Thanks, Jere,

I got them just fine. I missed one and the BHO has changed its name. I'd like to try that one more time please to try to capture the BHO and the missed file at least, so I can submit them for detection.

2. Copy all the text contained in bold below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:

C:\WINDOWS\system32\aspi109379.exe
C:\WINDOWS\system32\omdsregn.exe
C:\WINDOWS\system32\owinnpex.exe
C:\WINDOWS\system32\nsg6D.dll
c:\windows\system32\dwdsregt.exe
C:\WINDOWS\system32\aspi109379.exe



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log

Upload the C:\avenger\backup.zip to the Spykiller upload topic you started earlier here:
http://www.thespykil...hp?topic=2559.0
........................
One of those earlier files was a remote access trojan. You should be aware of the risks.

http://www.sophos.co...rojcosiamk.html

Troj/Cosiam-K Trojan
Summary

Side effects

* Allows others to access the computer
* Drops more malware
* Installs itself in the Registry


What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
http://www.microsoft...o/virusrat.mspx

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

Open HijackThis and do a *system scan only*

Checkmark these entries in the list, then press the *fix checked* button

O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsg6D.dll

O2 - BHO: PPCScamBHO Class - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll (file missing)

O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)

O4 - HKLM\..\Run: [loaddr] C:\vcdsojv.exe

O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe

O4 - HKLM\..\Run: [lgh3f61f] RUNDLL32.EXE w5e31a0d.dll,n 0043f61b000000055e31a0d

O4 - HKLM\..\Run: [ngh3f621] RUNDLL32.EXE w5e3e107.dll,n 0043f61d000000025e3e107

O4 - HKLM\..\Run: [ogh3f622] RUNDLL32.EXE w5e323b2.dll,n 0043f61e000000055e323b2

O4 - HKLM\..\Run: [ms061348175214] C:\WINDOWS\ms061348175214.exe

O4 - HKLM\..\Run: [{F8-8E-E2-24-ZN}] c:\windows\system32\dwdsregt.exe ELT001

O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"

O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\owinnpex.exe ELT001

O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe

O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe

O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\jere\LOCALS~1\Temp\995632.exe

O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\jere\LOCALS~1\Temp\992560.exe

O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\omdsregn.exe

O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owinnpex.exe

O15 - Trusted Zone: *.elitemediagroup.net

O15 - Trusted Zone: *.mmohsix.com

O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab

O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi109379.exe

Reboot your PC

Scan once more and post a fresh HijackThis log please.
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009
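Added example (not code from this thread, nor from HijackThis or Lavasoft): a small Python triage script that parses HijackThis-style entry lines and flags the patterns the fix list above relies on: autoruns launched from a Temp directory or the drive root, rundll32 loading a DLL with no path, an autorun that opens a URL in IE, Trusted Zone additions, unnamed ActiveX downloads (DPF), a Microsoft-named service with an unknown owner, and orphaned "(file missing)" entries. The sample log, the rule set and the function names are all constructed here; a hit is a lead for a helper to review, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the HijackThis entries posted in this thread
# (entries CalamityJane had the user fix, plus two legitimate ones for contrast).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\system32\svchost.exe
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsg6D.dll
O4 - HKLM\..\Run: [loaddr] C:\vcdsojv.exe
O4 - HKLM\..\Run: [lgh3f61f] RUNDLL32.EXE w5e31a0d.dll,n 0043f61b000000055e31a0d
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\jere\LOCALS~1\Temp\995632.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi109379.exe (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
"""

# A HijackThis entry is "<section> - <body>"; process-list and header lines do not match.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# (section or None for any, pattern tested against the body, reason). Heuristics only:
# each hit is a reason to look closer at an entry, not proof that it is malicious.
RULES = [
    ("O4", re.compile(r"\\Temp\\", re.I), "autorun launches from a Temp directory"),
    ("O4", re.compile(r'\b[A-Z]:\\[^\\\s"]+\.exe\b', re.I), "autorun executable sits in the drive root"),
    ("O4", re.compile(r"rundll32(\.exe)?\s+[^\\\s]+\.dll", re.I), "rundll32 loads a DLL given without a path"),
    ("O4", re.compile(r"iexplore\.exe.*https?://", re.I), "autorun opens a URL in Internet Explorer"),
    ("O15", re.compile(r"Trusted Zone:", re.I), "site placed in the IE Trusted Zone (weaker security settings)"),
    ("O16", re.compile(r"^DPF: \{[0-9A-F-]+\} - https?://", re.I), "ActiveX download (DPF) with no friendly name"),
    ("O23", re.compile(r"Microsoft.*Unknown owner", re.I), "service with a Microsoft-style name but unknown owner"),
    (None, re.compile(r"\(file missing\)", re.I), "entry points at a file that no longer exists (orphan)"),
]


@dataclass
class Finding:
    section: str
    entry: str
    reasons: list


def parse_entries(log_text):
    """Yield (section, body) for each HijackThis entry line in the log."""
    for raw in log_text.splitlines():
        match = HJT_LINE.match(raw.strip())
        if match:
            yield match.group("section"), match.group("body")


def assess(section, body):
    """Return the rule reasons that fire for one entry (empty list if none)."""
    return [reason for rule_section, pattern, reason in RULES
            if rule_section in (None, section) and pattern.search(body)]


def triage(log_text):
    """Run every entry through the rules; return only the entries worth a closer look."""
    findings = []
    for section, body in parse_entries(log_text):
        reasons = assess(section, body)
        if reasons:
            findings.append(Finding(section, f"{section} - {body}", reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.entry)
        for reason in finding.reasons:
            print("    ->", reason)
```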

#13 LS CalamityJane

    Former Lavasoft Staff

  • Members
  • 8814 posts

Posted 13 September 2006 - 03:27 PM

Hi Jere,

Have you run the HijackThis steps yet? Can you post a fresh Hijackthis log after the reboot?

#14 Jere

    Member

  • Members
  • 14 posts

Posted 13 September 2006 - 05:57 PM

Jane,

Sorry for the delay.....the latest file is included.


Logfile of HijackThis v1.99.1
Scan saved at 11:58:17 AM, on 9/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\PeoplePC\ISP6330\Browser\Bartshel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\crunner\cproc.exe
C:\Program Files\CallWave\IAM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\PeoplePC\ISP6330\Browser\PPShared.exe
C:\Documents and Settings\jere\My Documents\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soulwinner.org/start
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.soulwinner.org/start
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://live2honorgod.com/Jere
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soulwinner.org/start
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.soulwinner.org/start
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.soulwinner.org/start
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://live2honorgod.com/Jere
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6330\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc...oad/ppcwebi.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi109379.exe (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

#15 LS CalamityJane

    Former Lavasoft Staff

  • Members
  • 8814 posts

Posted 13 September 2006 - 07:21 PM

No problem, Jere. Delays are not a problem here, just didn't know how you were making out.

That last log looks pretty good. Some remnants to clean up; I'll post further down on how to fix them.

I still don't know what that crunner is. Do you have something like that listed in Add/Remove programs in the Control Panel? I don't have any evidence it is malware, but you should at least be aware of what it is and what it does anyway.

If you want to upload some of the files in that folder to the Spykiller uploads topic, I'll be happy to look at it for you.
C:\WINDOWS\system32\crunner
....................
Open HijackThis and do a *system scan only*
When it finishes, checkmark these entries and then press the *fix checked* button

O3 - Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)

O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi109379.exe (file missing)

Let me know how your computer is acting now.

#16 Jere

    Member

  • Members
  • 14 posts

Posted 13 September 2006 - 09:35 PM

Hi Jane,

I have uploaded the crunner files for you...two are exe files. The computer is running much better now and seems to be back to normal. It's not freezing up and there are no more ads popping up all the time. I honestly have no clue how you can know what to do to fix this like you did, but I am very grateful.

I haven't looked into formatting the computer yet because I didn't know if I should do that before we were done doing what you had to do. Should I still do this?

Thanks for all your help, Jane, and if you have PayPal I'd love to pass along a little thank you gift.

Jere

#17 LS CalamityJane

    Former Lavasoft Staff

  • Members
  • 8814 posts

Posted 14 September 2006 - 12:47 AM

Hi Jere,

I got the files, not sure what it is. Only BitDefender thinks it is Clickspring AdWare. I've submitted the file to numerous AV/AS/AT vendors for an analysis by email. I'll wait to see if anyone else finds this is Clickspring.

These were the initial scan results. I'll get more in reply to my email submission.

Complete scanning result of "cupdater.exe", received in VirusTotal at 09.13.2006, 23:52:37 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.13.2006 no virus found
Authentium 4.93.8 09.13.2006 no virus found
Avast 4.7.844.0 09.13.2006 no virus found
AVG 386 09.13.2006 no virus found
BitDefender 7.2 09.13.2006 Adware.Clickspring.AA
CAT-QuickHeal 8.00 09.13.2006 no virus found
ClamAV devel-20060426 09.13.2006 no virus found
eTrust-InoculateIT 23.72.123 09.13.2006 no virus found
eTrust-Vet 30.3.3076 09.13.2006 no virus found
DrWeb 4.33 09.13.2006 no virus found
Ewido 4.0 09.13.2006 no virus found
Fortinet 2.82.0.0 09.13.2006 no virus found
F-Prot 3.16f 09.13.2006 no virus found
F-Prot4 4.2.1.29 09.13.2006 no virus found
Ikarus 0.2.65.0 09.13.2006 no virus found
Kaspersky 4.0.2.24 09.13.2006 no virus found
McAfee 4851 09.13.2006 no virus found
Microsoft 1.1560 09.13.2006 no virus found
NOD32v2 1.1754 09.13.2006 no virus found
Norman 5.80.02 09.13.2006 no virus found
Panda 9.0.0.4 09.13.2006 no virus found
Sophos 4.09.0 09.13.2006 no virus found
Symantec 8.0 09.13.2006 no virus found
TheHacker 5.9.8.210 09.13.2006 no virus found
UNA 1.83 09.13.2006 no virus found
VBA32 3.11.1 09.13.2006 no virus found
VirusBuster 4.3.7:9 09.13.2006 no virus found

Aditional Information
File size: 16384 bytes
MD5: 6dcf86ad71e2ad74280f5b8ca9502ed1
SHA1: d4afa91961f4fa57add1945f1c2e0c4200be46ff

.................
Complete scanning result of "cproc.exe", received in VirusTotal at 09.14.2006, 00:02:22 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.13.2006 no virus found
Authentium 4.93.8 09.13.2006 no virus found
Avast 4.7.844.0 09.13.2006 no virus found
AVG 386 09.13.2006 no virus found
BitDefender 7.2 09.13.2006 Adware.Clickspring.AA
CAT-QuickHeal 8.00 09.13.2006 no virus found
ClamAV devel-20060426 09.13.2006 no virus found
DrWeb 4.33 09.13.2006 no virus found
eTrust-InoculateIT 23.72.123 09.13.2006 no virus found
eTrust-Vet 30.3.3076 09.13.2006 no virus found
Ewido 4.0 09.13.2006 no virus found
Fortinet 2.82.0.0 09.13.2006 no virus found
F-Prot 3.16f 09.13.2006 no virus found
F-Prot4 4.2.1.29 09.13.2006 no virus found
Ikarus 0.2.65.0 09.13.2006 no virus found
Kaspersky 4.0.2.24 09.13.2006 no virus found
McAfee 4851 09.13.2006 no virus found
Microsoft 1.1560 09.13.2006 no virus found
NOD32v2 1.1754 09.13.2006 no virus found
Norman 5.90.23 09.13.2006 no virus found
Panda 9.0.0.4 09.13.2006 no virus found
Sophos 4.09.0 09.13.2006 no virus found
Symantec 8.0 09.13.2006 no virus found
TheHacker 5.9.8.210 09.13.2006 no virus found
UNA 1.83 09.13.2006 no virus found
VBA32 3.11.1 09.13.2006 no virus found
VirusBuster 4.3.7:9 09.13.2006 no virus found

Aditional Information
File size: 20480 bytes
MD5: bd16c16a42d3a3f10d6f7afecf7110ff
SHA1: 26b3e22c668866f265f3b909f91bfbc75988cea9

#18 Jere

    Member

  • Members
  • 14 posts

Posted 14 September 2006 - 02:45 PM

I'm curious as to what you get back about this. I have not installed this program and am quite sure it didn't come preloaded when I bought the computer a few months back.

Thanks again, Jane, for all your help.


Jere

#19 LS CalamityJane

    Former Lavasoft Staff

  • Members
  • 8814 posts

Posted 14 September 2006 - 05:46 PM

Good morning Jere,

I have two responses here from my email submissions. Both Kaspersky and AntiVir are calling this new malware (TR/Dldr.MSIL.Agent.C), so let's delete it.

Open HijackThis and do a *system scan only*
When it finishes, checkmark this entry in the list. Then press the *fix checked* button.

O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe

Then delete this entire folder:

C:\WINDOWS\system32\crunner

#20 Jere

    Member

  • Members
  • 14 posts

Posted 14 September 2006 - 11:20 PM

Jane,

Again, thanks for the extra work.

I've run HJT and deleted that directory. Everything should be clean now, right?

Jere
