Got a bad feeling about this DLL



LadyGrey
12-21-2007, 08:24 PM
Working on a computer, getting a RUNDLL error message on startup:
C:\windows\system32\ttpuvheh.dll could not be opened
The module could not be found.
I've searched on Google just about every way I can think of and it comes up with zip, nada, zilch.
Anyone have any ideas?
I think it's a nasty myself but I'm sure stumped on how to get rid of it.
Thanks as always,
LG;)

Budfred
12-21-2007, 08:43 PM
Probably Vundo or Smitfraud... Got a log to check out??

LadyGrey
12-21-2007, 08:52 PM
Hi Budfred and thanks, not yet on the log but will have in the next hour or so!
LG;)

LadyGrey
12-21-2007, 09:11 PM
While I'm waiting for some other things to finish so I can get the log, let me give you just a tad of background on the computer. Toshiba Satellite A55-S1063 laptop running a scaled-down version of XP Home. The young man's father was trying to do something nice a couple of Christmases ago and bought a display model off the shelf at a Wally Mart with no disks and no documentation, not even a box. This was a mess and still is to some extent. I let the AVGs do their thing: 150 malware, 59 trojans and loop back viruses. Seemed to make it run a bit better after that was taken care of. Then had two Found New Hardware screens that kept coming up, turned out to be video related, found the correct drivers and put those in so that's done. Now just this nasty DLL error screen is left, then I can get working on some of the simpler things, like disabling those heaven-awful pop-up balloons!!
Going to see if Toshiba will sell the original restore disks to this young man, I kinda doubt it but all they can say is no so I'll try.
Don't see how it is running XP anyway. Only a 1.5 GHz CPU with 256 MB RAM and a 40 GB HDD.
Ok, let me go finish up with this other stuff and get the log to you.
Thanks again,
LG;)

PrntRhd
12-21-2007, 09:21 PM
Notebook likely never had recovery disks, just a recovery partition, and should have had the partition burned to backup media immediately.
Of course they did not tell the purchaser that, so here we are.
Scaled down XP Home?

LadyGrey
12-21-2007, 09:48 PM
Hiya Prnt,
Yep, that's what I call it. It's not fully functional; just for instance, all the desktop wallpapers are greyed out, they are there but have been locked by a reg key so they can't be accessed or changed. I think I've got a way to edit the reg so that they can use the wallpapers. Just other small things: Media Player was not on it at all. That ships, as far as I know, with any Windoze version. Lots and lots of WalMart bologna on there that I will address as soon as I can get this darn error screen gone. Remember it was a display model, so it most likely had a scaled-down version of XP on it put there by Toshiba for WalMart to use to sell the computer. Kinda a mini XP:D
Of course they were running no firewall and no antivirus and no antispyware, oh, I take that back, the Windoze firewall was on,:rolleyes: like I said, no firewall! :D
I hope I do the hijackthis log right, haven't run one in donkey ages.
Just about ready to put it up.
LG;)

LadyGrey
12-21-2007, 10:01 PM
OK here we go.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:01 PM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\walmart.TOSHIBA-USER\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: {555f4acd-c56a-ece8-a274-2abaa556d83b} - {b38d655a-aba2-472a-8ece-a65cdca4f555} - C:\WINDOWS\system32\lcnrufqs.dll (file missing)
O2 - BHO: (no name) - {BFE96C4D-D078-4003-A191-9F39B0B6F6EF} - C:\WINDOWS\system32\awtqr.dll (file missing)
O3 - Toolbar: (no name) - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [4882da28] rundll32.exe "C:\WINDOWS\system32\ttpuvheh.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll (file missing)
O20 - Winlogon Notify: awtut - C:\WINDOWS\system32\awtut.dll (file missing)
O20 - Winlogon Notify: khffc - C:\WINDOWS\system32\khffc.dll (file missing)
O20 - Winlogon Notify: mljklig - mljklig.dll (file missing)
O20 - Winlogon Notify: pmkhe - C:\WINDOWS\system32\pmkhe.dll (file missing)
O20 - Winlogon Notify: vtuvu - C:\WINDOWS\system32\vtuvu.dll (file missing)
O20 - Winlogon Notify: wvurs - C:\WINDOWS\system32\wvurs.dll (file missing)
O20 - Winlogon Notify: wvuvw - C:\WINDOWS\system32\wvuvw.dll (file missing)
O20 - Winlogon Notify: yabxw - C:\WINDOWS\system32\yabxw.dll (file missing)
O20 - Winlogon Notify: yabyy - C:\WINDOWS\system32\yabyy.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
--
End of file - 7044 bytes
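
The log above is what the helpers in this thread read by eye. As an added example (not part of the thread and not HijackThis's own code), here is a small Python triage script that applies the structural rules a helper uses on the O2/O3/O4/O20 lines: a registration whose file is missing, a Winlogon Notify package with a random-looking name, a BHO with no readable name, and a Run value named with eight hex digits that uses rundll32 to load a system32 DLL by a one-letter export. The sample lines are copied from the log above; the rules, thresholds and the list of stock XP Notify packages are my own assumptions.

```python
"""Triage a HijackThis log for the persistence patterns seen in this thread.

Added example, not from the thread or from HijackThis. The rules are
structural heuristics (my assumptions, not the tool's), so every hit still
needs a human or a reputation lookup before anything is deleted.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the first HijackThis log in this
# thread, plus benign lines so the rules have something to leave alone.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: {555f4acd-c56a-ece8-a274-2abaa556d83b} - {b38d655a-aba2-472a-8ece-a65cdca4f555} - C:\WINDOWS\system32\lcnrufqs.dll (file missing)
O2 - BHO: (no name) - {BFE96C4D-D078-4003-A191-9F39B0B6F6EF} - C:\WINDOWS\system32\awtqr.dll (file missing)
O3 - Toolbar: (no name) - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [4882da28] rundll32.exe "C:\WINDOWS\system32\ttpuvheh.dll",b
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll (file missing)
O20 - Winlogon Notify: mljklig - mljklig.dll (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^HK.*?\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)', re.I)
GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
# Stock Windows XP Winlogon Notify packages (assumed allowlist, lower-cased).
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def triage_line(line: str) -> List[str]:
    """Return the reasons one HJT line is suspicious (empty list if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons = []

    # Rule 1: a hook registered in the registry whose file is gone is the
    # leftover of a partial clean-up. Windows keeps trying to load it, which
    # is exactly the "module could not be found" error that opened the thread.
    if "(file missing)" in body or "(no file)" in body:
        reasons.append(f"{section}: registration points at a missing file")

    # Rule 2: Winlogon Notify DLLs load into winlogon.exe as SYSTEM before any
    # user logs on, so a short lowercase name that is not a stock package
    # deserves a look even when the file is still present.
    if section == "O20":
        name = body.split(":", 1)[1].split(" - ")[0].strip()
        if re.fullmatch(r"[a-z]{5,8}", name) and name not in STOCK_NOTIFY:
            reasons.append("O20: random-looking Winlogon Notify package name")

    # Rule 3: BHOs normally carry a product name; a GUID or "(no name)" as
    # the display name is a component that wants no attribution.
    if section == "O2":
        display = body.split("BHO:", 1)[1].split(" - ")[0].strip()
        if display == "(no name)" or GUID_RE.match(display):
            reasons.append("O2: BHO with no human-readable name")

    # Rule 4: a Run value named with eight hex digits, whose command is
    # rundll32 loading a DLL by a one- or two-character export, is the loader
    # shape behind the RUNDLL error that started this thread.
    if section == "O4":
        rm = RUN_RE.match(body)
        if rm:
            if re.fullmatch(r"[0-9a-f]{8}", rm["name"]):
                reasons.append("O4: Run value name is 8 random hex digits")
            dm = RUNDLL_RE.match(rm["cmd"])
            if dm and len(dm["export"]) <= 2:
                reasons.append(f"O4: rundll32 loads {dm['dll']} by export '{dm['export']}'")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged HJT line to its reasons; clean lines are omitted."""
    hits: Dict[str, List[str]] = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            hits[line.strip()] = reasons
    return hits


if __name__ == "__main__":
    for flagged, why in triage_log(SAMPLE_HJT).items():
        print(flagged)
        for reason in why:
            print("    ", reason)
```

Six of the ten sample lines are flagged. The `[Windows update loader] C:\Windows\xpupdate.exe` entry is not: nothing about its shape is abnormal, which is why structural triage is only a first pass and an unfamiliar file name still needs a hash or reputation lookup. The `4882da28` Run value is the one behind the error in the first post: the registry still asks rundll32 to load a DLL that is no longer there, so the error will repeat on every logon until the value itself is removed, not just the file.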

PrntRhd
12-21-2007, 10:03 PM
Yeah, I do understand the locked down OS.
I had a former boss whose idea of fun was to go to Circuit City or Best Buy and delete a needed Windows file while messing with the display PCs.
:p

Ajmukon
12-21-2007, 11:31 PM
Yeah, I do understand the locked down OS.
I had a former boss whose idea of fun was to go to Circuit City or Best Buy and delete a needed Windows file while messing with the display PCs.
:p
HA HA HA... that is rich...
wow- that is hilarious

Budfred
12-22-2007, 01:39 AM
I used to try to get the ones that had crashed working again when I would hang out looking at computers... :D

Anyway, that is a mess... You are going to need a couple of heavy duty tools, but given what you described, I suggest wiping it and installing Win2K or something that won't give it indigestion (even a user friendly version of Linux)... If you want to try to fix it up as is, please do these:

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop (it needs to be run from the Desktop).
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall...

and then.............................

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
Just before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the Registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the Desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your Desktop icons.
Finally open the SDFix folder on your Desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

LadyGrey
12-22-2007, 08:08 AM
Yep, mess is a nice word for it!:D
Thanks so very much, I'll get started on it this morning. I'm going to take a shot at fixing it, good learning experience for me and if it works, Great!
If it doesn't then I have a copy of W2K, told my hubby just that, that it would be better off running W2K. If they don't want W2K then they will just have to settle for a mess of a computer that may or may not run when they want it to. If even that.
I will follow your directions to the letter Budfred,thanks again and I'll be back later on today I hope with the other logs and some news.
LG;)

LadyGrey
12-22-2007, 09:45 AM
Well, got done sooner than I thought! Hubby and son actually left me alone for an hour:D
Ok here are the logs, Combofix first


ComboFix 07-12-21.4 - walmart 2007-12-22 7:25:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.68 [GMT -8:00]
Running from: C:\Documents and Settings\walmart.TOSHIBA-USER\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
.
((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.
2007-12-21 19:14 . 2004-01-26 19:03 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2007-12-21 19:10 . 2004-01-26 19:03 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-12-21 19:09 . 2007-12-21 19:09 <DIR> d-------- C:\Display.temp
2007-12-21 19:09 . 2004-01-26 19:03 98,304 --a------ C:\WINDOWS\system32\igfxcpl.cpl
2007-12-21 15:17 . 2007-12-21 12:59 <DIR> d-------- C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\AVG7
2007-12-21 15:17 . 2007-12-21 15:17 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-21 15:16 . 2007-12-21 12:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-21 14:16 . 2007-12-21 14:16 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-21 14:16 . 2006-10-04 06:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2007-12-21 14:15 . 2007-12-21 14:15 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-21 14:12 . 2007-12-21 14:12 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-21 14:12 . 2007-12-21 14:13 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-21 14:11 . 2007-12-21 14:11 <DIR> d-------- C:\Program Files\NETGEAR
2007-12-21 14:11 . 2007-12-21 14:11 <DIR> d-------- C:\Documents and Settings\WALMAR~1~TOS\LOCALS~1
2007-12-21 14:11 . 2003-11-28 10:18 337,216 --a------ C:\WINDOWS\system32\drivers\wg121nd5.sys
2007-12-21 14:11 . 2003-07-24 12:10 94,208 --a------ C:\WINDOWS\system32\DNIN50.dll
2007-12-21 14:11 . 2003-09-23 11:37 77,926 --a------ C:\WINDOWS\system32\wg121.dll
2007-12-21 13:54 . 2006-11-12 22:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-12-21 13:54 . 2006-11-12 22:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-12-21 13:54 . 2006-11-12 22:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-12-21 11:36 . 2007-12-21 11:36 <DIR> d-------- C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\Grisoft
2007-12-21 11:36 . 2007-12-21 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-21 11:36 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-21 10:54 . 2007-12-21 11:34 990,273 --ahs---- C:\WINDOWS\system32\hehvuptt.ini
2007-12-20 16:55 . 2007-12-20 16:55 994,149 --ahs---- C:\WINDOWS\system32\icfrdfsi.ini
2007-12-19 16:56 . 2007-12-20 16:56 986,716 --ahs---- C:\WINDOWS\system32\jqxwqeji.ini
2007-12-19 09:01 . 2007-12-19 16:41 986,754 --ahs---- C:\WINDOWS\system32\bmhvkumm.ini
2007-12-18 13:43 . 2007-12-19 08:55 986,574 --ahs---- C:\WINDOWS\system32\hwosmdeo.ini
2007-12-17 16:41 . 2007-12-18 01:30 971,378 --ahs---- C:\WINDOWS\system32\yccuugig.ini
2007-12-16 16:41 . 2007-12-17 12:31 970,521 --ahs---- C:\WINDOWS\system32\gasmnafj.ini
2007-12-16 15:38 . 2007-12-16 15:38 970,434 --ahs---- C:\WINDOWS\system32\maxrwjbf.ini
2007-12-15 10:55 . 2007-12-16 15:24 970,374 --ahs---- C:\WINDOWS\system32\hufkitcr.ini
2007-12-14 11:05 . 2007-12-14 11:05 894,438 --ahs---- C:\WINDOWS\system32\dvvejevl.ini
2007-12-13 14:21 . 2007-12-14 14:02 872,247 --ahs---- C:\WINDOWS\system32\rapampvy.ini
2007-12-12 14:18 . 2007-12-13 14:18 964,683 --ahs---- C:\WINDOWS\system32\qlfxnavu.ini
2007-12-11 14:15 . 2007-12-12 14:16 903,561 --ahs---- C:\WINDOWS\system32\vkyjnjjb.ini
2007-12-10 11:03 . 2007-12-11 14:15 901,627 --ahs---- C:\WINDOWS\system32\akmbocos.ini
2007-12-09 14:18 . 2007-12-21 14:00 <DIR> d-------- C:\Program Files\MalwareAlarm
2007-12-09 14:18 . 2007-12-09 14:18 1,154,709 --a------ C:\Install
2007-12-09 11:03 . 2007-12-10 11:03 859,817 --ahs---- C:\WINDOWS\system32\vcihfwna.ini
2007-12-08 11:00 . 2007-12-09 11:01 834,512 --ahs---- C:\WINDOWS\system32\ufylmynw.ini
2007-12-07 11:04 . 2007-12-08 03:10 834,283 --ahs---- C:\WINDOWS\system32\wrpwpxlw.ini
2007-12-07 10:04 . 2007-12-07 10:04 834,100 --ahs---- C:\WINDOWS\system32\jtbpgqsg.ini
2007-11-25 10:33 . 2007-11-25 10:34 440,528 --ahs---- C:\WINDOWS\system32\fcwshwxj.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 22:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-21 22:03 --------- d-----w C:\Program Files\Google
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 23:12 0 -c--a-w C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\wklnhst.dat
2007-10-30 23:12 --------- d-----w C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\Template
2007-10-24 23:55 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-24 23:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-24 23:45 --------- d-----w C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\AOL
2007-10-24 20:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-24 20:11 --------- d-----w C:\Program Files\Pure Networks
2007-10-24 19:55 --------- d-----w C:\Program Files\Napster
2007-10-24 19:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-10-24 19:40 --------- d-----w C:\Program Files\Real
2007-10-24 18:03 --------- d-----w C:\Program Files\support.com
2007-10-24 17:52 --------- d-----w C:\Program Files\Toshiba
2007-10-24 17:12 --------- d-----w C:\Program Files\Windows Live Toolbar
2006-01-16 13:29 0 -c--a-w C:\Documents and Settings\walmart\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b38d655a-aba2-472a-8ece-a65cdca4f555}]
C:\WINDOWS\system32\lcnrufqs.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFE96C4D-D078-4003-A191-9F39B0B6F6EF}]
C:\WINDOWS\system32\awtqr.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 02:24]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2007-09-22 13:14]
"000StTHK"="000StTHK.exe" [2001-06-23 19:28 C:\WINDOWS\system32\000StTHK.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" []
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-01-26 19:03]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-01-26 19:03]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 14:00 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"TFNF5"="TFNF5.exe" [2003-12-02 13:15 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2004-06-01 19:43 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-09-22 13:15]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2007-09-22 13:15]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 15:37]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"4882da28"="C:\WINDOWS\system32\ttpuvheh.dll" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 15:16]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-21 15:16]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Smart Wizard Wireless Settings.lnk - C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2007-12-21 14:11:32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqr]
C:\WINDOWS\system32\awtqr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtut]
C:\WINDOWS\system32\awtut.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffc]
C:\WINDOWS\system32\khffc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljklig]
mljklig.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhe]
C:\WINDOWS\system32\pmkhe.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvu]
C:\WINDOWS\system32\vtuvu.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvurs]
C:\WINDOWS\system32\wvurs.dll

LadyGrey
12-22-2007, 09:46 AM
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvw]
C:\WINDOWS\system32\wvuvw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yabxw]
C:\WINDOWS\system32\yabxw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yabyy]
C:\WINDOWS\system32\yabyy.dll
R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 00:05]
R3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;C:\WINDOWS\system32\DRIVERS\wg121nd5.sys [2003-11-28 10:18]
*Newly Created Service* - HTTPFILTER
.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 18:48:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-17 08:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-19 17:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-18 18:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-21 19:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-18 20:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-21 21:00:01 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-21 22:00:02 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-21 23:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-21 00:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-21 01:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-21 02:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-17 09:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-20 03:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-22 04:00:01 C:\WINDOWS\Tasks\At21.job"
"2007-12-22 05:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-17 06:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-17 07:00:00 C:\WINDOWS\Tasks\At24.job"
"2007-12-18 10:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-18 11:00:00 C:\WINDOWS\Tasks\At4.job"
"2007-12-18 12:00:00 C:\WINDOWS\Tasks\At5.job"
"2007-12-18 13:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-18 14:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-18 15:00:00 C:\WINDOWS\Tasks\At8.job"
"2007-12-18 16:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 07:31:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
.
Completion time: 2007-12-22 7:35:05 - machine was rebooted
.
2007-12-12 11:05:14 --- E O F ---

LadyGrey
12-22-2007, 09:47 AM
SDFix next



SDFix: Version 1.119
Run by walmart on Sat 12/22/2007 at 08:11 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\WALMAR~1.TOS\Desktop\SDFix
Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...

Normal Mode:
Checking Files:
No Trojan Files Found


Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.


Final Check:
catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 08:28:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------

Files with Hidden Attributes:
Sat 22 Sep 2007 6,440 A.SH. --- "C:\WINDOWS\system32\cffhk.bak1"
Sun 23 Sep 2007 6,496 A.SH. --- "C:\WINDOWS\system32\ehkmp.bak1"
Mon 17 Dec 2007 187,889 A.SH. --- "C:\WINDOWS\system32\rqtwa.bak1"
Fri 21 Dec 2007 8,754 A.SH. --- "C:\WINDOWS\system32\rqtwa.bak2"
Tue 25 Sep 2007 6,440 A.SH. --- "C:\WINDOWS\system32\sruvw.bak1"
Wed 26 Sep 2007 6,440 A.SH. --- "C:\WINDOWS\system32\tutwa.bak1"
Wed 26 Sep 2007 6,480 A.SH. --- "C:\WINDOWS\system32\uvutv.bak1"
Tue 25 Sep 2007 6,630 A.SH. --- "C:\WINDOWS\system32\wvuvw.bak1"
Sat 22 Sep 2007 6,440 A.SH. --- "C:\WINDOWS\system32\wxbay.bak1"
Mon 24 Sep 2007 6,480 A.SH. --- "C:\WINDOWS\system32\yybay.bak1"
Tue 21 Aug 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 21 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 22 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5b662b7887793c36c7b10d29ea0e0cdc\BITD.tmp"
Sat 22 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BITC.tmp"
Tue 21 Aug 2007 4,348 ...H. --- "C:\Documents and Settings\walmart.TOSHIBA-USER\My Documents\My Music\License Backup\drmv1key.bak"
Wed 22 Aug 2007 20 A..H. --- "C:\Documents and Settings\walmart.TOSHIBA-USER\My Documents\My Music\License Backup\drmv1lic.bak"
Tue 21 Aug 2007 312 A.SH. --- "C:\Documents and Settings\walmart.TOSHIBA-USER\My Documents\My Music\License Backup\drmv2key.bak"
Finished!
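
The ComboFix and SDFix output above carry two artifacts worth correlating with the HijackThis entries. First, every hidden+system file in system32 (the `--ahs----` .ini files ComboFix dated one per day, and the `A.SH.` .bak1/.bak2 files SDFix listed) has a base name that is the reverse of one of the DLL names registered as a BHO, Winlogon Notify package or Run value: ttpuvheh.dll and hehvuptt.ini, awtqr.dll and rqtwa.bak1, and so on. That reversed-name pairing is the classic Vundo trait, which fits Budfred's first guess. Second, the Scheduled Tasks section shows two dozen At*.job entries, one per hour, all launching Ppp3MN68.exe from system32, a persistence path none of the HijackThis sections report. As an added example, not from the thread or from either tool, here is a Python script that does both correlations over lines copied from the logs above (the BITD.tmp path is rejoined where the forum wrapped it; the sample is a subset, so not every DLL finds its partner here). The parsing regexes and the DLL list are my own assumptions.

```python
"""Correlate the ComboFix and SDFix output above.

Added example, not from the thread or from either tool. Two checks that a
helper does by eye on logs like these, done programmatically:
  1. hidden+system files whose base name is the reverse of a DLL registered
     as a BHO, Winlogon Notify package or Run entry;
  2. At<n>.job scheduled tasks (created with at.exe) all pointing at one exe.
"""
import ntpath
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample: a subset of the ComboFix "Files Created" lines.
COMBOFIX_FILES = r"""
2007-12-21 19:10 . 2004-01-26 19:03 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-12-21 10:54 . 2007-12-21 11:34 990,273 --ahs---- C:\WINDOWS\system32\hehvuptt.ini
2007-12-20 16:55 . 2007-12-20 16:55 994,149 --ahs---- C:\WINDOWS\system32\icfrdfsi.ini
"""
# Constructed sample: a subset of the SDFix "Files with Hidden Attributes" lines.
SDFIX_HIDDEN = r"""
Sat 22 Sep 2007 6,440 A.SH. --- "C:\WINDOWS\system32\cffhk.bak1"
Sun 23 Sep 2007 6,496 A.SH. --- "C:\WINDOWS\system32\ehkmp.bak1"
Mon 17 Dec 2007 187,889 A.SH. --- "C:\WINDOWS\system32\rqtwa.bak1"
Fri 21 Dec 2007 8,754 A.SH. --- "C:\WINDOWS\system32\rqtwa.bak2"
Tue 25 Sep 2007 6,630 A.SH. --- "C:\WINDOWS\system32\wvuvw.bak1"
Tue 21 Aug 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 22 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5b662b7887793c36c7b10d29ea0e0cdc\BITD.tmp"
"""
# DLL names the HijackThis/ComboFix logs list under O2, O20 and O4.
REGISTERED_DLLS = ["ttpuvheh.dll", "lcnrufqs.dll", "awtqr.dll", "awtut.dll", "khffc.dll",
                   "mljklig.dll", "pmkhe.dll", "vtuvu.dll", "wvurs.dll", "wvuvw.dll",
                   "yabxw.dll", "yabyy.dll"]
# Constructed sample: a subset of the ComboFix "Scheduled Tasks" lines.
TASKS = r"""
"2007-12-17 18:48:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-17 08:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-19 17:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-22 04:00:01 C:\WINDOWS\Tasks\At21.job"
"2007-12-22 05:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"""

COMBOFIX_RE = re.compile(r"^\S+ \S+ \. \S+ \S+ [\d,]+ (?P<attr>\S+) (?P<path>.+)$")
SDFIX_RE = re.compile(r'^.* (?P<attr>[A-Z.]{5}) --- "(?P<path>.+)"$')


def hidden_system_files(combofix: str, sdfix: str) -> List[str]:
    """Paths carrying both the hidden and system attribute in either tool's output."""
    found = []
    for line in combofix.splitlines() + sdfix.splitlines():
        m = COMBOFIX_RE.match(line) or SDFIX_RE.match(line)
        if m and {"h", "s"} <= set(m["attr"].lower()):
            found.append(m["path"])
    return found


def reversed_companions(dlls: List[str], paths: List[str]) -> Dict[str, List[str]]:
    """Map each DLL to files whose base name (before the first dot) is its reverse.

    A dangling '(file missing)' DLL name still tells you which hidden
    companion files belong with it, e.g. ttpuvheh.dll <-> hehvuptt.ini.
    """
    by_stem = defaultdict(list)
    for p in paths:
        by_stem[ntpath.basename(p).split(".")[0].lower()].append(p)
    hits = {}
    for dll in dlls:
        stem = dll.split(".")[0].lower()
        if by_stem.get(stem[::-1]):
            hits[dll] = by_stem[stem[::-1]]
    return hits


def at_job_targets(tasks: str) -> Counter:
    """Count how many at.exe-created jobs (At<n>.job) point at each executable."""
    counts: Counter = Counter()
    pending = None  # At job whose "- target" line has not been seen yet
    for line in tasks.splitlines():
        if line.startswith('"') and line.endswith('.job"'):
            if pending:  # previous At job listed no target line
                counts["(target not listed)"] += 1
            job = ntpath.basename(line.rstrip('"'))
            pending = job if re.fullmatch(r"At\d+\.job", job, re.I) else None
        elif line.startswith("- ") and pending:
            counts[line[2:].strip()] += 1
            pending = None
    if pending:
        counts["(target not listed)"] += 1
    return counts


if __name__ == "__main__":
    hidden = hidden_system_files(COMBOFIX_FILES, SDFIX_HIDDEN)
    for dll, files in reversed_companions(REGISTERED_DLLS, hidden).items():
        print(dll, "<->", ", ".join(files))
    for target, n in at_job_targets(TASKS).most_common():
        print(f"{n:2d} At*.job -> {target}")
```

Run stand-alone it prints five DLL/companion pairs (ttpuvheh, awtqr with both .bak files, khffc, pmkhe and wvuvw, the last a palindrome) and the At*.job tally. Two points for the practitioner: icfrdfsi.ini has no reversed partner in the DLL list yet is still a hidden+system file in system32, so the full hidden list needs review, not only the matches; and the hourly At jobs are a separate persistence mechanism that survives a clean of the Run and Notify entries, so the Ppp3MN68.exe file and the jobs themselves (at.exe jobs are removed with `at <id> /delete`) have to be dealt with as well.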

LadyGrey
12-22-2007, 09:49 AM
New HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:49 AM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\walmart.TOSHIBA-USER\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: {555f4acd-c56a-ece8-a274-2abaa556d83b} - {b38d655a-aba2-472a-8ece-a65cdca4f555} - C:\WINDOWS\system32\lcnrufqs.dll (file missing)
O2 - BHO: (no name) - {BFE96C4D-D078-4003-A191-9F39B0B6F6EF} - C:\WINDOWS\system32\awtqr.dll (file missing)
O3 - Toolbar: (no name) - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [4882da28] rundll32.exe "C:\WINDOWS\system32\ttpuvheh.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll (file missing)
O20 - Winlogon Notify: awtut - C:\WINDOWS\system32\awtut.dll (file missing)
O20 - Winlogon Notify: khffc - C:\WINDOWS\system32\khffc.dll (file missing)
O20 - Winlogon Notify: mljklig - mljklig.dll (file missing)
O20 - Winlogon Notify: pmkhe - C:\WINDOWS\system32\pmkhe.dll (file missing)
O20 - Winlogon Notify: vtuvu - C:\WINDOWS\system32\vtuvu.dll (file missing)
O20 - Winlogon Notify: wvurs - C:\WINDOWS\system32\wvurs.dll (file missing)
O20 - Winlogon Notify: wvuvw - C:\WINDOWS\system32\wvuvw.dll (file missing)
O20 - Winlogon Notify: yabxw - C:\WINDOWS\system32\yabxw.dll (file missing)
O20 - Winlogon Notify: yabyy - C:\WINDOWS\system32\yabyy.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
--
End of file - 7010 bytes

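A triage pass over HijackThis lines of the kind in the log above, added here as an example (it is not HijackThis's own code, nor the CFScript Budfred is preparing). The sample lines are copied from the log above plus one constructed igfxcui line; the set of stock XP Winlogon Notify packages is my own baseline and is an assumption to check against your reference install, as is the rule that a rundll32 autostart of a system32 DLL with a one-letter export deserves a hard look.

```python
import re
from dataclasses import dataclass
from typing import List

# Lines taken from the HijackThis log posted above, with one constructed benign
# Winlogon Notify line (igfxcui) so the "review" rule has something to hit.
SAMPLE_LOG = r"""O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {BFE96C4D-D078-4003-A191-9F39B0B6F6EF} - C:\WINDOWS\system32\awtqr.dll (file missing)
O3 - Toolbar: (no name) - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [4882da28] rundll32.exe "C:\WINDOWS\system32\ttpuvheh.dll",b
O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\system32\igfxdev.dll
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
"""

# Assumed baseline: Winlogon Notify packages present on a stock Windows XP SP2 box.
# Anything else is not automatically bad (graphics drivers add one), but it loads
# into winlogon.exe at every logon, so it gets a "review" finding.
STOCK_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S*)', re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[([^\]]+)\]")
NOTIFY_RE = re.compile(r"Winlogon Notify:\s*(\S+)\s+-", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    section: str
    severity: str   # "high" or "review"
    reason: str
    entry: str


def triage(log_text: str) -> List[Finding]:
    """Walk HijackThis O-lines and return the entries worth a second look."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        missing = "(file missing)" in body or "(no file)" in body

        if section == "O20":
            name = NOTIFY_RE.search(body)
            pkg = name.group(1).lower() if name else ""
            if missing:
                findings.append(Finding(line_no, section, "high",
                                        "Winlogon Notify package whose DLL is gone (orphaned logon hook)", line))
            elif pkg not in STOCK_WINLOGON_NOTIFY:
                findings.append(Finding(line_no, section, "review",
                                        f"non-default Winlogon Notify package '{pkg}'; confirm the vendor", line))
            continue

        if section in ("O2", "O3") and missing:
            findings.append(Finding(line_no, section, "high",
                                    "browser extension registered but file absent (leftover registration)", line))
            continue

        if section == "O4":
            rd = RUNDLL_RE.search(body)
            # A DLL in system32 started through rundll32 with a blank or one-letter
            # export name is the pattern behind the RUNDLL error in this thread.
            if rd and "system32" in rd.group(1).lower() and len(rd.group(2)) <= 1:
                findings.append(Finding(line_no, section, "high",
                                        "rundll32 autostart of a system32 DLL with a one-letter/blank export", line))
            nm = RUN_NAME_RE.search(body)
            if nm and re.fullmatch(r"[0-9a-f]{6,}", nm.group(1), re.IGNORECASE):
                findings.append(Finding(line_no, section, "review",
                                        f"hex-looking Run value name '{nm.group(1)}'", line))
            continue

        if section == "O23" and "Unknown owner" in body:
            findings.append(Finding(line_no, section, "review",
                                    "service with no publisher recorded", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>3} {f.section:<4} {f.severity:<6} {f.reason}")
```

Fed the whole log above, the "high" findings are the ten orphaned O20 entries, the two missing BHOs, the empty toolbar and the 4882da28 rundll32 line, which is the same set a human reader picks out; the "review" items (igfxcui, the Toshiba Swupdtmr service) are there so that vendor-added hooks are at least looked at rather than silently passed.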
Budfred
12-22-2007, 09:56 AM
Just checking in and see that it is still a mess... If you can, run this:

* Click here (http://support.f-secure.com/enu/home/ols.shtml) to use the F-Secure Online Scanner
Then click the Start Scanning button below.
You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here (http://support.f-secure.com/enu/home/ols-faq.shtml).
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan has finished, click the Automatic cleaning (recommended) button.
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.


and I'll check back later to see how it went... If this doesn't clear it out, the next step will be a CFScript...

LadyGrey
12-22-2007, 02:01 PM
FSecure



Scanning Report

Saturday, December 22, 2007 11:48:13 - 12:57:28

Computer name: TOSHIBA-USER
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 80 malware found

Tracking Cookie (http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Tracking Cookie&orig='disk') (spyware)

System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
Vundo.gen38 (http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Vundo.gen38&orig='disk') (virus)

C:\WINDOWS\SYSTEM32\DVVEJEVL.INI (Submitted)
C:\WINDOWS\SYSTEM32\FCWSHWXJ.INI (Submitted)
C:\WINDOWS\SYSTEM32\OAKBLXWP.INI (Submitted)
C:\WINDOWS\SYSTEM32\QLFXNAVU.INI (Submitted)
C:\WINDOWS\SYSTEM32\VKYJNJJB.INI (Submitted)
C:\WINDOWS\SYSTEM32\VSXTNSXR.INI (Submitted)
C:\WINDOWS\SYSTEM32\WRPWPXLW.INI (Submitted)
C:\WINDOWS\SYSTEM32\YOWXUTAJ.INI (Submitted)
Vundo.gen39 (http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Vundo.gen39&orig='disk') (virus)

C:\WINDOWS\SYSTEM32\EONVQJBC.INI (Submitted)
C:\WINDOWS\SYSTEM32\GEVYTBSW.INI (Submitted)
C:\WINDOWS\SYSTEM32\JFCNVBET.INI (Submitted)
C:\WINDOWS\SYSTEM32\KTTHSVCD.INI (Submitted)
C:\WINDOWS\SYSTEM32\OAXIQKSE.INI (Submitted)
C:\WINDOWS\SYSTEM32\ONYRVDBL.INI (Submitted)
C:\WINDOWS\SYSTEM32\PUKFDVEL.INI (Submitted)
C:\WINDOWS\SYSTEM32\SFWWWVGF.INI (Submitted)
C:\WINDOWS\SYSTEM32\UNHCMOAH.INI (Submitted)
C:\WINDOWS\SYSTEM32\XTEUPMAO.INI (Submitted)
Vundo.gen41 (http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Vundo.gen41&orig='disk') (virus)

C:\WINDOWS\SYSTEM32\WVUUS.DLL (Submitted)
Vundo.gen45 (http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Vundo.gen45&orig='disk') (virus)

C:\WINDOWS\SYSTEM32\YHMEQHNN.INI (Submitted)
Zango (http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Zango&orig='disk') (spyware)

System (Disinfected)

Statistics

Scanned:

Files: 22983
System: 4095
Not scanned: 3

Actions:

Disinfected: 2
Renamed: 0
Deleted: 0
None: 78
Submitted: 20

Files not scanned:

C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

Options

Scanning engines:

F-Secure Libra: 2.4.2, 2007-12-20
F-Secure AVP: 7.0.171, 2007-12-21
F-Secure Orion: 1.2.37, 2007-12-21
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0597-150-72
F-Secure Pegasus: 1.19.0, 2007-11-18

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX SWF
Use Advanced heuristics

Budfred
12-22-2007, 03:09 PM
Hopefully that took care of a lot of it... Get a fresh copy of ComboFix (it is updated frequently) and post a log... I'll put a CFScript together and see if we can nuke the rest of the garbage...

LadyGrey
12-22-2007, 05:54 PM
Unfortunately I still have the darn .dll error message coming up on start up :(





ComboFix 07-12-21.4 - walmart 2007-12-22 15:59:58.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.67 [GMT -8:00]
Running from: C:\Documents and Settings\walmart.TOSHIBA-USER\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.
2007-12-22 07:42 . 2007-12-22 07:42 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-21 19:14 . 2004-01-26 19:03 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2007-12-21 19:10 . 2004-01-26 19:03 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-12-21 19:09 . 2007-12-21 19:09 <DIR> d-------- C:\Display.temp
2007-12-21 19:09 . 2004-01-26 19:03 98,304 --a------ C:\WINDOWS\system32\igfxcpl.cpl
2007-12-21 15:17 . 2007-12-22 08:00 <DIR> d-------- C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\AVG7
2007-12-21 15:17 . 2007-12-21 15:17 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-21 15:16 . 2007-12-21 12:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-21 14:16 . 2007-12-21 14:16 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-21 14:16 . 2006-10-04 06:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2007-12-21 14:15 . 2007-12-21 14:15 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-21 14:12 . 2007-12-21 14:12 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-21 14:12 . 2007-12-21 14:13 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-21 14:11 . 2007-12-21 14:11 <DIR> d-------- C:\Program Files\NETGEAR
2007-12-21 14:11 . 2007-12-21 14:11 <DIR> d-------- C:\Documents and Settings\WALMAR~1~TOS\LOCALS~1
2007-12-21 14:11 . 2003-11-28 10:18 337,216 --a------ C:\WINDOWS\system32\drivers\wg121nd5.sys
2007-12-21 14:11 . 2003-07-24 12:10 94,208 --a------ C:\WINDOWS\system32\DNIN50.dll
2007-12-21 14:11 . 2003-09-23 11:37 77,926 --a------ C:\WINDOWS\system32\wg121.dll
2007-12-21 13:54 . 2006-11-12 22:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-12-21 13:54 . 2006-11-12 22:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-12-21 13:54 . 2006-11-12 22:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-12-21 11:36 . 2007-12-21 11:36 <DIR> d-------- C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\Grisoft
2007-12-21 11:36 . 2007-12-21 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-21 11:36 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-21 10:54 . 2007-12-21 11:34 990,273 --ahs---- C:\WINDOWS\system32\hehvuptt.ini
2007-12-20 16:55 . 2007-12-20 16:55 994,149 --ahs---- C:\WINDOWS\system32\icfrdfsi.ini
2007-12-19 16:56 . 2007-12-20 16:56 986,716 --ahs---- C:\WINDOWS\system32\jqxwqeji.ini
2007-12-19 09:01 . 2007-12-19 16:41 986,754 --ahs---- C:\WINDOWS\system32\bmhvkumm.ini
2007-12-18 13:43 . 2007-12-19 08:55 986,574 --ahs---- C:\WINDOWS\system32\hwosmdeo.ini
2007-12-17 16:41 . 2007-12-18 01:30 971,378 --ahs---- C:\WINDOWS\system32\yccuugig.ini
2007-12-16 16:41 . 2007-12-17 12:31 970,521 --ahs---- C:\WINDOWS\system32\gasmnafj.ini
2007-12-16 15:38 . 2007-12-16 15:38 970,434 --ahs---- C:\WINDOWS\system32\maxrwjbf.ini
2007-12-15 10:55 . 2007-12-16 15:24 970,374 --ahs---- C:\WINDOWS\system32\hufkitcr.ini
2007-12-14 11:05 . 2007-12-14 11:05 894,438 --ahs---- C:\WINDOWS\system32\dvvejevl.ini
2007-12-13 14:21 . 2007-12-14 14:02 872,247 --ahs---- C:\WINDOWS\system32\rapampvy.ini
2007-12-12 14:18 . 2007-12-13 14:18 964,683 --ahs---- C:\WINDOWS\system32\qlfxnavu.ini
2007-12-11 14:15 . 2007-12-12 14:16 903,561 --ahs---- C:\WINDOWS\system32\vkyjnjjb.ini
2007-12-10 11:03 . 2007-12-11 14:15 901,627 --ahs---- C:\WINDOWS\system32\akmbocos.ini
2007-12-09 14:18 . 2007-12-21 14:00 <DIR> d-------- C:\Program Files\MalwareAlarm
2007-12-09 14:18 . 2007-12-09 14:18 1,154,709 --a------ C:\Install
2007-12-09 11:03 . 2007-12-10 11:03 859,817 --ahs---- C:\WINDOWS\system32\vcihfwna.ini
2007-12-08 11:00 . 2007-12-09 11:01 834,512 --ahs---- C:\WINDOWS\system32\ufylmynw.ini
2007-12-07 11:04 . 2007-12-08 03:10 834,283 --ahs---- C:\WINDOWS\system32\wrpwpxlw.ini
2007-12-07 10:04 . 2007-12-07 10:04 834,100 --ahs---- C:\WINDOWS\system32\jtbpgqsg.ini
2007-11-25 10:33 . 2007-11-25 10:34 440,528 --ahs---- C:\WINDOWS\system32\fcwshwxj.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 22:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-21 22:03 --------- d-----w C:\Program Files\Google
2007-12-21 19:39 8,754 --sha-w C:\WINDOWS\system32\rqtwa.bak2
2007-12-18 00:38 187,889 --sha-w C:\WINDOWS\system32\rqtwa.bak1
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 23:12 0 -c--a-w C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\wklnhst.dat
2007-10-30 23:12 --------- d-----w C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\Template
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 17:28 172,080 -c--a-w C:\WINDOWS\system32\wvuus.dll
2007-10-24 23:55 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-24 23:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-24 23:45 --------- d-----w C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\AOL
2007-10-24 20:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-24 20:11 --------- d-----w C:\Program Files\Pure Networks
2007-10-24 19:55 --------- d-----w C:\Program Files\Napster
2007-10-24 19:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-10-24 19:40 --------- d-----w C:\Program Files\Real
2007-10-24 18:03 --------- d-----w C:\Program Files\support.com
2007-10-24 17:52 --------- d-----w C:\Program Files\Toshiba
2007-10-24 17:12 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-09-27 02:30 6,440 -csha-w C:\WINDOWS\system32\tutwa.bak1
2007-09-26 23:41 6,480 -csha-w C:\WINDOWS\system32\uvutv.bak1
2007-09-26 04:19 6,440 -csha-w C:\WINDOWS\system32\sruvw.bak1
2007-09-26 04:05 6,630 -csha-w C:\WINDOWS\system32\wvuvw.bak1
2007-09-25 01:51 6,480 -csha-w C:\WINDOWS\system32\yybay.bak1
2007-09-24 02:58 6,496 -csha-w C:\WINDOWS\system32\ehkmp.bak1
2007-09-22 21:21 6,440 -csha-w C:\WINDOWS\system32\cffhk.bak1
2007-09-22 21:14 258,048 ----a-w C:\WINDOWS\system32\00THotkey.exe
2007-09-22 17:52 6,440 -csha-w C:\WINDOWS\system32\wxbay.bak1
2006-01-16 13:29 0 -c--a-w C:\Documents and Settings\walmart\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((( snapshot@2007-12-22_ 7.33.22.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-08 00:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-08 00:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-08 00:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2007-12-20 21:08:37 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-12-22 16:11:18 2,908,160 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-12-22 16:11:19 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-20 21:08:37 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-12-22 15:42:38 2,908,160 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2007-12-22 15:42:38 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-12-22 15:18:37 63,214 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-12-22 21:15:31 63,214 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-12-22 15:18:37 402,644 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-22 21:15:31 402,644 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

LadyGrey
12-22-2007, 06:02 PM
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b38d655a-aba2-472a-8ece-a65cdca4f555}]
C:\WINDOWS\system32\lcnrufqs.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFE96C4D-D078-4003-A191-9F39B0B6F6EF}]
C:\WINDOWS\system32\awtqr.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 02:24]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2007-09-22 13:14]
"000StTHK"="000StTHK.exe" [2001-06-23 19:28 C:\WINDOWS\system32\000StTHK.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" []
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-01-26 19:03]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-01-26 19:03]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 14:00 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"TFNF5"="TFNF5.exe" [2003-12-02 13:15 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2004-06-01 19:43 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-09-22 13:15]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2007-09-22 13:15]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 15:37]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"4882da28"="C:\WINDOWS\system32\ttpuvheh.dll" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 15:16]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-21 15:16]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Smart Wizard Wireless Settings.lnk - C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2007-12-21 14:11:32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqr]
C:\WINDOWS\system32\awtqr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtut]
C:\WINDOWS\system32\awtut.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffc]
C:\WINDOWS\system32\khffc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljklig]
mljklig.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhe]
C:\WINDOWS\system32\pmkhe.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvu]
C:\WINDOWS\system32\vtuvu.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvurs]
C:\WINDOWS\system32\wvurs.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvw]
C:\WINDOWS\system32\wvuvw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yabxw]
C:\WINDOWS\system32\yabxw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yabyy]
C:\WINDOWS\system32\yabyy.dll
R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 00:05]
R3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;C:\WINDOWS\system32\DRIVERS\wg121nd5.sys [2003-11-28 10:18]
.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 18:48:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-17 08:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-19 17:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-18 18:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-21 19:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-22 20:00:01 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-22 21:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-22 22:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-21 23:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-23 00:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-21 01:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-21 02:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-17 09:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-20 03:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-22 04:00:01 C:\WINDOWS\Tasks\At21.job"
"2007-12-22 05:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-17 06:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-17 07:00:00 C:\WINDOWS\Tasks\At24.job"
"2007-12-18 10:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-18 11:00:00 C:\WINDOWS\Tasks\At4.job"
"2007-12-18 12:00:00 C:\WINDOWS\Tasks\At5.job"
"2007-12-18 13:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-18 14:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
"2007-12-18 15:00:00 C:\WINDOWS\Tasks\At8.job"
"2007-12-22 16:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\Ppp3MN68.exe
.
************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 16:02:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
.
Completion time: 2007-12-22 16:03:56
C:\ComboFix2.txt ... 2007-12-22 07:35
.
2007-12-12 11:05:14 --- E O F ---

Budfred
12-23-2007, 02:37 AM
Okay, it turns out you've got a Smitfraud infection there... Fix that and we will see what is left...

Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm (http://www.beyondlogic.org/consulting/processutil/processutil.htm)

It would be a good idea to print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
Just before the Windows icon appears, tap the F8 key;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

LadyGrey
12-23-2007, 09:05 AM
Mornin' Budfred, here is the log from Smitfraudfix.


SmitFraudFix v2.274
Scan done at 7:51:58.03, Sun 12/23/2007
Run from C:\Documents and Settings\walmart.TOSHIBA-USER\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
Killing process

hosts
127.0.0.1 localhost
Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.

Generic Renos Fix
GenericRenosFix by S!Ri

Deleting infected files
C:\WINDOWS\Tasks\At?.job Deleted
C:\WINDOWS\Tasks\At??.job Deleted
IEDFix
IEDFix.exe by S!Ri

DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{33376601-5829-4C96-9388-B91D38C24311}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{33376601-5829-4C96-9388-B91D38C24311}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{33376601-5829-4C96-9388-B91D38C24311}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

Deleting Temp Files

Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

End

Budfred
12-23-2007, 10:01 AM
I was really hoping it would take out more than that... :(

Oh well, go ahead with a fresh ComboFix log and I will work up the script...

LadyGrey
12-23-2007, 11:15 AM
Downloaded a fresh Combofix and here is the log. This thing is really giving us a run for our money ain't it?:rolleyes:
Thanks so much for sticking with me on it, I'm learning some and will probably have questions after we get done. I would have just reinstalled in the first place but other than the fact that I want to learn, I would also have had to go on a driver hunt for this thing as it has no restore disks. Toshiba has some drivers and files that I saw but I don't think it would be that simple and I would end up looking all over the place for drivers. So I really thank you for helping me!!
LG;)



ComboFix 07-12-21.4 - walmart 2007-12-23 9:57:07.3 - NTFSx86
Running from: C:\Documents and Settings\walmart.TOSHIBA-USER\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-23 to 2007-12-23 )))))))))))))))))))))))))))))))
.
2007-12-23 07:52 . 2007-12-23 07:52 3,206 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-22 07:42 . 2007-12-22 07:42 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-21 19:14 . 2004-01-26 19:03 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2007-12-21 19:10 . 2004-01-26 19:03 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-12-21 19:09 . 2007-12-21 19:09 <DIR> d-------- C:\Display.temp
2007-12-21 19:09 . 2004-01-26 19:03 98,304 --a------ C:\WINDOWS\system32\igfxcpl.cpl
2007-12-21 15:17 . 2007-12-23 08:14 <DIR> d-------- C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\AVG7
2007-12-21 15:17 . 2007-12-21 15:17 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-21 15:16 . 2007-12-21 12:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-21 14:16 . 2007-12-21 14:16 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-21 14:16 . 2006-10-04 06:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2007-12-21 14:15 . 2007-12-21 14:15 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-21 14:12 . 2007-12-21 14:12 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-21 14:12 . 2007-12-21 14:13 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-21 14:11 . 2007-12-21 14:11 <DIR> d-------- C:\Program Files\NETGEAR
2007-12-21 14:11 . 2007-12-21 14:11 <DIR> d-------- C:\Documents and Settings\WALMAR~1~TOS\LOCALS~1
2007-12-21 14:11 . 2003-11-28 10:18 337,216 --a------ C:\WINDOWS\system32\drivers\wg121nd5.sys
2007-12-21 14:11 . 2003-07-24 12:10 94,208 --a------ C:\WINDOWS\system32\DNIN50.dll
2007-12-21 14:11 . 2003-09-23 11:37 77,926 --a------ C:\WINDOWS\system32\wg121.dll
2007-12-21 13:54 . 2006-11-12 22:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-12-21 13:54 . 2006-11-12 22:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-12-21 13:54 . 2006-11-12 22:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-12-21 11:36 . 2007-12-21 11:36 <DIR> d-------- C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\Grisoft
2007-12-21 11:36 . 2007-12-21 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-21 11:36 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-21 10:54 . 2007-12-21 11:34 990,273 --ahs---- C:\WINDOWS\system32\hehvuptt.ini
2007-12-20 16:55 . 2007-12-20 16:55 994,149 --ahs---- C:\WINDOWS\system32\icfrdfsi.ini
2007-12-19 16:56 . 2007-12-20 16:56 986,716 --ahs---- C:\WINDOWS\system32\jqxwqeji.ini
2007-12-19 09:01 . 2007-12-19 16:41 986,754 --ahs---- C:\WINDOWS\system32\bmhvkumm.ini
2007-12-18 13:43 . 2007-12-19 08:55 986,574 --ahs---- C:\WINDOWS\system32\hwosmdeo.ini
2007-12-17 16:41 . 2007-12-18 01:30 971,378 --ahs---- C:\WINDOWS\system32\yccuugig.ini
2007-12-16 16:41 . 2007-12-17 12:31 970,521 --ahs---- C:\WINDOWS\system32\gasmnafj.ini
2007-12-16 15:38 . 2007-12-16 15:38 970,434 --ahs---- C:\WINDOWS\system32\maxrwjbf.ini
2007-12-15 10:55 . 2007-12-16 15:24 970,374 --ahs---- C:\WINDOWS\system32\hufkitcr.ini
2007-12-14 11:05 . 2007-12-14 11:05 894,438 --ahs---- C:\WINDOWS\system32\dvvejevl.ini
2007-12-13 14:21 . 2007-12-14 14:02 872,247 --ahs---- C:\WINDOWS\system32\rapampvy.ini
2007-12-12 14:18 . 2007-12-13 14:18 964,683 --ahs---- C:\WINDOWS\system32\qlfxnavu.ini
2007-12-11 14:15 . 2007-12-12 14:16 903,561 --ahs---- C:\WINDOWS\system32\vkyjnjjb.ini
2007-12-10 11:03 . 2007-12-11 14:15 901,627 --ahs---- C:\WINDOWS\system32\akmbocos.ini
2007-12-09 14:18 . 2007-12-21 14:00 <DIR> d-------- C:\Program Files\MalwareAlarm
2007-12-09 14:18 . 2007-12-09 14:18 1,154,709 --a------ C:\Install
2007-12-09 11:03 . 2007-12-10 11:03 859,817 --ahs---- C:\WINDOWS\system32\vcihfwna.ini
2007-12-08 11:00 . 2007-12-09 11:01 834,512 --ahs---- C:\WINDOWS\system32\ufylmynw.ini
2007-12-07 11:04 . 2007-12-08 03:10 834,283 --ahs---- C:\WINDOWS\system32\wrpwpxlw.ini
2007-12-07 10:04 . 2007-12-07 10:04 834,100 --ahs---- C:\WINDOWS\system32\jtbpgqsg.ini
2007-11-25 10:33 . 2007-11-25 10:34 440,528 --ahs---- C:\WINDOWS\system32\fcwshwxj.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 22:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-21 22:03 --------- d-----w C:\Program Files\Google
2007-12-21 19:39 8,754 --sha-w C:\WINDOWS\system32\rqtwa.bak2
2007-12-18 00:38 187,889 --sha-w C:\WINDOWS\system32\rqtwa.bak1
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 23:12 0 -c--a-w C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\wklnhst.dat
2007-10-30 23:12 --------- d-----w C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\Template
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 17:28 172,080 -c--a-w C:\WINDOWS\system32\wvuus.dll
2007-10-24 23:55 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-24 23:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-24 23:45 --------- d-----w C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\AOL
2007-10-24 20:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-24 20:11 --------- d-----w C:\Program Files\Pure Networks
2007-10-24 19:55 --------- d-----w C:\Program Files\Napster
2007-10-24 19:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-10-24 19:40 --------- d-----w C:\Program Files\Real
2007-10-24 18:03 --------- d-----w C:\Program Files\support.com
2007-10-24 17:52 --------- d-----w C:\Program Files\Toshiba
2007-10-24 17:12 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-09-27 02:30 6,440 -csha-w C:\WINDOWS\system32\tutwa.bak1
2007-09-26 23:41 6,480 -csha-w C:\WINDOWS\system32\uvutv.bak1
2007-09-26 04:19 6,440 -csha-w C:\WINDOWS\system32\sruvw.bak1
2007-09-26 04:05 6,630 -csha-w C:\WINDOWS\system32\wvuvw.bak1
2007-09-25 01:51 6,480 -csha-w C:\WINDOWS\system32\yybay.bak1
2007-09-24 02:58 6,496 -csha-w C:\WINDOWS\system32\ehkmp.bak1
2006-01-16 13:29 0 -c--a-w C:\Documents and Settings\walmart\Application Data\wklnhst.dat
2007-09-22 21:21 6,440 -csha-w C:\WINDOWS\system32\cffhk.bak1
2007-09-22 17:52 6,440 -csha-w C:\WINDOWS\system32\wxbay.bak1
.
((((((((((((((((((((((((((((( snapshot@2007-12-22_ 7.33.22.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-08 00:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-08 00:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-08 00:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2007-12-20 21:08:37 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-12-22 16:11:18 2,908,160 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-12-22 16:11:19 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-20 21:08:37 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-12-22 15:42:38 2,908,160 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2007-12-22 15:42:38 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-12-22 15:18:37 63,214 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-12-23 16:18:21 63,214 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-12-22 15:18:37 402,644 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-23 16:18:21 402,644 ----a-w C:\WINDOWS\system32\perfh009.dat

LadyGrey
12-23-2007, 11:15 AM
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b38d655a-aba2-472a-8ece-a65cdca4f555}]
C:\WINDOWS\system32\lcnrufqs.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFE96C4D-D078-4003-A191-9F39B0B6F6EF}]
C:\WINDOWS\system32\awtqr.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 02:24]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2007-09-22 13:14]
"000StTHK"="000StTHK.exe" [2001-06-23 19:28 C:\WINDOWS\system32\000StTHK.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" []
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-01-26 19:03]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-01-26 19:03]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 14:00 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"TFNF5"="TFNF5.exe" [2003-12-02 13:15 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2004-06-01 19:43 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-09-22 13:15]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2007-09-22 13:15]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 15:37]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"4882da28"="C:\WINDOWS\system32\ttpuvheh.dll" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 15:16]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-21 15:16]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Smart Wizard Wireless Settings.lnk - C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2007-12-21 14:11:32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqr]
C:\WINDOWS\system32\awtqr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtut]
C:\WINDOWS\system32\awtut.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffc]
C:\WINDOWS\system32\khffc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljklig]
mljklig.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhe]
C:\WINDOWS\system32\pmkhe.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvu]
C:\WINDOWS\system32\vtuvu.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvurs]
C:\WINDOWS\system32\wvurs.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvw]
C:\WINDOWS\system32\wvuvw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yabxw]
C:\WINDOWS\system32\yabxw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yabyy]
C:\WINDOWS\system32\yabyy.dll
R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 00:05]
R3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;C:\WINDOWS\system32\DRIVERS\wg121nd5.sys [2003-11-28 10:18]
.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 18:48:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 10:00:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
.
Completion time: 2007-12-23 10:00:56
C:\ComboFix2.txt ... 2007-12-22 16:03
C:\ComboFix3.txt ... 2007-12-22 07:35
.
2007-12-12 11:05:14 --- E O F ---

Budfred
12-23-2007, 01:07 PM
Open Notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\hehvuptt.ini
C:\WINDOWS\system32\icfrdfsi.ini
C:\WINDOWS\system32\jqxwqeji.ini
C:\WINDOWS\system32\bmhvkumm.ini
C:\WINDOWS\system32\hwosmdeo.ini
C:\WINDOWS\system32\yccuugig.ini
C:\WINDOWS\system32\gasmnafj.ini
C:\WINDOWS\system32\maxrwjbf.ini
C:\WINDOWS\system32\hufkitcr.ini
C:\WINDOWS\system32\dvvejevl.ini
C:\WINDOWS\system32\rapampvy.ini
C:\WINDOWS\system32\qlfxnavu.ini
C:\WINDOWS\system32\vkyjnjjb.ini
C:\WINDOWS\system32\akmbocos.ini
C:\Install
C:\WINDOWS\system32\vcihfwna.ini
C:\WINDOWS\system32\ufylmynw.ini
C:\WINDOWS\system32\wrpwpxlw.ini
C:\WINDOWS\system32\jtbpgqsg.ini
C:\WINDOWS\system32\fcwshwxj.ini
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\rqtwa.bak1
C:\WINDOWS\system32\wvuus.dll
C:\WINDOWS\system32\tutwa.bak1
C:\WINDOWS\system32\uvutv.bak1
C:\WINDOWS\system32\sruvw.bak1
C:\WINDOWS\system32\wvuvw.bak1
C:\WINDOWS\system32\yybay.bak1
C:\WINDOWS\system32\ehkmp.bak1
C:\WINDOWS\system32\cffhk.bak1
C:\WINDOWS\system32\wxbay.bak1
C:\WINDOWS\system32\lcnrufqs.dll
C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\ttpuvheh.dll

Folder::
C:\Program Files\MalwareAlarm

DirLook::
C:\Display.temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b38d655a-aba2-472a-8ece-a65cdca4f555}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFE96C4D-D078-4003-A191-9F39B0B6F6EF}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtut]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffc]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljklig]
mljklig.dll
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvurs]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvw]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yabxw]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yabyy]



Save this as CFScript.txt


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Post the log in your next response... We'll see if this clears most of it out...
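
The CFScript above was assembled by hand from the log: the Winlogon Notify packages, the two BHOs and the random-named DLLs in system32. As an added example (not part of this thread, nor a ComboFix tool), the Python below parses a ComboFix "Reg Loading Points" section, applies the same judgement automatically and emits the File:: and Registry:: blocks; the sample log is a constructed excerpt of the entries posted above, the heuristics (5-8 lowercase-letter DLL names directly in system32, any Notify package ComboFix still lists, a Run value whose data is a bare DLL) are my assumptions, and the `"name"=-` value-deletion line uses regedit syntax that ComboFix's Registry:: section is assumed to accept.

```python
"""Flag Vundo-style autostart entries in a ComboFix 'Reg Loading Points'
section and turn them into the File:: / Registry:: blocks of a CFScript.
Added example for this thread; the heuristics are the author's assumptions."""
import re
from dataclasses import dataclass

# Constructed excerpt of the registry section posted above (same entries,
# trimmed to the ones that matter for the demonstration).
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b38d655a-aba2-472a-8ece-a65cdca4f555}]
C:\WINDOWS\system32\lcnrufqs.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-01-26 19:03]
"4882da28"="C:\WINDOWS\system32\ttpuvheh.dll" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 15:16]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqr]
C:\WINDOWS\system32\awtqr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljklig]
mljklig.dll
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
# 5-8 lowercase letters directly in system32: the naming style of the
# Vundo droppings in this log (awtqr.dll, lcnrufqs.dll, ttpuvheh.dll).
RANDOM_SYS32_DLL_RE = re.compile(r"^c:\\windows\\system32\\[a-z]{5,8}\.dll$")
SYSTEM32 = "C:\\WINDOWS\\system32\\"


@dataclass
class Entry:
    key: str    # registry key the entry was listed under
    name: str   # value name; "" for keys whose data is a bare path line
    data: str   # command line or DLL path
    stamp: str  # file timestamp ComboFix printed in [...]; "" if none


def _is_path_key(key):
    """BHO and Winlogon\\Notify keys are followed by a bare DLL path line."""
    k = key.lower()
    return "\\winlogon\\notify\\" in k or "browser helper objects" in k


def parse_loading_points(text):
    """Return the (key, name, data, stamp) entries of a REGEDIT4-style section."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append(Entry(key, m["name"], m["data"], m["stamp"].strip()))
        elif _is_path_key(key):
            entries.append(Entry(key, "", line, ""))
    return entries


def find_suspicious(entries):
    """Pick out the entries that match the pattern removed by hand in the thread."""
    suspects = []
    for e in entries:
        k = e.key.lower()
        if "\\winlogon\\notify\\" in k:
            # ComboFix hides the legitimate default Notify packages, so any
            # package it does list is loading into winlogon.exe uninvited.
            suspects.append(e)
        elif "browser helper objects" in k and RANDOM_SYS32_DLL_RE.match(e.data.lower()):
            suspects.append(e)
        elif k.endswith("\\currentversion\\run") and e.data.lower().endswith(".dll"):
            # A Run value pointing at a bare DLL is not a program; it is the
            # source of the RUNDLL "could not be found" error at startup.
            suspects.append(e)
    return suspects


def build_cfscript(suspects):
    """Emit File:: and Registry:: blocks in the format used in the thread."""
    files, keys = [], []
    for e in suspects:
        # Notify packages listed by bare file name live in system32.
        path = e.data if "\\" in e.data else SYSTEM32 + e.data
        if path.lower().endswith(".dll") and path not in files:
            files.append(path)
        if e.key.lower().endswith("\\currentversion\\run"):
            # Remove just the offending value (regedit "name"=- syntax, which
            # ComboFix's Registry:: section is assumed to accept), not the key.
            keys.append(f'[{e.key}]\n"{e.name}"=-')
        else:
            keys.append(f"[-{e.key}]")
    return "\n".join(["File::", *files, "", "Registry::", *keys, ""])


if __name__ == "__main__":
    print(build_cfscript(find_suspicious(parse_loading_points(SAMPLE_LOG))))
```

Run against the full log rather than the excerpt, it would also have emitted the Run-value deletion for "4882da28", the entry the hand-written script left in place.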

LadyGrey
12-23-2007, 02:52 PM
Mercy I hope I did it right!


Command switches used :: C:\Documents and Settings\walmart.TOSHIBA-USER\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Install
C:\WINDOWS\system32\akmbocos.ini
C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\bmhvkumm.ini
C:\WINDOWS\system32\cffhk.bak1
C:\WINDOWS\system32\dvvejevl.ini
C:\WINDOWS\system32\ehkmp.bak1
C:\WINDOWS\system32\fcwshwxj.ini
C:\WINDOWS\system32\gasmnafj.ini
C:\WINDOWS\system32\hehvuptt.ini
C:\WINDOWS\system32\hufkitcr.ini
C:\WINDOWS\system32\hwosmdeo.ini
C:\WINDOWS\system32\icfrdfsi.ini
C:\WINDOWS\system32\jqxwqeji.ini
C:\WINDOWS\system32\jtbpgqsg.ini
C:\WINDOWS\system32\lcnrufqs.dll
C:\WINDOWS\system32\maxrwjbf.ini
C:\WINDOWS\system32\qlfxnavu.ini
C:\WINDOWS\system32\rapampvy.ini
C:\WINDOWS\system32\rqtwa.bak1
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\sruvw.bak1
C:\WINDOWS\system32\ttpuvheh.dll
C:\WINDOWS\system32\tutwa.bak1
C:\WINDOWS\system32\ufylmynw.ini
C:\WINDOWS\system32\uvutv.bak1
C:\WINDOWS\system32\vcihfwna.ini
C:\WINDOWS\system32\vkyjnjjb.ini
C:\WINDOWS\system32\wrpwpxlw.ini
C:\WINDOWS\system32\wvuus.dll
C:\WINDOWS\system32\wvuvw.bak1
C:\WINDOWS\system32\wxbay.bak1
C:\WINDOWS\system32\yccuugig.ini
C:\WINDOWS\system32\yybay.bak1
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Install
C:\Program Files\MalwareAlarm
C:\Program Files\MalwareAlarm\MalwareAlarm.lic
C:\WINDOWS\system32\akmbocos.ini
C:\WINDOWS\system32\bmhvkumm.ini
C:\WINDOWS\system32\cffhk.bak1
C:\WINDOWS\system32\dvvejevl.ini
C:\WINDOWS\system32\ehkmp.bak1
C:\WINDOWS\system32\fcwshwxj.ini
C:\WINDOWS\system32\gasmnafj.ini
C:\WINDOWS\system32\hehvuptt.ini
C:\WINDOWS\system32\hufkitcr.ini
C:\WINDOWS\system32\hwosmdeo.ini
C:\WINDOWS\system32\icfrdfsi.ini
C:\WINDOWS\system32\jqxwqeji.ini
C:\WINDOWS\system32\jtbpgqsg.ini
C:\WINDOWS\system32\maxrwjbf.ini
C:\WINDOWS\system32\qlfxnavu.ini
C:\WINDOWS\system32\rapampvy.ini
C:\WINDOWS\system32\rqtwa.bak1
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\sruvw.bak1
C:\WINDOWS\system32\tutwa.bak1
C:\WINDOWS\system32\ufylmynw.ini
C:\WINDOWS\system32\uvutv.bak1
C:\WINDOWS\system32\vcihfwna.ini
C:\WINDOWS\system32\vkyjnjjb.ini
C:\WINDOWS\system32\wrpwpxlw.ini
C:\WINDOWS\system32\wvuus.dll
C:\WINDOWS\system32\wvuvw.bak1
C:\WINDOWS\system32\wxbay.bak1
C:\WINDOWS\system32\yccuugig.ini
C:\WINDOWS\system32\yybay.bak1
.
((((((((((((((((((((((((( Files Created from 2007-11-23 to 2007-12-23 )))))))))))))))))))))))))))))))
.
2007-12-23 07:52 . 2007-12-23 07:52 3,206 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-22 07:42 . 2007-12-22 07:42 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-21 19:14 . 2004-01-26 19:03 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2007-12-21 19:10 . 2004-01-26 19:03 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-12-21 19:09 . 2007-12-21 19:09 <DIR> d-------- C:\Display.temp
2007-12-21 19:09 . 2004-01-26 19:03 98,304 --a------ C:\WINDOWS\system32\igfxcpl.cpl
2007-12-21 15:17 . 2007-12-23 08:14 <DIR> d-------- C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\AVG7
2007-12-21 15:17 . 2007-12-21 15:17 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-21 15:16 . 2007-12-21 12:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-21 14:16 . 2007-12-21 14:16 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-21 14:16 . 2006-10-04 06:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2007-12-21 14:15 . 2007-12-21 14:15 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-21 14:12 . 2007-12-21 14:12 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-21 14:12 . 2007-12-21 14:13 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-21 14:11 . 2007-12-21 14:11 <DIR> d-------- C:\Program Files\NETGEAR
2007-12-21 14:11 . 2007-12-21 14:11 <DIR> d-------- C:\Documents and Settings\WALMAR~1~TOS\LOCALS~1
2007-12-21 14:11 . 2003-11-28 10:18 337,216 --a------ C:\WINDOWS\system32\drivers\wg121nd5.sys
2007-12-21 14:11 . 2003-07-24 12:10 94,208 --a------ C:\WINDOWS\system32\DNIN50.dll
2007-12-21 14:11 . 2003-09-23 11:37 77,926 --a------ C:\WINDOWS\system32\wg121.dll
2007-12-21 13:54 . 2006-11-12 22:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-12-21 13:54 . 2006-11-12 22:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-12-21 13:54 . 2006-11-12 22:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-12-21 11:36 . 2007-12-21 11:36 <DIR> d-------- C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\Grisoft
2007-12-21 11:36 . 2007-12-21 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-21 11:36 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 22:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-21 22:03 --------- d-----w C:\Program Files\Google
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 23:12 0 -c--a-w C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\wklnhst.dat
2007-10-30 23:12 --------- d-----w C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\Template
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 23:55 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-24 23:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-24 23:45 --------- d-----w C:\Documents and Settings\walmart.TOSHIBA-USER\Application Data\AOL
2007-10-24 20:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-24 20:11 --------- d-----w C:\Program Files\Pure Networks
2007-10-24 19:55 --------- d-----w C:\Program Files\Napster
2007-10-24 19:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-10-24 19:40 --------- d-----w C:\Program Files\Real
2007-10-24 18:03 --------- d-----w C:\Program Files\support.com
2007-10-24 17:52 --------- d-----w C:\Program Files\Toshiba
2007-10-24 17:12 --------- d-----w C:\Program Files\Windows Live Toolbar
2006-01-16 13:29 0 -c--a-w C:\Documents and Settings\walmart\Application Data\wklnhst.dat
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

LadyGrey
12-23-2007, 02:59 PM
.
---- Directory of C:\Display.temp ----
2004-01-26 19:03 99002 --a------ C:\Display.temp\Win2000\ialmkchw.sys
2004-01-26 19:03 98304 --a------ C:\Display.temp\Win2000\igfxcpl.cpl
2004-01-26 19:03 9602 --a------ C:\Display.temp\Win2000\ikch8xx.cat
2004-01-26 19:03 9598 --a------ C:\Display.temp\Win2000\isb8xx.cat
2004-01-26 19:03 9596 --a------ C:\Display.temp\Win2000\wa301b.cat
2004-01-26 19:03 9596 --a------ C:\Display.temp\Win2000\wa301a.cat
2004-01-26 19:03 9588 --a------ C:\Display.temp\Win2000\a314.cat
2004-01-26 19:03 9588 --a------ C:\Display.temp\Win2000\a313.cat
2004-01-26 19:03 9588 --a------ C:\Display.temp\Win2000\a311.cat
2004-01-26 19:03 9588 --a------ C:\Display.temp\Win2000\a310.cat
2004-01-26 19:03 9588 --a------ C:\Display.temp\Win2000\a309.cat
2004-01-26 19:03 9588 --a------ C:\Display.temp\Win2000\a308.cat
2004-01-26 19:03 9588 --a------ C:\Display.temp\Win2000\a307.cat
2004-01-26 19:03 9588 --a------ C:\Display.temp\Win2000\a306.cat
2004-01-26 19:03 9588 --a------ C:\Display.temp\Win2000\a305.cat
2004-01-26 19:03 9588 --a------ C:\Display.temp\Win2000\a304.cat
2004-01-26 19:03 9588 --a------ C:\Display.temp\Win2000\a303.cat
2004-01-26 19:03 9588 --a------ C:\Display.temp\Win2000\a302.cat
2004-01-26 19:03 9584 --a------ C:\Display.temp\Win2000\vch.cat
2004-01-26 19:03 95579 --a------ C:\Display.temp\Win2000\ialmnt5.sys
2004-01-26 19:03 94267 --a------ C:\Display.temp\Win2000\ialmrem.dll
2004-01-26 19:03 94208 --a------ C:\Display.temp\Win2000\igfxext.exe
2004-01-26 19:03 909312 --a------ C:\Display.temp\Win2000\igfxress.dll
2004-01-26 19:03 86016 --a------ C:\Display.temp\Win2000\igfxdo.dll
2004-01-26 19:03 69632 --a------ C:\Display.temp\Win2000\oemdspif.dll
2004-01-26 19:03 689 --a------ C:\Display.temp\setup.iss
2004-01-26 19:03 676 --a------ C:\Display.temp\Setup.ini
2004-01-26 19:03 66673 --a------ C:\Display.temp\Win2000\igfxhhun.lhp
2004-01-26 19:03 65536 --a------ C:\Display.temp\Win2000\ialmcoin.dll
2004-01-26 19:03 64172 --a------ C:\Display.temp\Win2000\igfxhkor.lhp
2004-01-26 19:03 63060 --a------ C:\Display.temp\Win2000\igfxhtrk.lhp
2004-01-26 19:03 63010 --a------ C:\Display.temp\Win2000\igfxhcsy.lhp
2004-01-26 19:03 62811 --a------ C:\Display.temp\Win2000\igfxhptg.lhp
2004-01-26 19:03 62603 --a------ C:\Display.temp\Win2000\igfxhplk.lhp
2004-01-26 19:03 61962 --a------ C:\Display.temp\Win2000\igfxhdeu.lhp
2004-01-26 19:03 61944 --a------ C:\Display.temp\Win2000\igfxhtha.lhp
2004-01-26 19:03 61468 --a------ C:\Display.temp\Win2000\igfxhfrc.lhp
2004-01-26 19:03 61435 --a------ C:\Display.temp\Win2000\igfxhfra.lhp
2004-01-26 19:03 61339 --a------ C:\Display.temp\Win2000\igfxhheb.lhp
2004-01-26 19:03 61156 --a------ C:\Display.temp\Win2000\igfxhell.lhp
2004-01-26 19:03 60949 --a------ C:\Display.temp\Win2000\igfxhptb.lhp
2004-01-26 19:03 60751 --a------ C:\Display.temp\Win2000\igfxhrus.lhp
2004-01-26 19:03 60716 --a------ C:\Display.temp\Win2000\igfxhdan.lhp
2004-01-26 19:03 60075 --a------ C:\Display.temp\Win2000\igfxhnld.lhp
2004-01-26 19:03 60063 --a------ C:\Display.temp\Win2000\igfxhjpn.lhp
2004-01-26 19:03 59810 --a------ C:\Display.temp\Win2000\igfxharb.lhp
2004-01-26 19:03 59810 --a------ C:\Display.temp\Win2000\igfxhara.lhp
2004-01-26 19:03 59717 --a------ C:\Display.temp\Win2000\igfxhesp.lhp
2004-01-26 19:03 59161 --a------ C:\Display.temp\Win2000\igfxhfin.lhp
2004-01-26 19:03 59037 --a------ C:\Display.temp\Win2000\igfxhsve.lhp
2004-01-26 19:03 58940 --a------ C:\Display.temp\Win2000\igfxhnor.lhp
2004-01-26 19:03 58803 --a------ C:\Display.temp\Win2000\igfxhita.lhp
2004-01-26 19:03 5875 --a------ C:\Display.temp\Win2000\isb8xx.inf
2004-01-26 19:03 58571 --a------ C:\Display.temp\Win2000\igfxhchs.lhp
2004-01-26 19:03 58444 --a------ C:\Display.temp\Win2000\igfxhcht.lhp
2004-01-26 19:03 57632 --a------ C:\Display.temp\Win2000\igfxheng.lhp
2004-01-26 19:03 56916 --a------ C:\Display.temp\Win2000\igfxhenu.lhp
2004-01-26 19:03 5307 --a------ C:\Display.temp\Win2000\wa301a.inf
2004-01-26 19:03 5283 --a------ C:\Display.temp\Win2000\ikch8xx.inf
2004-01-26 19:03 5204 --a------ C:\Display.temp\Win2000\wa301b.inf
2004-01-26 19:03 512 --a------ C:\Display.temp\data2.cab
2004-01-26 19:03 51088 --a------ C:\Display.temp\Win2000\i830mnt5.cat
2004-01-26 19:03 5105 --a------ C:\Display.temp\Win2000\a305.inf
2004-01-26 19:03 5090 --a------ C:\Display.temp\Win2000\Vch.inf
2004-01-26 19:03 5071 --a------ C:\Display.temp\Win2000\a307.inf
2004-01-26 19:03 5069 --a------ C:\Display.temp\Win2000\a311.inf
2004-01-26 19:03 5067 --a------ C:\Display.temp\Win2000\a310.inf
2004-01-26 19:03 5053 --a------ C:\Display.temp\Win2000\a314.inf
2004-01-26 19:03 5053 --a------ C:\Display.temp\Win2000\a309.inf
2004-01-26 19:03 5048 --a------ C:\Display.temp\Win2000\a313.inf
2004-01-26 19:03 5047 --a------ C:\Display.temp\Win2000\a303.inf
2004-01-26 19:03 5047 --a------ C:\Display.temp\Win2000\a302.inf
2004-01-26 19:03 5038 --a------ C:\Display.temp\Win2000\a304.inf
2004-01-26 19:03 5025 --a------ C:\Display.temp\Win2000\a308.inf
2004-01-26 19:03 499712 --a------ C:\Display.temp\Win2000\igfxcfg.exe
2004-01-26 19:03 4881 --a------ C:\Display.temp\Win2000\a306.inf
2004-01-26 19:03 488002 --a------ C:\Display.temp\Win2000\ialmdd5.dll
2004-01-26 19:03 46647 --a------ C:\Display.temp\Win2000\a304.sys
2004-01-26 19:03 45056 --a------ C:\Display.temp\Win2000\igfxdgps.dll
2004-01-26 19:03 437 --a------ C:\Display.temp\layout.bin
2004-01-26 19:03 39507 --a------ C:\Display.temp\Win2000\ialmnt5.inf
2004-01-26 19:03 37431 --a------ C:\Display.temp\Win2000\a313.sys
2004-01-26 19:03 36927 --a------ C:\Display.temp\Win2000\ialmrnt5.dll
2004-01-26 19:03 34476 --a------ C:\Display.temp\data1.hdr
2004-01-26 19:03 34 --a------ C:\Display.temp\autorun.inf
2004-01-26 19:03 339565 --a------ C:\Display.temp\ikernel.ex_
2004-01-26 19:03 33847 --a------ C:\Display.temp\Win2000\wa301b.sys
2004-01-26 19:03 33847 --a------ C:\Display.temp\Win2000\wa301a.sys
2004-01-26 19:03 33335 --a------ C:\Display.temp\Win2000\a311.sys
2004-01-26 19:03 33335 --a------ C:\Display.temp\Win2000\a310.sys
2004-01-26 19:03 32768 --a------ C:\Display.temp\Win2000\igfxexps.dll
2004-01-26 19:03 323584 --a------ C:\Display.temp\Win2000\igfxsrvc.dll
2004-01-26 19:03 29751 --a------ C:\Display.temp\Win2000\a303.sys
2004-01-26 19:03 28613 --a------ C:\Display.temp\readme.txt
2004-01-26 19:03 270336 --a------ C:\Display.temp\Support\shpshftr.dll
2004-01-26 19:03 26167 --a------ C:\Display.temp\Win2000\a309.sys
2004-01-26 19:03 25 --a------ C:\Display.temp\Install.cfg
2004-01-26 19:03 24576 --a------ C:\Display.temp\Support\SignTime.dll
2004-01-26 19:03 234823 --a------ C:\Display.temp\setup.inx
2004-01-26 19:03 221184 --a------ C:\Display.temp\Win2000\igfxeud.dll
2004-01-26 19:03 21559 --a------ C:\Display.temp\Win2000\a307.sys
2004-01-26 19:03 21045 --a------ C:\Display.temp\Win2000\Vch.sys
2004-01-26 19:03 204800 --a------ C:\Display.temp\Win2000\igfxpph.dll
2004-01-26 19:03 198331 --a------ C:\Display.temp\Win2000\ialmdev5.dll
2004-01-26 19:03 192512 --a------ C:\Display.temp\Win2000\ialmgdev.dll
2004-01-26 19:03 1851392 --a------ C:\Display.temp\Win2000\ialmgicd.dll
2004-01-26 19:03 1813934 --a------ C:\Display.temp\data1.cab
2004-01-26 19:03 16951 --a------ C:\Display.temp\Win2000\a306.sys
2004-01-26 19:03 165888 --a------ C:\Display.temp\Setup.exe
2004-01-26 19:03 163840 --a------ C:\Display.temp\Win2000\igfxrptg.lrc
2004-01-26 19:03 163840 --a------ C:\Display.temp\Win2000\igfxrita.lrc
2004-01-26 19:03 163840 --a------ C:\Display.temp\Win2000\igfxrhun.lrc
2004-01-26 19:03 163840 --a------ C:\Display.temp\Win2000\igfxrfrc.lrc
2004-01-26 19:03 163840 --a------ C:\Display.temp\Win2000\igfxrfra.lrc
2004-01-26 19:03 163840 --a------ C:\Display.temp\Win2000\igfxresp.lrc
2004-01-26 19:03 163840 --a------ C:\Display.temp\Win2000\igfxrell.lrc
2004-01-26 19:03 159744 --a------ C:\Display.temp\Win2000\igfxrtrk.lrc
2004-01-26 19:03 159744 --a------ C:\Display.temp\Win2000\igfxrtha.lrc
2004-01-26 19:03 159744 --a------ C:\Display.temp\Win2000\igfxrsve.lrc
2004-01-26 19:03 159744 --a------ C:\Display.temp\Win2000\igfxrrus.lrc
2004-01-26 19:03 159744 --a------ C:\Display.temp\Win2000\igfxrptb.lrc
2004-01-26 19:03 159744 --a------ C:\Display.temp\Win2000\igfxrplk.lrc
2004-01-26 19:03 159744 --a------ C:\Display.temp\Win2000\igfxrnor.lrc
2004-01-26 19:03 159744 --a------ C:\Display.temp\Win2000\igfxrnld.lrc
2004-01-26 19:03 159744 --a------ C:\Display.temp\Win2000\igfxrfin.lrc
2004-01-26 19:03 159744 --a------ C:\Display.temp\Win2000\igfxrdeu.lrc
2004-01-26 19:03 159744 --a------ C:\Display.temp\Win2000\igfxrdan.lrc
2004-01-26 19:03 159744 --a------ C:\Display.temp\Win2000\igfxrcsy.lrc
2004-01-26 19:03 155648 --a------ C:\Display.temp\Win2000\igfxtray.exe
2004-01-26 19:03 155648 --a------ C:\Display.temp\Win2000\igfxrkor.lrc
2004-01-26 19:03 155648 --a------ C:\Display.temp\Win2000\igfxrjpn.lrc
2004-01-26 19:03 155648 --a------ C:\Display.temp\Win2000\igfxrheb.lrc
2004-01-26 19:03 155648 --a------ C:\Display.temp\Win2000\igfxrenu.lrc
2004-01-26 19:03 155648 --a------ C:\Display.temp\Win2000\igfxreng.lrc
2004-01-26 19:03 155648 --a------ C:\Display.temp\Win2000\igfxrcht.lrc
2004-01-26 19:03 155648 --a------ C:\Display.temp\Win2000\igfxrchs.lrc
2004-01-26 19:03 155648 --a------ C:\Display.temp\Win2000\igfxrarb.lrc
2004-01-26 19:03 155648 --a------ C:\Display.temp\Win2000\igfxrara.lrc
2004-01-26 19:03 151552 --a------ C:\Display.temp\Win2000\igfxdiag.exe
2004-01-26 19:03 151552 --a------ C:\Display.temp\Win2000\igfxdev.dll
2004-01-26 19:03 12855 --a------ C:\Display.temp\Win2000\a305.sys
2004-01-26 19:03 122880 --a------ C:\Display.temp\Win2000\igfxhk.dll
2004-01-26 19:03 122110 --a------ C:\Display.temp\Win2000\ialmsbw.sys

LadyGrey
12-23-2007, 02:59 PM
2004-01-26 19:03 118784 --a------ C:\Display.temp\Win2000\hkcmd.exe
2004-01-26 19:03 118784 --a------ C:\Display.temp\Win2000\hccutils.dll
2004-01-26 19:03 11831 --a------ C:\Display.temp\Win2000\a302.sys
2004-01-26 19:03 116796 --a------ C:\Display.temp\Win2000\ialmdnt5.dll
2004-01-26 19:03 11319 --a------ C:\Display.temp\Win2000\a314.sys
2004-01-26 19:03 11319 --a------ C:\Display.temp\Win2000\a308.sys
2001-12-17 11:06 1191 --a------ C:\Display.temp\silent.txt

((((((((((((((((((((((((((((( snapshot@2007-12-22_ 7.33.22.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-08 00:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-08 00:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-08 00:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2007-12-20 21:08:37 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-12-22 16:11:18 2,908,160 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-12-22 16:11:19 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-20 21:08:37 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-12-22 15:42:38 2,908,160 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2007-12-22 15:42:38 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-12-22 15:18:37 63,214 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-12-23 16:18:21 63,214 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-12-22 15:18:37 402,644 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-23 16:18:21 402,644 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 02:24]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2007-09-22 13:14]
"000StTHK"="000StTHK.exe" [2001-06-23 19:28 C:\WINDOWS\system32\000StTHK.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" []
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-01-26 19:03]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-01-26 19:03]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 14:00 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"TFNF5"="TFNF5.exe" [2003-12-02 13:15 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2004-06-01 19:43 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-09-22 13:15]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2007-09-22 13:15]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 15:37]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"4882da28"="C:\WINDOWS\system32\ttpuvheh.dll" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 15:16]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-21 15:16]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Smart Wizard Wireless Settings.lnk - C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2007-12-21 14:11:32]
R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 00:05]
R3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;C:\WINDOWS\system32\DRIVERS\wg121nd5.sys [2003-11-28 10:18]
.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 18:48:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 13:46:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************************************
.
Completion time: 2007-12-23 13:47:21
C:\ComboFix2.txt ... 2007-12-23 10:00
C:\ComboFix3.txt ... 2007-12-22 16:03
.
2007-12-12 11:05:14 --- E O F ---

Budfred
12-23-2007, 05:27 PM
The main problem file did not seem to delete... See if you can find and delete:

C:\WINDOWS\system32\ttpuvheh.dll

You will probably need to set Windows to show all hidden files to find it and you may need to delete it in Safe Mode...

Then use VundoFix to see if there are any remains and run it repeatedly until it comes up clean... Run it at least twice even if it says it is clean...

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4)
to your Desktop.
Double-click *VundoFix.exe* to run it.
Click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click *OK*.
Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the *Scan for Vundo* button." when
VundoFix appears at reboot.

Then post a fresh HJT log and let me know how things seem to be going with the computer...

LadyGrey
12-24-2007, 03:19 PM
Here we go with the Vundo log, yep I ran it a bunch of times. I've been looking since around 5AM for that darn file and I did find it, in AVG Virus Vault. I deleted it from there, and then from the bin, hope to goodness that was ok! It was nowhere and I do mean nowhere else to be found. I went through so many files in System32 that I'm half blind, I did searches through Windows search, nothing, nada! That's the only place I found it. As for the computer it is running much faster but I hate to say that the darn error message is still coming up on startup.:( I will post the new HijackThis log soon as I get my rolls on to rise for dinner tomorrow, then I will run HijackThis. Yeah, I'm a multitasking Mom!:D




VundoFix V6.7.7
Checking Java version...
Sun Java not detected
Scan started at 4:42:03 AM 12/24/2007
Listing files found while scanning....
No infected files were found.

Beginning removal...
VundoFix V6.7.7
Checking Java version...
Sun Java not detected
Scan started at 5:28:50 AM 12/24/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.7.7
Checking Java version...
Sun Java not detected
Scan started at 6:09:24 AM 12/24/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.7.7
Checking Java version...
Sun Java not detected
Scan started at 7:28:02 AM 12/24/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.7.7
Checking Java version...
Sun Java not detected
Scan started at 8:04:44 AM 12/24/2007
Listing files found while scanning....
No infected files were found.

Beginning removal...
VundoFix V6.7.7
Checking Java version...
Sun Java not detected
Scan started at 12:20:54 PM 12/24/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.7.7
Checking Java version...
Sun Java not detected
Scan started at 1:28:21 PM 12/24/2007
Listing files found while scanning....
No infected files were found.

LadyGrey
12-24-2007, 04:32 PM
Fresh HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:40 PM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\walmart.TOSHIBA-USER\Desktop\HiJackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: (no name) - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [4882da28] rundll32.exe "C:\WINDOWS\system32\ttpuvheh.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
--
End of file - 6021 bytes

Budfred
12-24-2007, 06:57 PM
Try a HJT fix and see if that does it... If not, we get out the big guns...

Open a HJT scan and put checks by:

O3 - Toolbar: (no name) - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
O4 - HKLM\..\Run: [4882da28] rundll32.exe "C:\WINDOWS\system32\ttpuvheh.dll",b

Close all open windows except HJT and press Fix checked...

Reboot and post a fresh HJT log...

I still think the best bet would be to nuke and rebuild with Win2k... That said, be sure to let this person know that any transactions he has done online with this computer were probably compromised and he will need to notify accounts, change passwords and so on...
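As an added defender's example (not part of this thread and not code from HijackThis, VundoFix or ComboFix): a small Python triage pass over HijackThis O3/O4 lines like the ones Budfred picked out above. The sample log lines and the "present files" inventory are constructed here to mirror this thread's log; the 8-hex-character entry-name heuristic is my assumption, not something the thread states.

```python
import re

# Constructed sample lines, modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = [
    r"O3 - Toolbar: (no name) - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)",
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r'O4 - HKLM\..\Run: [4882da28] rundll32.exe "C:\WINDOWS\system32\ttpuvheh.dll",b',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

# Constructed stand-in for a file inventory of the machine. After the DLL was
# quarantined, the Run entry still pointed at it, which is what produced the
# RUNDLL "module could not be found" error at every logon.
PRESENT_FILES = {
    r"C:\Program Files\iTunes\iTunesHelper.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
}

# "O4 - HKLM\..\Run: [name] command" (hive may be HKLM, HKCU, HKUS\S-1-5-xx ...)
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# rundll32[.exe] "path\to\x.dll",EntryPoint  (quotes optional)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?(?:,(?P<entry>\S+))?',
                       re.IGNORECASE)
# Assumed heuristic: an 8-character random hex value name, like 4882da28 above.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


def triage_hjt(lines, present_files):
    """Return (log line, reason) pairs worth a closer look."""
    present = {p.lower() for p in present_files}
    findings = []
    for line in lines:
        line = line.rstrip()
        # Orphaned BHO/toolbar: CLSID still registered but its file is gone.
        if line.startswith(("O2 - ", "O3 - ")) and line.endswith("(no file)"):
            findings.append((line, "orphaned BHO/toolbar entry, file missing"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        r = RUNDLL_RE.match(m.group("cmd"))
        if not r:
            continue  # ordinary exe autostarts are not flagged by this pass
        reasons = ["rundll32 autostart loading a DLL"]
        if r.group("dll").lower() not in present:
            reasons.append("target DLL not on disk (source of the RUNDLL error at logon)")
        if HEX_NAME_RE.match(m.group("name")):
            reasons.append("random hex entry name")
        findings.append((line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for entry, why in triage_hjt(SAMPLE_LOG, PRESENT_FILES):
        print(f"{why}\n    {entry}")
```

Both lines the fix targeted come back flagged; the legitimate exe autostarts are left alone, which is the point of triaging rather than blindly fixing every O4 entry.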

LadyGrey
12-25-2007, 06:46 PM
:D YOU DID IT!!!
I fixed those two items and NO MORE ERROR on startup.
Starts up faster and better now. No errors at all!
You are a genius!!! Thank you so much!!
I called the young man this evening and told him he had better get hold of his bank and cards and anything else as all his personal information is now out and about, name, accounts, passwords, all of it. So he better take some steps to protect himself quick!
Here's the new HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:58 PM, on 12/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\walmart.TOSHIBA-USER\Desktop\HiJackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
--
End of file - 5797 bytes

Budfred
12-25-2007, 08:24 PM
The log looks good... You might want to install the latest Java update before getting it back to this guy... Hopefully it will stay clean longer this time around...

If I were a genius, I would have tried fixing those things with HJT a while ago... :p

LadyGrey
12-25-2007, 09:34 PM
Budfred you are such a dear! You are a genius no two ways about it! I can't thank you enough for sticking with me. I get so determined and don't want to give up. I'm ok with the everyday clean ups, like I've been taught to handle, but when I get something like this it is so nice to have someone and somewhere to turn for help! If I Google the programs we used will it take me to sites where I can find out what they do and when and why to use them? You said that if this last try didn't work we were gonna pull out the big guns? I thought we WERE using the big guns!!:D :D Shows you how little I know and how much more I have to learn! What the devil was that file anyway?? I will do all the updates tomorrow and get it back to him on Thursday.
This young man works with my hubby and I told hubby to tell him that if I see that computer again in such a shape after all this trouble then I WILL zero the drive and start over!!:D :D
I so hope you had a very Merry Christmas and Santa brought you everything you wished for!
Many thanks,
LG;)

mjc
12-25-2007, 10:07 PM
Nah...those were just still pea shooters.

The big guns (http://www.navy.mil/navydata/ships/battleships/newjersey/nj-1984beirut.jpg) weren't even warmed up...

Budfred
12-25-2007, 11:03 PM
It would probably be a good idea to clear those tools out of there, some anyway... For ComboFix, do this:

Click Start > Run > type in ComboFix /u
Note the space, it needs to be there.

It deletes all the files that CF drops in the system, deletes CF itself and its folders, deletes qoobox, the VundoFix backups, the dss folder (C:\deckard), the otmoveit folder, and the regbackups created by erunt through cf.

It resets clock settings, hidden file extensions, hidden system files, and System Restore.

Then delete SDFix and SmitfraudFix...

I am afraid learning how to use the tools is a bit more complex than this post allows and requires access to hidden forums... If you want to learn, you can join Boot Camp or one of the other online schools...

And yes, there are a few more powerful tools I don't use unless all else fails... The less they are used, the less likely the criminals will find a way around them...