# gadcom.exe, SHeur2, Twain.exe trojans and popups



## S2K (Nov 23, 2008)

For the past few days, AVG has been giving me alerts that my computer is infected. It's alerted me to various files such as gadcom.exe, SHeur2.AXX, msansspc.dll, A0006309.dll, A0006113.dll, khFYrOfE.dll, Twain.exe, and Virtumonde. Each time, I click the "Heal" button, but after 15 minutes or so, I get another warning.

Last night, I ran HijackThis and fixed the bad files identified by hijackthis.de. I also ran Ad-Aware and Spybot, which both removed probably a dozen nasty things. Most things are related to dll files or the SHeur2 trojan. Usually, these various programs will fix any little problem I have with my computer, but this time it's bad. I'm afraid I don't know enough about this stuff to get rid of the serious problems.

Today, things seemed to be perfectly fine until I got an AVG virus alert relating to Twain.exe. This is the first time I've gotten that one and soon after healing, I started getting ads popping up in a new browser window. One time, a million new tabs started opening and I had to kill the browser. Now, I'm getting more virus alerts for SHeur2, but this time it's called SHeur2.CRJ instead of SHeur2.AXX. Also, that damn gadcom.exe thing appeared back in my "C:\Documents and Settings\Administrator\Application Data" directory.

In case it matters, I'm running Windows XP Version 2002 Service Pack 3 on a laptop.

If anyone can help, I'd be extremely grateful.

Thanks,

Pat

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:46 PM, on 11/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\ehtray.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GetModule\GetModule29.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [GetModule29] C:\Program Files\GetModule\GetModule29.exe
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Administrator\Application Data\Twain\Twain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://vaexpress.orbital.com/iNotes6W.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1213918087521
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
--
End of file - 13295 bytes


----------



## S2K (Nov 23, 2008)

bump


----------



## S2K (Nov 23, 2008)

bumpity bump


----------



## S2K (Nov 23, 2008)

bump


----------



## S2K (Nov 23, 2008)

pmub


----------



## S2K (Nov 23, 2008)

bump again. ...just using my desktop until I can figure out what's wrong with my laptop, so no hurry. I still get AVG virus warnings every once and a while if I connect to the internet. Doesn't matter how many times I run AVG scan, Ad-Aware or Spybot. I need something else, but I'm afraid to just start running stuff that I'm not familiar with because I don't want to mess up my computer worse. Anyone have any ideas what I should try?


----------



## S2K (Nov 23, 2008)

to the top


----------



## S2K (Nov 23, 2008)

bump


----------



## S2K (Nov 23, 2008)

bump. My computer is still messed up  I can run Spybot and Ad-Aware and remove a bunch of problems, but every time I connect to the internet, they come back. I need something better. Any ideas?

For now, I'm just using my desktop. I know it can take a while to get help from one of the experts, so I'm waiting patiently


----------



## S2K (Nov 23, 2008)

bump


----------



## S2K (Nov 23, 2008)

bump


----------



## S2K (Nov 23, 2008)

ttt


----------



## S2K (Nov 23, 2008)

bump


----------



## S2K (Nov 23, 2008)

b...


----------



## S2K (Nov 23, 2008)

...u...


----------



## S2K (Nov 23, 2008)

...m...


----------



## S2K (Nov 23, 2008)

...p


----------



## S2K (Nov 23, 2008)

bump


----------



## S2K (Nov 23, 2008)

bump


----------



## S2K (Nov 23, 2008)

bump


----------



## dvk01 (Dec 14, 2002)

I think we are going to have problems fixing something that has been happening for over 1 month but lets try

first step

Please download Malwarebytes' Anti-Malware to your desktop
from HERE or  HERE 

Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded. 
Once the program has loaded, select Perform quick scan, then click Scan. 
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. 
Please include this log in your next reply.

It might ask you to reboot to finish cleaning. Please do so. ( Press YES on the alert) 
If you receive an (Error Loading xxxxxxxxxx .dll) error on reboot please reboot a second time . It is normal for this error to occur once and does not need to be reported unless it continues on every boot


----------



## S2K (Nov 23, 2008)

Thanks for the response Derek!!!

Here is my log:

Malwarebytes' Anti-Malware 1.31
Database version: 1585
Windows 5.1.2600 Service Pack 3
12/31/2008 1:03:22 PM
mbam-log-2008-12-31 (13-03-22).txt
Scan type: Quick Scan
Objects scanned: 73106
Time elapsed: 10 minute(s), 20 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\khfCspPI.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfcsppi (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcvnvj0eg61 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getmodule31 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\khfCspPI.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mlJDursp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wpv321228549770.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv431227390984.cpx (Trojan.Agent) -> Quarantined and deleted successfully.


----------



## dvk01 (Dec 14, 2002)

next stage

Download ComboFix from *Here* to your Desktop.

***Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer***
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re enable the protection again after combofix has finished*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running 
Double click on *combofix.exe* & follow the prompts.​If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this 
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" *along with a *new HijackThis log* for further review

*****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze *****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read  HERE  why we disable autoruns


----------



## S2K (Nov 23, 2008)

Hi Derek,

Thanks for your help! Here is the ComboFix log. I'll post the new HijackThis log next.

ComboFix 08-12-31.01 - Administrator 2009-01-01 3:18:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1548 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\Tasks\ucchwsww.job
c:\windows\Temp\tmp3.tmp
.
((((((((((((((((((((((((( Files Created from 2008-12-01 to 2009-01-01 )))))))))))))))))))))))))))))))
.
2009-01-01 03:04 . 2009-01-01 03:05 1,355 --a------ c:\windows\imsins.BAK
2008-12-31 12:44 . 2008-12-31 12:44 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-31 12:44 . 2008-12-31 12:44 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-31 12:44 . 2008-12-31 12:44 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-31 12:44 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 12:44 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-06 16:00 . 2008-12-29 22:00 d-------- c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 21:25 --------- d-----w c:\program files\Common Files\Research In Motion
2008-12-01 00:38 --------- d-----w c:\program files\Common Files\Adobe
2008-11-23 02:13 --------- d-----w c:\documents and settings\Administrator\Application Data\Twain
2008-11-22 04:07 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-22 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 02:32 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-22 02:31 --------- d-----w c:\program files\Lavasoft
2008-11-22 02:30 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-22 02:30 --------- d-----w c:\documents and settings\Tin Tran\Application Data\Lavasoft
2008-11-14 00:32 --------- d-----w c:\documents and settings\Administrator\Application Data\Azureus
2008-11-13 23:51 --------- d-----w c:\program files\Azureus
2008-06-29 02:18 256 ----a-w c:\documents and settings\Administrator\pool.bin
2007-08-25 18:02 0 ----a-w c:\documents and settings\Administrator\Application Data\wklnhst.dat
2008-09-13 17:49 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091320080914\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-05 30208]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 14:14 258048]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-06-28 126976]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-25 299008]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-30 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-30 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-30 118784]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 94208]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2007-10-31 378784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-06-16 413696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-29 1261336]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 c:\windows\agrsmmsg.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 06:28 24576 c:\windows\system32\000StTHK.exe]
"TPSMain"="TPSMain.exe" [2006-04-24 c:\windows\system32\TPSMain.exe]
"TPSODDCtl"="TPSODDCtl.exe" [2006-04-24 c:\windows\system32\TPSODDCtl.exe]
"TFNF5"="TFNF5.exe" [2006-03-16 c:\windows\system32\TFNF5.exe]
"TOSDCR"="TOSDCR.EXE" [2005-12-13 c:\windows\system32\TOSDCR.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"TFncKy"="TFncKy.exe" [BU]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 c:\windows\KHALMNPR.Exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-11-12 82026]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-04-09 671744]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-08-18 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-05 19:48 40448 c:\windows\system32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\OrCAD\\OrCAD_10.3\\tools\\bin\\cdsMsgServer.exe"=
"c:\\OrCAD\\OrCAD_10.3\\tools\\bin\\cdsNameServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2004-12-28 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2006-08-18 6144]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-17 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-17 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-17 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-08-17 76040]
R2 FdRedir;FdRedir;\??\c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2006-05-05 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;\??\c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2006-05-05 33024]
R2 LBeepKE;LBeepKE;c:\windows\system32\Drivers\LBeepKE.sys [2007-04-09 3712]
R2 smihlp;SMI helper driver;\??\c:\program files\Protector Suite QL\smihlp.sys [2006-05-05 3456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\DRIVERS\tdudf.sys [2006-06-28 98816]
.
Contents of the 'Scheduled Tasks' folder
2009-01-01 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 09:04]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKLM-Run-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe

.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - 
.
**************************************************************************
disk not found C:\
please note that you need administrator rights to perform deep scan
scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,10,97,7f,e1,18,\
8b,bb,34,c8,28,51,af,b0,29,a3,98,e7,20,e8,72,bf,57,a3,25,e2,63,26,f1,3f,c8,\
ff,68,de,35,c3,b7,d8,05,12,4d,c8,28,51,af,b0,29,a3,98,28,4b,a9,98,79,bd,d9,\
3a,fc,ef,d3,1e
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,e6,bc,4c,b1,82,\
0f,eb,b8,71,3b,04,66,8b,46,0d,96,b0,c5,98,ef,87,50,34,59,6a,9c,d6,61,af,45,\
84,18,27,7c,de,c3,76,51,22,13,71,3b,04,66,8b,46,0d,96,08,81,0e,ef,df,33,74,\
c7,8a,8b,43,14
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,7d,ec,fe,cd,c4,\
b0,80,33,25,da,ec,7e,55,20,c9,26,1f,da,66,4b,12,01,ba,7b,ff,7c,85,e0,43,d4,\
0e,fe,f5,3e,4b,55,42,8f,b5,0a,ff,7c,85,e0,43,d4,0e,fe,9b,5c,b0,fc,a0,9c,1e,\
ab,db,b0,6c,c8
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,31,ff,40,16,13,\
8f,86,79,3e,1e,9e,e0,57,5a,93,61,76,6d,14,fd,5c,b1,12,47,86,8c,21,01,be,91,\
eb,e7,6f,2c,dc,75,d8,38,6b,8c,6b,65,49,6a,7e,99,74,f7,82,0d,f9,b8,2d,6f,fb,\
69,1f,8b,05,26
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,a6,63,7f,9c,c6,\
5b,92,a4,cd,44,cd,b9,a6,33,6c,cd,4e,f3,42,14,c4,46,ca,1c,f5,1d,4d,73,a8,13,\
5c,05,91,2b,e9,3c,1a,0c,89,d2,f5,1d,4d,73,a8,13,5c,05,56,7b,0c,18,51,90,b2,\
ab,ac,1a,03,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,1d,5c,81,ae,7f,\
d3,2b,b6,b0,18,ed,a7,3f,8d,37,a4,74,40,3d,4e,aa,b1,12,07,df,20,58,62,78,6b,\
cf,c8,ed,71,10,7c,1c,d3,36,45,50,93,e5,ab,ec,6a,4e,ab,fc,5b,62,39,7d,c0,bc,\
74,28,36,7f,cd
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,f7,0e,39,92,92,\
6d,cc,8c,31,77,e1,ba,b1,f8,68,02,57,71,5d,1d,1b,1c,17,2e,fb,a7,78,e6,12,2f,\
9a,ea,14,29,27,1a,04,08,bc,91,fb,a7,78,e6,12,2f,9a,ea,8f,88,f1,86,5a,14,bf,\
25,1b,9a,2b,cc
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,4d,0e,94,db,48,\
a5,bc,fb,83,6c,56,8b,a0,85,96,ab,dd,40,84,9e,8c,dc,35,5a,01,3a,48,fc,e8,04,\
4a,f1,c3,2c,97,ce,04,6d,60,e0,01,3a,48,fc,e8,04,4a,f1,81,82,52,8c,0c,ed,31,\
40,51,a0,fc,f8
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,61,11,72,08,c2,\
7d,ea,5f,51,fa,6e,91,28,9e,14,cc,de,b8,61,53,24,89,9e,62,f6,0f,4e,58,98,5b,\
89,c9,cd,a7,5f,eb,ad,7a,e6,97,f6,0f,4e,58,98,5b,89,c9,bb,4f,b6,a3,db,31,70,\
68,b0,e7,52,c2
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,61,36,6b,4e,b9,\
44,c9,44,b1,cd,45,5a,a8,c4,f8,b9,c2,10,29,16,da,96,ad,25,3d,ce,ea,26,2d,45,\
aa,78,1f,af,0f,19,88,0a,77,6c,b1,cd,45,5a,a8,c4,f8,b9,72,f7,bd,fb,67,d3,12,\
20,2b,0d,8a,ac
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,bf,72,fd,df,83,\
bd,d2,1e,e3,0e,66,d5,eb,bc,2f,6b,72,21,b9,fe,58,1a,b5,b1,2a,b7,cc,b5,b9,7f,\
41,e7,f8,95,4e,dc,25,26,70,61,e3,0e,66,d5,eb,bc,2f,6b,8f,18,45,91,8e,f6,11,\
b2,a7,14,a8,a8
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,62,05,ea,43,e8,\
de,5d,f0,fa,ea,66,7f,d4,3b,6b,70,35,ec,48,3c,55,21,53,b8,6c,43,2d,1e,aa,22,\
2f,9c,2e,1e,59,54,e8,22,00,f7,05,73,21,dd,54,d8,4a,c5,b2,68,c0,79,e7,82,d3,\
da,e5,c2,f3,92
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\vrlogon.dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
c:\program files\Protector Suite QL\biokmd.dll
c:\program files\Protector Suite QL\mysafe.dll
- - - - - - - > 'lsass.exe'(1028)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\ThpSrv.exe
c:\windows\system32\TODDSrv.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\program files\Apoint2K\ApntEx.exe
c:\windows\system32\dllhost.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Toshiba\TOSHIBA Direct Disc Writer\DDWMon.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-01 3:24:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-01 08:24:52
Pre-Run: 37,476,352,000 bytes free
Post-Run: 37,501,935,616 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect/sos /forceresetreg
317 --- E O F --- 2009-01-01 08:06:05


----------



## S2K (Nov 23, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:18 AM, on 1/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://vaexpress.orbital.com/iNotes6W.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1213918087521
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
--
End of file - 12598 bytes


----------



## S2K (Nov 23, 2008)

How's everything look?


----------



## dvk01 (Dec 14, 2002)

Sorry, seem to have missed the replies

it looks ok 

have all problems stopped


----------



## S2K (Nov 23, 2008)

I don't know. I haven't been using it since it seemed to get worse every time I connect to the internet. I'll start using it again and let you know in a few days if it's better. Assuming it acts normal, can I consider this issue to be solved or is there anything else I need to do?


----------



## dvk01 (Dec 14, 2002)

let us know how it is so we can clear out teh tools we used if it is oK or start looking for fixes if it still has problems


----------



## S2K (Nov 23, 2008)

Hi Derek,

It seems to be working good now. For about a day, it was running really slow... the mouse would take forever to move and then it would only move in short jumps. I rebooted it every time it started acting up and the problem would go away. It's been running perfectly fine for over a week now so I'm not too worried about it.


----------



## dvk01 (Dec 14, 2002)

*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
* Click *START* then *RUN*
* Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.









then 
Turn off system restore by following instructions here 
for XP http://www.thespykiller.co.uk/index.php?page=8
or for Vista http://www.bleepingcomputer.com/tutorials/tutorial143.html

That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable system restore & create a new restore point. Now Empty Recycle bin on desktop

go here* http://www.thespykiller.co.uk/index.php?page=3 *for info on how to tighten your security settings and how to help prevent future attacks.

and scan here* http://secunia.com/software_inspector/ * for out of date & vulnerable common applications on your computer and update whatever it suggests

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place


----------



## S2K (Nov 23, 2008)

Thanks Derek! I finally got around to updating all of my old software. Man, there was a lot! I think everything is finally updated, but scunia keeps reporting a crap load of outdated flash and java. Why the heck do I have 9 different versions of outdated Java RTE on my computer? Even though I updated it, Scunia still says I have all these outdated versions. Is this important or can I ignore it? I think my computer is good now...can I mark this thread solved?

Anyway, I really appreciate your help. I donated $20(USD) to the Hedgehog Rescue program as a small token of my appreciation. Thanks again!

-Pat


----------



## dvk01 (Dec 14, 2002)

go to add/remove programs & uninstalll everything that says java except the latest which will be 1.6.0.11 or 12 

tell us where secunia thinks the flash one is as that is a common left over from old versions


----------



## S2K (Nov 23, 2008)

I think everything's good now. I uninstalled all the old versions of Java. I had three versions of flash installed (Adobe Flash 9, Adobe Flash 10, and Macromedia Flash). I uninstalled Adobe Flash 9 and now Scunia is happy.

Thanks once again for your help. Should I mark this thread solved now?


----------

