Tech Support banner

Status
Not open for further replies.
1 - 4 of 4 Posts

·
Registered
Joined
·
9 Posts
Discussion Starter #1
Logfile of HijackThis v1.99.1
Scan saved at 10:18:31 AM, on 9/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\Hmzeet.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\byckqq.exe
C:\Program Files\ohra\mbsi.exe
C:\WINDOWS\System32\?ti2evxx.exe
C:\Program Files\winCMAPP\wincmapp.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\QkcA\command.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\BG\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.93.144.2:800
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SDWin32 Class - {5B8E11E0-E280-42DC-8434-79821CC151B6} - C:\WINDOWS\System32\odvgq.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SDWin32 Class - {9E5EABEE-D678-400D-A40B-63C8B0DC2F3A} - C:\WINDOWS\System32\bfbbk.dll
O2 - BHO: (no name) - {D0CC2924-E0CB-EC43-EB09-B9BE4F0B3096} - C:\WINDOWS\System32\onj.dll
O2 - BHO: (no name) - {EFF90188-9B60-CBE5-16B3-C2D929FD0F95} - C:\WINDOWS\System32\tcl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 16
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wXOVA4] "C:\WINDOWS\system32\cxtpls_loader.EXE" /PC=CP.AOP2
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\atzapi.exe reg_run
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Hmzeet.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [eebpqbn] C:\WINDOWS\System32\byckqq.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uuse] C:\Program Files\ohra\mbsi.exe
O4 - HKCU\..\Run: [Qtcic] C:\WINDOWS\System32\?ti2evxx.exe
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F0FCC76D-767E-4759-A447-62289CA775AA} (Coreport SSO Client) - http://www.client.dbm.com/v51/ie/controls/CoreportSsoClient.cab
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\mnswch.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QkcA\command.exe
O23 - Service: CWShredder Service - InterMute, Inc. - D:\cwshredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
Hello,

Before we start, I want you to understand one thing first. You have a very bad infection which is very difficult to remove. It requires a lot of work - both from you & me together. I'm gonna request for your full cooperation during such time. You should not at any time skip any of the steps outlined herewith nor do any of the fix outside out the order as I've laid out. Doing so may render the fix to be ineffective

Please take note of any problems you encounter during the fix & post them when you have completed the fix.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Before proceeding any further, please create a new directory - C:\PROGRAM FILES\HIJACKTHIS\
Re-locate your HijackThis files to the new directory


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Download & immediately run - L2MFix.exe
Click "Install" to extract the contents to a newly created folder.

Close all other opened programs before running this tool

From within the newly created folder, locate & run L2mfix.bat
Select option #2 - Run Fix - by typing 2

Press any key to reboot your computer.
After the reboot, your Desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, you will be presented with a log. Save the contents of that log as I shall require you to post it in your next reply after completing the fix.

DO NOT RUN ANY OTHER FILES IN THE L2MFIX FOLDER UNLESS INSTRUCTED

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications, you will need to visit this website to download additional files.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Please download these additional files/programs. Do not run them untill instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

CleanUp! - Install.

KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

WinPfind.zip

TrackQoo.zip

I need you to update Ewido again. Please go to this website - http://www.ewido.net/en/download/updates/
Download the full updated database (Approximately 3600 KB) & install it unto your copy of Ewido.

Download Lavasoft's Ad-Aware & it's recently updated plug-in - VX2 Cleaner

Install both using the default options & then update Ad-Aware with the latest definitions.
Click on Add-ons in the lefthand column & select - VX2 Cleaner V2.0
Click Run Tool >> "OK"
If something is found, click "Clean" as in the directions given.
Click "Close", and exit Ad-Aware.


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customed my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
  • SurfSideKick 3 (let me know if ou cannot find this entry)
    winCMAPP
    cxtpls
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Launch KillBox.exe & select the following options:
  • delete on Reboot
  • end Explorer shell while killing file
  • unregister dlll before deleting * if it's not grayed out
Select all the filenames below & then right-click & select Copy
  • C:\WINDOWS\QkcA\command.exe
    C:\WINDOWS\System32\Hmzeet.exe
    C:\WINDOWS\System32\byckqq.exe
    C:\Program Files\ohra\mbsi.exe
    C:\WINDOWS\System32\?ti2evxx.exe
    C:\WINDOWS\System32\odvgq.dll
    C:\WINDOWS\System32\bfbbk.dll
    C:\WINDOWS\System32\onj.dll
    C:\WINDOWS\System32\tcl.dll
    C:\WINDOWS\system32\cxtpls_loader.EXE
    C:\WINDOWS\System32\atzapi.exe
    C:\WINDOWS\System32\pshwr.exe
    C:\WINDOWS\System32\repairs.dll
    C:\WINDOWS\system32\mnswch.dll
* Go to the File menu, and choose Paste from Clipboard
* Click on the dropdown menu next to Full Path of File to Delete field.
* Verify that the filenames you pasted are found there
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Next, please reboot your computer in SafeMode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Click Start->Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - Command Service (cmdService)
  2. Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
  3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  4. In the popup box that appears, type in "Service name" & then click on the OK button
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: SDWin32 Class - {5B8E11E0-E280-42DC-8434-79821CC151B6} - C:\WINDOWS\System32\odvgq.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SDWin32 Class - {9E5EABEE-D678-400D-A40B-63C8B0DC2F3A} - C:\WINDOWS\System32\bfbbk.dll
O2 - BHO: (no name) - {D0CC2924-E0CB-EC43-EB09-B9BE4F0B3096} - C:\WINDOWS\System32\onj.dll
O2 - BHO: (no name) - {EFF90188-9B60-CBE5-16B3-C2D929FD0F95} - C:\WINDOWS\System32\tcl.dll
O4 - HKLM\..\Run: [wXOVA4] "C:\WINDOWS\system32\cxtpls_loader.EXE" /PC=CP.AOP2
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\atzapi.exe reg_run
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Hmzeet.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [eebpqbn] C:\WINDOWS\System32\byckqq.exe r
O4 - HKCU\..\Run: [Uuse] C:\Program Files\ohra\mbsi.exe
O4 - HKCU\..\Run: [Qtcic] C:\WINDOWS\System32\?ti2evxx.exe
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\mnswch.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QkcA\command.exe



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folder
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\Program Files\winCMAPP\
    C:\Program Files\SurfSideKick 3\
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
    [*]Delete Newsgroup Subscriptions
    [*]Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Launch Ad-Aware & click on the Start button
Select "Perform smart system scan" and click Next.
Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK".


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Ewido with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • .Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Double-click WinPFind.zip & extract the contents to a new folder at Drive C.

1. From within that folder, double click WinPFind.exe
2. Click Start Scan
3. Once the Scan is complete, it will create a report in a text file
4. Go to the WinPFind folder & locate WinPFind.txt
5. Post the results in your next reply!

** This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO NORMAL MODE


As you reboot, Ad-Aware will start up
Click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Extract the contents of TrackQoo.zip & double-click on TrackQoo1.vbs. Wait a few seconds and a notepad page will pop up, Copy & Paste those results in your next reply.
* If your Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

In your next post, please include fresh logs from:
  • HiJackThis log
    [*] L2Mfix's log
    [*] Online Scan
    [*] Ewido
    [*] WinPfind
    [*] TrackQoo1.vbs
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
 

·
Registered
Joined
·
9 Posts
Discussion Starter #3
The laptop owner took the laptop before I could finish everything on your list she is supposed to bring it back on Friday (she needed to write some papers for class), so here is what I have. Thank You for all of your help!!

Logfile of HijackThis v1.99.1
Scan saved at 4:27:12 PM, on 9/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\System32\comaddin.exe
C:\WINDOWS\System32\cyuoaie.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ohra\mbsi.exe
C:\WINDOWS\System32\?ti2evxx.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.93.144.2:800
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 16
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [65da78dd5b25] C:\WINDOWS\System32\comaddin.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [dlrfmz] C:\WINDOWS\System32\cyuoaie.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uuse] C:\Program Files\ohra\mbsi.exe
O4 - HKCU\..\Run: [Qtcic] C:\WINDOWS\System32\?ti2evxx.exe
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: nacn.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F0FCC76D-767E-4759-A447-62289CA775AA} (Coreport SSO Client) - http://www.client.dbm.com/v51/ie/controls/CoreportSsoClient.cab
O20 - AppInit_DLLs: repairs.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)

L2Mfix 1.04a

Running From:
C:\l2mfix\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:57:14 PM, 9/14/2005
+ Report-Checksum: BE01EE53

+ Scan result:

HKLM\SOFTWARE\SecureWin -> Spyware.Adlogix : Cleaned with backup
[704] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[752] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[764] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[940] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[992] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[1644] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[1888] C:\WINDOWS\System32\catsrv92.exe -> Spyware.UrlSpy : Cleaned with backup
[288] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[332] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[524] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[584] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[728] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[1292] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[1448] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[1468] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[1608] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[1720] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[1772] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[1828] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[1992] C:\WINDOWS\System32\catsrv92.exe -> Spyware.UrlSpy : Error during cleaning
[260] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[360] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[968] C:\WINDOWS\System32\comaddin.exe -> Spyware.UrlSpy : Cleaned with backup
[2260] C:\WINDOWS\System32\cyuoaie.exe -> Trojan.Agent.cp : Cleaned with backup
[2608] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[2632] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[2672] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[2764] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[2788] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[2860] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\SurfSideKick 3\Ssk.exe -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskBho.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskCore.dll -> Spyware.SurfSide : Cleaned with backup
C:\quarantine\svcproc.exe.Vir -> Trojan.Stervis.g : Error during cleaning
C:\quarantine\svcproc.exe.Vir.0 -> Trojan.Stervis.g : Error during cleaning
C:\quarantine\svcproc.exe.Vir.1 -> Trojan.Stervis.g : Error during cleaning
C:\quarantine\svcproc.exe.Vir.10 -> Trojan.Stervis.g : Error during cleaning
C:\quarantine\svcproc.exe.Vir.11 -> Trojan.Stervis.g : Error during cleaning
C:\quarantine\svcproc.exe.Vir.2 -> Trojan.Stervis.g : Error during cleaning
C:\quarantine\svcproc.exe.Vir.3 -> Trojan.Stervis.g : Error during cleaning
C:\quarantine\svcproc.exe.Vir.4 -> Trojan.Stervis.g : Error during cleaning
C:\quarantine\svcproc.exe.Vir.5 -> Trojan.Stervis.g : Error during cleaning
C:\quarantine\svcproc.exe.Vir.6 -> Trojan.Stervis.g : Error during cleaning
C:\quarantine\svcproc.exe.Vir.7 -> Trojan.Stervis.g : Error during cleaning
C:\quarantine\svcproc.exe.Vir.8 -> Trojan.Stervis.g : Error during cleaning
C:\quarantine\svcproc.exe.Vir.9 -> Trojan.Stervis.g : Error during cleaning
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0046407.exe -> Spyware.CASClient : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0046408.exe -> TrojanDownloader.Agent.tf : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0046410.dll -> TrojanDownloader.Qoologic.ad : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0046411.exe -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0046413.exe -> TrojanDownloader.Agent.hw : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0046420.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0046421.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0046423.dll -> TrojanDownloader.Qoologic.af : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0046433.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0046435.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0046437.dll -> TrojanDownloader.Qoologic.af : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0046461.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0046462.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0046464.dll -> TrojanDownloader.Qoologic.af : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0047461.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0047462.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0047464.dll -> TrojanDownloader.Qoologic.af : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0048461.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0048462.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP564\A0048464.dll -> TrojanDownloader.Qoologic.af : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP565\A0049458.exe -> Spyware.UrlSpy : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP565\A0049462.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP565\A0049463.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP565\A0049466.dll -> TrojanDownloader.Qoologic.af : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP565\A0050461.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP565\A0050462.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP565\A0050464.dll -> TrojanDownloader.Qoologic.af : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP565\A0050484.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP565\A0050487.dll -> TrojanDownloader.Qoologic.af : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP565\A0050488.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP565\A0050765.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP565\A0050767.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP565\A0050769.dll -> TrojanDownloader.Qoologic.af : Cleaned with backup
C:\System Volume Information\_restore{5C713970-6601-459F-9C7A-C8AECE52E115}\RP565\A0050805.exe -> Trojan.Agent.ay : Cleaned with backup
C:\WINDOWS\icont.exe -> Spyware.AdURL : Cleaned with backup
C:\WINDOWS\system32\atzapi.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\browser0.exe -> Spyware.UrlSpy : Cleaned with backup
C:\WINDOWS\system32\catsrv92.exe -> Spyware.UrlSpy : Cleaned with backup
C:\WINDOWS\system32\comaddin.exe -> Spyware.UrlSpy : Cleaned with backup
C:\WINDOWS\system32\cyuoaie.exe -> Trojan.Agent.ay : Cleaned with backup
C:\WINDOWS\system32\datadx.dll -> TrojanDownloader.Qoologic.ad : Cleaned with backup
C:\WINDOWS\system32\icnirok.dll -> TrojanDownloader.Qoologic.af : Cleaned with backup
C:\WINDOWS\system32\puypa.dat -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End
 

·
Premium Member
Joined
·
14,311 Posts
Where are the rest of the logs we asked for (WinPFind, Trackqoo)?
 
1 - 4 of 4 Posts
Status
Not open for further replies.
Top