hizson

Can't get rid of spyware

29 posts in this topic

I hope that I am posting this in the right forum; I'm new to the site and not sure where to post this. I have picked up something that is killing my computer, draining RAM and constantly hitting me with pop-ups. I am running Windows XP Home and using Ad-Aware SE Personal Build 1.06r1, and I updated definitions prior to my latest scan. The following is the scan report.

 

 

Ad-Aware SE Build 1.06r1

Logfile Created on:Monday, September 11, 2006 10:06:57 AM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R122 08.09.2006

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

MRU List(TAC index:0):7 total references

Tracking Cookie(TAC index:3):13 total references

Windows(TAC index:3):2 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

9-11-2006 10:06:57 AM - Scan started. (Full System Scan)

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\jere\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct3d

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct X

 

 

MRU List Object Recognized!

Location: : software\microsoft\directdraw\mostrecentapplication

Description : most recent application to use microsoft directdraw

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1781173357-4041900530-4193989041-1006\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1781173357-4041900530-4193989041-1006\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1781173357-4041900530-4193989041-1006\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 584

ThreadCreationTime : 9-11-2006 4:04:10 PM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 648

ThreadCreationTime : 9-11-2006 4:04:11 PM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 676

ThreadCreationTime : 9-11-2006 4:04:12 PM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 720

ThreadCreationTime : 9-11-2006 4:04:12 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 732

ThreadCreationTime : 9-11-2006 4:04:12 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 888

ThreadCreationTime : 9-11-2006 4:04:13 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 948

ThreadCreationTime : 9-11-2006 4:04:13 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 984

ThreadCreationTime : 9-11-2006 4:04:13 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1044

ThreadCreationTime : 9-11-2006 4:04:13 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1216

ThreadCreationTime : 9-11-2006 4:04:14 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:11 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 1532

ThreadCreationTime : 9-11-2006 4:04:15 PM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

 

#:12 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1560

ThreadCreationTime : 9-11-2006 4:04:15 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

#:13 [acs.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1660

ThreadCreationTime : 9-11-2006 4:04:16 PM

BasePriority : Normal

 

 

#:14 [igfxtray.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1720

ThreadCreationTime : 9-11-2006 4:04:16 PM

BasePriority : Normal

FileVersion : 3.0.0.4332

ProductVersion : 7.0.0.4332

ProductName : Intel® Common User Interface

CompanyName : Intel Corporation

FileDescription : igfxTray Module

InternalName : IGFXTRAY

LegalCopyright : Copyright 1999-2004, Intel Corporation

OriginalFilename : IGFXTRAY.EXE

 

#:15 [hkcmd.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1728

ThreadCreationTime : 9-11-2006 4:04:16 PM

BasePriority : Normal

FileVersion : 3.0.0.4332

ProductVersion : 7.0.0.4332

ProductName : Intel® Common User Interface

CompanyName : Intel Corporation

FileDescription : hkcmd Module

InternalName : HKCMD

LegalCopyright : Copyright 1999-2004, Intel Corporation

OriginalFilename : HKCMD.EXE

 

#:16 [igfxpers.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1736

ThreadCreationTime : 9-11-2006 4:04:16 PM

BasePriority : Normal

FileVersion : 3.0.0.4332

ProductVersion : 7.0.0.4332

ProductName : Intel® Common User Interface

CompanyName : Intel Corporation

FileDescription : persistence Module

InternalName : PERSISTENCE

LegalCopyright : Copyright 1999-2004, Intel Corporation

OriginalFilename : IGFXPERS.EXE

 

#:17 [ltmoh.exe]

FilePath : C:\Program Files\ltmoh\

ProcessID : 1752

ThreadCreationTime : 9-11-2006 4:04:16 PM

BasePriority : Normal

FileVersion : 1.73

ProductVersion : 1.73

ProductName : LtMoh Application

CompanyName : Agere Systems

FileDescription : LtMoh MFC Application

InternalName : LtMoh

LegalCopyright : Agere Copyright © 2001-2004

LegalTrademarks : Agere Systens

OriginalFilename : LtMoh.EXE

 

#:18 [agrsmmsg.exe]

FilePath : C:\WINDOWS\

ProcessID : 1788

ThreadCreationTime : 9-11-2006 4:04:16 PM

BasePriority : Normal

FileVersion : 2.1.49 2.1.49 12/20/2004 15:10:02

ProductVersion : 2.1.49 2.1.49 12/20/2004 15:10:02

ProductName : Agere SoftModem Messaging Applet

CompanyName : Agere Systems

FileDescription : SoftModem Messaging Applet

InternalName : smdmstat.exe

LegalCopyright : Copyright © Agere Systems 1998-2000

OriginalFilename : smdmstat.exe

 

#:19 [apoint.exe]

FilePath : C:\Program Files\Apoint2K\

ProcessID : 1804

ThreadCreationTime : 9-11-2006 4:04:16 PM

BasePriority : Normal

FileVersion : 6.0.2.186

ProductVersion : 6.0.2.186

ProductName : Alps Pointing-device Driver

CompanyName : Alps Electric Co., Ltd.

FileDescription : Alps Pointing-device Driver

InternalName : Alps Pointing-device Driver

LegalCopyright : Copyright © 1999-2004 Alps Electric Co., Ltd.

OriginalFilename : Apoint.exe

 

#:20 [00thotkey.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1812

ThreadCreationTime : 9-11-2006 4:04:16 PM

BasePriority : Normal

FileVersion : 1, 1, 0, 0

ProductVersion : 6, 3, 0, 0

ProductName : TOSHIBA THotkey

CompanyName : TOSHIBA Corporation

FileDescription : THotkey

InternalName : THotkey

LegalCopyright : Copyright © 1999 -2004 TOSHIBA Corporation

OriginalFilename : THotkey.exe

 

#:21 [tfnf5.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1868

ThreadCreationTime : 9-11-2006 4:04:16 PM

BasePriority : Normal

FileVersion : 2, 9, 0, 0

ProductVersion : 2, 9, 0, 0

ProductName : TOSHIBA Hotkey Utility for Display Devices

CompanyName : TOSHIBA Corp.

FileDescription : TFnF5

InternalName : TFnF5

LegalCopyright : Copyright © 2001-2004

OriginalFilename : TFnF5.Exe

Comments : Hotkey (Fn+F5) for Display Devices

 

#:22 [touched.exe]

FilePath : C:\Program Files\TOSHIBA\TouchED\

ProcessID : 1876

ThreadCreationTime : 9-11-2006 4:04:17 PM

BasePriority : Normal

FileVersion : 2, 5, 1, 0

ProductVersion : 2, 5, 1, 0

ProductName : TouchPad On/Off Utility

CompanyName : TOSHIBA Corporation

FileDescription : TouchPad On/Off Utility

InternalName : TouchED

LegalCopyright : Copyright 1998-2002 TOSHIBA Corporation. All rights reserved.

OriginalFilename : TouchED.exe

 

#:23 [smoothview.exe]

FilePath : C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\

ProcessID : 1884

ThreadCreationTime : 9-11-2006 4:04:17 PM

BasePriority : Normal

FileVersion : 2, 0, 0, 23

ProductVersion : 2, 0, 0, 23

ProductName : TOSHIBA Zooming Utility

CompanyName : TOSHIBA Corporation

FileDescription : SmoothView

InternalName : SmoothView

LegalCopyright : Copyright © 2003 TOSHIBA Corporation. All rights reserved.

OriginalFilename : SmoothView.exe

Comments : TOSHIBA Zooming Utility

 

#:24 [tfncky.exe]

FilePath : C:\Program Files\TOSHIBA\TOSHIBA Controls\

ProcessID : 1892

ThreadCreationTime : 9-11-2006 4:04:17 PM

BasePriority : Normal

FileVersion : 3.21.02

ProductVersion : 3.21.00

ProductName : TFncKy

CompanyName : TOSHIBA Corporation

FileDescription : TFncKy

InternalName : TFncKy

LegalCopyright : Copyright © 2001-2005 TOSHIBA Corporation. All rights reserved.

OriginalFilename : TFncKy.EXE

 

#:25 [ndstray.exe]

FilePath : C:\Program Files\TOSHIBA\ConfigFree\

ProcessID : 1908

ThreadCreationTime : 9-11-2006 4:04:17 PM

BasePriority : Normal

 

 

#:26 [tfswctrl.exe]

FilePath : C:\WINDOWS\system32\dla\

ProcessID : 1916

ThreadCreationTime : 9-11-2006 4:04:17 PM

BasePriority : Normal

FileVersion : 1.04.08a

CompanyName : Sonic Solutions

FileDescription : Drive Letter Access Component

LegalCopyright : Copyright © 2004 Sonic Solutions

 

#:27 [pinger.exe]

FilePath : C:\toshiba\ivp\ism\

ProcessID : 1976

ThreadCreationTime : 9-11-2006 4:04:17 PM

BasePriority : Normal

FileVersion : 3.7.0.0

ProductVersion : 3.7.0.0

ProductName : Software Upgrades

CompanyName : TOSHIBA Corporation

FileDescription : TOSHIBA Pinger

InternalName : PINGER

LegalCopyright : © 1997-2005 TOSHIBA Corporation

OriginalFilename : PINGER.EXE

 

#:28 [qttask.exe]

FilePath : C:\Program Files\QuickTime\

ProcessID : 2008

ThreadCreationTime : 9-11-2006 4:04:17 PM

BasePriority : Normal

FileVersion : 6.5

ProductVersion : QuickTime 6.5

ProductName : QuickTime

CompanyName : Apple Computer, Inc.

InternalName : QuickTime Task

LegalCopyright : © Apple Computer, Inc. 2001-2004

OriginalFilename : QTTask.exe

 

#:29 [bartshel.exe]

FilePath : C:\Program Files\PeoplePC\ISP6330\Browser\

ProcessID : 164

ThreadCreationTime : 9-11-2006 4:04:17 PM

BasePriority : Normal

FileVersion : 6, 3, 1, 285

ProductVersion : 6, 3, 0, 0

ProductName : PeoplePC BartShell Module

CompanyName : PeoplePC

FileDescription : BartShell Module

InternalName : BartShell

LegalCopyright : Copyright © 2006 PeoplePC

OriginalFilename : BartShel.exe

 

#:30 [mcvsescn.exe]

FilePath : c:\progra~1\mcafee.com\vso\

ProcessID : 180

ThreadCreationTime : 9-11-2006 4:04:17 PM

BasePriority : Normal

FileVersion : 10, 0, 0, 20

ProductVersion : 10, 0, 0, 0

ProductName : McAfee VirusScan

CompanyName : McAfee, Inc.

FileDescription : McAfee VirusScan E-mail Scan Module

InternalName : mcvsescn

LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.

OriginalFilename : mcvsescn.EXE

Comments : McAfee VirusScan E-mail Scan Module

 

#:31 [rundll32.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 232

ThreadCreationTime : 9-11-2006 4:04:18 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Run a DLL as an App

InternalName : rundll

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : RUNDLL.EXE

 

#:32 [rundll32.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 336

ThreadCreationTime : 9-11-2006 4:04:18 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Run a DLL as an App

InternalName : rundll

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : RUNDLL.EXE

 

#:33 [rundll32.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 436

ThreadCreationTime : 9-11-2006 4:04:18 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Run a DLL as an App

InternalName : rundll

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : RUNDLL.EXE

 

#:34 [tpsbattm.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 448

ThreadCreationTime : 9-11-2006 4:04:18 PM

BasePriority : Normal

FileVersion : 1, 0, 3, 0

ProductVersion : 7, 0, 0, 0

ProductName : TOSHIBA Power Saver

CompanyName : TOSHIBA Corporation

InternalName : TPSBattM

LegalCopyright : Copyright © 1998-2005 TOSHIBA Corporation

OriginalFilename : TPSBattM.exe

 

#:35 [dwdsregt.exe]

FilePath : C:\windows\system32\

ProcessID : 488

ThreadCreationTime : 9-11-2006 4:04:18 PM

BasePriority : Normal

FileVersion : 1, 0, 0, 1

ProductVersion : 1, 0, 0, 1

LegalCopyright : © 2004

 

#:36 [jusched.exe]

FilePath : C:\Program Files\Java\jre1.5.0_06\bin\

ProcessID : 368

ThreadCreationTime : 9-11-2006 4:04:19 PM

BasePriority : Normal

 

 

#:37 [toscdspd.exe]

FilePath : C:\Program Files\TOSHIBA\TOSCDSPD\

ProcessID : 108

ThreadCreationTime : 9-11-2006 4:04:19 PM

BasePriority : Normal

 

 

#:38 [ctfmon.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 604

ThreadCreationTime : 9-11-2006 4:04:19 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : CTF Loader

InternalName : CTFMON

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : CTFMON.EXE

 

#:39 [995632.exe]

FilePath : C:\DOCUME~1\jere\LOCALS~1\Temp\

ProcessID : 616

ThreadCreationTime : 9-11-2006 4:04:19 PM

BasePriority : Normal

 

 

#:40 [992560.exe]

FilePath : C:\DOCUME~1\jere\LOCALS~1\Temp\

ProcessID : 628

ThreadCreationTime : 9-11-2006 4:04:19 PM

BasePriority : Normal

 

 

#:41 [cproc.exe]

FilePath : C:\WINDOWS\system32\crunner\

ProcessID : 644

ThreadCreationTime : 9-11-2006 4:04:19 PM

BasePriority : Normal

 

 

#:42 [aspi109379.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 736

ThreadCreationTime : 9-11-2006 4:04:19 PM

BasePriority : Normal

 

 

#:43 [apntex.exe]

FilePath : C:\Program Files\Apoint2K\

ProcessID : 768

ThreadCreationTime : 9-11-2006 4:04:19 PM

BasePriority : Normal

FileVersion : 5.0.1.15

ProductVersion : 5.0.1.15

ProductName : Alps Pointing-device Driver for Windows NT/2000/XP

CompanyName : Alps Electric Co., Ltd.

FileDescription : Alps Pointing-device Driver for Windows NT/2000/XP

InternalName : Alps Pointing-device Driver for Windows NT/2000/XP

LegalCopyright : Copyright © 1998-2003 Alps Electric Co., Ltd.

OriginalFilename : ApntEx.exe

 

#:44 [iam.exe]

FilePath : C:\Program Files\CallWave\

ProcessID : 1068

ThreadCreationTime : 9-11-2006 4:04:20 PM

BasePriority : Normal

FileVersion : 3.07.8 (4-April-2005)

ProductVersion : 3.07.8 (4-April-2005)

ProductName : CallWave Service

CompanyName : CallWave, Inc.

FileDescription : Internet Answering Machine

InternalName : CallApp

LegalCopyright : Copyright © 1999-2003 CallWave, Inc.

OriginalFilename : CallApp.exe

 

#:45 [cfsvcs.exe]

FilePath : C:\Program Files\TOSHIBA\ConfigFree\

ProcessID : 1092

ThreadCreationTime : 9-11-2006 4:04:20 PM

BasePriority : Normal

FileVersion : 6, 0, 0, 1

ProductVersion : 6, 0, 0, 0

ProductName : ConfigFree

CompanyName : TOSHIBA CORPORATION

FileDescription : Service of ConfigFree.

InternalName : CFSvcs.exe

LegalCopyright : ©copyright TOSHIBA CORPORATION 2003-2005

LegalTrademarks : ConfigFree

OriginalFilename : CFSvcs.exe

Comments : Service of ConfigFree.

 

#:46 [ramasst.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1172

ThreadCreationTime : 9-11-2006 4:04:22 PM

BasePriority : Normal

FileVersion : 1, 1, 0, 0

ProductVersion : 1, 1, 0, 0

CompanyName : Matsushita Electric Industrial Co., Ltd.

FileDescription : CD Burning of Windows XP disabling tool for DVD MULTI Drive

LegalCopyright : Copyright © Matsushita Electric Industrial Co., Ltd. 2002 - 2004

OriginalFilename : RAMASST.EXE

 

#:47 [dvdramsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1380

ThreadCreationTime : 9-11-2006 4:04:24 PM

BasePriority : Normal

FileVersion : 3, 0, 0, 0

ProductVersion : 3, 0, 0, 0

CompanyName : Matsushita Electric Industrial Co., Ltd.

FileDescription : DVD-RAM Utility Helper Service

LegalCopyright : Copyright © Matsushita Electric Industrial Co., Ltd. 2002 - 2004

OriginalFilename : DVDRAMSV.EXE

 

#:48 [swupdtmr.exe]

FilePath : c:\TOSHIBA\IVP\swupdate\

ProcessID : 1644

ThreadCreationTime : 9-11-2006 4:04:27 PM

BasePriority : Normal

 

 

#:49 [wdfmgr.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2064

ThreadCreationTime : 9-11-2006 4:04:27 PM

BasePriority : Normal

FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)

ProductVersion : 5.2.3790.1230

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows User Mode Driver Manager

InternalName : WdfMgr

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : WdfMgr.exe

 

#:50 [ppshared.exe]

FilePath : C:\PROGRA~1\PeoplePC\ISP6330\Browser\

ProcessID : 2108

ThreadCreationTime : 9-11-2006 4:04:27 PM

BasePriority : Normal

FileVersion : 6, 3, 1, 6

ProductVersion : 6, 3, 0, 0

ProductName : PPShared Module

CompanyName : PeoplePC

FileDescription : PPShared Module

InternalName : PPShared

LegalCopyright : Copyright © 2006 PeoplePC

OriginalFilename : PPShared.EXE

 

#:51 [bartshel.exe]

FilePath : C:\Program Files\PeoplePC\ISP6330\Browser\

ProcessID : 3060

ThreadCreationTime : 9-11-2006 4:05:55 PM

BasePriority : Normal

FileVersion : 6, 3, 1, 285

ProductVersion : 6, 3, 0, 0

ProductName : PeoplePC BartShell Module

CompanyName : PeoplePC

FileDescription : BartShell Module

InternalName : BartShell

LegalCopyright : Copyright © 2006 PeoplePC

OriginalFilename : BartShel.exe

 

#:52 [peoplepc.exe]

FilePath : C:\Program Files\PeoplePC Accelerated\

ProcessID : 176

ThreadCreationTime : 9-11-2006 4:06:41 PM

BasePriority : Normal

 

 

#:53 [yahoomessenger.exe]

FilePath : C:\Program Files\Yahoo!\Messenger\

ProcessID : 2504

ThreadCreationTime : 9-11-2006 4:08:21 PM

BasePriority : Normal

FileVersion : 8,0,0,701

ProductVersion : 8,0,0,701

ProductName : Yahoo! Messenger

CompanyName : Yahoo! Inc.

FileDescription : Yahoo! Messenger

LegalCopyright : © 1998-2006 Yahoo! Inc. All rights reserved.

 

#:54 [firefox.exe]

FilePath : C:\PROGRA~1\MOZILL~1\

ProcessID : 2688

ThreadCreationTime : 9-11-2006 4:08:28 PM

BasePriority : Normal

 

 

#:55 [iexplore.exe]

FilePath : C:\Program Files\Internet Explorer\

ProcessID : 2428

ThreadCreationTime : 9-11-2006 4:39:25 PM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Internet Explorer

InternalName : iexplore

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : IEXPLORE.EXE

 

#:56 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 3948

ThreadCreationTime : 9-11-2006 5:00:16 PM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 7

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Windows Object Recognized!

Type : RegData

Data :

TAC Rating : 3

Category : Vulnerability

Comment :

Rootkey : HKEY_USERS

Object : .DEFAULT\software\microsoft\windows\currentversion\policies\system

Value : DisableTaskMgr

Data :

 

Windows Object Recognized!

Type : RegData

Data :

TAC Rating : 3

Category : Vulnerability

Comment :

Rootkey : HKEY_USERS

Object : S-1-5-18\software\microsoft\windows\currentversion\policies\system

Value : DisableTaskMgr

Data :

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 2

Objects found so far: 9

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 9

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:18

Value : Cookie:[email protected]/

Expires : 12-31-2020 5:00:00 PM

LastSync : Hits:18

UseCount : 0

Hits : 18

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:[email protected]/

Expires : 12-31-2020 5:00:00 PM

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:8

Value : Cookie:[email protected]/

Expires : 12-31-2020 5:00:00 PM

LastSync : Hits:8

UseCount : 0

Hits : 8

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:[email protected]/

Expires : 9-9-2011 5:00:00 PM

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:11

Value : Cookie:[email protected]/

Expires : 12-31-2020 5:00:00 PM

LastSync : Hits:11

UseCount : 0

Hits : 11

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:16

Value : Cookie:[email protected]/

Expires : 9-2-2007 2:37:12 AM

LastSync : Hits:16

UseCount : 0

Hits : 16

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:[email protected]/

Expires : 6-9-2022 10:05:42 PM

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:4

Value : Cookie:[email protected]/

Expires : 12-31-2037 5:00:00 PM

LastSync : Hits:4

UseCount : 0

Hits : 4

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:8

Value : Cookie:[email protected]/

Expires : 9-10-2008 6:36:18 AM

LastSync : Hits:8

UseCount : 0

Hits : 8

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:3

Value : Cookie:[email protected]/

Expires : 5-17-2033 8:33:20 PM

LastSync : Hits:3

UseCount : 0

Hits : 3

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:6

Value : Cookie:[email protected]/

Expires : 12-31-2020 5:00:00 PM

LastSync : Hits:6

UseCount : 0

Hits : 6

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:27

Value : Cookie:[email protected]/

Expires : 9-8-2016 6:21:10 AM

LastSync : Hits:27

UseCount : 0

Hits : 27

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:[email protected]/

Expires : 6-21-2009 5:00:00 PM

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 13

Objects found so far: 22

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 22

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

54 entries scanned.

New critical objects:0

Objects found so far: 22

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 22

 

10:30:36 AM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:23:38.906

Objects scanned:132534

Objects identified:15

Objects ignored:0

New critical objects:15

 

 

 

 

Can anyone help me get rid of whatever is affecting my machine? Thank you

 

Jere


Hi

 

Tracking cookies are easy to remove with Ad-Aware, and MRU List Objects are not malicious. However, there are some odd items on your system. Could you try this, please?

 

First, boot into safe mode; if you are not familiar with this, see this Microsoft article for details:

 

http://support.microsoft.com/default.aspx?...kb;EN-US;315222

 

If you have not booted in safe mode before, the screen will look different, as Windows is not loading all the Windows components.

 

 

Next, log on and please clear the temp files.

 

Press Start, then select Run, and in the box type:

 

cleanmgr

 

Then click the OK button to start Disk Cleanup.

 

If it prompts for a drive, select C:; then, when the window opens, check these three items, i.e. the radio button is pressed in.

 

Temporary Files

Temporary Internet Files

Recycle Bin

 

Then click the OK button and yes to confirm removal.

 

Now reboot the PC and log on as normal. Run HijackThis and post the log file. See this post for details on how to do this:

 

http://www.lavasoftsupport.com/index.php?showtopic=216

 

Many thanks

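Ad Astra points at "odd items" in the posted log without listing them. As an added example that is not part of this thread and not code from Lavasoft or any tool named here, the Python script below parses process blocks in the Ad-Aware SE "Listing running processes" layout and flags the traits a forum helper looks at first: an executable launched from a Temp folder, a purely numeric file name, and a process with no version resource (no vendor or version string). The sample log embedded in the script is constructed from a few entries of the log posted above; the heuristic names and the scoring are my own, and a flag is a prompt to look closer, not a verdict.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the Ad-Aware SE "Listing running processes" layout.
# Entries are copied from the posted log; legitimate and odd ones are mixed on purpose.
SAMPLE_LOG = r"""
#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 720
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
CompanyName : Microsoft Corporation

#:39 [995632.exe]
FilePath : C:\DOCUME~1\jere\LOCALS~1\Temp\
ProcessID : 616
BasePriority : Normal

#:41 [cproc.exe]
FilePath : C:\WINDOWS\system32\crunner\
ProcessID : 644
BasePriority : Normal

#:36 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_06\bin\
ProcessID : 368
BasePriority : Normal
"""

# Block header as written by Ad-Aware SE: "#:<index> [<file name>]"
HEADER = re.compile(r"^#:(\d+) \[(.+)\]$")


def parse_processes(log: str) -> List[Dict[str, str]]:
    """Split the listing into one dict per process block; 'Key : Value' lines become entries."""
    procs: List[Dict[str, str]] = []
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = {"index": m.group(1), "name": m.group(2)}
            procs.append(current)
        elif current is not None and " : " in line:
            key, value = line.split(" : ", 1)
            current[key.strip()] = value.strip()
    return procs


def suspicion_reasons(proc: Dict[str, str]) -> List[str]:
    """Heuristics (my own, not Ad-Aware's); none of them proves malice on its own."""
    reasons: List[str] = []
    path = proc.get("FilePath", "").lower()
    name = proc["name"].lower()
    if "\\temp\\" in path:
        reasons.append("runs from a temp directory")
    if re.fullmatch(r"\d+\.exe", name):
        reasons.append("purely numeric file name")
    if "CompanyName" not in proc and "FileVersion" not in proc:
        reasons.append("no version resource (no vendor or version string)")
    return reasons


def triage(log: str) -> List[Tuple[str, str, List[str]]]:
    """Return (name, path, reasons) for every flagged process, most reasons first."""
    flagged = []
    for proc in parse_processes(log):
        reasons = suspicion_reasons(proc)
        if reasons:
            flagged.append((proc["name"], proc.get("FilePath", ""), reasons))
    flagged.sort(key=lambda item: len(item[2]), reverse=True)
    return flagged


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LOG):
        print(f"{name:<14} {path}")
        print("    " + "; ".join(reasons))
```

Run it against a full log pasted into `SAMPLE_LOG` (or read from a file) and the entries that lack vendor metadata and live in Temp sort to the top, which is exactly the shortlist a helper would ask the poster to look up before deciding what to remove. Many legitimate updaters also ship without a version resource, which is why the single-reason hits are a starting point rather than a removal list.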

Thank you Ad Astra,

 

I hope I did this right and that the following is what you requested:

 

Logfile of HijackThis v1.99.1

Scan saved at 4:12:22 PM, on 9/11/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\system32\00THotkey.exe

C:\WINDOWS\system32\TFNF5.exe

C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\toshiba\ivp\ism\pinger.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\windows\system32\stonedrv.exe

C:\Program Files\PeoplePC\ISP6330\Browser\Bartshel.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\aspi109379.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\windows\system32\dwdsregt.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\DOCUME~1\jere\LOCALS~1\Temp\992560.exe

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\WINDOWS\system32\crunner\cproc.exe

C:\Program Files\CallWave\IAM.exe

C:\WINDOWS\system32\RAMASST.exe

C:\PROGRA~1\PeoplePC\ISP6330\Browser\PPShared.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\PeoplePC\ISP6330\Browser\Bartshel.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\PeoplePC Accelerated\PeoplePC.exe

C:\Documents and Settings\jere\My Documents\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soulwinner.org/start

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.soulwinner.org/start

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://live2honorgod.com/Jere

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soulwinner.org/start

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.soulwinner.org/start

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.soulwinner.org/start

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://live2honorgod.com/Jere

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsu19.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: PPCScamBHO Class - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll (file missing)

O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [bart Station] C:\Program Files\PeoplePC\ISP6330\BIN\PPCOLink.exe -STATION

O4 - HKLM\..\Run: [loaddr] C:\vcdsojv.exe

O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe

O4 - HKLM\..\Run: [lgh3f61f] RUNDLL32.EXE w5e31a0d.dll,n 0043f61b000000055e31a0d

O4 - HKLM\..\Run: [ngh3f621] RUNDLL32.EXE w5e3e107.dll,n 0043f61d000000025e3e107

O4 - HKLM\..\Run: [ogh3f622] RUNDLL32.EXE w5e323b2.dll,n 0043f61e000000055e323b2

O4 - HKLM\..\Run: [ms061348175214] C:\WINDOWS\ms061348175214.exe

O4 - HKLM\..\Run: [{F8-8E-E2-24-ZN}] C:\windows\system32\dwdsregt.exe ELT001

O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"

O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\pwinopex.exe ELT001

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe

O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\jere\LOCALS~1\Temp\995632.exe

O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\jere\LOCALS~1\Temp\992560.exe

O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe

O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\oodsregl.exe

O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\pwinopex.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html

O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

O15 - Trusted Zone: *.elitemediagroup.net

O15 - Trusted Zone: *.mmohsix.com

O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1197E88E-3CC7-4C84-AE0A-99389765F509}: NameServer = 205.171.3.65 205.171.2.65

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi109379.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

 

 

 

Again thanks for the help.

 

Jere


Hi Jere,

 

I'm here to assist with the result of the HijackThis scan, as you have a large number of randomly named processes and files running.

 

You have a number of suspicious files I'd like to examine further to determine what they are and the best way to remove them.

 

Go here to upload the files as attachments

http://www.thespykiller.co.uk/forum/index.php?board=1.0

Just press New Topic (make the subject: For CalamityJane from Jere at LS), fill in a short message, then press the Browse button and navigate to and select these files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select again. When all the files are listed in the window, press the *Post* button to upload the files.

 

Files to attach for upload:

 

C:\WINDOWS\system32\nsu19.dll

 

C:\vcdsojv.exe

 

c:\windows\system32\stonedrv.exe

 

C:\windows\system32\dwdsregt.exe

 

C:\WINDOWS\system32\pwinopex.exe

 

C:\DOCUME~1\jere\LOCALS~1\Temp\995632.exe

 

C:\DOCUME~1\jere\LOCALS~1\Temp\992560.exe

 

C:\WINDOWS\system32\crunner\cproc.exe (Do you know what crunner is? If not, upload all files in that folder/directory)

 

C:\WINDOWS\system32\oodsregl.exe

 

C:\WINDOWS\system32\pwinopex.exe

 

You'll need to do a search to find the location of these last few. Once found please upload these too:

 

w5e31a0d.dll

 

w5e3e107.dll

 

w5e323b2.dll

 

ms061348175214.exe

 

(Do not post HJT logs there as they will not get dealt with)

 

You DO NOT need to be a member to upload; anybody can upload the files.

 

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to collect the file from there and will reply back here to you in this topic with steps to remove it, once I determine what it is.

..................................

When you are done uploading the files, please come back to this topic here and follow these instructions next to produce a different log I need to see.

 

Open HijackThis and instead of scan, choose *Open Misc Tools Section*

 

Next, choose *Open Uninstall Manager*

 

When done, press the *save list* button.

 

This will create a list, and Notepad should pop up with a text file. Please copy and paste the contents of that file back here.

 

We can then start to map a process to best remove these problems.

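As an added illustration of the triage CalamityJane did by eye in the post above (this is example code, not part of the thread and not HijackThis's own logic): a short Python script that flags HijackThis log lines with a few heuristics drawn from this particular log. It looks for the ProxyServer entry that forces browser traffic through localhost:8080, autoruns living under a Temp directory, RUNDLL32 loading a DLL by bare name, an autorun that launches iexplore.exe with a URL, anything written to the Windows 9x-era RunServices key, O15 Trusted Zone additions, O23 services with no recorded owner, and random-looking file names such as w5e31a0d.dll, nsu19.dll and 995632.exe. The sample lines are copied from the log posted above; the scoring rules, the `looks_random` name test and the small allowlist of well-known Windows binaries are my own assumptions, not anything the tool does.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example: not part of the thread and not HijackThis's own logic.
The sample lines are taken from the log posted above; every rule below
is an analyst's assumption, not a HJT feature.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the posted log, plus a few benign ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsu19.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [lgh3f61f] RUNDLL32.EXE w5e31a0d.dll,n 0043f61b000000055e31a0d
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\jere\LOCALS~1\Temp\995632.exe
O15 - Trusted Zone: *.elitemediagroup.net
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi109379.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
"""

# Name shapes the droppers in this log used: a letter plus a run of hex (w5e31a0d),
# letters followed by digits (nsu19, aspi109379), or digits only (995632).
RANDOM_NAME_RE = re.compile(r"^(?:[a-z]?[0-9a-f]{6,}|[a-z]+\d{2,}|\d+)$", re.IGNORECASE)
# A file name stem immediately followed by .exe or .dll (directory names are not tested).
FILE_RE = re.compile(r"([\w~$-]+)\.(?:exe|dll)\b", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Well-known Windows binaries whose names would otherwise trip the letters+digits rule (assumed list).
KNOWN_GOOD_STEMS = {"rundll32", "iexplore", "explorer"}


def looks_random(stem: str) -> bool:
    """True for machine-generated-looking file name stems."""
    return stem.lower() not in KNOWN_GOOD_STEMS and bool(RANDOM_NAME_RE.match(stem))


def triage_line(line: str) -> List[str]:
    """Return the reasons a single HJT line deserves a closer look (empty if none)."""
    reasons = []
    section = line.split(" - ", 1)[0].strip()  # "R1", "O2", "O4", ...
    if section == "R1" and "ProxyServer" in line and re.search(r"localhost|127\.0\.0\.1", line):
        reasons.append("browser traffic forced through a proxy on the local machine")
    if TEMP_DIR_RE.search(line):
        reasons.append("binary lives in a Temp directory")
    if section == "O4":
        if re.search(r"rundll32\.exe\s+[^\\\s]+\.dll", line, re.IGNORECASE):
            reasons.append("rundll32 loads a DLL by bare name (resolved through the DLL search path)")
        if re.search(r'iexplore\.exe"?\s+"?https?://', line, re.IGNORECASE):
            reasons.append("autorun opens a URL in the browser at logon")
        if "RunServices" in line:
            reasons.append("entry under RunServices, a Windows 9x autostart key not used by XP")
    if section == "O15":
        reasons.append("domain added to the IE Trusted Zone, which relaxes its security settings")
    if section == "O23" and "Unknown owner" in line:
        reasons.append("service with no recorded owner")
    for stem in FILE_RE.findall(line):
        if looks_random(stem):
            reasons.append(f"random-looking file name '{stem}'")
            break
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious log line to its reasons; clean lines are omitted."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("    ->", reason)
```

Run on the sample it flags eight of the eleven lines and leaves the Intel, Google and Toshiba entries alone. The random-name test is deliberately crude; it is a prompt to go and look at the file (vendor, signature, hash), not a verdict on its own.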

Thank you CalamityJane for the help that you're willing to offer, it is much appreciated. I have tried to do as you requested but am having major issues getting it done. I have registered and tried to upload the files you asked to see, but this is where the problems start. My computer freezes when I click on the file that is to be attached to the upload.

 

 

Is there another way for me to get these files to you? I haven't tried yet, but maybe I can FTP them to one of my web sites and you could access them from there? Any suggestions you have would be greatly appreciated.

 

Thank you again.

 

Jere


Hi,

 

I do have another method, yes.

 

I'm going to nuke them with a tool and then have you password-protect the backups the tool makes, and then you should be able to upload them.

 

I have the location for ms061348175214.exe (it's in the C:\Windows directory)

 

But if you could please tell me the location of these files, I can write up that list and instructions.

 

w5e31a0d.dll

 

w5e3e107.dll

 

w5e323b2.dll


Super! Give me a few minutes to write this up.

 

I'm going to leave out crunner, since I don't know what that is. Do you?

 

C:\WINDOWS\system32\crunner\cproc.exe

 

It looks like it might be something legit from searches I've done on it.


1. Please download The Avenger by Swandog46 to your Desktop.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text in bold below to your Clipboard by highlighting it and pressing (Ctrl+C):

 

Files to delete:

C:\WINDOWS\system32\nsu19.dll

C:\vcdsojv.exe

c:\windows\system32\stonedrv.exe

C:\windows\system32\dwdsregt.exe

C:\WINDOWS\system32\pwinopex.exe

C:\DOCUME~1\jere\LOCALS~1\Temp\995632.exe

C:\DOCUME~1\jere\LOCALS~1\Temp\992560.exe

C:\WINDOWS\ms061348175214.exe

C:\WINDOWS\system32\oodsregl.exe

C:\WINDOWS\system32\pwinopex.exe

C:\WINDOWS\system32\w5e31a0d.dll

C:\WINDOWS\system32\w5e3e107.dll

C:\WINDOWS\system32\w5e323b2.dll

 

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log

............................

Navigate to: C:\avenger\backup.zip.

 

1. Double-click the compressed folder that you want to password protect.

2. On the File menu, click Add a Password.

3. In the Password box, type the password: infected.

Type the same password in the Confirm Password box, and then click OK.

 

Go here to upload the file as an attachment

http://www.thespykiller.co.uk/forum/index.php?board=1.0

Just press new topic (Make the subject: For CalamityJane from Jere at LS ),

fill in a short message & then press the browse button and then navigate to & select this file on your computer, then press the *Post* button to upload the file

 

File to attach for upload:

C:\avenger\backup.zip

 

(Do not post HJT logs there as they will not get dealt with)

 

You DO NOT need to be a member to upload; anybody can upload the files. You can post as a guest.

 

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to collect the file from there and will reply back here to you in this topic with the results and any further steps needed to remove them, if any.

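The Avenger step above deletes the listed files at boot and zips a backup afterwards so the samples can still be submitted. As an added example (not the thread's code and not The Avenger's), here is the same idea in Python for a list in that "Files to delete:" shape: hash each file first, move it into a quarantine directory under a non-executable name, write a SHA-256 manifest for whoever receives the samples, and emit an Avenger-style log, including the "not found" / 0xc0000034 lines you get when a path is missing or, as with pwinopex.exe in the log above, listed twice. The demo tree, the file names and the quarantine layout are constructed for the example; 0xc0000034 is the NTSTATUS for STATUS_OBJECT_NAME_NOT_FOUND, which is what the posted log shows. It does not handle files locked by a running process, which is precisely why the boot-time tool exists.

```python
"""Quarantine-before-delete for a 'Files to delete:' list.

Added example: not the thread's code and not The Avenger's. It takes a
script in the same shape the helper posted, hashes each file, moves it
into a quarantine directory under a non-executable name, writes a
SHA-256 manifest for submission, and emits an Avenger-style log. The
demo tree, file names and directory layout are constructed here.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

# NTSTATUS shown in the posted log for a path that does not exist (STATUS_OBJECT_NAME_NOT_FOUND).
STATUS_OBJECT_NAME_NOT_FOUND = "0xc0000034"


def parse_script(script: str) -> List[str]:
    """Return the paths under a 'Files to delete:' header, in order, duplicates kept.

    A path listed twice simply comes back 'not found' the second time, exactly as
    pwinopex.exe did in the Avenger log above."""
    paths, active = [], False
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):  # a section header such as "Files to delete:"
            active = line.lower() == "files to delete:"
            continue
        if active:
            paths.append(line)
    return paths


def sha256_of(path: str) -> str:
    """Hash the file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def quarantine(script: str, quarantine_dir: str) -> Tuple[List[str], Dict[str, str]]:
    """Move every listed file into quarantine_dir; return (log_lines, {original_path: sha256}).

    Files are hashed before they move, so the manifest describes exactly what an analyst
    receives. Nothing is ever deleted outright."""
    os.makedirs(quarantine_dir, exist_ok=True)
    log, manifest = [], {}
    for path in parse_script(script):
        if not os.path.isfile(path):
            log.append(f"File {path} not found!")
            log.append(f"Status: {STATUS_OBJECT_NAME_NOT_FOUND}")
            continue
        digest = sha256_of(path)
        # Suffix with part of the hash so two samples with the same base name cannot
        # collide, and with a non-executable extension so nothing runs it by accident.
        dest = os.path.join(quarantine_dir, f"{os.path.basename(path)}.{digest[:12]}.quarantined")
        shutil.move(path, dest)
        manifest[path] = digest
        log.append(f"File {path} deleted successfully.")
    with open(os.path.join(quarantine_dir, "manifest.txt"), "w") as fh:
        for path, digest in manifest.items():
            fh.write(f"{digest}  {path}\n")
    return log, manifest


def demo() -> Dict[str, object]:
    """Run the procedure on a constructed temp tree and return the outcome for inspection."""
    root = tempfile.mkdtemp(prefix="quarantine-demo-")
    present = os.path.join(root, "system32", "stonedrv.exe")   # constructed, not the real file
    dup = os.path.join(root, "system32", "pwinopex.exe")       # listed twice, like the posted script
    missing = os.path.join(root, "vcdsojv.exe")                # never created, like the posted log
    os.makedirs(os.path.dirname(present))
    with open(present, "wb") as fh:
        fh.write(b"MZ constructed sample 1")
    with open(dup, "wb") as fh:
        fh.write(b"MZ constructed sample 2")
    script = "Files to delete:\n\n" + "\n".join([present, missing, dup, dup]) + "\n"
    qdir = os.path.join(root, "quarantine")
    log, manifest = quarantine(script, qdir)
    result = {
        "log": log,
        "manifest": manifest,
        "quarantined": sorted(os.listdir(qdir)),
        "originals_remaining": [p for p in (present, dup) if os.path.exists(p)],
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

Once the quarantine directory is zipped, add the password as described above (Explorer's Add a Password, or any archiver) before uploading it, so the archive cannot be opened by accident and is not stripped by a mail or upload scanner on the way.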

Hi Jane,

 

Here are the files you requested.

 

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\aptskyxv

 

*******************

 

Script file located at: \??\C:\Program Files\joknhowk.txt

Script file opened successfully.

 

Script file read successfully

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

 

 

File C:\WINDOWS\system32\nsu19.dll not found!

Deletion of file C:\WINDOWS\system32\nsu19.dll failed!

 

Could not process line:

C:\WINDOWS\system32\nsu19.dll

Status: 0xc0000034

 

 

 

File C:\vcdsojv.exe not found!

Deletion of file C:\vcdsojv.exe failed!

 

Could not process line:

C:\vcdsojv.exe

Status: 0xc0000034

 

File c:\windows\system32\stonedrv.exe deleted successfully.

File C:\windows\system32\dwdsregt.exe deleted successfully.

File C:\WINDOWS\system32\pwinopex.exe deleted successfully.

File C:\DOCUME~1\jere\LOCALS~1\Temp\995632.exe deleted successfully.

File C:\DOCUME~1\jere\LOCALS~1\Temp\992560.exe deleted successfully.

File C:\WINDOWS\ms061348175214.exe deleted successfully.

File C:\WINDOWS\system32\oodsregl.exe deleted successfully.

 

 

File C:\WINDOWS\system32\pwinopex.exe not found!

Deletion of file C:\WINDOWS\system32\pwinopex.exe failed!

 

Could not process line:

C:\WINDOWS\system32\pwinopex.exe

Status: 0xc0000034

 

File C:\WINDOWS\system32\w5e31a0d.dll deleted successfully.

File C:\WINDOWS\system32\w5e3e107.dll deleted successfully.

File C:\WINDOWS\system32\w5e323b2.dll deleted successfully.

 

Completed script processing.

 

*******************

 

Finished! Terminate.

Logfile of HijackThis v1.99.1

Scan saved at 5:56:25 PM, on 9/12/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\WINDOWS\system32\aspi109379.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\system32\00THotkey.exe

C:\WINDOWS\system32\TFNF5.exe

C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\toshiba\ivp\ism\pinger.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\QuickTime\qttask.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\PeoplePC\ISP6330\Browser\Bartshel.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\PeoplePC\ISP6330\Browser\PPShared.exe

C:\WINDOWS\system32\crunner\cproc.exe

C:\Program Files\CallWave\IAM.exe

C:\WINDOWS\system32\RAMASST.exe

c:\windows\system32\dwdsregt.exe

C:\Program Files\PeoplePC\ISP6330\Browser\Bartshel.exe

C:\Program Files\Messenger\msmsgs.exe

c:\progra~1\mcafee.com\vso\mcvsftsn.exe

C:\Program Files\PeoplePC Accelerated\PeoplePC.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Documents and Settings\jere\My Documents\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soulwinner.org/start

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.soulwinner.org/start

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://live2honorgod.com/Jere

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soulwinner.org/start

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.soulwinner.org/start

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.soulwinner.org/start

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://live2honorgod.com/Jere

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsg6D.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: PPCScamBHO Class - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll (file missing)

O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [bart Station] C:\Program Files\PeoplePC\ISP6330\BIN\PPCOLink.exe -STATION

O4 - HKLM\..\Run: [loaddr] C:\vcdsojv.exe

O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe

O4 - HKLM\..\Run: [lgh3f61f] RUNDLL32.EXE w5e31a0d.dll,n 0043f61b000000055e31a0d

O4 - HKLM\..\Run: [ngh3f621] RUNDLL32.EXE w5e3e107.dll,n 0043f61d000000025e3e107

O4 - HKLM\..\Run: [ogh3f622] RUNDLL32.EXE w5e323b2.dll,n 0043f61e000000055e323b2

O4 - HKLM\..\Run: [ms061348175214] C:\WINDOWS\ms061348175214.exe

O4 - HKLM\..\Run: [{F8-8E-E2-24-ZN}] c:\windows\system32\dwdsregt.exe ELT001

O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"

O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\owinnpex.exe ELT001

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe

O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\jere\LOCALS~1\Temp\995632.exe

O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\jere\LOCALS~1\Temp\992560.exe

O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe

O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\omdsregn.exe

O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owinnpex.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html

O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

O15 - Trusted Zone: *.elitemediagroup.net

O15 - Trusted Zone: *.mmohsix.com

O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1197E88E-3CC7-4C84-AE0A-99389765F509}: NameServer = 205.171.3.65 205.171.2.65

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi109379.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe


Thanks, Jere,

 

I got them just fine. I missed one, and the BHO has changed its name. I'd like to try that one more time, please, to try to capture the BHO and the missed file at least, so I can submit them for detection.

 

2. Copy all the text in bold below to your Clipboard by highlighting it and pressing (Ctrl+C):

 

Files to delete:

 

C:\WINDOWS\system32\aspi109379.exe

C:\WINDOWS\system32\omdsregn.exe

C:\WINDOWS\system32\owinnpex.exe

C:\WINDOWS\system32\nsg6D.dll

c:\windows\system32\dwdsregt.exe

C:\WINDOWS\system32\aspi109379.exe

 

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log.

 

Upload the C:\avenger\backup.zip to the Spykiller upload topic you started earlier here:

http://www.thespykiller.co.uk/forum/index.php?topic=2559.0

........................

One of those earlier files was a remote access trojan. You should be aware of the risks.

 

http://www.sophos.com/virusinfo/analyses/trojcosiamk.html

Troj/Cosiam-K Trojan

Summary

 

Side effects

 

* Allows others to access the computer

* Drops more malware

* Installs itself in the Registry

 

What is a backdoor or remote access trojan?

Read this article.

Danger: Remote Access Trojans

http://www.microsoft.com/technet/security/...o/virusrat.mspx

 

When should I re-format? How should I reinstall?

http://www.dslreports.com/faq/10063

 

Open HijackThis and do a *system scan only*

 

Checkmark these entries in the list, then press the *fix checked* button

 

O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsg6D.dll

 

O2 - BHO: PPCScamBHO Class - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll (file missing)

 

O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)

 

O4 - HKLM\..\Run: [loaddr] C:\vcdsojv.exe

 

O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe

 

O4 - HKLM\..\Run: [lgh3f61f] RUNDLL32.EXE w5e31a0d.dll,n 0043f61b000000055e31a0d

 

O4 - HKLM\..\Run: [ngh3f621] RUNDLL32.EXE w5e3e107.dll,n 0043f61d000000025e3e107

 

O4 - HKLM\..\Run: [ogh3f622] RUNDLL32.EXE w5e323b2.dll,n 0043f61e000000055e323b2

 

O4 - HKLM\..\Run: [ms061348175214] C:\WINDOWS\ms061348175214.exe

 

O4 - HKLM\..\Run: [{F8-8E-E2-24-ZN}] c:\windows\system32\dwdsregt.exe ELT001

 

O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"

 

O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\owinnpex.exe ELT001

 

O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe

 

O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe

 

O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\jere\LOCALS~1\Temp\995632.exe

 

O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\jere\LOCALS~1\Temp\992560.exe

 

O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\omdsregn.exe

 

O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owinnpex.exe

 

O15 - Trusted Zone: *.elitemediagroup.net

 

O15 - Trusted Zone: *.mmohsix.com

 

O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab

 

O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi109379.exe

 

Reboot your PC

 

Scan once more and post a fresh HijackThis log please.

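A triage pass over the HijackThis entry format used throughout this thread, as an added example that is not part of the original post and is not HijackThis or Lavasoft code. It parses the `<section> - <body>` lines shown above and attaches review flags for the patterns the fix list relies on: components marked `(file missing)` or `(no file)`, Trusted Zone additions, autoruns launched from a Temp directory or from the drive root, RUNDLL32 loading a DLL without a path, a browser started at logon with a URL argument, and services with an unknown owner under system32. The sample log is constructed from entries quoted above; the flag names and regular expressions are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Shape of every HijackThis entry line: "<section> - <body>" (section is R0-R3 or O1-O24).
LINE_RE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
# O4 autorun forms: registry Run/RunServices keys and Startup-folder shortcuts.
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?:Global )?Startup: .*?\.lnk = (?P<cmd>.*)$")
# O23 services: "Service: <display> (<name>) - <owner> - <path>".
SERVICE_RE = re.compile(r"^Service: .*? \([^)]*\) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Entry:
    section: str
    body: str
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the entry lines; the header and the 'Running processes' list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(entry: Entry) -> Entry:
    """Attach review flags. Each flag is a reason to look closer, not a verdict."""
    body = entry.body
    low = body.lower()
    # Registered component whose file is gone: a leftover, but still a dangling pointer.
    if "(file missing)" in low or low.endswith("(no file)"):
        entry.flags.append("orphan")
    # Sites added to IE's Trusted Zone run with relaxed security settings.
    if entry.section == "O15":
        entry.flags.append("trusted-zone")
    if entry.section == "O4":
        m = RUN_RE.match(body) or STARTUP_RE.match(body)
        cmd = m.group("cmd").lower() if m else ""
        tokens = cmd.split()
        # Persistence launched from a user's Temp directory.
        if "\\temp\\" in cmd or "\\locals~1\\" in cmd:
            entry.flags.append("autorun-from-temp")
        # Executable dropped directly in the drive root.
        if re.match(r'^"?[a-z]:\\[^\\]+\.exe', cmd):
            entry.flags.append("autorun-in-drive-root")
        # rundll32 loading a DLL given without a path (resolved via the search path).
        if tokens and tokens[0].startswith("rundll32") and len(tokens) > 1:
            dll = tokens[1].split(",")[0]
            if "\\" not in dll:
                entry.flags.append("rundll32-unqualified-dll")
        # Browser started at logon with a URL argument.
        if "iexplore.exe" in cmd and "http" in cmd:
            entry.flags.append("autorun-opens-url")
    if entry.section == "O23":
        m = SERVICE_RE.match(body)
        if m and m.group("owner") == "Unknown owner" and "\\system32\\" in m.group("path").lower():
            entry.flags.append("service-unknown-owner-system32")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Return only the entries that picked up at least one flag."""
    return [e for e in map(triage, parse_hjt(text)) if e.flags]


# Constructed sample: a handful of entries copied from the logs quoted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsg6D.dll
O2 - BHO: PPCScamBHO Class - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll (file missing)
O3 - Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O4 - HKLM\..\Run: [loaddr] C:\vcdsojv.exe
O4 - HKLM\..\Run: [lgh3f61f] RUNDLL32.EXE w5e31a0d.dll,n 0043f61b000000055e31a0d
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\jere\LOCALS~1\Temp\995632.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\omdsregn.exe
O15 - Trusted Zone: *.elitemediagroup.net
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi109379.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.section:4} {', '.join(e.flags):32} {e.body}")
```

Flags are review candidates, not verdicts: the legitimate Atheros service trips the same unknown-owner rule as the fake ASPI Manager, and the nsg6D.dll BHO picks up no flag at all. That is why the helper in this thread submitted the files themselves for analysis instead of relying on the log alone.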

Hi Jere,

 

Have you run the HijackThis steps yet? Can you post a fresh Hijackthis log after the reboot?


Jane,

 

Sorry for the delay.....the latest file is included.

 

 

Logfile of HijackThis v1.99.1

Scan saved at 11:58:17 AM, on 9/13/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\acs.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\system32\00THotkey.exe

C:\WINDOWS\system32\TFNF5.exe

C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\McAfee.com\VSO\oasclnt.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

C:\toshiba\ivp\ism\pinger.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\PeoplePC\ISP6330\Browser\Bartshel.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\crunner\cproc.exe

C:\Program Files\CallWave\IAM.exe

C:\WINDOWS\system32\RAMASST.exe

C:\PROGRA~1\PeoplePC\ISP6330\Browser\PPShared.exe

C:\Documents and Settings\jere\My Documents\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soulwinner.org/start

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.soulwinner.org/start

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://live2honorgod.com/Jere

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soulwinner.org/start

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.soulwinner.org/start

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.soulwinner.org/start

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://live2honorgod.com/Jere

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [bart Station] C:\Program Files\PeoplePC\ISP6330\BIN\PPCOLink.exe -STATION

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi109379.exe (file missing)

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe


No problem, Jere. Delays are not a problem here; I just didn't know how you were making out.

 

That last log looks pretty good. There are some remnants to clean up; I'll post further down how to fix them.

 

I still don't know what that crunner is. Do you have something like that listed in Add/Remove programs in the Control Panel? I don't have any evidence it is malware, but you should at least be aware of what it is and what it does anyway.

 

If you want to upload some of the files in that folder to the Spykiller uploads topic, I'll be happy to look at it for you.

C:\WINDOWS\system32\crunner

....................

Open HijackThis and do a *system scan only*

When it finishes, checkmark these entries and then press the *fix checked* button

 

O3 - Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)

 

O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi109379.exe (file missing)

 

Let me know how your computer is acting now.


Hi Jane,

 

I have uploaded the crunner files for you...two are exe files. The computer is running much better now and seems to be back to normal. It's not freezing up and there are no more ads popping up all the time. I honestly have no clue how you can know what to do to fix this like you did, but I am very grateful.

 

I haven't looked into formatting the computer yet because I didn't know if I should do that before we were done doing what you had to do. Should I still do this?

 

Thanks for all your help Jane, and if you have PayPal I'd love to pass along a little thank you gift.

 

Jere


Hi Jere,

 

I got the files, not sure what it is. Only BitDefender thinks it is Clickspring AdWare. I've submitted the file to numerous AV/AS/AT vendors for an analysis by email. I'll wait to see if anyone else finds this is Clickspring.

 

These were the initial scan results. I'll get more in reply to my email submission.

 

Complete scanning result of "cupdater.exe", received in VirusTotal at 09.13.2006, 23:52:37 (CET).

 

Antivirus Version Update Result

AntiVir 7.2.0.16 09.13.2006 no virus found

Authentium 4.93.8 09.13.2006 no virus found

Avast 4.7.844.0 09.13.2006 no virus found

AVG 386 09.13.2006 no virus found

BitDefender 7.2 09.13.2006 Adware.Clickspring.AA

CAT-QuickHeal 8.00 09.13.2006 no virus found

ClamAV devel-20060426 09.13.2006 no virus found

eTrust-InoculateIT 23.72.123 09.13.2006 no virus found

eTrust-Vet 30.3.3076 09.13.2006 no virus found

DrWeb 4.33 09.13.2006 no virus found

Ewido 4.0 09.13.2006 no virus found

Fortinet 2.82.0.0 09.13.2006 no virus found

F-Prot 3.16f 09.13.2006 no virus found

F-Prot4 4.2.1.29 09.13.2006 no virus found

Ikarus 0.2.65.0 09.13.2006 no virus found

Kaspersky 4.0.2.24 09.13.2006 no virus found

McAfee 4851 09.13.2006 no virus found

Microsoft 1.1560 09.13.2006 no virus found

NOD32v2 1.1754 09.13.2006 no virus found

Norman 5.80.02 09.13.2006 no virus found

Panda 9.0.0.4 09.13.2006 no virus found

Sophos 4.09.0 09.13.2006 no virus found

Symantec 8.0 09.13.2006 no virus found

TheHacker 5.9.8.210 09.13.2006 no virus found

UNA 1.83 09.13.2006 no virus found

VBA32 3.11.1 09.13.2006 no virus found

VirusBuster 4.3.7:9 09.13.2006 no virus found

 

Aditional Information

File size: 16384 bytes

MD5: 6dcf86ad71e2ad74280f5b8ca9502ed1

SHA1: d4afa91961f4fa57add1945f1c2e0c4200be46ff

 

.................

Complete scanning result of "cproc.exe", received in VirusTotal at 09.14.2006, 00:02:22 (CET).

 

Antivirus Version Update Result

AntiVir 7.2.0.16 09.13.2006 no virus found

Authentium 4.93.8 09.13.2006 no virus found

Avast 4.7.844.0 09.13.2006 no virus found

AVG 386 09.13.2006 no virus found

BitDefender 7.2 09.13.2006 Adware.Clickspring.AA

CAT-QuickHeal 8.00 09.13.2006 no virus found

ClamAV devel-20060426 09.13.2006 no virus found

DrWeb 4.33 09.13.2006 no virus found

eTrust-InoculateIT 23.72.123 09.13.2006 no virus found

eTrust-Vet 30.3.3076 09.13.2006 no virus found

Ewido 4.0 09.13.2006 no virus found

Fortinet 2.82.0.0 09.13.2006 no virus found

F-Prot 3.16f 09.13.2006 no virus found

F-Prot4 4.2.1.29 09.13.2006 no virus found

Ikarus 0.2.65.0 09.13.2006 no virus found

Kaspersky 4.0.2.24 09.13.2006 no virus found

McAfee 4851 09.13.2006 no virus found

Microsoft 1.1560 09.13.2006 no virus found

NOD32v2 1.1754 09.13.2006 no virus found

Norman 5.90.23 09.13.2006 no virus found

Panda 9.0.0.4 09.13.2006 no virus found

Sophos 4.09.0 09.13.2006 no virus found

Symantec 8.0 09.13.2006 no virus found

TheHacker 5.9.8.210 09.13.2006 no virus found

UNA 1.83 09.13.2006 no virus found

VBA32 3.11.1 09.13.2006 no virus found

VirusBuster 4.3.7:9 09.13.2006 no virus found

 

Aditional Information

File size: 20480 bytes

MD5: bd16c16a42d3a3f10d6f7afecf7110ff

SHA1: 26b3e22c668866f265f3b909f91bfbc75988cea9

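A parser for the VirusTotal text reports quoted above, as an added example that is not part of the original post and is not VirusTotal's own code. It reads the header, the engine rows and the size/MD5/SHA1 footer, separates `no virus found` from a detection label, states whether a result rests on one engine or several (the reasoning the post applies to BitDefender's lone hit), and lists the engines that agree across several reports. The sample reports are trimmed excerpts of the two results posted above; the function names and the two-engine threshold are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

HEADER_RE = re.compile(
    r'^Complete scanning result of "(?P<name>[^"]+)", received in VirusTotal at (?P<when>.+)\.$')
# One engine row: "<engine> <version> <update mm.dd.yyyy> <result ...>".
ROW_RE = re.compile(r"^(?P<engine>\S+) (?P<version>\S+) (?P<update>\d{2}\.\d{2}\.\d{4}) (?P<result>.+)$")
FIELD_RE = re.compile(r"^(?P<key>File size|MD5|SHA1): (?P<value>.+)$")
CLEAN = "no virus found"


@dataclass
class VtReport:
    filename: str = ""
    received: str = ""
    size: Optional[int] = None
    md5: str = ""
    sha1: str = ""
    results: Dict[str, Optional[str]] = field(default_factory=dict)  # engine -> label or None

    @property
    def detections(self) -> Dict[str, str]:
        return {e: r for e, r in self.results.items() if r}

    def hashes_ok(self) -> bool:
        """Both digests present with the right length; guards against a truncated paste."""
        return bool(re.fullmatch(r"[0-9a-f]{32}", self.md5)) and bool(re.fullmatch(r"[0-9a-f]{40}", self.sha1))


def parse_vt_report(text: str) -> VtReport:
    rep = VtReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            rep.filename, rep.received = m["name"], m["when"]
        elif (m := FIELD_RE.match(line)):
            if m["key"] == "File size":
                rep.size = int(m["value"].split()[0])
            elif m["key"] == "MD5":
                rep.md5 = m["value"].lower()
            else:
                rep.sha1 = m["value"].lower()
        elif (m := ROW_RE.match(line)):
            # The column header "Antivirus Version Update Result" has no date and is skipped here.
            result = m["result"].strip()
            rep.results[m["engine"]] = None if result.lower() == CLEAN else result
    return rep


def consensus(rep: VtReport, threshold: int = 2) -> str:
    """How much weight the detections carry; threshold is this example's assumption."""
    n = len(rep.detections)
    if n == 0:
        return "no detections"
    if n < threshold:
        return "single engine, needs corroboration"
    return f"{n}/{len(rep.results)} engines agree"


def shared_detections(reports: List[VtReport]) -> Dict[str, Set[str]]:
    """Engines that flagged every report, with the labels they used."""
    if not reports:
        return {}
    engines = set.intersection(*(set(r.detections) for r in reports))
    return {e: {r.detections[e] for r in reports} for e in engines}


# Constructed samples: trimmed excerpts of the two reports posted above.
SAMPLE_CUPDATER = """
Complete scanning result of "cupdater.exe", received in VirusTotal at 09.13.2006, 23:52:37 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.13.2006 no virus found
BitDefender 7.2 09.13.2006 Adware.Clickspring.AA
CAT-QuickHeal 8.00 09.13.2006 no virus found
Kaspersky 4.0.2.24 09.13.2006 no virus found
McAfee 4851 09.13.2006 no virus found
Symantec 8.0 09.13.2006 no virus found

Aditional Information
File size: 16384 bytes
MD5: 6dcf86ad71e2ad74280f5b8ca9502ed1
SHA1: d4afa91961f4fa57add1945f1c2e0c4200be46ff
"""

SAMPLE_CPROC = """
Complete scanning result of "cproc.exe", received in VirusTotal at 09.14.2006, 00:02:22 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.13.2006 no virus found
BitDefender 7.2 09.13.2006 Adware.Clickspring.AA
Kaspersky 4.0.2.24 09.13.2006 no virus found
Symantec 8.0 09.13.2006 no virus found

Aditional Information
File size: 20480 bytes
MD5: bd16c16a42d3a3f10d6f7afecf7110ff
SHA1: 26b3e22c668866f265f3b909f91bfbc75988cea9
"""

if __name__ == "__main__":
    reports = [parse_vt_report(SAMPLE_CUPDATER), parse_vt_report(SAMPLE_CPROC)]
    for r in reports:
        print(f"{r.filename}: {consensus(r)}; hashes ok: {r.hashes_ok()}")
    print("shared:", shared_detections(reports))
```

Checking digest lengths before trusting a pasted report catches the common case where a copy/paste cut a line short. The single-engine outcome is exactly where both files stood in this thread; the next step the post takes, emailing the samples to vendors, is what moved them from "needs corroboration" to a named detection.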

I'm curious as to what you get back about this. I have not installed this program and am quite sure it didn't come preloaded when I bought the computer a few months back.

 

Thanks again Jane for all your help.

 

 

Jere


Good morning Jere,

 

I have two responses here from my email submissions. Both Kaspersky and AntiVir are calling this new malware (TR/Dldr.MSIL.Agent.C), so let's delete it.

 

Open HijackThis and do a *system scan only*

When it finishes, checkmark this entry in the list. Then press the *fix checked* button.

 

O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe

 

Then delete this entire folder:

 

C:\WINDOWS\system32\crunner


Jane,

 

Again, thanks for the extra work.

 

I've run HJT and deleted that directory. Everything should be clean now, right?

 

Jere


Update your Ad-Aware to the latest definitions:

SE1R123 14.09.2006

 

And do a full system scan. Post a fresh log.

 

Then, let's do some final cleanups and you probably need to get an online AV scan. I can give you some good free ones.

 

Delete the Avenger Backup files, they won't be needed any longer.

 

You can go ahead and delete any special tools we used (Avenger, etc). They won't serve a future purpose and are replaced with updated versions frequently, so the copies you have are probably already out of date and there is no need to keep them.

 

Do a disk cleanup. Go to Start > Run and type in the box: Cleanmgr

Wait while Windows scans your system for files to delete.

Make sure these 3 are checkmarked and press *ok* to delete them.

 

Temporary Files

Temporary Internet Files

Recycle Bin

 

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

 

One of the best features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system, it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

 

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

 

(winXP)

 

1. Turn off System Restore.

Go to Start and right-click on *My Computer*.

Click Properties.

Click the System Restore tab.

Put a Checkmark in the box next to "Turn off System Restore".

Click Apply, and then click OK.

 

2. Reboot.

 

3. Turn ON System Restore.

Go to Start and right-click on *My Computer*.

Click Properties.

Click the System Restore tab.

Remove the checkmark next to "Turn off System Restore".

Click Apply, and then click OK.

 

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/default.aspx?...kb;en-us;310405

......................

Then get an online AV scan (or two) in case something bypassed your resident scanner.

 

eTrust Antivirus Web Scanner

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

(if prompted, please *allow* Active X and the install of software - this is needed to scan your system)

It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system.

 

Ewido free online scanner

http://www.ewido.net/en/onlinescan/

 

Trend Micro (PC-cillin) - Free on-line Scan

http://housecall.antivirus.com

 

Panda's Active Scan

http://www.pandasoftware.com/products/activescan.htm

 

Save any logs if any infected files are found so we can help you remove any that remain.

 

Once I'm sure we've gotten your computer cleaned up, I'll leave you with some prevention recommendations :(


Thank you Jane,

 

I will work on the things you've listed over the weekend and post the new log on Monday.

 

Much appreciated,

 

 

Jere


Jane,

 

I've got it all done and the Ad-Aware file is as follows.

 

 

Ad-Aware SE Build 1.06r1

Logfile Created on:Saturday, September 16, 2006 11:38:17 AM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R123 14.09.2006

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

MRU List(TAC index:0):2 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

9-16-2006 11:38:17 AM - Scan started. (Full System Scan)

 

MRU List Object Recognized!

Location: : software\microsoft\directdraw\mostrecentapplication

Description : most recent application to use microsoft directdraw

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1781173357-4041900530-4193989041-1006\software\microsoft\windows\currentversion\explorer\runmru

Description : mru list for items opened in start | run

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 588

ThreadCreationTime : 9-16-2006 6:36:50 PM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 652

ThreadCreationTime : 9-16-2006 6:36:51 PM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 676

ThreadCreationTime : 9-16-2006 6:36:52 PM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 720

ThreadCreationTime : 9-16-2006 6:36:52 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 732

ThreadCreationTime : 9-16-2006 6:36:52 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 892

ThreadCreationTime : 9-16-2006 6:36:53 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 952

ThreadCreationTime : 9-16-2006 6:36:53 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 992

ThreadCreationTime : 9-16-2006 6:36:53 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1048

ThreadCreationTime : 9-16-2006 6:36:53 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1216

ThreadCreationTime : 9-16-2006 6:36:54 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:11 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 1500

ThreadCreationTime : 9-16-2006 6:36:56 PM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

 

#:12 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1604

ThreadCreationTime : 9-16-2006 6:36:56 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

#:13 [acs.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1648

ThreadCreationTime : 9-16-2006 6:36:56 PM

BasePriority : Normal

 

 

#:14 [cfsvcs.exe]

FilePath : C:\Program Files\TOSHIBA\ConfigFree\

ProcessID : 1716

ThreadCreationTime : 9-16-2006 6:36:56 PM

BasePriority : Normal

FileVersion : 6, 0, 0, 1

ProductVersion : 6, 0, 0, 0

ProductName : ConfigFree

CompanyName : TOSHIBA CORPORATION

FileDescription : Service of ConfigFree.

InternalName : CFSvcs.exe

LegalCopyright : ©copyright TOSHIBA CORPORATION 2003-2005

LegalTrademarks : ConfigFree

OriginalFilename : CFSvcs.exe

Comments : Service of ConfigFree.

 

#:15 [dvdramsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1732

ThreadCreationTime : 9-16-2006 6:36:56 PM

BasePriority : Normal

FileVersion : 3, 0, 0, 0

ProductVersion : 3, 0, 0, 0

CompanyName : Matsushita Electric Industrial Co., Ltd.

FileDescription : DVD-RAM Utility Helper Service

LegalCopyright : Copyright © Matsushita Electric Industrial Co., Ltd. 2002 - 2004

OriginalFilename : DVDRAMSV.EXE

 

#:16 [swupdtmr.exe]

FilePath : c:\TOSHIBA\IVP\swupdate\

ProcessID : 1820

ThreadCreationTime : 9-16-2006 6:36:56 PM

BasePriority : Normal

 

 

#:17 [wdfmgr.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1892

ThreadCreationTime : 9-16-2006 6:36:56 PM

BasePriority : Normal

FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)

ProductVersion : 5.2.3790.1230

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows User Mode Driver Manager

InternalName : WdfMgr

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : WdfMgr.exe

 

#:18 [wscntfy.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1028

ThreadCreationTime : 9-16-2006 6:36:59 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Security Center Notification App

InternalName : wscntfy.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : wscntfy.exe

 

#:19 [igfxtray.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1072

ThreadCreationTime : 9-16-2006 6:36:59 PM

BasePriority : Normal

FileVersion : 3.0.0.4332

ProductVersion : 7.0.0.4332

ProductName : Intel® Common User Interface

CompanyName : Intel Corporation

FileDescription : igfxTray Module

InternalName : IGFXTRAY

LegalCopyright : Copyright 1999-2004, Intel Corporation

OriginalFilename : IGFXTRAY.EXE

 

#:20 [hkcmd.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1088

ThreadCreationTime : 9-16-2006 6:36:59 PM

BasePriority : Normal

FileVersion : 3.0.0.4332

ProductVersion : 7.0.0.4332

ProductName : Intel® Common User Interface

CompanyName : Intel Corporation

FileDescription : hkcmd Module

InternalName : HKCMD

LegalCopyright : Copyright 1999-2004, Intel Corporation

OriginalFilename : HKCMD.EXE

 

#:21 [igfxpers.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1128

ThreadCreationTime : 9-16-2006 6:36:59 PM

BasePriority : Normal

FileVersion : 3.0.0.4332

ProductVersion : 7.0.0.4332

ProductName : Intel® Common User Interface

CompanyName : Intel Corporation

FileDescription : persistence Module

InternalName : PERSISTENCE

LegalCopyright : Copyright 1999-2004, Intel Corporation

OriginalFilename : IGFXPERS.EXE

 

#:22 [ltmoh.exe]

FilePath : C:\Program Files\ltmoh\

ProcessID : 1136

ThreadCreationTime : 9-16-2006 6:36:59 PM

BasePriority : Normal

FileVersion : 1.73

ProductVersion : 1.73

ProductName : LtMoh Application

CompanyName : Agere Systems

FileDescription : LtMoh MFC Application

InternalName : LtMoh

LegalCopyright : Agere Copyright © 2001-2004

LegalTrademarks : Agere Systens

OriginalFilename : LtMoh.EXE

 

#:23 [agrsmmsg.exe]

FilePath : C:\WINDOWS\

ProcessID : 1148

ThreadCreationTime : 9-16-2006 6:36:59 PM

BasePriority : Normal

FileVersion : 2.1.49 2.1.49 12/20/2004 15:10:02

ProductVersion : 2.1.49 2.1.49 12/20/2004 15:10:02

ProductName : Agere SoftModem Messaging Applet

CompanyName : Agere Systems

FileDescription : SoftModem Messaging Applet

InternalName : smdmstat.exe

LegalCopyright : Copyright © Agere Systems 1998-2000

OriginalFilename : smdmstat.exe

 

#:24 [apoint.exe]

FilePath : C:\Program Files\Apoint2K\

ProcessID : 1160

ThreadCreationTime : 9-16-2006 6:36:59 PM

BasePriority : Normal

FileVersion : 6.0.2.186

ProductVersion : 6.0.2.186

ProductName : Alps Pointing-device Driver

CompanyName : Alps Electric Co., Ltd.

FileDescription : Alps Pointing-device Driver

InternalName : Alps Pointing-device Driver

LegalCopyright : Copyright © 1999-2004 Alps Electric Co., Ltd.

OriginalFilename : Apoint.exe

 

#:25 [00thotkey.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1168

ThreadCreationTime : 9-16-2006 6:36:59 PM

BasePriority : Normal

FileVersion : 1, 1, 0, 0

ProductVersion : 6, 3, 0, 0

ProductName : TOSHIBA THotkey

CompanyName : TOSHIBA Corporation

FileDescription : THotkey

InternalName : THotkey

LegalCopyright : Copyright © 1999 -2004 TOSHIBA Corporation

OriginalFilename : THotkey.exe

 

#:26 [tfnf5.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1240

ThreadCreationTime : 9-16-2006 6:36:59 PM

BasePriority : Normal

FileVersion : 2, 9, 0, 0

ProductVersion : 2, 9, 0, 0

ProductName : TOSHIBA Hotkey Utility for Display Devices

CompanyName : TOSHIBA Corp.

FileDescription : TFnF5

InternalName : TFnF5

LegalCopyright : Copyright © 2001-2004

OriginalFilename : TFnF5.Exe

Comments : Hotkey (Fn+F5) for Display Devices

 

#:27 [touched.exe]

FilePath : C:\Program Files\TOSHIBA\TouchED\

ProcessID : 1320

ThreadCreationTime : 9-16-2006 6:36:59 PM

BasePriority : Normal

FileVersion : 2, 5, 1, 0

ProductVersion : 2, 5, 1, 0

ProductName : TouchPad On/Off Utility

CompanyName : TOSHIBA Corporation

FileDescription : TouchPad On/Off Utility

InternalName : TouchED

LegalCopyright : Copyright 1998-2002 TOSHIBA Corporation. All rights reserved.

OriginalFilename : TouchED.exe

 

#:28 [smoothview.exe]

FilePath : C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\

ProcessID : 1372

ThreadCreationTime : 9-16-2006 6:36:59 PM

BasePriority : Normal

FileVersion : 2, 0, 0, 23

ProductVersion : 2, 0, 0, 23

ProductName : TOSHIBA Zooming Utility

CompanyName : TOSHIBA Corporation

FileDescription : SmoothView

InternalName : SmoothView

LegalCopyright : Copyright © 2003 TOSHIBA Corporation. All rights reserved.

OriginalFilename : SmoothView.exe

Comments : TOSHIBA Zooming Utility

 

#:29 [tfncky.exe]

FilePath : C:\Program Files\TOSHIBA\TOSHIBA Controls\

ProcessID : 1384

ThreadCreationTime : 9-16-2006 6:36:59 PM

BasePriority : Normal

FileVersion : 3.21.02

ProductVersion : 3.21.00

ProductName : TFncKy

CompanyName : TOSHIBA Corporation

FileDescription : TFncKy

InternalName : TFncKy

LegalCopyright : Copyright © 2001-2005 TOSHIBA Corporation. All rights reserved.

OriginalFilename : TFncKy.EXE

 

#:30 [ndstray.exe]

FilePath : C:\Program Files\TOSHIBA\ConfigFree\

ProcessID : 1404

ThreadCreationTime : 9-16-2006 6:36:59 PM

BasePriority : Normal

 

 

#:31 [tfswctrl.exe]

FilePath : C:\WINDOWS\system32\dla\

ProcessID : 1412

ThreadCreationTime : 9-16-2006 6:36:59 PM

BasePriority : Normal

FileVersion : 1.04.08a

CompanyName : Sonic Solutions

FileDescription : Drive Letter Access Component

LegalCopyright : Copyright © 2004 Sonic Solutions

 

#:32 [oasclnt.exe]

FilePath : C:\Program Files\McAfee.com\VSO\

ProcessID : 1796

ThreadCreationTime : 9-16-2006 6:37:00 PM

BasePriority : Normal

FileVersion : 10, 0, 0, 24

ProductVersion : 10, 0, 0, 0

ProductName : McAfee VirusScan

CompanyName : McAfee, Inc.

FileDescription : McAfee VirusScan OAS Client

InternalName : OasClnt

LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.

OriginalFilename : OasClnt.exe

Comments : McAfee VirusScan OAS Client

 

#:33 [mcagent.exe]

FilePath : C:\PROGRA~1\mcafee.com\agent\

ProcessID : 1860

ThreadCreationTime : 9-16-2006 6:37:00 PM

BasePriority : Normal

FileVersion : 6, 0, 0, 3

ProductVersion : 6, 0, 0, 0

ProductName : McAfee SecurityCenter

CompanyName : McAfee, Inc

FileDescription : McAfee SecurityCenter Agent

InternalName : mcagent

LegalCopyright : Copyright © 2005 McAfee, Inc.

OriginalFilename : mcagent.exe

 

#:34 [wmiprvse.exe]

FilePath : C:\WINDOWS\system32\wbem\

ProcessID : 1624

ThreadCreationTime : 9-16-2006 6:37:00 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : WMI

InternalName : Wmiprvse.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : Wmiprvse.exe

 

#:35 [mcupdate.exe]

FilePath : C:\PROGRA~1\mcafee.com\agent\

ProcessID : 2072

ThreadCreationTime : 9-16-2006 6:37:00 PM

BasePriority : Normal

FileVersion : 6, 0, 0, 8

ProductVersion : 6, 0, 0, 0

ProductName : McAfee SecurityCenter

CompanyName : McAfee, Inc

FileDescription : McAfee SecurityCenter Update Engine

InternalName : mcupdate

LegalCopyright : Copyright © 2005 McAfee, Inc.

OriginalFilename : mcupdate.exe

 

#:36 [tpsbattm.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2092

ThreadCreationTime : 9-16-2006 6:37:00 PM

BasePriority : Normal

FileVersion : 1, 0, 3, 0

ProductVersion : 7, 0, 0, 0

ProductName : TOSHIBA Power Saver

CompanyName : TOSHIBA Corporation

InternalName : TPSBattM

LegalCopyright : Copyright © 1998-2005 TOSHIBA Corporation

OriginalFilename : TPSBattM.exe

 

#:37 [pinger.exe]

FilePath : C:\toshiba\ivp\ism\

ProcessID : 2108

ThreadCreationTime : 9-16-2006 6:37:00 PM

BasePriority : Normal

FileVersion : 3.7.0.0

ProductVersion : 3.7.0.0

ProductName : Software Upgrades

CompanyName : TOSHIBA Corporation

FileDescription : TOSHIBA Pinger

InternalName : PINGER

LegalCopyright : © 1997-2005 TOSHIBA Corporation

OriginalFilename : PINGER.EXE

 

#:38 [mcvsshld.exe]

FilePath : C:\PROGRA~1\mcafee.com\vso\

ProcessID : 2148

ThreadCreationTime : 9-16-2006 6:37:00 PM

BasePriority : Normal

FileVersion : 10, 0, 0, 22

ProductVersion : 10, 0, 0, 0

ProductName : McAfee VirusScan

CompanyName : McAfee, Inc.

FileDescription : McAfee VirusScan ActiveShield Resource

InternalName : McVsShld

LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.

OriginalFilename : McVsShld.exe

Comments : McAfee VirusScan ActiveShield Resource

 

#:39 [qttask.exe]

FilePath : C:\Program Files\QuickTime\

ProcessID : 2172

ThreadCreationTime : 9-16-2006 6:37:01 PM

BasePriority : Normal

FileVersion : 6.5

ProductVersion : QuickTime 6.5

ProductName : QuickTime

CompanyName : Apple Computer, Inc.

InternalName : QuickTime Task

LegalCopyright : © Apple Computer, Inc. 2001-2004

OriginalFilename : QTTask.exe

 

#:40 [apntex.exe]

FilePath : C:\Program Files\Apoint2K\

ProcessID : 2192

ThreadCreationTime : 9-16-2006 6:37:01 PM

BasePriority : Normal

FileVersion : 5.0.1.15

ProductVersion : 5.0.1.15

ProductName : Alps Pointing-device Driver for Windows NT/2000/XP

CompanyName : Alps Electric Co., Ltd.

FileDescription : Alps Pointing-device Driver for Windows NT/2000/XP

InternalName : Alps Pointing-device Driver for Windows NT/2000/XP

LegalCopyright : Copyright © 1998-2003 Alps Electric Co., Ltd.

OriginalFilename : ApntEx.exe

 

#:41 [jusched.exe]

FilePath : C:\Program Files\Java\jre1.5.0_06\bin\

ProcessID : 2224

ThreadCreationTime : 9-16-2006 6:37:01 PM

BasePriority : Normal

 

 

#:42 [mcvsescn.exe]

FilePath : c:\progra~1\mcafee.com\vso\

ProcessID : 2236

ThreadCreationTime : 9-16-2006 6:37:01 PM

BasePriority : Normal

FileVersion : 10, 0, 0, 20

ProductVersion : 10, 0, 0, 0

ProductName : McAfee VirusScan

CompanyName : McAfee, Inc.

FileDescription : McAfee VirusScan E-mail Scan Module

InternalName : mcvsescn

LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.

OriginalFilename : mcvsescn.EXE

Comments : McAfee VirusScan E-mail Scan Module

 

#:43 [toscdspd.exe]

FilePath : C:\Program Files\TOSHIBA\TOSCDSPD\

ProcessID : 2276

ThreadCreationTime : 9-16-2006 6:37:01 PM

BasePriority : Normal

 

 

#:44 [bartshel.exe]

FilePath : C:\Program Files\PeoplePC\ISP6330\Browser\

ProcessID : 2308

ThreadCreationTime : 9-16-2006 6:37:01 PM

BasePriority : Normal

FileVersion : 6, 3, 1, 285

ProductVersion : 6, 3, 0, 0

ProductName : PeoplePC BartShell Module

CompanyName : PeoplePC

FileDescription : BartShell Module

InternalName : BartShell

LegalCopyright : Copyright © 2006 PeoplePC

OriginalFilename : BartShel.exe

 

#:45 [ctfmon.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2320

ThreadCreationTime : 9-16-2006 6:37:01 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : CTF Loader

InternalName : CTFMON

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : CTFMON.EXE

 

#:46 [msnmsgr.exe]

FilePath : C:\Program Files\MSN Messenger\

ProcessID : 2344

ThreadCreationTime : 9-16-2006 6:37:01 PM

BasePriority : Normal

FileVersion : 8.0.0812.00

ProductVersion : 8.0.0812

ProductName : Messenger

CompanyName : Microsoft Corporation

FileDescription : Messenger

InternalName : msnmsgr.exe

LegalCopyright : Copyright © Microsoft Corporation. All rights reserved.

OriginalFilename : msnmsgr.exe

 

#:47 [ppshared.exe]

FilePath : C:\PROGRA~1\PeoplePC\ISP6330\Browser\

ProcessID : 2456

ThreadCreationTime : 9-16-2006 6:37:02 PM

BasePriority : Normal

FileVersion : 6, 3, 1, 6

ProductVersion : 6, 3, 0, 0

ProductName : PPShared Module

CompanyName : PeoplePC

FileDescription : PPShared Module

InternalName : PPShared

LegalCopyright : Copyright © 2006 PeoplePC

OriginalFilename : PPShared.EXE

 

#:48 [iam.exe]

FilePath : C:\Program Files\CallWave\

ProcessID : 2472

ThreadCreationTime : 9-16-2006 6:37:02 PM

BasePriority : Normal

FileVersion : 3.07.8 (4-April-2005)

ProductVersion : 3.07.8 (4-April-2005)

ProductName : CallWave Service

CompanyName : CallWave, Inc.

FileDescription : Internet Answering Machine

InternalName : CallApp

LegalCopyright : Copyright © 1999-2003 CallWave, Inc.

OriginalFilename : CallApp.exe

 

#:49 [ramasst.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2484

ThreadCreationTime : 9-16-2006 6:37:03 PM

BasePriority : Normal

FileVersion : 1, 1, 0, 0

ProductVersion : 1, 1, 0, 0

CompanyName : Matsushita Electric Industrial Co., Ltd.

FileDescription : CD Burning of Windows XP disabling tool for DVD MULTI Drive

LegalCopyright : Copyright © Matsushita Electric Industrial Co., Ltd. 2002 - 2004

OriginalFilename : RAMASST.EXE

 

#:50 [mcvsftsn.exe]

FilePath : c:\progra~1\mcafee.com\vso\

ProcessID : 2792

ThreadCreationTime : 9-16-2006 6:37:07 PM

BasePriority : Normal

FileVersion : 10, 0, 0, 19

ProductVersion : 10, 0, 0, 0

ProductName : McAfee VirusScan

CompanyName : McAfee, Inc.

FileDescription : McAfee VirusScan Instant Messenger Scan Module

InternalName : mcvsftsn

LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.

OriginalFilename : mcvsftsn.EXE

Comments : McAfee VirusScan Instant Messenger Scan Module

 

#:51 [msmsgs.exe]

FilePath : C:\Program Files\Messenger\

ProcessID : 2952

ThreadCreationTime : 9-16-2006 6:37:10 PM

BasePriority : Normal

FileVersion : 4.7.3001

ProductVersion : Version 4.7.3001

ProductName : Messenger

CompanyName : Microsoft Corporation

FileDescription : Windows Messenger

InternalName : msmsgs

LegalCopyright : Copyright © Microsoft Corporation 2004

LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.

OriginalFilename : msmsgs.exe

 

#:52 [wuauclt.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 724

ThreadCreationTime : 9-16-2006 6:37:42 PM

BasePriority : Normal

FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)

ProductVersion : 5.8.0.2469

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Automatic Updates

InternalName : wuauclt.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : wuauclt.exe

 

#:53 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 3276

ThreadCreationTime : 9-16-2006 6:38:10 PM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 2

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 2

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 2

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 2

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 2

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

54 entries scanned.

New critical objects:0

Objects found so far: 2

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 2

 

11:45:25 AM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:07:07.985

Objects scanned:136637

Objects identified:0

Objects ignored:0

New critical objects:0

 

 

I haven't done an online scan yet because unfortunately I only have dial-up and it's soooooo slow. I'll have to do that tonight.

 

Thanks

 

jere
