Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

WINFIXER 2005, Winantispyware, travel HELP! [RESOLVED]

Started by sweetbeast , Sep 18 2005 09:48 PM

  • This topic is locked This topic is locked

#1
sweetbeast
Posted 18 September 2005 - 09:48 PM

sweetbeast

    New Member

  • Member
  • Pip
  • 8 posts
Logfile of HijackThis v1.99.1
Scan saved at 8:43:26 PM, on 9/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\EzButton\CplBTQ00.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar...spx?tb_id=50154
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Registration\sodbc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095736772968
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: sodbc - C:\WINDOWS\Registration\sodbc.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

Advertisements

#2
Excal
Posted 24 September 2005 - 10:22 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi sweetbeast and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

:tazz:

Excal
  • 0

#3
sweetbeast
Posted 25 September 2005 - 01:47 PM

sweetbeast

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks for helping me. I have not resolved the problem! Here is my latest log:




Logfile of HijackThis v1.99.1
Scan saved at 12:46:06 PM, on 9/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\EzButton\CplBTQ00.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar...spx?tb_id=50154
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Registration\sodbc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095736772968
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: sodbc - C:\WINDOWS\Registration\sodbc.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#4
Excal
Posted 25 September 2005 - 07:29 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    it should look like this

    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk
    Please seek assistance at one of the following forums:
    http://www.atribune.org/forums
    http://www.247fixes.com/forums
    http://www.geekstogo.com/forum
    http://forums.net-integration.net

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\Registration\sodbc.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\Registration\cbdos.* This will be the vundo filename spelt backwards. for example if the vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Registration\sodbc.dll
    O20 - Winlogon Notify: sodbc - C:\WINDOWS\Registration\sodbc.dll
  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
  • 0

#5
sweetbeast
Posted 25 September 2005 - 09:29 PM

sweetbeast

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi Excal,
Well...I had limited success with your direction. Here's what happened:

I ran KillVundo.bat in safemode and typed in both file paths. After the second "Enter, F6, Enter" I received a warning window from my Norton AntiVirus program about Malicious files. I had a choice to ignore it or eliminate it; I chose to ignore it once. The program continued. After running HijackThis and creating a log, I was unable to identify and click "fix checked" for the two items you identified (02-BHO:MSEvents Object- {B8B55274..... and 020- Winlogon Notify: sodbc=.....). I then rebooted the computer, ran CleanUp as directed and ActiveScan.

When I tried to re-run KillVundo.bat, the second file path was not accepted and I got a message that the computer could not find a certain file (I forget the name but I think it was sodbc.dll).

Below are the results of the ActiveScan, new HiJackThis log and the vundofix.txt file.

Please let me know what additional steps I need to take. THANK YOU!!



Incident Status Location
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts


Logfile of HijackThis v1.99.1
Scan saved at 8:10:57 PM, on 9/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\EzButton\CplBTQ00.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar...spx?tb_id=50154
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095736772968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: sodbc - C:\WINDOWS\Registration\sodbc.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




CleanUp! started on 09/25/05 19:48:32.
...
Visited: Todd@http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html&prune_day=5&sort_by=Z-A&sort_key=last_post&topicfilter=all&st=50 - deleted
Visited: Todd@http://cgi1.ebay.com/ws/eBayISAPI.dll?MakeTrack&item=8336882025 - deleted
Visited: Todd@http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html - deleted
Visited: Todd@http://www.geekstogo.com/forum/index.php?act=search&CODE=getnew&active=1 - deleted
Visited: Todd@http://www.geekstogo.com/forum/index.php? - deleted
Visited: Todd@http://202.67.220.230/trafc/redir.php?cmp=te_sports&nid=md&lid=sports.yahoo.com - deleted
Visited: Todd@http://www.geekstogo.com/forum/index.php?act=Stats&CODE=who&t=64563 - deleted
Visited: Todd@http://www.stevengould.org/downloads/cleanup/CleanUp40.exe - deleted
Visited: Todd@http://www.google.com/search?hl=en&lr=&q=westlake+braves+youth++football+spruce - deleted
Visited: Todd@http://search.ebay.com/search/search.dll?sofocus=bs&sbrftog=1&catref=C6&fstype=1&from=R10&satitle=tod+7.5&sacat=-1%26catref%3DC6&bs=Search&sargn=-1%26saslc%3D2&sadis=200&fpos=ZIP%2FPostal&ftrt=1&ftrv=1&saprclo=&saprchi=&fsop=1&fsoo=1 - deleted
Visited: Todd@http://www.google.com/search?hl=en&q=silhouette+eyeweartitan - deleted
Visited: Todd@http://cgi1.ebay.com/ws/eBayISAPI.dll?MakeTrack&item=8337621314 - deleted
Visited: Todd@http://www.tic-tock.com/php//DisplayWatch.php3?WRIST_WATCH_ID=16998 - deleted
Visited: Todd@http://www.tic-tock.com/php//DisplayWatch.php3?WRIST_WATCH_ID=16526 - deleted
Visited: Todd@http://cgi.ebay.com/HICKEY-FREEMAN-NAVY-WOOL-SPORTS-JACKET-SZ-38-SHORT_W0QQitemZ5428228000QQcategoryZ3002QQssPageNameZWDVWQQrdZ1QQcmdZViewItem - deleted
Visited: Todd@http://forums.anandtech.com/messageview.aspx?catid=32&threadid=1689724&STARTPAGE=2&enterthread=y - deleted
Visited: Todd@http://www.geekstogo.com/forum/index.php?act=Search&f= - deleted
Visited: Todd@http://www.geekstogo.com/forum/index.php?act=Search&CODE=show&searchid=9b7b80efbe15e0d285e8dcb4872feaa7&search_in=posts&result_type=topics&highlite= - deleted
Visited: Todd@res://C:\PROGRA~1\NORTON~1\NAVComUI.DLL/CommonUIProgress.htm - deleted
Visited: Todd@http://www.tic-tock.com/PatekPhilippeWristWatchContemporary.htm - deleted
Visited: Todd@http://www.geekstogo.com/forum/index.php?act=Search&f= - deleted
Visited: Todd@http://www.geekstogo.com/forum/index.php?act=Search&CODE=show&searchid=630dd4845ae4e95f29c3acaa056a9d74&search_in=posts&result_type=topics&highlite= - deleted
Visited: Todd@http://mlb.mlb.com/mlb/gameday/gd2005mini.html?2005_09_25_bosmlb_balmlb_1&partnerID=mlb - deleted
Visited: Todd@http://mlb.mlb.com/mlb/gameday/gd2005.html?2005_09_25_phimlb_cinmlb_1 - deleted
Visited: Todd@http://listings.ebay.com/_W0QQsocmdZListingItemList?sofocus=bs&sbrftog=1&from=R2&socmd=ListingItemList&fstype=1&catref=C3&satitle=zegna+15&sacat=15680%26catref%3DC6&bs=Search&a53=-24&a54=-24&a94=-24&gcs=24&pfid=25&reqtype=2&pfmode=1&alist=a53%2Ca54%2Ca57%2Ca94%2Ca3801&pf_query=zegna+15&sargn=-1%26saslc%3D2&sadis=200&fpos=ZIP%2FPostal&ftrt=1&ftrv=1&saprclo=&saprchi=&fsop=1%26fsoo%3D1&coaction=compare&copagenum=1&coentrypage=search&fgtp= - deleted
Visited: Todd@http://click.linksynergy.com/fs-bin/swat?lsnsig=5v821kL90tE&id=7Yivp0Wg1w8&offerid=63029.10000366&type=3&subid=0 - deleted
Visited: Todd@https://webmail.pas.earthlink.net/wam/MsgMove?addAddresses=true&x=-824204898 - deleted
Visited: Todd@http://www.amxtravel.com/stage/?aid=vm_md_amxtravel&lid=fares - deleted
Visited: Todd@http://www.westlakebulldogs.com/Organization/Board.htm - deleted
Visited: Todd@http://www.5000mpegs.com/analmovies/0588_carla_ass[bleep]ed/thumbpost.html - deleted
Visited: Todd@http://www.totitans.com - deleted
Visited: Todd@http://search.ebay.com/search/search.dll?sofocus=bs&sbrftog=1&from=R10&fstype=1&catref=C6&satitle=thomas+pink+men+15&sacat=-1%26catref%3DC6&bs=Search&sargn=-1%26saslc%3D2&sadis=200&fpos=ZIP%2FPostal&ftrt=1&ftrv=1&saprclo=&saprchi=&fsop=1%26fsoo%3D1&coaction=compare&copagenum=1&coentrypage=search - deleted
Visited: Todd@http://search.store.yahoo.com/cgi-bin/nsearch?catalog=yhst-50264111673463&query=shape+6074&Image.x=15&Image.y=14 - deleted
Visited: Todd@http://cgi.ebay.com/EXCELLENT-THOMAS-PINK-WHITE-SEA-ISLAND-COTTON-SHIRT-15_W0QQitemZ8336128510QQcategoryZ38401QQssPageNameZWDVWQQrdZ1QQcmdZViewItem - deleted
Visited: Todd@http://cgi.ebay.com/Ermenegildo-Zegna-Mens-Denim-Jeans-size-31_W0QQitemZ7714673547QQcategoryZ11483QQssPageNameZWDVWQQrdZ1QQcmdZViewItem - deleted
Visited: Todd@http://forums.us.dell.com/supportforums/board/message?board.id=si_hijack&message.id=13674 - deleted
Visited: Todd@http://www.thetechguide.com/forum/index.php?showtopic=20026&mode=threaded - deleted
Visited: Todd@http://www.geekstogo.com/forum/Problem_with_winfixer_2005-t65870.html - deleted
Visited: Todd@http://click.linksynergy.com/fs-bin/click?id=vWibBwTimgE&offerid=80634.10000045&type=3&subid=0 - deleted
Visited: Todd@http://mlb.mlb.com/mlb/gameday/gd2005.html?2005_09_25_bosmlb_balmlb_1 - deleted
Visited: Todd@http://search.ebay.com/search/search.dll?sofocus=bs&sbrftog=1&from=R10&fstype=1&catref=C6&satitle=pink+15&sacat=-1%26catref%3DC6&bs=Search&a53=-24&a57=-24&a54=-24&a94=-24&gcs=25&pfid=26&reqtype=1&pfmode=1&alist=a53%2Ca57%2Ca54%2Ca94%2Ca3801&pf_query=pink+15&sargn=-1%26saslc%3D2&sadis=200&fpos=ZIP%2FPostal&ftrt=1&ftrv=1&saprclo=&saprchi=&fsop=1%26fsoo%3D1&coaction=compare&copagenum=1&coentrypage=search - deleted
Visited: Todd@http://search.ebay.com/search/search.dll?sofocus=bs&sbrftog=1&fstype=1&catref=C6&from=R10&satitle=gemeinhardt+flute+m3+&sacat=-1%26catref%3DC6&bs=Search&sargn=-1%26saslc%3D2&sadis=200&fpos=ZIP%2FPostal&ftrt=1&ftrv=1&saprclo=&saprchi=&fsop=1%26fsoo%3D1&coaction=compare&copagenum=1&coentrypage=search&fgtp= - deleted
Visited: Todd@http://www.geekstogo.com/forum/index.php?act=Post&CODE=02&f=37&t=64563 - deleted
Visited: Todd@http://www.obagi.com/article/forpatients/obaginu-dermsystem/obaginu-dermsystem.html - deleted
Visited: Todd@file:///C:/Documents%20and%20Settings/Todd/Desktop/VundoFix/vundofix.txt - deleted
C:\Documents and Settings\Todd\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Todd\Cookies\todd@1070847646[1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@2o7[1].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@80503492[1].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][2].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][2].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@anandtech[1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@atwola[1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@barrons[1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@bluestreak[2].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@burstnet[2].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@castlecops[2].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@ccbill[2].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@clickability[2].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@comcast[2].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@connextra[1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@cpvfeed[2].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@dcsigvpg110000oyioyaka1kl_7j7v[2].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@dcskz8vvr00000c9f3oy3ybgs_3d5h[2].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@dell[1].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][2].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][2].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][2].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][2].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][2].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@earthlink[2].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@ebay[1].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@ft[2].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@geekstogo[1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@google[1].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@infodense[1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@mlb[2].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@moviemonster[2].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@nytimes[1].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][2].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@obalduyam[2].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@onestoponlineshop[2].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@pctools[1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@questionmarket[1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@revsci[2].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@rtm[1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@scrippsnetworksprivacy[1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@scrippsnewspapersprivacy[1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@scripps[2].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@ubbthreads[2].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@venturacountystar[1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@wsj[2].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][2].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][2].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][2].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][2].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][2].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\Todd\Cookies\[email protected][1].txt - deleted
C:\Documents and Settings\Todd\Cookies\todd@yahoo[2].txt - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/pagead/conversion/1070847646/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/hc/80503492 - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/rtm - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/dcskz8vvr00000c9f3oy3ybgs_3d5h/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/dcsigvpg110000oyioyaka1kl_7j7v/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ubbthreads/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
Cookie:[email protected]/ - deleted
C:\Documents and Settings\Todd\Recent\VundoFix (2).lnk - deleted
C:\Documents and Settings\Todd\Recent\vundofix.lnk - deleted
C:\Documents and Settings\Default User\Recent\ARCSOFT.lnk - deleted
C:\Documents and Settings\Default User\Recent\Setup.lnk - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\AIM3.tmp.arf - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\JETD8BC.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\Todd\LOCALS~1\Temp\MPC1.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\Perflib_Perfdata_85c.dat currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DF17C6.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DF217.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DF2354.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DF2AF9.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DF4656.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DF49E0.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DF4B4C.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DF4FE9.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DF5466.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DF67F3.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DF699A.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DF6D3B.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DF729.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DF9B35.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DF9D07.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DFA507.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DFB13C.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DFC060.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DFD123.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DFD2F3.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DFD8B7.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DFDF9A.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DFE8CE.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DFEEEB.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DFF63.tmp - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\hsperfdata_Todd\ - deleted
C:\DOCUME~1\Todd\LOCALS~1\Temp\JETD8BC.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\Todd\LOCALS~1\Temp\Perflib_Perfdata_85c.dat currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DF4656.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\Todd\LOCALS~1\Temp\~DF729.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Todd\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Todd\locals~1\tempor~1\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Todd\locals~1\tempor~1\Content.IE5\CD2NSXMV\%26prune_day%3D5%26sort_by%3DZ-A%26sort_key%3Dlast_post%26topicfilter%3Dall%26st%3D50&cc=100&u_h=900&u_w=1440&u_ah=870&u_aw=1440&u_cd=32&u_tz=-420&u_his=5&u_java=true currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Todd\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Todd\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Todd\Local Settings\History\History.IE5\MSHist012005092520050926\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Todd\Local Settings\Temp\JETD8BC.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Todd\Local Settings\Temp\Perflib_Perfdata_85c.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Todd\Local Settings\Temp\~DF4656.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Todd\Local Settings\Temp\~DF729.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Todd\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Todd\Local Settings\Temporary Internet Files\Content.IE5\CD2NSXMV\%26prune_day%3D5%26sort_by%3DZ-A%26sort_key%3Dlast_post%26topicfilter%3Dall%26st%3D50&cc=100&u_h=900&u_w=1440&u_ah=870&u_aw=1440&u_cd=32&u_tz=-420&u_his=5&u_java=true currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\NetworkService\Cookies\index.dat - deleted
C:\Documents and Settings\NetworkService\locals~1\tempor~1\Content.IE5\index.dat - deleted
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat - deleted
C:\Documents and Settings\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\locals~1\tempor~1\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Prefetch\ACRORD32.EXE-0781811F.pf - deleted
C:\WINDOWS\Prefetch\AD-AWARE.EXE-2ED3360E.pf - deleted
C:\WINDOWS\Prefetch\ANNUAL~1.SCR-0C923717.pf - deleted
C:\WINDOWS\Prefetch\AUPDATE.EXE-2253CB60.pf - deleted
C:\WINDOWS\Prefetch\CLEANUP.EXE-3438663A.pf - deleted
C:\WINDOWS\Prefetch\CLEANUP40.EXE-212D5566.pf - deleted
C:\WINDOWS\Prefetch\DEFRAG.EXE-273F131E.pf - deleted
C:\WINDOWS\Prefetch\DFRGNTFS.EXE-269967DF.pf - deleted
C:\WINDOWS\Prefetch\DUMPREP.EXE-1B46F901.pf - deleted
C:\WINDOWS\Prefetch\DWWIN.EXE-30875ADC.pf - deleted
C:\WINDOWS\Prefetch\GCASDTSERV.EXE-04B13CAF.pf - deleted
C:\WINDOWS\Prefetch\GCASINSTALLHELPER.EXE-08D85A8C.pf - deleted
C:\WINDOWS\Prefetch\GCASSERV.EXE-3660CD4E.pf - deleted
C:\WINDOWS\Prefetch\GCASSWUPDATER.EXE-06378256.pf - deleted
C:\WINDOWS\Prefetch\GIANTANTISPYWAREMAIN.EXE-0F089A5A.pf - deleted
C:\WINDOWS\Prefetch\GIANTANTISPYWAREUPDATER.EXE-01DFD337.pf - deleted
C:\WINDOWS\Prefetch\HELPSVC.EXE-2878DDA2.pf - deleted
C:\WINDOWS\Prefetch\HIJACKTHIS.EXE-0D776E28.pf - deleted
C:\WINDOWS\Prefetch\HIJACKTHIS[1].EXE-05E300FC.pf - deleted
C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf - deleted
C:\WINDOWS\Prefetch\IVPSVMGR.EXE-20A69266.pf - deleted
C:\WINDOWS\Prefetch\Layout.ini - deleted
C:\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf - deleted
C:\WINDOWS\Prefetch\LUCOMS~1.EXE-02DB5950.pf - deleted
C:\WINDOWS\Prefetch\MICROSOFTANTISPYWAREINSTALL.E-169F79A6.pf - deleted
C:\WINDOWS\Prefetch\MIM.EXE-117570E3.pf - deleted
C:\WINDOWS\Prefetch\MMCOMP~1.EXE-32321D3B.pf - deleted
C:\WINDOWS\Prefetch\MMDIAG.EXE-094F7072.pf - deleted
C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf - deleted
C:\WINDOWS\Prefetch\NAVW32.EXE-24F56911.pf - deleted
C:\WINDOWS\Prefetch\NDETECT.EXE-16E64095.pf - deleted
C:\WINDOWS\Prefetch\NMAIN.EXE-2BA406E0.pf - deleted
C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf - deleted
C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf - deleted
C:\WINDOWS\Prefetch\OPSCAN.EXE-1D42E8EC.pf - deleted
C:\WINDOWS\Prefetch\OUTLOOK.EXE-21C6162B.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-17F8F9E3.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-188DF14E.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf - deleted
C:\WINDOWS\Prefetch\SPYBOTSD.EXE-1344276B.pf - deleted
C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf - deleted
C:\WINDOWS\Prefetch\WINWORD.EXE-37F6AE09.pf - deleted
C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf - deleted
C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEFA6.pf - deleted
C:\WINDOWS\Prefetch\WSCNTFY.EXE-1B24F5EB.pf - deleted
C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf - deleted
'Run MRU' list - removed from the registry.
Paint Recent File List - removed from the registry.
Telnet's MRU list - removed from the registry.
CleanUp! 4.0 recovered 5.3 MB of disk space from 1009 files.
CleanUp! finished on 09/25/05 19:48:37.
  • 0

#6
Excal
Posted 25 September 2005 - 09:56 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
How are things running, everything looks really good.

Open HijackThis-> Click Config-> Click Misc Tools-> Click Open Hosts File Manager-> Click Open in Notepad->

Copy&Paste the entire Contents of that Notepad Page to your Next Post!


Post back with a HijackThis log from Normal Mode and the Hosts File log!
  • 0

#7
sweetbeast
Posted 25 September 2005 - 11:51 PM

sweetbeast

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Excal,
Thanks for the quick response. Things seem to be running faster, and I haven't received any WinFixer, etc. popups, however, I need to use the computer a bit more to see if one is still lurking (they've been intermittent).

To your request, here is the HiJackThis file and the host file log. (The host file log doesn't really seem to have anything interesting in it!)

HiJackThis Log below:
Logfile of HijackThis v1.99.1
Scan saved at 10:46:10 PM, on 9/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\ltmoh\Ltmoh.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\EzButton\CplBTQ00.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar...spx?tb_id=50154
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095736772968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: sodbc - C:\WINDOWS\Registration\sodbc.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




Host File log below:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
  • 0

#8
Excal
Posted 26 September 2005 - 05:45 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Just wanted to make sure it had indeed cleaned the host file :)

Great job, it appears your computer is clean :tazz:

Now that your system is Malware Free, it is important to reset your system Restore. Click Here to learn how to.

I recommend that you Defrag your computer before setting your Restore points:

Go to start>all programs>accessories>system tools>Disk Defragmentor Make sure it set to the proper drive (default should be your main driver) and click on defragment


Might I suggest the following Free Spyware programs, if you don't already have them, for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE
Spybot S&D
Microsoft Anti-Spyware


If you are unhappy with your current antivirus and want to replace it or if you dont already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast
AntiVir


The following free programs are great for prevention:

SpywareBlaster 3.4
Spywareguard
IE/Spyad

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system)

Sygate
Kerio
ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox
Opera

If you decide to keep Internet Explorer, This site is a great source for tightening up security on It's settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Also read How I got Infected
  • 0

#9
sweetbeast
Posted 26 September 2005 - 10:37 PM

sweetbeast

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Excal,
THANK YOU! You are awesome. My computer is running free of the scourge that's been bugging me for weeks. (I just don't understand the mentality of the people that create those malicious programs...we should put them in a cage in Times Square and throw rotten fruit at them!) Just kidding. Anyway, I gave you a little support $ through PayPal. Keep up the good work my friend.
Sweetbeast
  • 0

#10
Excal
Posted 26 September 2005 - 10:57 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Thanks!!! and your welcome :)

good luck and safe surfing :)

:tazz:

Excal
  • 0

#11
Excal
Posted 19 October 2005 - 06:28 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP