Help please...Log inside...

Posted by: mooch392

Hi there,

My computer is giving me all sorts of trouble. I would appreciate it if someone could take a look at my HijackThis log; I think my computer is riddled with viruses!

Logfile of HijackThis v1.99.0
Scan saved at 10:41:55 PM, on 4/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TDispVol.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL 8.0a\aoltray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Voyetra\AudioSurgeon 5\asurscsi.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10MT2.EXE
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\AOL 8.0a\waol.exe
C:\Program Files\AOL 8.0a\shellmon.exe
C:\Documents and Settings\shane\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\shane\Application Data\Mozilla\Profiles\default\wtz1i7sk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\shane\Application Data\Mozilla\Profiles\default\wtz1i7sk.slt\prefs.js)
O1 - Hosts: 64.233.167.104 www.sophos.com
O1 - Hosts: 64.233.167.104 www.mcafee.com
O1 - Hosts: 64.233.167.104 www.viruslist.com
O1 - Hosts: 64.233.167.104 www.f-secure.com
O1 - Hosts: 64.233.167.104 www.avp.com
O1 - Hosts: 64.233.167.104 www.kaspersky.com
O1 - Hosts: 64.233.167.104 www.networkassociates.com
O1 - Hosts: 64.233.167.104 www.ca.com
O1 - Hosts: 64.233.167.104 www.my-etrust.com
O1 - Hosts: 64.233.167.104 www.nai.com
O1 - Hosts: 64.233.167.104 www.trendmicro.com
O1 - Hosts: 64.233.167.104 www.grisoft.com
O1 - Hosts: 64.233.167.104 sophos.com
O1 - Hosts: 64.233.167.104 mcafee.com
O1 - Hosts: 64.233.167.104 viruslist.com
O1 - Hosts: 64.233.167.104 f-secure.com
O1 - Hosts: 64.233.167.104 kaspersky.com
O1 - Hosts: 64.233.167.104 kaspersky-labs.com
O1 - Hosts: 64.233.167.104 avp.com
O1 - Hosts: 64.233.167.104 networkassociates.com
O1 - Hosts: 64.233.167.104 ca.com
O1 - Hosts: 64.233.167.104 mast.mcafee.com
O1 - Hosts: 64.233.167.104 my-etrust.com
O1 - Hosts: 64.233.167.104 download.mcafee.com
O1 - Hosts: 64.233.167.104 dispatch.mcafee.com
O1 - Hosts: 64.233.167.104 secure.nai.com
O1 - Hosts: 64.233.167.104 nai.com
O1 - Hosts: 64.233.167.104 us.mcafee.com
O1 - Hosts: 64.233.167.104 rads.mcafee.com
O1 - Hosts: 64.233.167.104 trendmicro.com
O1 - Hosts: 64.233.167.104 grisoft.com
O1 - Hosts: 64.233.167.104 sandbox.norman.no
O1 - Hosts: 64.233.167.104 www.pandasoftware.com
O1 - Hosts: 64.233.167.104 uk.trendmicro-europe.com
O1 - Hosts: 64.233.167.104 uk.trendmicro-europe.com
O1 - Hosts: 64.233.167.104 uk.trendmicro-europe.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 03
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [winupdt] RUNDLL32.EXE c:\windows\pmickey32.dll,_mainRD
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKLM\..\RunServices: [ltwob] C:\WINDOWS\System32\formatsys.exe
O4 - HKLM\..\RunServices: [serpe] C:\WINDOWS\System32\serbw.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: AOL 8.0 Tray-Symbol.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.belkin.com
O16 - DPF: Ulster Bank AnyTime - https://anytime3.ulsterbank.com/asp/AnyTime.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {6FAB0E5B-8AE4-4A98-9C1E-C34305AC195A} (UniVoice Control) - http://www.webcamnow.com/voice/UniVoice.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7DBFDA8E-D33B-11D4-9269-00600868E56E} (WWWInstall Class) - http://go.securelive.com/speed/uk/WebInstall.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow.com/voice/voice.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6C149E8-B416-4660-B910-75708CD4FC4E}: NameServer = 205.188.146.145
O23 - Service: asurscsi - Voyetra Turtle Beach, Inc. - C:\Program Files\Voyetra\AudioSurgeon 5\asurscsi.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Tmesbs32 - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe

Posted by: mooch392

Can anyone please help me? My computer has gone mad and I need it for work. Any help would be greatly appreciated!!

Thanks,
Shane

Posted by: Lobos

Hi there, and welcome.

The following items are malware and must be fixed. The following explains how to remove items from your computer that are malware. These must be fixed now!

- You are running an out-of-date version of HijackThis; can you please download a new copy (there is a link in my signature), unzip it, and replace your existing copy with the new version.

- Please set your system to show all files; please see here (http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5) if you're unsure how to do this.

- Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr...://my.yahoo.com
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
  O1 - Hosts: 64.233.167.104 www.sophos.com
  O1 - Hosts: 64.233.167.104 www.mcafee.com
  O1 - Hosts: 64.233.167.104 www.viruslist.com
  O1 - Hosts: 64.233.167.104 www.f-secure.com
  O1 - Hosts: 64.233.167.104 www.avp.com
  O1 - Hosts: 64.233.167.104 www.kaspersky.com
  O1 - Hosts: 64.233.167.104 www.networkassociates.com
  O1 - Hosts: 64.233.167.104 www.ca.com
  O1 - Hosts: 64.233.167.104 www.my-etrust.com
  O1 - Hosts: 64.233.167.104 www.nai.com
  O1 - Hosts: 64.233.167.104 www.trendmicro.com
  O1 - Hosts: 64.233.167.104 www.grisoft.com
  O1 - Hosts: 64.233.167.104 sophos.com
  O1 - Hosts: 64.233.167.104 mcafee.com
  O1 - Hosts: 64.233.167.104 viruslist.com
  O1 - Hosts: 64.233.167.104 f-secure.com
  O1 - Hosts: 64.233.167.104 kaspersky.com
  O1 - Hosts: 64.233.167.104 kaspersky-labs.com
  O1 - Hosts: 64.233.167.104 avp.com
  O1 - Hosts: 64.233.167.104 networkassociates.com
  O1 - Hosts: 64.233.167.104 ca.com
  O1 - Hosts: 64.233.167.104 mast.mcafee.com
  O1 - Hosts: 64.233.167.104 my-etrust.com
  O1 - Hosts: 64.233.167.104 download.mcafee.com
  O1 - Hosts: 64.233.167.104 dispatch.mcafee.com
  O1 - Hosts: 64.233.167.104 secure.nai.com
  O1 - Hosts: 64.233.167.104 nai.com
  O1 - Hosts: 64.233.167.104 us.mcafee.com
  O1 - Hosts: 64.233.167.104 rads.mcafee.com
  O1 - Hosts: 64.233.167.104 trendmicro.com
  O1 - Hosts: 64.233.167.104 grisoft.com
  O1 - Hosts: 64.233.167.104 sandbox.norman.no
  O1 - Hosts: 64.233.167.104 www.pandasoftware.com
  O1 - Hosts: 64.233.167.104 uk.trendmicro-europe.com
  O1 - Hosts: 64.233.167.104 uk.trendmicro-europe.com
  O1 - Hosts: 64.233.167.104 uk.trendmicro-europe.com
  O4 - HKLM\..\Run: [winupdt] RUNDLL32.EXE c:\windows\pmickey32.dll,_mainRD
  O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
  O4 - HKLM\..\RunServices: [ltwob] C:\WINDOWS\System32\formatsys.exe
  O4 - HKLM\..\RunServices: [serpe] C:\WINDOWS\System32\serbw.exe
  O16 - DPF: {7DBFDA8E-D33B-11D4-9269-00600868E56E} (WWWInstall Class) - http://go.securelive.com/speed/uk/WebInstall.dll

  Click on Fix Checked when finished and exit HijackThis.

- Reboot into Safe Mode: please see here (http://www.xtra.co.nz/help/0,,6156-1377929,00.html#4) if you are not sure how to do this. Using Windows Explorer, locate the following files/folders, and delete them:

  C:\WINDOWS\System32\serbw.exe << This file
  C:\WINDOWS\System32\formatsys.exe << This file
  C:\WINDOWS\msmbw.exe << This file
  c:\windows\pmickey32.dll << This file

  Exit Explorer, and reboot as normal afterwards.

  If you were unable to find any of the files, then please follow these additional instructions: Download Pocket Killbox (http://www.bleepingcomputer.com/files/killbox.php) and unzip it; save it to your Desktop. Run it, and click the radio button that says "Delete a file on reboot". For each of the files you could not delete, paste them one at a time into the "full path of file to delete" box and click the red circle with a white cross in it. The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes. Let the system reboot.

Post back a fresh HijackThis log and we will take another look.
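The judgement Lobos applies by eye above rests on three patterns that can be scripted: a run of security-vendor hostnames all pointed at one address in the hosts file (O1), autorun values whose name bears no relation to the file they launch and whose file sits directly in the Windows directory, or that live under the RunServices key at all (O4), and, in the second log posted later in this thread, a ProxyServer entry pointing at an outside address (R1). The script below is an added example, not code from the thread or from HijackThis itself; it parses the O1, O4 and R1 line formats visible in the logs on this page. The sample lines are constructed from entries in the logs above, and the vendor keyword list, the cluster threshold and the name-mismatch heuristic are assumptions a reviewer would tune.

```python
# Added example: triage heuristics for HijackThis-style log lines.
# Not part of the thread or of HijackThis; thresholds and lists are assumptions.
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample modelled on entries from the logs in this thread.
SAMPLE_LOG = """\
Platform: Windows XP (WinNT 5.01.2600)
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 213.244.15.6:3128
O1 - Hosts: 64.233.167.104 www.sophos.com
O1 - Hosts: 64.233.167.104 www.mcafee.com
O1 - Hosts: 64.233.167.104 kaspersky.com
O1 - Hosts: 64.233.167.104 sandbox.norman.no
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
O4 - HKLM\\..\\Run: [winupdt] RUNDLL32.EXE c:\\windows\\pmickey32.dll,_mainRD
O4 - HKLM\\..\\RunServices: [avnort] C:\\WINDOWS\\msmbw.exe
O4 - HKLM\\..\\RunServices: [ltwob] C:\\WINDOWS\\System32\\formatsys.exe
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
R1_PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)")
# Quoted path, or an unquoted token, ending in .exe/.dll.
TARGET_RE = re.compile(r'"([^"]+\.(?:exe|dll))"|(\S+\.(?:exe|dll))', re.I)
# File directly in the Windows root or System32 (assumed drive-letter paths).
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?[^\\]+$", re.I)
# Assumed substrings identifying security-vendor domains; extend as needed.
VENDOR_MARKERS = ("sophos", "mcafee", "kaspersky", "f-secure", "avp.com",
                  "trendmicro", "grisoft", "norman", "pandasoftware", "nai.com",
                  "ca.com", "etrust", "viruslist", "networkassociates")


def hosts_redirects(lines, min_cluster=3):
    """O1: flag any vendor domain remapped, or a cluster of hosts sent to one non-blackhole IP."""
    by_ip = defaultdict(list)
    for line in lines:
        m = O1_RE.match(line)
        if m:
            by_ip[m["ip"]].append(m["host"].lower())
    findings = []
    for ip, hosts in by_ip.items():
        vendor_hosts = [h for h in hosts if any(k in h for k in VENDOR_MARKERS)]
        blackhole = ip in ("127.0.0.1", "0.0.0.0", "::1")
        if vendor_hosts or (len(hosts) >= min_cluster and not blackhole):
            findings.append({"type": "hosts_redirect", "ip": ip,
                             "hosts": hosts, "vendor_hosts": vendor_hosts})
    return findings


def _payload(cmd):
    """The file an O4 command really runs: a DLL handed to rundll32 beats the host exe."""
    targets = [a or b for a, b in TARGET_RE.findall(cmd)]
    dlls = [t for t in targets if t.lower().endswith(".dll")]
    return (dlls or targets or [""])[0]


def suspicious_autoruns(lines):
    """O4: RunServices entries, and Windows-dir files whose value name is unrelated to the filename."""
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        payload = _payload(m["cmd"])
        stem = payload.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
        name = m["name"].lower()
        name_stem = name.rsplit(".", 1)[0] if name.endswith((".exe", ".dll")) else name
        reasons = []
        if m["key"].lower() == "runservices":
            reasons.append("RunServices key (Win9x-era key; rarely written by legitimate XP software)")
        if WINDIR_RE.match(payload) and name_stem not in stem and stem not in name_stem:
            reasons.append("file in Windows dir under a value name unrelated to its filename")
        if reasons:
            findings.append({"type": "autorun", "name": m["name"],
                             "payload": payload, "reasons": reasons})
    return findings


def proxy_settings(lines):
    """R1: a system proxy that is neither loopback nor a private address deserves review."""
    findings = []
    for line in lines:
        m = R1_PROXY_RE.match(line)
        if not m:
            continue
        # Value may be "host:port" or "http=host:port;https=host:port".
        for part in m["proxy"].split(";"):
            hostport = part.split("=", 1)[-1]
            host = hostport.rsplit(":", 1)[0]
            try:
                addr = ip_address(host)
                local = addr.is_loopback or addr.is_private
            except ValueError:
                local = host.lower() == "localhost"
            if not local:
                findings.append({"type": "proxy", "proxy": hostport})
    return findings


def triage(log_text):
    """Run all three checks over a HijackThis log and return the findings by category."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    return {"hosts": hosts_redirects(lines),
            "autoruns": suspicious_autoruns(lines),
            "proxy": proxy_settings(lines)}


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(category, item)
```

The output is a review list, not a fix list: each finding names the entry and the reason it tripped, so the reviewer can confirm the file against the vendor's own description before choosing Fix Checked, which is how Lobos's reply is structured as well. The name-mismatch heuristic will produce false positives for software that uses a product name as the value name, which is why it is combined with the file's location rather than used on its own.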
Posted by: mooch392

Hi there, thanks a lot for taking time out to have a look at my problem. I went through the steps you gave me but I was unable to locate the files in safe mode, so I tried your other option with the "killbox" and I don't know if it made a difference. I have also noticed an unrecognised icon on my desktop that is called "thumbs" and it is kind of transparent; don't know if this helps. Anyway, here is my latest log.

Shane.

Logfile of HijackThis v1.99.1
Scan saved at 6:13:43 PM, on 4/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TDispVol.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL 8.0a\aoltray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Voyetra\AudioSurgeon 5\asurscsi.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\shane\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.244.15.6:3128
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\shane\Application Data\Mozilla\Profiles\default\wtz1i7sk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\shane\Application Data\Mozilla\Profiles\default\wtz1i7sk.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 03
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: AOL 8.0 Tray-Symbol.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.belkin.com
O16 - DPF: Ulster Bank AnyTime - https://anytime3.ulsterbank.com/asp/AnyTime.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {6FAB0E5B-8AE4-4A98-9C1E-C34305AC195A} (UniVoice Control) - http://www.webcamnow.com/voice/UniVoice.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow.com/voice/voice.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: asurscsi - Voyetra Turtle Beach, Inc. - C:\Program Files\Voyetra\AudioSurgeon 5\asurscsi.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Posted by: Lobos

I can't see anything in your log right now.

Please run these two online scans. Make sure they are set to clean automatically:

- TrendMicro's HouseCall (http://housecall.trendmicro.com/)
- ActiveScan (http://www.pandasoftware.com/activescan/)

You should try to delete any files that these scanners are unable to clean. Then let us know if it's working better and what the scans found. Then scan again with HijackThis and post another log.

Lobos

Posted by: Warez Monster

Remove entries at your own risk. There are a few things that were missed:

2.EXE running process. (2.EXE) Backdoor Trojan, example Win32/Aicau.Downloader. This is a nasty process! You should fix it and try to delete it manually! Probably safe! According to our database this process runs normally in c:\! Check if you know this process and arrange a virus check where required.

Entries found in this registry zone are potentially nasty. This application ([9394EDE7-C8B5-483E-8773-474BF36AF6E4] - Result: 9394EDE7-C8B5-483E-8773-474BF36AF6E4) has been checked.

O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
Unknown service. (Service (file missing)) Unnecessary (deactivated) entry that can be fixed.