
Solved: different spywares infecting my system

Discussion in 'Virus & Other Malware Removal' started by harry-mountain, Oct 27, 2007.

  1. harry-mountain

    harry-mountain Thread Starter

    Joined:
    Oct 27, 2007
    Messages:
    11
    I think I have some spyware infecting my system. I had the B.S. 2.0 pop-ups coming up, but my desktop background did not change. I ran SmitFraudFix, but the report didn't say that it found anything. When I rebooted the system in normal mode it appeared that the B.S. 2.0 was gone, but now I have Internet Explorer pop-ups for a bunch of different crazy things like a "horror-fest" and a www.ewoss.net internet search for water skiing and for internet speed monitor. Please help me.
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi, Welcome to TSG!!


    Click here to download HJTInstall.exe
    • Save HJTInstall.exe to your desktop.
    • Doubleclick on the HJTInstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis .
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch Hijackthis.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
     
  3. harry-mountain

    harry-mountain Thread Starter

    Thank you for your response. Here's the log file:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:21:04, on 2007/11/04
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vmware-ufad.exe,
    O3 - Toolbar: AzbyClubツールバー(&A) - {3DB1C21B-A7E0-4C3F-B39E-E00DD8792D90} - C:\Program Files\@nifty toolbar\ntoolbar.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
    O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\IndicatorUtility\IndicatorUty.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Fujitsu Quick Touch\QuickTouch.exe
    O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    O4 - HKLM\..\Run: [PUSCKAPLEXE] C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCKAPLEXE.exe
    O4 - HKLM\..\Run: [LoadPUSCDaemon] C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCDaemon.exe
    O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
    O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
    O4 - HKLM\..\Run: [FMVランチャー] C:\fjuty\wallbtn\FMVLauncher.exe
    O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\chitose\updatenv.exe
    O4 - HKLM\..\Run: [WLANNER] "C:\Program Files\FUJITSU\Mr.WLANner\mwlanrun.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
    O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\tsitra27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
    O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
    O4 - HKLM\..\Run: [{37-75-5C-C8-ZN}] C:\windows\system32\kkdsrngk.exe CHD001
    O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe
    O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\pwinlldq.exe CHD001
    O4 - HKLM\..\Run: [vulsfafk] rundll32.exe "C:\Program Files\wrczovmt\kbqhcjsr.dll",Init
    O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
    O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
    O4 - HKLM\..\Run: [wttfjtvo] C:\Program Files\Ebxtmjzk\wttfjtvo.exe
    O4 - HKLM\..\Run: [vwvcrmde] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\vwvcrmde.dll"
    O4 - HKLM\..\Run: [04e37567] rundll32.exe "C:\WINDOWS\system32\tnivrtdh.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
    O8 - Extra context menu item: @nifty: @searchで検索 - res://C:\Program Files\@nifty toolbar\ntoolbar.dll/atsearch.htm
    O8 - Extra context menu item: @nifty: ページを日本語に翻訳 - res://C:\Program Files\@nifty toolbar\ntoolbar.dll/en_to_jp.htm
    O8 - Extra context menu item: @nifty: 選択範囲を日本語に翻訳 - res://C:\Program Files\@nifty toolbar\ntoolbar.dll/en_to_jp_txt.htm
    O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
    O9 - Extra 'Tools' menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
    O9 - Extra button: リサーチ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
    O17 - HKLM\System\CCS\Services\Tcpip\..\{154EAFD0-1405-4679-8817-F213C87FDB4F}: NameServer = 85.255.113.139,85.255.112.210
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2A4B8EDF-2141-4014-B8E6-29C2564E2D37}: NameServer = 85.255.113.139,85.255.112.210
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D6ABB75B-2609-4E40-ACCA-3C306E2486D5}: NameServer = 85.255.113.139,85.255.112.210
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D70D5BFC-0C22-4F33-80FA-B04574124D2B}: NameServer = 85.255.113.139,85.255.112.210
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E1174CD2-3D63-48F7-AABA-8B6BB7431586}: NameServer = 85.255.113.139,85.255.112.210
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.139 85.255.112.210
    O17 - HKLM\System\CS1\Services\Tcpip\..\{154EAFD0-1405-4679-8817-F213C87FDB4F}: NameServer = 85.255.113.139,85.255.112.210
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.139 85.255.112.210
    O18 - Protocol: msjwwdat - {BAAB02DC-913E-40AA-B9ED-8068DEE42CFA} - C:\Program Files\Microsoft Office\Home Style\JWW\JWWData.dll
    O21 - SSODL: htJFYtCUPcM - {04E375C9-AE49-DF63-1E48-30E24C07BDB6} - C:\WINDOWS\system32\sev.dll
    O21 - SSODL: PagingSYS - {009541A0-3B00-1F1C-00F3-040224001C01} - C:\Program Files\Common Files\PagingSYS.dll
    O23 - Service: Atheros 設定サービス (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ferrdrbg.exe
    O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
    O23 - Service: MS Internet Countermeasures Framework2b (ICF) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Security Service (IMVQ) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logicool Co., Ltd. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logicool Co., Ltd. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: Morrin Thumbnail Synchronized Service 5 (MrnTS_Sync5) - 株式会社モーリン - C:\Program Files\Common Files\Creoapp\MrnTS_Sync5.exe
    O23 - Service: MyMedia Server - DigiOn - C:\Program Files\Fujitsu\MyMedia\MyMedia Server Tool\MyMediaServer.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\WINDOWS\system32\o2flash.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: PSS Core - Matsushita Electric Industry Co., LTD. - C:\Program Files\Common Files\Panasonic\PSSCore.exe
    O23 - Service: PowerUtility Remote Power Management Service (putlrsrv) - FUJITSU LIMITED - C:\PROGRA~1\Fujitsu\POWERU~1\remote\PUTLRSRV.exe
    O23 - Service: Mr.WLANner Service (Xwlanner) - FUJITSU LIMITED - C:\Program Files\Fujitsu\Mr.WLANner\Xwlanner.exe

    --
    End of file - 9374 bytes
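Reading a HijackThis log like the one above by hand is error-prone, so here is a small triage script, added here as an example and not part of the thread or of HijackThis itself, that parses the F2/O4/O17/O23 lines and flags the patterns a responder scans for: extra programs chained into UserInit, autoruns launched from Temp or Application Data, rundll32/regsvr32 loading DLLs from outside system32, NameServer entries not in a resolver allowlist, a service binary stored as an alternate data stream, and svchost.exe outside system32. The sample lines are copied from the posted log; the allowlist address 192.168.1.1 and the rule set are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 format. The lines are copied from the
# log posted above; the jusched and iPod Service entries are benign controls.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vmware-ufad.exe,
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [vulsfafk] rundll32.exe "C:\Program Files\wrczovmt\kbqhcjsr.dll",Init
O4 - HKLM\..\Run: [vwvcrmde] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\vwvcrmde.dll"
O4 - HKLM\..\Run: [04e37567] rundll32.exe "C:\WINDOWS\system32\tnivrtdh.dll",b
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.139 85.255.112.210
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Security Service (IMVQ) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<val>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.*?): NameServer = (?P<servers>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\]+$")  # a second ':' after the drive = ADS
LOADERS = ("rundll32", "regsvr32")
TRANSIENT_DIRS = ("\\temp\\", "\\application data\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def check_f2(m):
    # Winlogon runs every comma-separated entry at logon; only userinit.exe belongs there.
    entries = [e.strip() for e in m.group("val").split(",") if e.strip()]
    extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
    return "UserInit chain runs extra programs at logon: " + ", ".join(extra) if extra else None


def check_o4(m):
    cmd = m.group("cmd")
    low = cmd.lower().lstrip()
    if any(d in low for d in TRANSIENT_DIRS):
        return "autorun launched from a Temp or Application Data directory"
    if low.startswith(LOADERS):
        dm = DLL_RE.search(cmd)
        dll = (dm.group(1) or dm.group(2)) if dm else ""
        if dll and "\\windows\\system32\\" not in dll.lower():
            return "rundll32/regsvr32 loading a DLL from outside system32"
    return None


def check_o17(m, allowed):
    # HijackThis separates servers with a comma or a space depending on the key.
    servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
    rogue = [s for s in servers if s not in allowed]
    return "NameServer set to resolvers not in the allowlist: " + ", ".join(rogue) if rogue else None


def check_o23(m):
    path = m.group("path").strip()
    low = path.lower()
    if ADS_RE.match(path):
        return "service binary stored as an alternate data stream of another file"
    if low.rsplit("\\", 1)[-1] == "svchost.exe" and low != "c:\\windows\\system32\\svchost.exe":
        return "svchost.exe running from a non-standard directory"
    if m.group("owner") == "Unknown owner" and "\\windows\\" in low:
        return "service with no publisher inside the Windows directory"
    return None


def scan_hjt_log(text, allowed_nameservers):
    """Return a Finding for every F2/O4/O17/O23 line that trips one of the rules above."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := F2_RE.match(line):
            section, reason = "F2", check_f2(m)
        elif m := O4_RE.match(line):
            section, reason = "O4", check_o4(m)
        elif m := O17_RE.match(line):
            section, reason = "O17", check_o17(m, allowed_nameservers)
        elif m := O23_RE.match(line):
            section, reason = "O23", check_o23(m)
        else:
            continue
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    # Assumed allowlist: the resolver the owner's router or ISP actually hands out.
    for f in scan_hjt_log(SAMPLE_LOG, allowed_nameservers={"192.168.1.1"}):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Location-based rules deliberately miss entries such as the [04e37567] rundll32 line, whose DLL sits in system32, so treat the output as a triage aid rather than a verdict.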
     
  4. cybertech

    cybertech Retired Moderator

    This machine is a mess. The best thing to do is copy your data to a CD or thumb drive and do a full format and reload.

    Should you decide to attempt cleaning it here are some steps.

    I don't see any anti-virus software running.
    Load AVG (http://free.grisoft.com/freeweb.php/doc/2/); it's free.


    Please print these instructions for reference, as you will have to restart your computer during the fix.

    Please download FixWareout from Here or Here.

    Note: You will need to run this tool while having an Internet Connection. The tool will download other files while running.
    1. Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    2. The fix will begin; follow the prompts.
    3. If your firewall gives an alert (because this tool will download additional files from the internet), please don't let your firewall block it, but allow it instead.
    4. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
    5. Once the desktop loads a text file will open (report.txt).
       Please post the contents of C:\fixwareout\report.txt in your next reply.


    Download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    NOTE: if you have downloaded VundoFix before delete that version and download it again.


    Download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    --------------------------------------------------------------------
    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
     
  5. harry-mountain

    harry-mountain Thread Starter

    Here's the log from FixWareout:

    System was rebooted successfully.

    ~~~~~ Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "system"=""
    ....
    ....
    ~~~~~ Misc files.
    C:\WINDOWS\System32\atmtd.dll Deleted
    C:\WINDOWS\System32\atmtd.dll._ Deleted
    ....
    ~~~~~ Checking for older varients.
    ....
    ~~~~~ Other
    C:\WINDOWS\Temp\kdjny.ren 75841 2007/06/13

    ~~~~~ Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
    "PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
    "PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
    "LoadFUJ02E3"="C:\\Program Files\\Fujitsu\\FUJ02E3\\FUJ02E3.exe"
    "igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
    "RTHDCPL"="RTHDCPL.EXE"
    "SkyTel"="SkyTel.EXE"
    "Alcmtr"="ALCMTR.EXE"
    "AGRSMMSG"="AGRSMMSG.exe"
    "Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
    "ATSwpNav"="\"C:\\Program Files\\Fingerprint Sensor\\ATSwpNav\" -run"
    "IndicatorUtility"="C:\\Program Files\\Fujitsu\\IndicatorUtility\\IndicatorUty.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
    "LoadFujitsuQuickTouch"="C:\\Program Files\\Fujitsu\\Fujitsu Quick Touch\\QuickTouch.exe"
    "LoadBtnHnd"="C:\\Program Files\\Fujitsu\\BtnHnd\\BtnHnd.exe"
    "PUSCKAPLEXE"="C:\\Program Files\\Fujitsu\\PowerUtility\\schedule\\PUSCKAPLEXE.exe"
    "LoadPUSCDaemon"="C:\\Program Files\\Fujitsu\\PowerUtility\\schedule\\PUSCDaemon.exe"
    "IMJPMIG9.0"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\IME\\IMJP9\\IMJPMIG.EXE /Preload /Migration32"
    "OmniPass"="C:\\Program Files\\Softex\\OmniPass\\scureapp.exe"
    "FMVランチャー"="C:\\fjuty\\wallbtn\\FMVLauncher.exe"
    "FJUPDNV_Chitose"="C:\\Program Files\\Fujitsu\\chitose\\updatenv.exe"
    "WLANNER"="\"C:\\Program Files\\FUJITSU\\Mr.WLANner\\mwlanrun.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "LogitechCommunicationsManager"="\"C:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\Communications_Helper.exe\""
    "LogitechQuickCamRibbon"="\"C:\\Program Files\\Logitech\\QuickCam10\\QuickCam10.exe\" /hide"
    "winshow"="\"C:\\WINDOWS\\winshow.exe\""
    "runner1"="C:\\WINDOWS\\tsitra27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A"
    "plite731"="C:\\WINDOWS\\plite731.exe"
    "{37-75-5C-C8-ZN}"="C:\\windows\\system32\\kkdsrngk.exe CHD001"
    "SystemSv12"="C:\\WINDOWS\\system32\\newmaxxsv234.exe"
    "spoolsvv"="C:\\WINDOWS\\system32\\spoolsvv.exe"
    "ExploreUpdSched"="C:\\WINDOWS\\system32\\pwinlldq.exe CHD001"
    "vulsfafk"="rundll32.exe \"C:\\Program Files\\wrczovmt\\kbqhcjsr.dll\",Init"
    "startdrv"="C:\\WINDOWS\\Temp\\startdrv.exe"
    "SC2"="C:\\Program Files\\SecCenter\\scprot4.exe"
    "wttfjtvo"="C:\\Program Files\\Ebxtmjzk\\wttfjtvo.exe"
    "vwvcrmde"="regsvr32 /u \"C:\\Documents and Settings\\All Users\\Application Data\\vwvcrmde.dll\""
    "04e37567"="rundll32.exe \"C:\\WINDOWS\\system32\\tnivrtdh.dll\",b"
    "UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
    6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it...
    ~~~~~ End report ~~~~~
     
  6. harry-mountain

    harry-mountain Thread Starter

    Here's the log from VundoFix:


    VundoFix V6.5.11

    Checking Java version...

    Java version is 1.5.0.7
    Old versions of java are exploitable and should be removed.

    Scan started at 16:06:43 2007/11/04

    Listing files found while scanning....

    No infected files were found.


    PLEASE NOTE that I was having significant trouble with getting the programs to work appropriately in normal mode, so I had to switch to safe mode. In safe mode I couldn't open the logs created in normal mode. I had run VundoFix prior to this in normal mode and it had found two files that it erased, but when I reran it in safe mode the new log that found nothing replaced the old log that showed that it had found and removed 2 files.
     
  7. harry-mountain

    harry-mountain Thread Starter

    Here is the HijackThis log from after VundoFix:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:16:11, on 2007/11/04
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\spoolzv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vmware-ufad.exe,C:\WINDOWS\system32\vmware-ufad.exe,C:\WINDOWS\system32\codeblocks.exe,C:\WINDOWS\system32\makehm.exe,C:\WINDOWS\system32\windres.exe,
    O3 - Toolbar: AzbyClubツールバー(&A) - {3DB1C21B-A7E0-4C3F-B39E-E00DD8792D90} - C:\Program Files\@nifty toolbar\ntoolbar.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
    O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\IndicatorUtility\IndicatorUty.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Fujitsu Quick Touch\QuickTouch.exe
    O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    O4 - HKLM\..\Run: [PUSCKAPLEXE] C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCKAPLEXE.exe
    O4 - HKLM\..\Run: [LoadPUSCDaemon] C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCDaemon.exe
    O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
    O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
    O4 - HKLM\..\Run: [FMVランチャー] C:\fjuty\wallbtn\FMVLauncher.exe
    O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\chitose\updatenv.exe
    O4 - HKLM\..\Run: [WLANNER] "C:\Program Files\FUJITSU\Mr.WLANner\mwlanrun.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
    O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\tsitra27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
    O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
    O4 - HKLM\..\Run: [{37-75-5C-C8-ZN}] C:\windows\system32\kkdsrngk.exe CHD001
    O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe
    O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\pwinlldq.exe CHD001
    O4 - HKLM\..\Run: [vulsfafk] rundll32.exe "C:\Program Files\wrczovmt\kbqhcjsr.dll",Init
    O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
    O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
    O4 - HKLM\..\Run: [wttfjtvo] C:\Program Files\Ebxtmjzk\wttfjtvo.exe
    O4 - HKLM\..\Run: [vwvcrmde] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\vwvcrmde.dll"
    O4 - HKLM\..\Run: [04e37567] rundll32.exe "C:\WINDOWS\system32\tnivrtdh.dll",b
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
    O8 - Extra context menu item: @nifty: @searchで検索 - res://C:\Program Files\@nifty toolbar\ntoolbar.dll/atsearch.htm
    O8 - Extra context menu item: @nifty: ページを日本語に翻訳 - res://C:\Program Files\@nifty toolbar\ntoolbar.dll/en_to_jp.htm
    O8 - Extra context menu item: @nifty: 選択範囲を日本語に翻訳 - res://C:\Program Files\@nifty toolbar\ntoolbar.dll/en_to_jp_txt.htm
    O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
    O9 - Extra 'Tools' menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
    O9 - Extra button: リサーチ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
    O18 - Protocol: msjwwdat - {BAAB02DC-913E-40AA-B9ED-8068DEE42CFA} - C:\Program Files\Microsoft Office\Home Style\JWW\JWWData.dll
    O21 - SSODL: htJFYtCUPcM - {04E375C9-AE49-DF63-1E48-30E24C07BDB6} - C:\WINDOWS\system32\sev.dll
    O21 - SSODL: PagingSYS - {009541A0-3B00-1F1C-00F3-040224001C01} - C:\Program Files\Common Files\PagingSYS.dll
    O23 - Service: Atheros 設定サービス (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ferrdrbg.exe
    O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
    O23 - Service: MS Internet Countermeasures Framework2b (ICF) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Security Service (IMVQ) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logicool Co., Ltd. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logicool Co., Ltd. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: Morrin Thumbnail Synchronized Service 5 (MrnTS_Sync5) - 株式会社モーリン - C:\Program Files\Common Files\Creoapp\MrnTS_Sync5.exe
    O23 - Service: MyMedia Server - DigiOn - C:\Program Files\Fujitsu\MyMedia\MyMedia Server Tool\MyMediaServer.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\WINDOWS\system32\o2flash.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: PSS Core - Matsushita Electric Industry Co., LTD. - C:\Program Files\Common Files\Panasonic\PSSCore.exe
    O23 - Service: PowerUtility Remote Power Management Service (putlrsrv) - FUJITSU LIMITED - C:\PROGRA~1\Fujitsu\POWERU~1\remote\PUTLRSRV.exe
    O23 - Service: Mr.WLANner Service (Xwlanner) - FUJITSU LIMITED - C:\Program Files\Fujitsu\Mr.WLANner\Xwlanner.exe

    --
    End of file - 8416 bytes
     
  8. harry-mountain

    harry-mountain Thread Starter

    I'm sorry, I found a copy of the VundoFix file showing the 2 deleted files:

    VundoFix V6.5.11

    Checking Java version...

    Java version is 1.5.0.7
    Old versions of java are exploitable and should be removed.

    Scan started at 7:07:02 2007/11/04

    Listing files found while scanning....

    C:\WINDOWS\system32\cavskowd.dll
    C:\WINDOWS\system32\ssqnkkl.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\cavskowd.dll
    C:\WINDOWS\system32\cavskowd.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ssqnkkl.dll
    C:\WINDOWS\system32\ssqnkkl.dll Has been deleted!

    Performing Repairs to the registry.
    Done!
     
  9. harry-mountain

    harry-mountain Thread Starter

    Here's the ComboFix log:

    ComboFix 07-11-01.1** - Administrator 2007-11-04 16:20:19.1 - NTFSx86 NETWORK
    Microsoft Windows XP Home Edition 5.1.2600.2.932.1.1041.18.285 [GMT 9:00]
    Running from: E:\ComboFix.exe
    .
    ADS - svchost.exe: deleted 73728 bytes in 2 streams.
     
  10. harry-mountain

    harry-mountain Thread Starter

    Here's the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:42:08, on 2007/11/04
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    C:\WINDOWS\system32\svcd\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\Creoapp\MrnTS_Sync5.exe
    C:\Program Files\Fujitsu\MyMedia\MyMedia Server Tool\MyMediaServer.exe
    C:\WINDOWS\system32\o2flash.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\Program Files\Common Files\Panasonic\PSSCore.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Fujitsu\Mr.WLANner\Xwlanner.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
    C:\Program Files\Fujitsu\IndicatorUtility\IndicatorUty.exe
    C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    C:\Program Files\Fujitsu\Fujitsu Quick Touch\QuickTouch.exe
    C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCKAPLEXE.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCDaemon.exe
    C:\Program Files\Softex\OmniPass\scureapp.exe
    C:\Program Files\Fujitsu\chitose\updatenv.exe
    C:\Program Files\FUJITSU\Mr.WLANner\mwlanrun.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
    C:\Program Files\Apoint2K\HidFind.exe
    C:\WINDOWS\plite731.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\windows\system32\kkdsrngk.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Ebxtmjzk\wttfjtvo.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\cssrss.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Web Buying\v1.8.5\webbuying.exe
    C:\PROGRA~1\COMMON~1\ASEMBL~1\winword.exe
    C:\Documents and Settings\Owner\My Documents\Αdobe\еxplorer.exe
    C:\Program Files\WinAble\winable.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogon.exe
    C:\WINDOWS\system32\pwinlldq.exe
    C:\PROGRA~1\COMMON~1\kuzz\kuzzm.exe
    C:\Program Files\QdrModule\QdrModule9.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\4.tmp
    C:\DOCUME~1\Owner\LOCALS~1\Temp\15.tmp
    C:\Program Files\Fujitsu\EzRedo\clockexes\Clock15\EzClock.exe
    C:\Program Files\Fujitsu\EzRedo\clockexes\Clock15\EzClockC.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
    C:\PROGRA~1\@NIFTY~1\localsrv.exe
    C:\Program Files\Windows Live Toolbar\msn_sl.exe
    C:\PROGRA~1\@NIFTY~1\CommSrv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vmware-ufad.exe,C:\WINDOWS\system32\vmware-ufad.exe,C:\WINDOWS\system32\codeblocks.exe,C:\WINDOWS\system32\makehm.exe,C:\WINDOWS\system32\windres.exe,
    O3 - Toolbar: AzbyClubツールバー(&A) - {3DB1C21B-A7E0-4C3F-B39E-E00DD8792D90} - C:\Program Files\@nifty toolbar\ntoolbar.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
    O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\IndicatorUtility\IndicatorUty.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Fujitsu Quick Touch\QuickTouch.exe
    O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    O4 - HKLM\..\Run: [PUSCKAPLEXE] C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCKAPLEXE.exe
    O4 - HKLM\..\Run: [LoadPUSCDaemon] C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCDaemon.exe
    O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
    O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
    O4 - HKLM\..\Run: [FMVランチャー] C:\fjuty\wallbtn\FMVLauncher.exe
    O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\chitose\updatenv.exe
    O4 - HKLM\..\Run: [WLANNER] "C:\Program Files\FUJITSU\Mr.WLANner\mwlanrun.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
    O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
    O4 - HKLM\..\Run: [{37-75-5C-C8-ZN}] C:\windows\system32\kkdsrngk.exe CHD001
    O4 - HKLM\..\Run: [vulsfafk] rundll32.exe "C:\Program Files\wrczovmt\kbqhcjsr.dll",Init
    O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
    O4 - HKLM\..\Run: [wttfjtvo] C:\Program Files\Ebxtmjzk\wttfjtvo.exe
    O4 - HKLM\..\Run: [vwvcrmde] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\vwvcrmde.dll"
    O4 - HKLM\..\Run: [04e37567] rundll32.exe "C:\WINDOWS\system32\tnivrtdh.dll",b
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\pwinlldq.exe CHD001
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
    O4 - HKCU\..\Run: [Otse] "C:\PROGRA~1\COMMON~1\ASEMBL~1\winword.exe" -vt yazb
    O4 - HKCU\..\Run: [Idaadv] "C:\Documents and Settings\Owner\My Documents\Αdobe\еxplorer.exe"
    O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - HKCU\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe
    O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe
    O4 - HKCU\..\Run: [noskrnl] C:\WINDOWS\noskrnl.exe
    O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogon.exe
    O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
    O4 - HKCU\..\Run: [kuzz] C:\PROGRA~1\COMMON~1\kuzz\kuzzm.exe
    O4 - HKCU\..\Run: [QdrModule9] "C:\Program Files\QdrModule\QdrModule9.exe"
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: @nifty: @searchで検索 - res://C:\Program Files\@nifty toolbar\ntoolbar.dll/atsearch.htm
    O8 - Extra context menu item: @nifty: ページを日本語に翻訳 - res://C:\Program Files\@nifty toolbar\ntoolbar.dll/en_to_jp.htm
    O8 - Extra context menu item: @nifty: 選択範囲を日本語に翻訳 - res://C:\Program Files\@nifty toolbar\ntoolbar.dll/en_to_jp_txt.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: 新しいバックグラウンドのタブで開く - res://C:\Program Files\Windows Live Toolbar\Components\ja-jp\msntabres.dll.mui/229?55f5e5e799de486fb4d77ece52d1f882
    O8 - Extra context menu item: 新規作成した最前面のタブ内で開く - res://C:\Program Files\Windows Live Toolbar\Components\ja-jp\msntabres.dll.mui/230?55f5e5e799de486fb4d77ece52d1f882
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra button: リサーチ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
    O18 - Protocol: msjwwdat - {BAAB02DC-913E-40AA-B9ED-8068DEE42CFA} - C:\Program Files\Microsoft Office\Home Style\JWW\JWWData.dll
    O21 - SSODL: htJFYtCUPcM - {04E375C9-AE49-DF63-1E48-30E24C07BDB6} - C:\WINDOWS\system32\sev.dll
    O23 - Service: Atheros 設定サービス (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Security Service (IMVQ) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logicool Co., Ltd. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logicool Co., Ltd. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: Morrin Thumbnail Synchronized Service 5 (MrnTS_Sync5) - 株式会社モーリン - C:\Program Files\Common Files\Creoapp\MrnTS_Sync5.exe
    O23 - Service: MyMedia Server - DigiOn - C:\Program Files\Fujitsu\MyMedia\MyMedia Server Tool\MyMediaServer.exe
    O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\WINDOWS\system32\o2flash.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: PSS Core - Matsushita Electric Industry Co., LTD. - C:\Program Files\Common Files\Panasonic\PSSCore.exe
    O23 - Service: PowerUtility Remote Power Management Service (putlrsrv) - FUJITSU LIMITED - C:\PROGRA~1\Fujitsu\POWERU~1\remote\PUTLRSRV.exe
    O23 - Service: Mr.WLANner Service (Xwlanner) - FUJITSU LIMITED - C:\Program Files\Fujitsu\Mr.WLANner\Xwlanner.exe

    --
    End of file - 12092 bytes
     
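The log above is the whole diagnostic, so here is what a helper reads out of it, as an added example that is not part of this thread and not a Trend Micro or TSG tool: a Python triage script that encodes the checks applied by eye (programs started from Temp or other user-writable folders, core Windows binaries running from the wrong directory such as system32\svcd\svchost.exe, names one edit away from a core binary such as cssrss.exe, Greek or Cyrillic letters posing as Latin ones in a path, and an F2 UserInit value that starts more than userinit.exe). The rule names, the expected-directory table and the writable-folder list are my assumptions for a default Windows XP install; the sample input is a constructed subset of the posted log, with the Αdobe\еxplorer.exe entry rebuilt from explicit escapes because its first letters are GREEK CAPITAL LETTER ALPHA and CYRILLIC SMALL LETTER IE.

```python
"""HijackThis log triage heuristics (added example; not a Trend Micro or TSG tool)."""
import ntpath
import re
import unicodedata
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (rule, path, detail)

# Assumption: default Windows XP layout. Core binaries and the one directory
# each should run from, lower-cased for comparison.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32", "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32", "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32", "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32", "userinit.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Folders an unprivileged user can write to; autostart entries here deserve a look.
WRITABLE_LOCATIONS = (r"\locals~1\temp", r"\local settings\temp", r"\windows\temp",
                      r"\application data", r"\my documents")
# First executable-looking path in a log entry; a quote or comma ends it.
PATH_RE = re.compile(r'([A-Za-z]:\\[^",]*?\.(?:exe|dll|tmp))', re.IGNORECASE)
USERINIT_OK = r"c:\windows\system32\userinit.exe"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 means one character added, dropped or swapped."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def homoglyphs(path: str) -> List[str]:
    """Unicode names of Greek/Cyrillic letters in a path. CJK is ignored on
    purpose: this is a Japanese Fujitsu laptop, so Japanese folder names are normal."""
    names = [unicodedata.name(ch, "") for ch in path if ord(ch) > 127]
    return [n for n in names if n.startswith(("GREEK", "CYRILLIC"))]


def check_path(path: str) -> List[Finding]:
    findings: List[Finding] = []
    lower = path.lower()
    directory, name = ntpath.dirname(lower), ntpath.basename(lower)
    if any(frag in lower for frag in WRITABLE_LOCATIONS):
        findings.append(("user-writable-location", path, "autostart from a user-writable folder"))
    glyphs = homoglyphs(path)
    if glyphs:
        findings.append(("homoglyph-in-path", path, ", ".join(glyphs)))
    if name in EXPECTED_DIR:
        if directory != EXPECTED_DIR[name]:
            findings.append(("core-binary-outside-system-dir", path, f"expected in {EXPECTED_DIR[name]}"))
    else:
        for core in EXPECTED_DIR:  # cssrss.exe or a homoglyph explorer.exe: one edit from a real name
            if edit_distance(name, core) == 1:
                findings.append(("lookalike-of-core-binary", path, f"one edit away from {core}"))
    return findings


def check_userinit(entry: str) -> List[Finding]:
    """The F2 UserInit value should name only userinit.exe; anything else runs at every logon."""
    value = entry.split("UserInit=", 1)[1]
    return [("userinit-extra-program", p.strip(), "started at every interactive logon")
            for p in value.split(",") if p.strip() and p.strip().lower() != USERINIT_OK]


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if "UserInit=" in line:
            findings.extend(check_userinit(line))
        else:
            m = PATH_RE.search(line)
            if m:
                findings.extend(check_path(m.group(1)))
    return findings


# Constructed sample: a subset of the log posted above. The Adobe\explorer.exe
# entry is built from escapes because its first letters are GREEK CAPITAL LETTER
# ALPHA and CYRILLIC SMALL LETTER IE, which look like Latin A and e on screen.
HOMOGLYPH_PATH = "C:\\Documents and Settings\\Owner\\My Documents\\\u0391dobe\\\u0435xplorer.exe"
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svcd\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cssrss.exe
{HOMOGLYPH}
C:\DOCUME~1\Owner\LOCALS~1\Temp\4.tmp
C:\Program Files\iTunes\iTunesHelper.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vmware-ufad.exe,C:\WINDOWS\system32\codeblocks.exe,
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [vwvcrmde] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\vwvcrmde.dll"
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogon.exe
O23 - Service: Security Service (IMVQ) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
""".replace("{HOMOGLYPH}", HOMOGLYPH_PATH)

if __name__ == "__main__":
    for rule, path, detail in triage(SAMPLE_LOG):
        print(f"{rule:32} {path}  ({detail})")
```

Run it as-is to see the findings on the sample, or pass a saved log's text to `triage()`. The heuristics are deliberately narrow: they say nothing about the randomly named entries such as kbqhcjsr.dll or QdrModule9.exe, which is why the helpers here still read the whole log rather than trusting a scanner alone.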
  11. harry-mountain

    harry-mountain Thread Starter

    Joined:
    Oct 27, 2007
    Messages:
    11
    I'm also still having major problems with Internet Explorer. It will automatically open undesired pages and/or shut down all open windows (including the one I may be typing into) at any given moment. It took me numerous attempts to try and get this info into the forum. So thank you again for your help.
     
  12. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I don't see any anti-virus software running.
    Load AVG http://free.grisoft.com/freeweb.php/doc/2/ it's free.


    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • Open the c:\SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer than normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


    Click here to download Dr.Web CureIt and save it to your desktop.
    • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, look if you can click the next icon next to the files found: (screenshot)
    • If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image: (screenshot)
      This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (in case we need samples).
    • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Reboot your computer, because files that are in use may only be moved or deleted during the reboot.
    • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new Hijack This log.
     
  13. harry-mountain

    harry-mountain Thread Starter

    Joined:
    Oct 27, 2007
    Messages:
    11
    Thank you for your help. I did a full reformat and reload and purchased Norton. Everything is running perfectly now.
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Good choice! Thanks for letting me know.
     
Short URL to this thread: https://techguy.org/644365