
WinAntivirus Pro 2007

Discussion in 'Virus & Other Malware Removal' started by chavygravy18, Oct 11, 2007.

  1. chavygravy18

    chavygravy18 Thread Starter

    Joined:
    Oct 11, 2007
    Messages:
    4

    I have had WinAntiVirus Pro popups before and someone removed them, but now it's back again. They keep coming whenever I'm on the internet. I don't recall any known processes in my Task Manager that would be that, and it isn't installed on my computer. I've been looking around the internet for ways to get rid of them manually, but I think I need some more direct help to do this.

    I have HijackThis v2.0. Is there something else I should download, or anything specifically I should look for?

    Thanks a lot
     
  2. chavygravy18

    chavygravy18 Thread Starter

    Joined:
    Oct 11, 2007
    Messages:
    4
    I just ran a scan on HJT: Is there anything here I should delete?

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 9:14:12 PM, on 10/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ACS.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\svchost.exe
    c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Documents and Settings\Chavis\Desktop\HiJackThis_v2.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\rierkqym.dll
    O2 - BHO: (no name) - {D97D9770-7F15-4219-8C29-DBEF8AC6F2D7} - C:\WINDOWS\system32\awtsq.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\aictclmd.dll",sitypnow
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1188347172108
    O20 - Winlogon Notify: iifecbc - C:\WINDOWS\SYSTEM32\iifecbc.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    --
    End of file - 9060 bytes
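The question above, whether anything in the log should be deleted, is the kind of triage a helper does by eye. The Python below is an added example (not part of the thread, and not HijackThis's own code) that applies those heuristics to the log's own O2/O4/O20/O23 lines: unnamed BHOs loading DLLs from system32, Run keys that use rundll32 to load a system32 DLL, Winlogon Notify packages outside a known list, and services with no recognised owner. The known-good Winlogon Notify list and the flagging rules are assumptions made for the example.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not part of the forum thread. The rules below are our own
assumptions; they flag the entry types that the thread's later
SUPERAntiSpyware log confirmed as Vundo/WinFixer components.
"""
import re
from dataclasses import dataclass

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
SYSTEM32 = re.compile(r"\\windows\\system32\\", re.IGNORECASE)
DLL_IN_CMD = re.compile(r'"?([A-Za-z]:\\[^",]+\.dll)"?', re.IGNORECASE)

# Assumed allowlist of Winlogon Notify packages that are legitimate on XP.
# Constructed for this example; a real allowlist would be larger.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scardsvr", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "!saswinlogon"}

# Constructed sample: lines copied from the thread's HJT logs, plus clean ones.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\rierkqym.dll
O2 - BHO: (no name) - {D97D9770-7F15-4219-8C29-DBEF8AC6F2D7} - C:\WINDOWS\system32\awtsq.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\aictclmd.dll",sitypnow
O20 - Winlogon Notify: iifecbc - C:\WINDOWS\SYSTEM32\iifecbc.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    path: str
    registry_keys: tuple = ()


def bho_registry_keys(clsid):
    """Registry locations a BHO CLSID is wired into (the same keys the SAS log lists)."""
    return (
        f"HKCR\\CLSID\\{clsid}",
        f"HKCR\\CLSID\\{clsid}\\InprocServer32",
        "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
        f"\\Browser Helper Objects\\{clsid}",
    )


def triage_line(line):
    """Return a Finding for a suspicious HJT line, or None for clean/irrelevant lines."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None  # process list, headers, blank lines
    sec, body = m.group("sec"), m.group("body")
    if sec == "O2":
        b = BHO_RE.match(body)
        if b and b.group("name") == "(no name)" and SYSTEM32.search(b.group("path")):
            return Finding(sec, "unnamed BHO loading a DLL from system32",
                           b.group("path"), bho_registry_keys(b.group("clsid")))
    elif sec == "O4":
        r = RUN_RE.match(body)
        if r and r.group("cmd").lower().startswith("rundll32"):
            d = DLL_IN_CMD.search(r.group("cmd"))
            if d and SYSTEM32.search(d.group(1)):
                return Finding(sec, f"Run key [{r.group('key')}] loads a system32 DLL via rundll32",
                               d.group(1))
    elif sec == "O20":
        n = NOTIFY_RE.match(body)
        if n and n.group("name").lower() not in KNOWN_NOTIFY:
            return Finding(sec, "Winlogon Notify package not in the known-good list", n.group("path"))
    elif sec == "O23":
        s = SERVICE_RE.match(body)
        if s and s.group("owner") == "Unknown owner":
            return Finding(sec, f"service '{s.group('name')}' has no recognised owner (review only)",
                           s.group("path"))
    return None


def triage(log_text):
    """Run triage_line over a whole HJT log and keep the hits, in log order."""
    return [f for f in (triage_line(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.path}")
        for key in f.registry_keys:
            print(f"     related: {key}")
```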
     
  3. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

    Download this file:

    http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log.

    Note:
    Do not mouseclick combofix's window while it's running. That may cause it to stall.

    =====================
    Download Superantispyware (SAS) free home version

    http://www.superantispyware.com/superantispywarefreevspro.html

    Install it and double-click the icon on your desktop to run it.
    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.
    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others as they were.
    o Click the Close button to leave the control center screen.
    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.
    · After the scan is complete a summary box will appear. Click OK.
    · Make sure everything in the white box has a check next to it, then click Next.
    · It will quarantine what it found and if it asks if you want to reboot, click Yes.
    · To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
    · Click close and close again to exit the program.
    · Please paste that information here for me regardless of what it finds with a new HijackThis log.

    This will take some time!!!!!!!!
     
  4. chavygravy18

    chavygravy18 Thread Starter

    Joined:
    Oct 11, 2007
    Messages:
    4
    Thanks for the response,

    I downloaded ComboFix, and when I went to run the program all I got were error messages:

    Freeware implementation of REG.EXE has encountered a problem and needs to close.

    After several of those it left me an alert saying:

    Not Admin! Need Administrator privileges to run this tool.

    Any thoughts?

    Thanks again for the help
     
  5. chavygravy18

    chavygravy18 Thread Starter

    Joined:
    Oct 11, 2007
    Messages:
    4
    Sweet, everything worked out now,

    Here are the Log files:

    ComboFix 07-10-12.4 - Chavis 2007-10-11 23:28:31.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.93 [GMT -4:00]
    Running from: C:\Documents and Settings\Chavis\Desktop\ComboFix(3).exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\check_LSA7.txt
    C:\Program Files\ISM
    C:\temp\0c2
    C:\temp\0c2\tmpFF.log
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\temp\brr
    C:\temp\brr\tmpZTF.log
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\aictclmd.dll
    C:\WINDOWS\system32\b02FdUe
    C:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe
    C:\WINDOWS\system32\dmlctcia.ini
    C:\WINDOWS\system32\h1
    C:\WINDOWS\system32\p1
    C:\WINDOWS\system32\q21
    C:\WINDOWS\system32\qstwa.bak1
    C:\WINDOWS\system32\qstwa.bak1
    C:\WINDOWS\system32\qstwa.bak2
    C:\WINDOWS\system32\qstwa.bak2
    C:\WINDOWS\system32\qstwa.ini2
    C:\WINDOWS\system32\qstwa.ini2
    C:\WINDOWS\system32\qstwa.tmp
    C:\WINDOWS\system32\qstwa.tmp
    C:\WINDOWS\system32\win
    C:\WINDOWS\system32\X1
    C:\WINDOWS\system32\X11
    C:\WINDOWS\system32\X3
    C:\WINDOWS\system32\X3\wr725.exe
    C:\WINDOWS\system32\X7

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 203.-03-28 to 203.0.5.00 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2004-10-28 14:57 76 ---ha-w C:\Program Files\Desktop.ini
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-22 01:10]
    "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-26 19:43]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 19:00 C:\WINDOWS\agrsmmsg.exe]
    "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 20:46]
    "CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-05-06 17:12]
    "TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-03-15 15:17]
    "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 18:47]
    "CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2004-05-20 13:21]
    "Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2005-03-17 16:37]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59]
    "osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 03:11]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-11-02 16:41]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 07:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    R1 ECioctl;ECioctl;C:\WINDOWS\system32\Drivers\ECioctl.sys
    R1 SrvcEKIOMngr;SrvcEKIOMngr;C:\WINDOWS\system32\Drivers\EKIoMngr.sys
    R1 SrvcEPIOMngr;SrvcEPIOMngr;C:\WINDOWS\system32\Drivers\EPIoMngr.sys
    R1 SrvcSSIOMngr;SrvcSSIOMngr;C:\WINDOWS\system32\Drivers\SSIoMngr.sys
    R1 SrvcTPIOMngr;SrvcTPIOMngr;C:\WINDOWS\system32\Drivers\TPIoMngr.sys
    R3 EPOWER;Compal E-POWER Driver;C:\WINDOWS\system32\Drivers\hkdrv.sys
    S3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
    S3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
    S3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b668b13e-9821-11db-980e-009096cbb18d}]
    AutoRun\command - E:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-05 18:38:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-07-25 15:45:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1093459357.job"
    - C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
    "2007-10-09 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Chavis.job"
    - C:\Program Files\Norton AntiVirus\Navw32.exe
    "2007-09-17 16:07:00 C:\WINDOWS\Tasks\WebReg 20040825120759.job"
    - C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-11 23:38:11
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-11 23:41:06 - machine was rebooted
    .
    --- E O F ---


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 10/11/2007 at 11:17 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3323
    Trace Rules Database Version: 1324

    Scan type : Complete Scan
    Total Scan Time : 00:48:55

    Memory items scanned : 577
    Memory threats detected : 3
    Registry items scanned : 5931
    Registry threats detected : 37
    File items scanned : 36326
    File threats detected : 62

    Trojan.WinFixer
    C:\WINDOWS\SYSTEM32\AWTSQ.DLL
    C:\WINDOWS\SYSTEM32\AWTSQ.DLL
    HKLM\Software\Classes\CLSID\{D97D9770-7F15-4219-8C29-DBEF8AC6F2D7}
    HKCR\CLSID\{D97D9770-7F15-4219-8C29-DBEF8AC6F2D7}
    HKCR\CLSID\{D97D9770-7F15-4219-8C29-DBEF8AC6F2D7}\InprocServer32
    HKCR\CLSID\{D97D9770-7F15-4219-8C29-DBEF8AC6F2D7}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D97D9770-7F15-4219-8C29-DBEF8AC6F2D7}

    Adware.Vundo Variant
    C:\WINDOWS\SYSTEM32\IIFECBC.DLL
    C:\WINDOWS\SYSTEM32\IIFECBC.DLL
    HKLM\Software\Classes\CLSID\{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}
    HKCR\CLSID\{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}
    HKCR\CLSID\{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}\InprocServer32
    HKCR\CLSID\{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}\InprocServer32#ThreadingModel
    HKLM\Software\Classes\CLSID\{89AD4D75-2429-462e-BD4E-443F233F6033}
    HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}
    HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}\InprocServer32
    HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{89AD4D75-2429-462e-BD4E-443F233F6033}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\iifecbc
    HKCR\CLSID\{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}
    HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}

    Trojan.Downloader-NewJuan/VM
    C:\WINDOWS\SYSTEM32\RIERKQYM.DLL
    C:\WINDOWS\SYSTEM32\RIERKQYM.DLL

    Unclassified.Unknown Origin
    HKLM\Software\Classes\CLSID\{3C4C6E0B-89F0-4470-BBC8-6E958C92F712}
    HKCR\CLSID\{3C4C6E0B-89F0-4470-BBC8-6E958C92F712}
    HKCR\CLSID\{3C4C6E0B-89F0-4470-BBC8-6E958C92F712}
    HKCR\CLSID\{3C4C6E0B-89F0-4470-BBC8-6E958C92F712}\InProcServer32
    HKCR\CLSID\{3C4C6E0B-89F0-4470-BBC8-6E958C92F712}\InProcServer32#ThreadingModel
    C:\PROGRAM FILES\COMMON FILES\MESO83122.DLL
    HKLM\Software\Classes\CLSID\{B654D573-EB5F-45F8-BDD5-E1DF396B58BC}
    HKCR\CLSID\{B654D573-EB5F-45F8-BDD5-E1DF396B58BC}
    HKCR\CLSID\{B654D573-EB5F-45F8-BDD5-E1DF396B58BC}
    HKCR\CLSID\{B654D573-EB5F-45F8-BDD5-E1DF396B58BC}\InProcServer32
    HKCR\CLSID\{B654D573-EB5F-45F8-BDD5-E1DF396B58BC}\InProcServer32#ThreadingModel
    C:\PROGRAM FILES\COMMON FILES\MESO4444.DLL
    HKLM\Software\Classes\CLSID\{C3F43BBB-4C3F-48FA-9E1B-10A4567F44B8}
    HKCR\CLSID\{C3F43BBB-4C3F-48FA-9E1B-10A4567F44B8}
    HKCR\CLSID\{C3F43BBB-4C3F-48FA-9E1B-10A4567F44B8}
    HKCR\CLSID\{C3F43BBB-4C3F-48FA-9E1B-10A4567F44B8}\InProcServer32
    HKCR\CLSID\{C3F43BBB-4C3F-48FA-9E1B-10A4567F44B8}\InProcServer32#ThreadingModel

    Adware.Tracking Cookie

    Trojan.Security Toolbar
    C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url

    Trojan.Malware
    HKCR\NVideoCodek.Chl
    HKCR\NVideoCodek.Chl\CLSID

    Adware.IST/ISTBar (Slotch Bar)
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest

    Adware.AdSponsor/ISM
    HKU\S-1-5-21-4114752628-95263986-3184902215-1006\Software\BndDrive

    Trojan.Agent-Deinstall
    C:\DOCUMENTS AND SETTINGS\CHAVIS\LOCAL SETTINGS\TEMP\WAVESNET.EXE
    C:\WINDOWS\SYSTEM32\H1\WR12DRVER.EXE

    Adware.eZula
    C:\WINDOWS\SYSTEM32\GTACABMK.EXE

    Trojan.Unknown Origin
    C:\WINDOWS\SYSTEM32\Q21\ADED83122.EXE
    C:\WINDOWS\SYSTEM32\TS.ICO
    C:\WINDOWS\SYSTEM32\X1\KMHP83122.EXE
    C:\WINDOWS\TTC-4444.EXE

    Trojan.ZQuest-Installer
    C:\WINDOWS\TK58.EXE

    Trojan.Downloader-Gen/TSITRA
    C:\WINDOWS\TSITRA1000106.EXE
    C:\WINDOWS\TSITRA572.EXE

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 11:45:53 PM, on 10/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ACS.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\svchost.exe
    c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Documents and Settings\Chavis\Desktop\HiJackThis_v2.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1188347172108
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    --
    End of file - 8698 bytes
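The O4 (Run keys) and O23 (services) lines in a log like the one above are the usual first pass: what starts at logon and which services are installed. As an added example, not from this thread and not part of HijackThis, here is a small Python triage helper that parses those lines and flags entries worth a second look: targets marked "(file missing)", services with no publisher string, bare filenames with no directory, and binaries launched from a user-profile or temp location. The sample lines are constructed in the same format as the posted log; the entry named Updater is a hypothetical one added to exercise the temp-directory rule. A flag means "review this", not "this is malware": legitimate OEM tools (the Toshiba pinger entry, for instance) will also land outside Program Files.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the format of a HijackThis log (not the thread's log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\user\Local Settings\Temp\updater.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""


@dataclass
class Entry:
    section: str          # O4, O9, O23, ...
    name: str             # Run-key value name or service display name
    owner: Optional[str]  # O23 company string, None for other sections
    path: str             # executable path with quotes and arguments stripped
    raw: str              # original line, kept for the "(file missing)" marker


O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
GENERIC_RE = re.compile(r"^(O\d+) - (.*)$")

TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\", "%windir%\\")
TEMP_MARKERS = ("\\temp\\", "\\local settings\\", "\\application data\\",
                "\\temporary internet files\\")


def executable_path(target: str) -> str:
    """Return the executable part of a Run/Service target, dropping quotes and arguments."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    # Unquoted: take everything up to the first executable extension followed by whitespace/end.
    m = re.match(r"^(.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?:\s|$)", target, re.IGNORECASE)
    return m.group(1) if m else target.split(" ")[0]


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis O-line into an Entry; returns None for non-O lines."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        return Entry("O4", m.group(2), None, executable_path(m.group(3)), line)
    m = O23_RE.match(line)
    if m:
        return Entry("O23", m.group(1), m.group(2), executable_path(m.group(3)), line)
    m = GENERIC_RE.match(line)
    if m:
        # Other sections: the last " - " component is the target, the first is the label.
        target = m.group(2).rsplit(" - ", 1)[-1]
        return Entry(m.group(1), m.group(2).split(" - ")[0], None, executable_path(target), line)
    return None


def review(entry: Entry) -> List[str]:
    """Return the list of reasons this entry deserves a second look (empty if none)."""
    reasons: List[str] = []
    low = entry.path.lower()
    if "(file missing)" in entry.raw.lower():
        reasons.append("target file missing (orphaned entry)")
    if entry.owner is not None and entry.owner.lower() == "unknown owner":
        reasons.append("service binary has no publisher string")
    if "\\" not in entry.path:
        reasons.append("bare filename, no directory (resolved via PATH)")
    elif any(t in low for t in TEMP_MARKERS):
        reasons.append("runs from a user-profile/temp location")
    elif not low.startswith(TRUSTED_ROOTS):
        reasons.append("runs from outside Program Files / Windows")
    return reasons


def triage(log_text: str):
    """Parse every O-line and return [(section, name, reasons)] for flagged entries."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = review(entry)
        if reasons:
            findings.append((entry.section, entry.name, reasons))
    return findings


if __name__ == "__main__":
    for section, name, reasons in triage(SAMPLE_LOG):
        print(f"{section} [{name}]: {'; '.join(reasons)}")
```

Run as-is it prints three flagged entries from the constructed sample (the temp-directory Run key, the orphaned O9 button, and the service with no publisher) and stays silent on the Symantec and ctfmon entries. To use it on a real log, paste the O-lines into SAMPLE_LOG or read the file with open(); the rules are deliberately simple so they can be read and adjusted rather than trusted blindly.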
     
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014

Short URL to this thread: https://techguy.org/636828
