Security >> HijackThis logs help and analysis
rockwiz
new user


Reg'd: Thu
Posts: 6
conhook.d removal - please help
      #392536 - Thu Apr 24 2008 12:33 AM

I apologize for using the same thread.. but I've had the same problem and followed the same procedure.. unfortunately, I haven't been able to move past the administrative issues. It seems like the spyware has been removed as I'm not getting any more problems with the laptop.. but I cannot fix the administrative issues anymore, and cannot save any files in restrictive directories like Program Files.

Can you help?

Here is my latest HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:35:39, on 2008-04-23
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shoptoshiba.ca/welcome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [HWSetup] \HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.montrealwebcam.com
O16 - DPF: {597F9140-0DC6-4657-A162-76EC0E7AEE81} (ActiveBroadcast Control) - http://www.meetstream.com/activex/28081/activebroadcast.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
O16 - DPF: {BFD90062-6B5E-4F8F-87B1-5F022C14E32F} (ActiveReceiver Control) - http://www.meetstream.com/activex/28081/activereceiver.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FA30EC32-668B-4B60-B13C-4C84EB90C3C9} (ActiveID Control) - http://www.meetstream.com/activex/28081/activeid.cab
O18 - Protocol: intu-ir2007 - {52BAEC6B-9405-46F9-A131-6D50720A3CC4} - C:\Program Files\ImpotRapide 2007\ic2007pp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9487 bytes



And this was the last ComboFix log:

ComboFix 08-04-22.5 - Marco 2008-04-23 19:05:20.3 - NTFSx86
Microsoft® Windows Vista™ Édition Familiale Premium 6.0.6000.0.1252.1.1036.18.1220 [GMT -4:00]
Endroit: C:\Users\Marco\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((( Fichiers créés 2008-03-23 to 2008-04-23 ))))))))))))))))))))))))))))))))))))
.

Pas de nouveau fichier créé dans cet espace de temps

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 20:46 --------- d-----w C:\Program Files\Trend Micro
2008-04-20 19:46 --------- d-----w C:\Users\Marco\AppData\Roaming\mIRC
2008-04-19 19:35 --------- d-----w C:\Users\Marco\AppData\Roaming\LimeWire
2008-04-18 22:00 --------- d-----w C:\Program Files\NeroInstall.bak
2008-04-18 21:59 --------- d-----w C:\Users\Marco\AppData\Roaming\Nero
2008-04-18 21:58 --------- d-----w C:\Program Files\Common Files\Nero
2008-04-18 21:56 --------- d-----w C:\ProgramData\Nero
2008-04-18 21:56 --------- d-----w C:\Program Files\Nero
2008-04-18 21:04 --------- d-----w C:\Program Files\ImpotRapide 2007
2008-04-18 13:02 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-04-18 04:29 --------- d-----w C:\Users\Martine\AppData\Roaming\ATI
2008-04-18 02:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 02:27 --------- d-----w C:\Program Files\WON
2008-04-18 02:19 --------- d-----w C:\ProgramData\Apple Computer
2008-04-18 02:19 --------- d-----w C:\Program Files\QuickTime
2008-04-18 02:18 --------- d-----w C:\ProgramData\Apple
2008-04-18 02:18 --------- d-----w C:\Program Files\Apple Software Update
2008-04-18 01:56 --------- d-----w C:\Users\Marco\AppData\Roaming\Lavasoft
2008-04-18 01:38 --------- d-----w C:\Program Files\Lavasoft RegHance
2008-04-18 01:37 --------- d-----w C:\Program Files\Lavasoft
2008-04-18 01:33 --------- d-----w C:\Program Files\LimeWire
2008-04-18 01:32 --------- d-----w C:\Program Files\mIRC
2008-04-18 01:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-18 01:18 --------- d-----w C:\Program Files\Writer's Cafe
2008-04-18 01:14 --------- d-----w C:\Program Files\BlogJet
2008-04-18 01:11 --------- d-----w C:\Program Files\Web Page Maker V2
2008-04-18 01:06 --------- d-----w C:\Users\Marco\AppData\Roaming\Ipswitch
2008-04-18 01:06 --------- d-----w C:\Program Files\Ipswitch
2008-04-18 01:03 --------- d-----w C:\ProgramData\Lavasoft
2008-04-18 01:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-17 21:08 43,520 ----a-w C:\Windows\System32\CmdLineExt03.dll
2008-04-17 00:32 --------- d-----w C:\Users\Marco\AppData\Roaming\Intuit Canada
2008-04-17 00:31 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-17 00:31 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-17 00:30 --------- d-----w C:\ProgramData\Intuit Canada
2008-04-16 23:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-16 23:32 --------- d-----w C:\Program Files\Hp
2008-04-16 23:20 --------- d-----w C:\Program Files\Microsoft FrontPage
2008-04-16 23:19 --------- d-----w C:\Users\Marco\AppData\Roaming\Microsoft Web Folders
2008-04-16 22:53 --------- d-----w C:\Program Files\Alwil Software
2008-04-16 21:49 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-16 08:22 --------- d-----w C:\Users\Marco\AppData\Roaming\ATI
2008-04-16 08:20 --------- d-----w C:\ProgramData\Toshiba
2008-04-16 08:20 --------- d-----w C:\Program Files\TOSHIBA
2008-04-16 08:20 --------- d-----w C:\Program Files\Common Files\Toshiba Shared
2008-04-16 08:19 --------- d-----w C:\ProgramData\Roaming
2008-04-16 08:19 --------- d-----w C:\Program Files\ltmoh
2008-04-16 08:18 --------- d-----w C:\ProgramData\Intel
2008-04-16 08:18 --------- d-----w C:\Program Files\Intel
2008-04-16 08:13 --------- d-sh--w C:\ProgramData\Modèles
2008-04-16 08:13 --------- d-sh--w C:\ProgramData\Menu Démarrer
2008-04-16 08:13 --------- d-sh--w C:\ProgramData\Favoris
2008-04-16 08:13 --------- d-sh--w C:\ProgramData\Bureau
2008-04-16 08:13 --------- d-sh--w C:\Program Files\Fichiers communs
2008-04-16 02:17 --------- d-----w C:\Users\Marco\AppData\Roaming\TOSHIBA
2008-04-15 22:05 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-15 22:05 --------- d-----w C:\Program Files\Windows Live
2008-04-15 22:00 --------- d-----w C:\ProgramData\WLInstaller
2008-04-15 21:23 174 --sha-w C:\Program Files\desktop.ini
2008-04-15 21:18 --------- d-----w C:\Program Files\Windows Sidebar
2008-04-15 21:18 --------- d-----w C:\Program Files\Windows Mail
2008-04-15 21:18 --------- d-----w C:\Program Files\Windows Calendar
2008-04-15 21:14 87,040 ----a-w C:\Windows\System32\msoert2.dll
2008-04-15 21:14 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-04-15 21:14 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2008-04-15 21:14 28,344 ----a-w C:\Windows\system32\drivers\battc.sys
2008-04-15 21:14 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-04-15 21:14 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-04-15 21:14 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2008-04-15 21:14 20,920 ----a-w C:\Windows\system32\drivers\compbatt.sys
2008-04-15 21:14 14,208 ----a-w C:\Windows\system32\drivers\CmBatt.sys
2008-04-15 21:13 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-04-15 21:13 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-04-15 21:13 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-04-15 21:13 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-04-15 21:13 299,008 ----a-w C:\Windows\System32\wlansec.dll
2008-04-15 21:13 289,280 ----a-w C:\Windows\System32\wlanmsm.dll
2008-04-15 21:13 2,923,520 ----a-w C:\Windows\explorer.exe
2008-04-15 21:13 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-04-15 21:13 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-04-15 21:10 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-04-15 21:10 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-04-15 21:09 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-04-15 21:09 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-04-15 21:09 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-04-15 21:09 374,456 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-04-15 21:09 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-04-15 21:08 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2008-04-15 21:08 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2008-04-15 21:08 61,952 ----a-w C:\Windows\System32\cmifw.dll
2008-04-15 21:08 396,800 ----a-w C:\Windows\System32\MPSSVC.dll
2008-04-15 21:08 392,192 ----a-w C:\Windows\System32\FirewallAPI.dll
2008-04-15 21:08 23,040 ----a-w C:\Windows\system32\drivers\tunnel.sys
2008-04-15 21:08 178,688 ----a-w C:\Windows\System32\iphlpsvc.dll
2008-04-15 21:08 16,896 ----a-w C:\Windows\System32\wfapigp.dll
2008-04-15 21:08 15,360 ----a-w C:\Windows\system32\drivers\TUNMP.SYS
2008-04-15 21:07 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-04-15 21:07 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-04-15 21:07 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-04-15 21:07 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
.

((((((((((((((((((((((((((((( snapshot_2008-04-23_17.56.05,69 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-23 21:49:55 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-23 23:03:11 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-04-23 21:48:24 828,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-04-23 23:01:54 828,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-04-23 21:49:59 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-04-23 23:03:14 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-04-23 21:49:59 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-04-23 23:03:14 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-04-23 21:51:16 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-23 22:59:11 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-23 21:51:59 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-23 23:05:18 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-23 23:05:18 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-04-23 21:53:01 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-23 22:59:11 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-23 21:51:54 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-23 23:05:13 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-04-23 21:50:59 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-23 22:03:38 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-23 21:50:59 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-23 22:03:38 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-23 21:50:59 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-04-23 22:03:38 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-23 21:48:03 103,924 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-23 22:09:30 103,924 ----a-w C:\Windows\System32\perfc009.dat
- 2008-04-23 21:48:03 117,572 ----a-w C:\Windows\System32\perfc00C.dat
+ 2008-04-23 22:09:30 117,572 ----a-w C:\Windows\System32\perfc00C.dat
- 2008-04-23 21:48:03 610,142 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-23 22:09:30 610,142 ----a-w C:\Windows\System32\perfh009.dat
- 2008-04-23 21:48:03 690,832 ----a-w C:\Windows\System32\perfh00C.dat
+ 2008-04-23 22:09:30 690,832 ----a-w C:\Windows\System32\perfh00C.dat
- 2008-04-23 21:52:18 5,392 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-754959004-2149648827-1362092406-1000_UserData.bin
+ 2008-04-23 23:05:43 5,870 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-754959004-2149648827-1362092406-1000_UserData.bin
- 2008-04-23 21:52:18 61,170 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-23 23:05:42 61,514 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-04-23 21:52:17 45,036 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-04-23 23:05:38 45,140 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-04-15 16:58 1232896]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-13 13:01 413696]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-06-29 11:31 1006264]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-06-06 11:02 77824]
"NDSTray.exe"="NDSTray.exe" []
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 17:14 34352]
"HWSetup"="\HWSetup.exe" [ ]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-22 21:42 438272]
"RtHDVCpl"="RtHDVCpl.exe" [2007-06-13 01:11 4489216 C:\Windows\RtHDVCpl.exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [2007-04-10 16:40 413696]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 10:39 411192]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 16:49 55416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-05-23 15:57 509496]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 16:32 538744]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-27 06:32 898344]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-01-08 22:23 191552]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 06:00 204800]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 14:37 79224]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-01-08 22:23 191552]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DCBF09EE-3ECA-4007-B375-AD5B6B73C518}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{F2E28BA2-68BB-4465-897D-E11AAE9EE358}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{2DB43B3C-B906-4BA4-8400-32A62C22EE2A}C:\\program files\\mirc\\mirc.exe"= UDP:C:\program files\mirc\mirc.exe:mIRC
"UDP Query User{CE32C3DE-D16E-4516-957F-5797507BD92E}C:\\program files\\mirc\\mirc.exe"= TCP:C:\program files\mirc\mirc.exe:mIRC
"TCP Query User{01F94962-334D-4E5A-B59A-046ED3266C50}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{25319E49-BB9E-48A4-9ABE-83158887C115}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{0330E9EF-7DBC-4677-9F4A-1277F9502024}C:\\program files\\nero\\nero8\\nero home\\nerohome.exe"= UDP:C:\program files\nero\nero8\nero home\nerohome.exe:Nero Home
"UDP Query User{DDA1309A-5526-492D-986D-401CD568EF4F}C:\\program files\\nero\\nero8\\nero home\\nerohome.exe"= TCP:C:\program files\nero\nero8\nero home\nerohome.exe:Nero Home
"TCP Query User{5B5F79AB-AE8A-48B9-A429-9777A4D3103F}C:\\program files\\web page maker v2\\webpagemaker.exe"= UDP:C:\program files\web page maker v2\webpagemaker.exe:WebPageMaker
"UDP Query User{5A3007EC-B2F6-4632-952A-CF3463296DD3}C:\\program files\\web page maker v2\\webpagemaker.exe"= TCP:C:\program files\web page maker v2\webpagemaker.exe:WebPageMaker

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 LPCFilter;LPC Lower Filter Driver;C:\Windows\system32\DRIVERS\LPCFilter.sys [2006-07-28 16:25]
R0 tos_sps32;TOSHIBA tos_sps32 Service;C:\Windows\system32\DRIVERS\tos_sps32.sys [2007-04-27 20:13]
R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-03-29 14:31]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-03-29 14:32]
R2 TNaviSrv;TOSHIBA Navi Support Service;C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe [2007-05-17 20:12]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-06-21 05:36]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 11:50]
R3 UVCFTR;UVCFTR;C:\Windows\system32\Drivers\UVCFTR_S.SYS [2007-04-16 10:19]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 19:07:54
Windows 6.0.6000 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????R?C?b??? ??? ?? ???0???P?

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
Temps d'accomplissement: 2008-04-23 19:08:43
ComboFix-quarantined-files.txt 2008-04-23 23:08:34
ComboFix2.txt 2008-04-23 21:56:27
ComboFix3.txt 2008-04-23 21:38:28

Le texte du message associé au numéro 0x2379 est introuvable dans le fichier de messages pour Application.
Le texte du message associé au numéro 0x2379 est introuvable dans le fichier de messages pour Application.

236 --- E O F --- 2008-04-22 20:31:22

Edited by Hello_There (Thu Apr 24 2008 06:09 AM)
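Triage script for a HijackThis log like the one above, added here as an example; it is not part of the forum post and not HijackThis's own analysis. It parses the `R`/`F`/`O` entry lines and pulls out the kinds of entries a helper checks first: an O2 BHO whose file is missing, O4 autorun commands that give no absolute path, any O15 Trusted Zone entry, and O16 ActiveX downloads from hosts outside a small allow-list. The sample lines are copied from the posted log; the heuristics, the `KNOWN_DPF_HOSTS` allow-list and the function names (`parse_hjt`, `triage`, `host_is_known`) are assumptions chosen for illustration.

```python
"""Triage a HijackThis (HJT) v2 log: list the entries a responder reviews first.

Added example, not the forum's or HijackThis's code. The heuristics and the
vendor allow-list below are assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shoptoshiba.ca/welcome
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] \HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O15 - Trusted Zone: http://www.montrealwebcam.com
O16 - DPF: {597F9140-0DC6-4657-A162-76EC0E7AEE81} (ActiveBroadcast Control) - http://www.meetstream.com/activex/28081/activebroadcast.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
"""

# Assumption: hosts the analyst is willing to treat as known ActiveX sources.
KNOWN_DPF_HOSTS = ("macromedia.com", "microsoft.com", "hp.com", "sun.com")

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?)Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Absolute path: a drive letter or an environment variable, optionally quoted.
ABS_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%[A-Za-z]+%)')


def parse_hjt(text):
    """Yield (section, body) for every HJT entry line; other lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def host_is_known(url):
    """True when the URL's host is one of the allow-listed domains or a subdomain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in KNOWN_DPF_HOSTS)


def triage(text):
    """Return a list of (section, reason, detail) for entries worth a second look."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O2":
            # "BHO: <name> - {CLSID} - <dll path>". An orphaned CLSID loads nothing,
            # but it is leftover from an uninstall or a removal and should be cleaned up.
            parts = body.rsplit(" - ", 2)
            if len(parts) == 3 and parts[2].strip() == "(no file)":
                findings.append((section, "BHO registered with no file on disk", parts[1]))
        elif section == "O4":
            m = O4_RE.match(body)
            if m and not ABS_PATH_RE.match(m.group("cmd")):
                # A bare or root-relative name is resolved through the search path, so the
                # log alone does not tell the analyst which binary actually runs at logon.
                findings.append((section, "autorun command without an absolute path", m.group("cmd")))
        elif section == "O15":
            # Anything in IE's Trusted Zone runs with relaxed browser security settings.
            findings.append((section, "site added to Trusted Zone", body.split(": ", 1)[1]))
        elif section == "O16" and " - " in body:
            # "DPF: {CLSID} (Name) - <URL>": an ActiveX control fetched from that URL.
            _desc, url = body.rsplit(" - ", 1)
            if not host_is_known(url):
                findings.append((section, "ActiveX download from unrecognised host", url))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}: {detail}")
```

Run on the sample it reports five findings; the Adobe BHO, the avast! autorun and the Macromedia Flash download pass. A finding is a prompt to look, not a verdict: the O2 entry with no file is an inert leftover, and NDSTray.exe appears in the running-process list as Toshiba's ConfigFree tray utility, but each is something to resolve rather than carry forward in a log that is supposed to read clean.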


bricatModerator
HijackThis Helper


Reg'd: Wed
Posts: 29232
Loc: belfast
Re: conhook.d removal - please help [Re: rockwiz]
      #392639 - Thu Apr 24 2008 11:20 PM

Welcome to the Webuser forum.

Quote:

and this was the last ComboFix log
How many times have you run combofix ?

do you still have the log from the first time you ran it ?

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.

You don't stop laughing when you get old, you get old when you stop laughing!


rockwiz
new user


Reg'd: Thu
Posts: 6
Re: conhook.d removal - please help [Re: bricat]
      #392671 - Fri Apr 25 2008 01:32 PM

Hello bricat,

Thank you for your reply. I ran combofix three times. I ran into the same issues as the previous person you helped with this same trojan. I did not run it in safe mode, and it does seem to have been removed. I doubt I have the first combofix, but I do have the first HJT log. I'll check when I get back home to my computer. I'll also download the software you recommend and run it. I do not see any of the symptoms (registry modif at startup) that I was seeing previously, and none of the software I currently have (avast, spybot, Ad-Aware, windows Defender) is picking up the virus. I have a feeling it's gone, but I wanted to make sure.


rockwiz
new user


Reg'd: Thu
Posts: 6
Re: conhook.d removal - please help [Re: rockwiz]
      #392719 - Fri Apr 25 2008 09:40 PM

Here is the log from MBAM:

Malwarebytes' Anti-Malware 1.11
Version de la base de données: 682

Type de recherche: Examen rapide
Eléments examinés: 33309
Temps écoulé: 5 minute(s), 40 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 1
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)

I apologize that it is in French..

and all I could find was the first version of the HJT log.. I couldn't find the first combofix log

Thanks for all your help


bricatModerator
HijackThis Helper


Reg'd: Wed
Posts: 29232
Loc: belfast
Re: conhook.d removal - please help [Re: rockwiz]
      #392727 - Fri Apr 25 2008 10:17 PM

It looks like the first run of combofix removed it, and mbam has cleaned up.

that looks clean now.

combofix cleanup.

Time for some housekeeping

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"

The above procedure will:

  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

DISABLE SYSTEM RESTORE
To flush out infected restore points.
Then restart your system restore (same page), then create a new restore point :-

click START\ALL PROGRAMS\ACCESSORIES\SYSTEM TOOLS\SYSTEM RESTORE. click on "create new restore point"
click on NEXT and follow the prompts.

this is to ensure that if you have to do a system restore in the future that you don't get all the infections reinstalled again.

Then :-

Download and scan with CCleaner
1. CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
   IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
   Then select "Cookies"
   Move any cookies you wish to retain, e.g. login cookies, in the left-hand window to the right-hand window by highlighting them and clicking the right arrow in the centre.
3. Then select the items you wish to clean up.
   In the Windows Tab:

   • Clean all entries in the "Internet Explorer" section.
   • Clean all the entries in the "Windows Explorer" section.
   • Clean all entries in the "System" section.
   • Clean all entries in the "Advanced" section.
   • Clean any others that you choose.

   In the Applications Tab:

   • Clean all entries in the Mozilla Firefox Section.
   • Clean all in the Opera section if you use it.
   • Clean Sun Java in the Internet Section.
   • Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

then DEFRAG your C:\ drive.

to help speed up your system.

then let us know how the computer is running.

HOW DID I GET INFECTED

--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.

You don't stop laughing when you get old, you get old when you stop laughing!


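As an added check that is not part of bricat's instructions: a read-only PowerShell script that confirms the housekeeping steps above actually took effect on the cleaned machine. It assumes the folder paths and the registry key named in this thread, the standard Explorer "Advanced" value names, and an elevated Windows PowerShell session on a client edition of Windows.

```powershell
# Added example, not part of the thread's own instructions. Read-only: it reports,
# it does not delete or change anything. Run from an elevated Windows PowerShell.
$findings = @()

# 1. Leftover tool folders that "Combofix /u" is expected to remove (paths from the thread).
foreach ($path in 'C:\Deckard', 'C:\_OtMoveIt') {
    if (Test-Path -LiteralPath $path) { $findings += "Leftover folder still present: $path" }
}

# 2. The Malware.Trace key MBAM quarantined; if it is back after a reboot, something recreated it.
$traceKey = 'HKCU:\Software\Microsoft\affri'
if (Test-Path -LiteralPath $traceKey) { $findings += "Malware trace key reappeared: $traceKey" }

# 3. Explorer settings that "Combofix /u" restores (standard Explorer value names, assumed defaults:
#    HideFileExt=1 hides extensions, Hidden=2 hides hidden files, ShowSuperHidden=0 hides system files).
$advPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advPath -ErrorAction SilentlyContinue
if ($adv.HideFileExt -ne 1)     { $findings += 'File extensions are still shown (HideFileExt != 1)' }
if ($adv.Hidden -ne 2)          { $findings += 'Hidden files are still shown (Hidden != 2)' }
if ($adv.ShowSuperHidden -eq 1) { $findings += 'Protected system files are still shown (ShowSuperHidden = 1)' }

# 4. After System Restore was disabled and re-enabled, at least one fresh restore point should exist.
#    CreationTime is a WMI timestamp string (yyyyMMddHHmmss...), so a string sort is chronological.
$latest = Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
          Sort-Object CreationTime -Descending | Select-Object -First 1
if (-not $latest) {
    $findings += 'No restore point found; create one before relying on System Restore again'
} else {
    "Newest restore point: $($latest.Description) (created $($latest.CreationTime))"
}

if ($findings.Count -eq 0) { 'Housekeeping verified: nothing left over.' }
else { $findings | ForEach-Object { "CHECK: $_" } }
```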
rockwiz
new user


Reg'd: Thu
Posts: 6
Re: conhook.d removal - please help [Re: bricat]
      #392782 - Sat Apr 26 2008 02:03 PM

Thank you for all your help.

It just eases my mind that I now have a clean bill of health.

this forum (and especially yourself) is very helpful.

I cannot thank you enough.

The PC is running great.


bricatModerator
HijackThis Helper


Reg'd: Wed
Posts: 29232
Loc: belfast
Re: conhook.d removal - please help [Re: rockwiz]
      #392823 - Sat Apr 26 2008 10:10 PM

happy to help.


