hijacked homepage

Hello lonny Jones

Good News after the kill box and restart I went into prefetch and deleted all the sysinfo and stop.exe files and then restarted the comp.

All gone
I did a spywareblaster scan that one coolwebsearch (55) that kept disabling is now fixed did a adaware scan the 2 critical gone home page does not redirect to a-search\biz

I did a search on all those files you listed in your last post negative on all of them

so i think i hope it is all gone
Thank you very much for your patience and persistance


Just a quick one do I have to go back and change those checks back from when we went to show hidden files if so which ones

once again thank you

Just a quick one did I have to

 

Sorry I forgot to post a new log here it is



Logfile of HijackThis v1.98.2
Scan saved at 3:20:45 PM, on 25/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPSBattM.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Justin\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iinet.net.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe "
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe "
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.iinet.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{F240609B-5E5F-476E-B7BB-DD5EB715A3FF}: NameServer = 203.0.178.191

 

Hi

Looks fine

post back with another log in a few days to be sure though please.

I would change it back if there are other users or kids on the PC
You might hide Hiajckthis and should probaly delete killbox.
Both could be dangerous in the wrong hands

Do those online scan !!


Regards

 

Hi Lonney Jones Here is my HJT LOg
a few days have passed and everything seems to be O.K

Thanks Again

Logfile of HijackThis v1.98.2
Scan saved at 10:47:10 PM, on 28/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.EXE
C:\Program Files\Trend Micro\Internet Security\PCCGUIDE.EXE
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Justin\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iinet.net.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe "
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe "
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.iinet.net.au
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F240609B-5E5F-476E-B7BB-DD5EB715A3FF}: NameServer = 203.0.178.191

 

Still Looks good
You might delete killbox.exe and the C:\!submit folder if you havent already.

 

Hi Lonney its Back here nis my HJT Log I,m not sure why the
F2 userinit is back it does not show up on spybot but does show up on adaware as

Running processes:
Ad-Aware SE Build 1.05
Logfile Created on:Wednesday, 3 November 2004 12:42:32 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R16 28.10.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

\
ProcessID : 3304
ThreadCreationTime : 2-11-2004 4:42:26 PM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved



Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Trusted zone presumably compromised : aifind.info

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
Category : Vulnerability
Comment : Trusted zone presumably compromised : aifind.info
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aifind.info

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Category : Vulnerability
Comment : Trusted zone presumably compromised : aifind.info
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aifind.info
Value : *

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 2
Logfile of HijackThis v1.98.2
Scan saved at 12:57:14 AM, on 3/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPSBattM.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\justin\My Documents\HijackThis.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.EXE
C:\Program Files\Trend Micro\Internet Security\PCCGUIDE.EXE
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iinet.net.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by iiNet
F2 - REG:system.ini: UserInit=Userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe "
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe "
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.iinet.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{799F4E01-C5D9-454F-BD40-BC3EFEAA5FE3}: NameServer = 203.0.178.191

Thank you

 

Add these sites To the restricted zone in Internet explorer
www.A-Search*
and
www.zloeboogle.biz
On IE's toolbar go tools internet options >security
Hilight the restricted zone > sites and add them there
dont include the > mark
Do a file search for these files, tell us if found and where they are located
q548361.exe
_huytam_
pnpsvc.inf
pnpservice.inf
qcache.exe

 

Hi
Have added the sites to restricted zone also did a search of all those files came up with nothing at all.

Logfile of HijackThis v1.98.2
Scan saved at 9:18:37 AM, on 3/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\justin\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iinet.net.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by iiNet
F2 - REG:system.ini: UserInit=Userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe "
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe "
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.iinet.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{799F4E01-C5D9-454F-BD40-BC3EFEAA5FE3}: NameServer = 203.0.178.191

 

Hi

Post a log from autoruns
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

Run, In the "view" TOP menu,
select(check)
[X]show Appininit Dll's
[X]Show Services and
[ ]Hide signed Microsoft entries
And Uncheck the "Show all locations"

Be sure only those two are checked, Go
to "Entry" menu, 'Copy to clipboard' and paste it here!...
Note: The check boxes on the left should be left alone!
It's the top "view" menu only that's needed!

And a dllcompare log also
DllCompare : http://forums.subratam.org/index.php?showtopic=1725

 

Hi Lonney
Ran Autoruns checked boxes 2 as required here is the log

HKLM\System\CurrentControlSet\Services
+ AudioSrv Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe
+ Browser Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe
+ CFSvcs Service of ConfigFree. (Not verified) TOSHIBA CORPORATION c:\program files\toshiba\configfree\cfsvcs.exe
+ CryptSvc Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe
+ Dhcp Manages network configuration by registering and updating IP addresses and DNS names. Microsoft Corporation c:\windows\system32\svchost.exe
+ dmserver Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe
+ Dnscache Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe
+ DVD-RAM_Service Service of RAMAsst for Windows XP (Not verified) Matsushita Electric Industrial Co., Ltd. c:\windows\system32\dvdramsv.exe
+ ERSvc Allows error reporting for services and applictions running in non-standard environments. Microsoft Corporation c:\windows\system32\svchost.exe
+ Eventlog Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. Microsoft Corporation c:\windows\system32\services.exe
+ helpsvc Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe
+ lanmanserver Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe
+ lanmanworkstation Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe
+ LmHosts Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Microsoft Corporation c:\windows\system32\svchost.exe
+ MDM Manages local and remote debugging for Visual Studio debuggers (Not verified) Microsoft Corporation c:\program files\common files\microsoft shared\vs7debug\mdm.exe
+ Messenger Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe
+ PccPfw Manages the Trend Micro Personal Firewall. (Not verified) Trend Micro Incorporated. c:\program files\trend micro\internet security\pccpfw.exe
+ PlugPlay Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Microsoft Corporation c:\windows\system32\services.exe
+ PolicyAgent Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Microsoft Corporation c:\windows\system32\lsass.exe
+ ProtectedStorage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Microsoft Corporation c:\windows\system32\lsass.exe
+ RegSrvc RegSrvc Module (Not verified) Intel Corporation c:\windows\system32\regsrvc.exe
+ RemoteRegistry Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe
+ RpcSs Provides the endpoint mapper and other miscellaneous RPC services. Microsoft Corporation c:\windows\system32\svchost.exe
+ S24EventMonitor Event Monitor - Supports driver extensions to NIC Driver for wireless adapters. (Not verified) Intel Corporation c:\windows\system32\s24evmon.exe
+ SamSs Stores security information for local user accounts. Microsoft Corporation c:\windows\system32\lsass.exe
+ Schedule Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe
+ seclogon Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe
+ SENS Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. Microsoft Corporation c:\windows\system32\svchost.exe
+ ShellHWDetection Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe
+ Spooler Loads files to memory for later printing. Microsoft Corporation c:\windows\system32\spoolsv.exe
+ srservice Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties Microsoft Corporation c:\windows\system32\svchost.exe
+ Themes Provides user experience theme management. Microsoft Corporation c:\windows\system32\svchost.exe
+ Tmesrv TOSHIBA MobileExtension Service (Not verified) TOSHIBA c:\program files\toshiba\tme3\tmesrv31.exe
+ Tmntsrv Enables scanning in real time. (Not verified) Trend Micro Incorporated. c:\program files\trend micro\internet security\tmntsrv.exe
+ tmproxy Manages the Trend Micro tmtdi module. (Not verified) Trend Micro Incorporated. c:\program files\trend micro\internet security\tmproxy.exe
+ TrkWks Maintains links between NTFS files within a computer or across computers in a network domain. Microsoft Corporation c:\windows\system32\svchost.exe
+ uploadmgr Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe
+ W32Time Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Microsoft Corporation c:\windows\system32\svchost.exe
+ WebClient Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe
+ winmgmt Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe
+ wuauserv Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. Microsoft Corporation c:\windows\system32\svchost.exe
+ WZCSVC Provides automatic configuration for the 802.11 adapters Microsoft Corporation c:\windows\system32\svchost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
+ Userinit.exe Userinit Logon Application Microsoft Corporation c:\windows\system32\userinit.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
+ Explorer.exe Windows Explorer Microsoft Corporation c:\windows\explorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ 000StTHK c:\windows\system32\000stthk.exe
+ 00THotkey THotkey (Not verified) TOSHIBA Corporation c:\windows\system32\00thotkey.exe
+ AGRSMMSG SoftModem Messaging Applet (Not verified) Agere Systems c:\windows\agrsmmsg.exe
+ Apoint Alps Pointing-device Driver (Not verified) Alps Electric Co., Ltd. c:\program files\apoint2k\apoint.exe
+ dla Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\tfswctrl.exe
+ HotKeysCmds hkcmd Module (Not verified) Intel Corporation c:\windows\system32\hkcmd.exe
+ IgfxTray igfxTray Module (Not verified) Intel Corporation c:\windows\system32\igfxtray.exe
+ pccguide.exe PCCGuide (Not verified) Trend Micro Incorporated. c:\program files\trend micro\internet security\pccguide.exe
+ PCClient.exe PCClient (Not verified) Trend Micro Incorporated. c:\program files\trend micro\internet security\pcclient.exe
+ PRONoMgr.exe PRONotifyMgr Module (Not verified) Intel(R) Corporation c:\program files\intel\prosetwireless\ncs\proset\pronomgr.exe
+ SigmaTel StacMon (Not verified) SigmaTel Inc. c:\program files\sigmatel\sigmatel ac97 audio drivers\stacmon.exe
+ SmoothView SmoothView (Not verified) TOSHIBA Corporation c:\program files\toshiba\toshiba zooming utility\smoothview.exe
+ TFncKy TFncKy (Not verified) TOSHIBA Corporation C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
+ TFNF5 TFnF5 (Not verified) TOSHIBA Corp. c:\windows\system32\tfnf5.exe
+ TM Outbreak Agent TrendMicro Outbreak agent (Not verified) Trend Micro Incorporated. c:\program files\trend micro\internet security\tmoagent.exe
+ TMERzCtl.EXE TMERzCtl (Not verified) TOSHIBA c:\program files\toshiba\tme3\tmerzctl.exe
+ TMESRV.EXE TOSHIBA MobileExtension Service (Not verified) TOSHIBA c:\program files\toshiba\tme3\tmesrv31.exe
+ TouchED TouchPad On/Off Utility (Not verified) TOSHIBA Corporation c:\program files\toshiba\touched\touched.exe
+ TPSMain C:\Program Files\TOSHIBA\Power Saver\TPSMain.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
+ Microsoft Office OneNote 2003 Quick Launch.lnk Microsoft Office OneNote Quick Launcher Microsoft Corporation c:\program files\microsoft office\office11\onenotem.exe
+ Microsoft Office.lnk Microsoft Office XP component (Not verified) Microsoft Corporation c:\program files\microsoft office\office10\osa.exe
+ RAMASST.lnk CD Burning of Windows XP disabling tool for DVD MULTI Drive (Not verified) Matsushita Electric Industrial Co., Ltd. c:\windows\system32\ramasst.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ ctfmon.exe CTF Loader Microsoft Corporation c:\windows\system32\ctfmon.exe
+ MSMSGS File not found: C:\Program Files\Messenger\msmsgs.exe


Thank you

 

And the Dllcompare log ?

Im not seeing what i was looking for in the auto runs log.

Make a new folder called PV
c:\pv
http://www.downloads.subratam.org/pv.zip
download then extract that file to that new folder
Open the folder double-click on the runme.bat file. Then press the number 5 for Winlogon and when its done it will open a notepad. Paste the contents of that notepad as a reply to this topic.

 

Hi Lonney
I have done what you asked I think I have done it right not sure here is the log


Module information for 'winlogon.exe'
MODULE BASE SIZE PATH
winlogon.exe 1000000 503808 C:\WINDOWS\system32\winlogon.exe 5.1.2600.1557 (xpsp2_gdr.040517-1325) Windows NT Logon Application
ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1560 (xpsp2_gdr.040517-1325) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
AUTHZ.dll 76cc0000 65536 C:\WINDOWS\system32\AUTHZ.dll 5.1.2600.0 (xpclient.010817-1148) Authorization Framework
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1561 (xpsp2_gdr.040517-1325) Windows XP USER API Client DLL
GDI32.dll 7f000000 266240 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1561 (xpsp2_gdr.040517-1325) GDI Client DLL
MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs
NDdeApi.dll 75940000 28672 C:\WINDOWS\system32\NDdeApi.dll 5.1.2600.0 (xpclient.010817-1148) Network DDE Share Management APIs
PROFMAP.dll 75930000 40960 C:\WINDOWS\system32\PROFMAP.dll 5.1.2600.0 (xpclient.010817-1148) Userenv
NETAPI32.dll 71c20000 319488 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.1343 (xpsp2.040109-1800) Net Win32 API DLL
USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
PSAPI.DLL 76bf0000 45056 C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.1106 (xpsp1.020828-1920) Process Status Helper
REGAPI.dll 76bc0000 57344 C:\WINDOWS\system32\REGAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Registry Configuration APIs
Secur32.dll 76f90000 65536 C:\WINDOWS\system32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
SETUPAPI.dll 76670000 946176 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
WINSTA.dll 76360000 61440 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library
WS2_32.dll 71ab0000 86016 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
MSGINA.dll 75970000 991232 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.1343 (xpsp2.040109-1800) Windows NT Logon GINA DLL
SHELL32.dll 773d0000 8331264 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1233 (xpsp2.030604-1804) Windows Shell Common Dll
SHLWAPI.dll 70a70000 430080 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1584 (xpsp2.040720-1705) Shell Light-weight Utility Library
COMCTL32.dll 77340000 569344 C:\WINDOWS\system32\COMCTL32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
ODBC32.dll 7a0000 204800 C:\WINDOWS\System32\ODBC32.dll 3.520.9042.0 Microsoft Data Access - ODBC Driver Manager
comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) Common Dialogs DLL
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library
odbcint.dll 1f850000 90112 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources
SHSVCS.dll 76bd0000 126976 C:\WINDOWS\System32\SHSVCS.dll 6.00.2800.1106 (xpsp1.020828-1920) Windows Shell Services Dll
sfc.dll 76bb0000 16384 C:\WINDOWS\system32\sfc.dll 5.1.2600.0 (xpclient.010817-1148) Windows File Protection
sfc_os.dll 76c60000 167936 C:\WINDOWS\System32\sfc_os.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows File Protection
WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE for Windows
IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
WINSCARD.DLL 723d0000 106496 C:\WINDOWS\System32\WINSCARD.DLL 5.1.2600.0 (xpclient.010817-1148) Microsoft Smart Card API
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Terminal Server SDK APIs
sxs.dll 75e90000 684032 C:\WINDOWS\System32\sxs.dll 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5
uxtheme.dll 5ad70000 212992 C:\WINDOWS\System32\uxtheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
cscdll.dll 76600000 110592 C:\WINDOWS\system32\cscdll.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
WlNotify.dll 75950000 102400 C:\WINDOWS\system32\WlNotify.dll 5.1.2600.1106 (xpsp1.020828-1920) Common DLL to receive Winlogon notifications
WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.1106 (xpsp1.020828-1920) Windows Spooler Driver
MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider
msv1_0.dll 76d10000 118784 C:\WINDOWS\system32\msv1_0.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft Authentication Package v1.0
SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
LgNotify.dll 10000000 122880 c:\WINDOWS\System32\LgNotify.dll 8, 0, 0, 161 LogonNotify DLL
wldap32.dll 76f60000 180224 C:\WINDOWS\system32\wldap32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
NTMARTA.DLL 76ce0000 126976 C:\WINDOWS\System32\NTMARTA.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows NT MARTA provider
wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
TGBRFV_5.dll 1870000 229376 C:\WINDOWS\System32\TGBRFV_5.dll
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53


Thank You

 

Sorry Lonney I did not see that dll compare log so I have done it now and it Found 1 here is the log

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\tgbrfv_5.dll Wed 3 Nov 2004 20:00:18 A..H. 73,728 72.00 K
________________________________________________

1,225 items found: 1,225 files (1 H/S), 0 directories.
Total of file sizes: 235,741,682 bytes 224.82 M

Administrator Account = True

--------------------End log---------------------

Thank You

 

Yep there it is tgbrfv_5.dll

First go start run and type in CMD Hit ok then paste or type in >
cd %systemroot%\system32
OK then
attrib -h -r -s tgbrfv_5.dll
Hit ok again, then exit

Lets try Killbox first if it doenst work we have other ideas

Download KillBox
http://download.broadbandmedic.com/Killbox.exe

Close all open programs, windows and browsers
double-click Killbox.exe

In the "Full path or file to delete" (paste the following)

C:\WINDOWS\SYSTEM32\tgbrfv_5.dll

Select the option "End explorer shell while killing file "
Next: press the Red X button
You should get a message that the file was either deleted or not.

Note: If your desktop does not come back, go to the KillBox Menu
under Tools and click "Start Explorer shell "

If you see the "could not delete" message ...
Repeat the above and use the "Delete on boot" option.


After you reboot run dllcompare and post once more if it finds anything

also please do a file search for
tgbrfv_ and tell us what and where any are found,, theres probaly a
tgbrfv_.exe or tgbrfv_5.exe

 

Hi Lonney
To be honest I am not 100% sure what I was supposed to do with the run CMD thing so could you please re explain it SORRY
OK I did the killbox could not delete so I did the delete on reboot and then did a compare dll and here it is
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\tgbrfv_5.dll Wed 3 Nov 2004 21:12:36 A..H. 73,728 72.00 K
________________________________________________

1,225 items found: 1,225 files (1 H/S), 0 directories.
Total of file sizes: 235,741,682 bytes 224.82 M

Administrator Account = True

--------------------End log---------------------

Also I have searched for tgbrfv on the computer and it does not seem to exist yet it came up in the dll compare log

Thank you

 

Hi
we are currently working on a similur infection at several other forums
download this zip ive attached at Subratam's to your desltop
unzip the files inside to the
C:\windows\system32 folder, then run the
"deletbadfileandzip.bat" by double left clicking on it
deletbadfileandzip.zip
Post the log that will open after rebooting and send me that zip to please.
It will be at this location C:\bad.zip
Reboot the PC
Run Dll compare again and post the log if it still finds any files

 

Hi Lonney

Here it is I think I have done this correct I downlaoded the delete program and when it said to extract all files I extracted them to windows system32 and here is the log I also rebooted and did another dll compare here are the results I hope I did it correct please let me know

Thank You
The batch file is run from C:\WINDOWS\system32
The bad dll is present
The renamed file has been moved successfully, Please email c:\bad.zip to Lonnyjones@xxxxxxx

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\tgbrfv_5.dll Wed 3 Nov 2004 22:31:10 A..H. 73,728 72.00 K
________________________________________________

1,225 items found: 1,225 files (1 H/S), 0 directories.
Total of file sizes: 235,741,682 bytes 224.82 M

Administrator Account = True

--------------------End log---------------------

 

You did great, do send that file please.

I see the file is still there so, I will be back hopefully with a better idea later today. Our other members might also have a few ideas, stay tuned.

 

Hi Lonney
Once again I dont know how to send the file When I go to C:\ there is a file under the windows file with a zip on it but I dont know how to copy or send it

 

It depends on what you use for an email program ?

this might help
Attaching a file to an email using Outlook Express
http://www.freeserve.com/help/beginnerguides/emailmadeeasy/emailattachfile.htm

this is the file to attach
C:\bad.zip