
WinAntiVirus and Drive Cleaner help

Discussion in 'Malware and Virus Removal Archive' started by Brian12345, 2006/08/11.

  1. 2006/08/11
    Brian12345

    Brian12345 Inactive Thread Starter

    Joined:
    2006/08/11
    Messages:
    17
    Likes Received:
    0
    Ok, I am getting popups from WinAntiVirus and Drive Cleaner that start in the form of a gray "Windows message" window. When I close it using the "X" it still gives me a pop-up. I have Avast! Antivirus 4.7 Home installed and Ad-aware 6.0 with Ad-watch 3.0 installed. When I run both of these programs, nothing out of the ordinary shows up. I have included a HijackThis log. Please help me if you can.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:05:40 AM, on 8/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\TDispVol.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Toshiba\Tvs\TvsTray.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\Synaptics\SynTP\Toshiba.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\WINDOWS\system32\dla\DLACTRLW.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Common Files\{002D7F93-0746-1033-0511-060729200001}\Update.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\RRIM\aim.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Ares\Ares.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Brian Smith.BRIAN\Desktop\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
    O1 - Hosts: localhost 127.0.0.1
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\RRIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [toscdspd] TOSCDSPD.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\RRIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{29BB1743-E605-4195-94BF-36B6E5B20354}: NameServer = 85.255.114.93,85.255.112.122
    O17 - HKLM\System\CCS\Services\Tcpip\..\{511F5966-5826-4843-A037-926E3BDCF6EF}: NameServer = 85.255.114.93,85.255.112.122
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5454CADA-277E-4EEC-A5E7-40FBAC4C785D}: NameServer = 85.255.114.93,85.255.112.122
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.93 85.255.112.122
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.93 85.255.112.122
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.93 85.255.112.122
    O20 - AppInit_DLLs:
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
    O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
     
  2. 2006/08/11
    Brian12345

    Brian12345 Inactive Thread Starter

    Joined:
    2006/08/11
    Messages:
    17
    Likes Received:
    0
    Forgot to add that I did read other threads before posting this one and I ran vundofix.exe with no results. What I am really needing is for someone to help me with the HijackThis log and give any other advice that might be useful. Thank you for your time.
     


  5. 2006/08/11
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Welcome to WindowsBBS Forums.

    Please disable Ad-Watch, as it may hinder the removal of some HijackThis entries. You can re-enable it after your computer is clean.

    To disable Ad-Watch:

    1. Right click on the Ad-Watch icon in the system tray and select "Restore Ad-Watch ".
    2. At the bottom of the screen there will be two checkable items called "Active" and "Automatic ".

    • Active: Switches Monitoring On or Off without closing
    • Automatic: Switches Automatic Blocking On or Off
    3. Uncheck (red X) both items.

    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HJT log file and also let me know if there are any problems with the system.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
     
  6. 2006/08/11
    Brian12345

    Brian12345 Inactive Thread Starter

    Joined:
    2006/08/11
    Messages:
    17
    Likes Received:
    0
    ComboFix did not find any infected files. Here is the log.

    Start Time= Fri 08/11/2006 17:41:59.00
    Running from: C:\Documents and Settings\Brian Smith.BRIAN\Desktop

    QuickScan did not find any signs of infected files

    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-11 04:28:26 77312 ( A.... ) "C:\WINDOWS\system32\VundoFix.exe "
    2006-08-08 22:34:14 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Mozilla "
    2006-08-08 22:33:56 ( .D... ) "C:\Program Files\Mozilla Firefox "
    2006-08-08 19:57:40 ( .D... ) "C:\Program Files\Common Files "
    2006-08-04 23:05:48 ( .D... ) "C:\Program Files\Alwil Software "
    2006-08-04 03:20:56 573492 ( ..SH. ) "C:\WINDOWS\system32\mljjj.dll "
    2006-08-04 03:03:28 ( .D... ) "C:\Program Files\àppPatch "
    2006-08-04 03:03:08 ( .D... ) "C:\Program Files\Cowabanga "
    2006-08-04 03:03:04 ( .D... ) "C:\Program Files\ToolBar888 "
    2006-08-04 03:03:04 ( .D... ) "C:\Program Files\Common Files\{002D7F93-0746-1033-0511-060729200001} "
    2006-08-04 03:03:00 40973 ( ..SH. ) "C:\WINDOWS\system32\tuvwwts.dll "
    2006-08-02 17:11:16 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Lavasoft "
    2006-08-02 17:11:08 ( .D... ) "C:\Program Files\Lavasoft "
    2006-07-31 18:28:12 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Sun "
    2006-07-31 00:30:12 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\InterVideo "
    2006-07-30 23:06:00 ( .D... ) "C:\Program Files\BitLord "
    2006-07-30 22:04:50 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\AdobeUM "
    2006-07-30 19:32:40 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Aim "
    2006-07-30 19:31:02 ( .D... ) "C:\Program Files\RRIM "
    2006-07-30 18:04:56 ( .D... ) "C:\Program Files\Norton AntiVirus "
    2006-07-30 18:04:28 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Symantec "
    2006-07-30 16:59:52 ( .D... ) "C:\Program Files\Common Files\Symantec Shared "
    2006-07-30 16:39:24 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Ahead "
    2006-07-30 16:38:40 ( .D... ) "C:\Program Files\Common Files\Ahead "
    2006-07-30 16:38:38 ( .D... ) "C:\Program Files\Ahead "
    2006-07-30 16:34:38 ( .D... ) "C:\Program Files\CloneDVD "
    2006-07-30 15:19:34 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Macromedia "
    2006-07-30 15:12:22 ( .DS.. ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Microsoft "
    2006-07-30 15:12:22 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\You've Got Pictures Screensaver "
    2006-07-30 15:12:22 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\toshiba "
    2006-07-30 15:12:22 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Identities "
    2006-07-30 15:12:22 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\AOL "
    2006-07-30 15:12:22 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Adobe "
    2006-07-30 01:44:50 ( .D... ) "C:\Program Files\Ares "
    2006-07-29 22:49:32 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Intel "
    2006-07-25 18:03:44 466944 ( A.... ) "C:\WINDOWS\system32\capicom.dll "


    (((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


    2006-08-11 03:59 77,312 C:\WINDOWS\system32\VundoFix.exe
    2006-08-08 18:48 90,112 C:\WINDOWS\system32\AVASTSS.scr
    2006-08-08 18:48 597,504 C:\WINDOWS\system32\aswBoot.exe
    2006-08-04 19:21 1,063,309,312 C:\hiberfil.sys
    2006-08-04 03:20 573,492 C:\WINDOWS\system32\mljjj.dll
    2006-08-04 03:02 40,973 C:\WINDOWS\system32\tuvwwts.dll
    2006-08-02 15:57 299,520 C:\WINDOWS\uninst.exe
    2006-08-01 16:50 98,304 C:\WINDOWS\system32\msir3jp.dll
    2006-08-01 16:50 9,216 C:\WINDOWS\system32\kbdnecAT.dll
    2006-08-01 16:50 838,144 C:\WINDOWS\system32\chtbrkr.dll
    2006-08-01 16:50 70,656 C:\WINDOWS\system32\korwbrkr.dll
    2006-08-01 16:50 7,680 C:\WINDOWS\system32\kbdnecNT.dll
    2006-08-01 16:50 7,168 C:\WINDOWS\system32\kbdnec95.dll
    2006-08-01 16:50 7,168 C:\WINDOWS\system32\kbdibm02.dll
    2006-08-01 16:50 7,168 C:\WINDOWS\system32\f3ahvoas.dll
    2006-08-01 16:50 6,656 C:\WINDOWS\system32\kbdlk41a.dll
    2006-08-01 16:50 6,144 C:\WINDOWS\system32\kbdlk41j.dll
    2006-08-01 16:50 6,144 C:\WINDOWS\system32\kbdax2.dll
    2006-08-01 16:50 6,144 C:\WINDOWS\system32\kbd106n.dll
    2006-08-01 16:50 6,144 C:\WINDOWS\system32\kbd101a.dll
    2006-08-01 16:50 6,144 C:\WINDOWS\system32\kbd101.dll
    2006-08-01 16:50 218,112 C:\WINDOWS\system32\c_g18030.dll
    2006-08-01 16:50 1,677,824 C:\WINDOWS\system32\chsbrkr.dll
    2006-08-01 16:49 811,064 C:\WINDOWS\system32\imjp81k.dll
    2006-08-01 16:49 8,704 C:\WINDOWS\system32\kbdjpn.dll
    2006-08-01 16:49 8,192 C:\WINDOWS\system32\kbdkor.dll
    2006-08-01 16:49 76,288 C:\WINDOWS\system32\uniime.dll
    2006-08-01 16:49 6,656 C:\WINDOWS\system32\c_is2022.dll
    2006-08-01 16:49 6,144 C:\WINDOWS\system32\kbd106.dll
    2006-08-01 16:49 6,144 C:\WINDOWS\system32\kbd101c.dll
    2006-08-01 16:49 6,144 C:\WINDOWS\system32\kbd101b.dll
    2006-08-01 16:49 5,632 C:\WINDOWS\system32\kbd103.dll
    2006-07-30 19:31 344,064 C:\WINDOWS\system32\msvcr70.dll
    2006-07-30 17:00 466,944 C:\WINDOWS\system32\capicom.dll
    2006-07-30 16:38 569,344 C:\WINDOWS\system32\imagr5.dll
    2006-07-30 16:38 544,768 C:\WINDOWS\system32\imagx5.dll
    2006-07-30 16:38 38,912 C:\WINDOWS\system32\picn20.dll
    2006-07-30 16:38 283,920 C:\WINDOWS\system32\ImagXpr5.dll
    2006-07-30 16:38 155,648 C:\WINDOWS\system32\NeroCheck.exe
    2006-07-30 16:38 106,496 C:\WINDOWS\system32\TwnLib20.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "TFncKy "= "TFncKy.exe "
    "TDispVol "= "TDispVol.exe "
    "igfxtray "= "C:\\WINDOWS\\system32\\igfxtray.exe "
    "igfxhkcmd "= "C:\\WINDOWS\\system32\\hkcmd.exe "
    "igfxpers "= "C:\\WINDOWS\\system32\\igfxpers.exe "
    "ehTray "= "C:\\WINDOWS\\ehome\\ehtray.exe "
    "THotkey "= "C:\\Program Files\\Toshiba\\Toshiba Applet\\thotkey.exe "
    "SynTPLpr "= "C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe "
    "SynTPEnh "= "C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe "
    "NDSTray.exe "= "NDSTray.exe "
    "Tvs "= "C:\\Program Files\\Toshiba\\Tvs\\TvsTray.exe "
    "TPSMain "= "TPSMain.exe "
    "PadTouch "= "C:\\Program Files\\TOSHIBA\\Touch and Launch\\PadExe.exe "
    "SmoothView "= "C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe "
    "dla "= "C:\\WINDOWS\\system32\\dla\\DLACTRLW.exe "
    "Pinger "= "c:\\toshiba\\ivp\\ism\\pinger.exe /run "
    "IntelZeroConfig "= "\ "C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\" "
    "IntelWireless "= "\ "C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless "
    "Ad-watch "= "C:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-watch.exe "
    "avast! "= "C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe "
    "avast! "= "C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe "= "C:\\WINDOWS\\system32\\ctfmon.exe "
    "AIM "= "C:\\Program Files\\RRIM\\aim.exe -cnetwait.odl "
    "toscdspd "= "TOSCDSPD.EXE "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
    "{002D7F93-0746-1033-0511-060729200001} "= "\ "C:\\Program Files\\Common Files\\{002D7F93-0746-1033-0511-060729200001}\\Update.exe\" mc-110-12-0000272 "

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,96,00,00,00,00,00,00,00,6a,04,00,00,02,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=hex:04,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metamail Trust Manager.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Metamail Trust Manager.lnk "
    "backup "= "C:\\WINDOWS\\pss\\Metamail Trust Manager.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\METAMA~1\\METAMA~2\\METAMA~1.EXE "
    "item "= "Metamail Trust Manager "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "AGRSMMSG "
    "hkey "= "HKLM "
    "command "= "AGRSMMSG.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "Ares "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Ares\\Ares.exe\" -h "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "msmsgs "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "NeroCheck "
    "hkey "= "HKLM "
    "command "= "C:\\WINDOWS\\system32\\NeroCheck.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "LexBceS "=dword:00000002
    "SAVScan "=dword:00000003
    "ose "=dword:00000003
    "aspnet_state "=dword:00000003
    "AOL TopSpeedMonitor "=dword:00000002
    "AOL ACS "=dword:00000002




    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\At1.job

    Completion time: Fri 08/11/2006 17:42:54.73
    ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt

    I will paste a copy of my hijackthis log in another post.
     
  7. 2006/08/11
    Brian12345

    Brian12345 Inactive Thread Starter

    Joined:
    2006/08/11
    Messages:
    17
    Likes Received:
    0
    Here is the recent hijackthis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:47:47 PM, on 8/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\TDispVol.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Toshiba\Tvs\TvsTray.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\Synaptics\SynTP\Toshiba.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\WINDOWS\system32\dla\DLACTRLW.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Common Files\{002D7F93-0746-1033-0511-060729200001}\Update.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\RRIM\aim.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Brian Smith.BRIAN\Desktop\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
    O1 - Hosts: localhost 127.0.0.1
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\RRIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [toscdspd] TOSCDSPD.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\RRIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{29BB1743-E605-4195-94BF-36B6E5B20354}: NameServer = 85.255.114.93,85.255.112.122
    O17 - HKLM\System\CCS\Services\Tcpip\..\{511F5966-5826-4843-A037-926E3BDCF6EF}: NameServer = 85.255.114.93,85.255.112.122
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5454CADA-277E-4EEC-A5E7-40FBAC4C785D}: NameServer = 85.255.114.93,85.255.112.122
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.93 85.255.112.122
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.93 85.255.112.122
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.93 85.255.112.122
    O20 - AppInit_DLLs:
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
    O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

    Thank you for taking the time to help me.
     
  8. 2006/08/11
    TeMerc

    Wrong!! :p
    It picked up several at first glance. I'll be doing some more looking thru the evening and post later on.
     
  9. 2006/08/11
    Brian12345

    I am glad that someone is helping me with this because I guess I really don't know what I am looking for. I'll be checking back consistently, so if you don't have time to help any tonight it is ok. It does not seem to me to be a really big problem; it is just something I want to take care of before it becomes one. Thanks
     
  10. 2006/08/12
    TeMerc

    Funny thing, I just had some of these infections the other weekend. They were all removed with a variety of freeware scanners.

    Let's get busy.

    Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.


    We will be doing some registry editing so please follow directions for backing up your registry.

    Be sure Ad-watch is still disabled, please; I see it running in that last HJT log file.

    First download Ewido Anti-Spyware from HERE and save that file to your desktop.
    This is a 30-day trial of the program.
    1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need to run ewido and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

      Do not run a scan yet.

      Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It also needs to be removed from the desktop.
      You can do this by going to My Computer (Windows key+e), then double click on C:, then right click and select New, then Folder, and name it HJT (C:\HJT\HijackThis.exe). Move HijackThis.exe into this folder. When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of modifications to use if a restore is necessary, which is easily accessible. It must not be contained on your desktop.

      Reboot into safe mode, this way:
      Turn on the computer
      Immediately begin tapping the <F8> key.
      Use the arrow keys to highlight Safe Mode and press the <Enter> key.

      Also, enable the 'Show Hidden Folders' option, like this:
      Click Start.
      Open My Computer.
      Select the Tools menu and click Folder Options.
      Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
      Uncheck the Hide protected operating system files (recommended) option.
      Click Yes to confirm.
      Click OK.

      Please go to Add/Remove, and if found, uninstall the following:
      àppPatch
      Cowabanga
      ToolBar888
      Ares


      By using ANY form of P2P file sharing, you will be continuously open to infections EVERY time you DL something. I strongly recommend you remove all instances of it from your machine.

      Please hit 'Ctrl' + 'Alt' + 'Delete' to bring up running processes and 'End Task' on the following process(es):
      C:\Program Files\Common Files\{002D7F93-0746-1033-0511-060729200001}\Update.exe
      • Launch ewido anti-spyware by double-clicking the icon on your desktop.
      • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
      • ewido will now begin the scanning process; be patient, this may take a little time.
        Once the scan is complete do the following:
      • If you have any infections you will be prompted; then select "Apply all actions".
      • Next select the "Reports" icon at the top.
      • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).

      Run Hijackthis and look over the following entries I have listed and if present, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

      O1 - Hosts: localhost 127.0.0.1


      O17 - HKLM\System\CCS\Services\Tcpip\..\{29BB1743-E605-4195-94BF-36B6E5B20354}: NameServer = 85.255.114.93,85.255.112.122

      O17 - HKLM\System\CCS\Services\Tcpip\..\{511F5966-5826-4843-A037-926E3BDCF6EF}: NameServer = 85.255.114.93,85.255.112.122

      O17 - HKLM\System\CCS\Services\Tcpip\..\{5454CADA-277E-4EEC-A5E7-40FBAC4C785D}: NameServer = 85.255.114.93,85.255.112.122

      O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.93 85.255.112.122

      O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.93 85.255.112.122

      O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.93 85.255.112.122


      O20 - AppInit_DLLs:


      Search for, and delete, if found, the following files/folders:
      C:\Program Files\àppPatch<<<<---folder
      C:\Program Files\Cowabanga<<<<---folder
      C:\Program Files\ToolBar888<<<<---folder
      C:\Program Files\Common Files\{002D7F93-0746-1033-0511-060729200001}<<<<---folder
      C:\Program Files\Ares<<<<---folder
      C:\WINDOWS\system32\mljjj.dll<<<--file
      C:\WINDOWS\system32\tuvwwts.dll<<<--file
      C:\WINDOWS\system32\aswBoot.exe<<<--file

      While still in safe mode, navigate to the registry and delete the following:

      Click the 'Start' button, select 'Run', hit 'Enter'.

      When the box appears, type 'regedit', hit 'Enter'.

      Navigate to the following key, by unticking the '+' next to each subkey:
      HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run

      In the right hand side of the window, look for:
      {002D7F93-0746-1033-0511-060729200001}

      Right-click it and select 'Delete', then close the registry.

      Reboot into Normal mode and post a new HJT log back into this thread please along with the previously saved Ewido logfile.
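As an added example for this thread (it is not code from HijackThis, ewido, ComboFix or any other tool named here), the Python script below does mechanically what TeMerc is doing by eye on the log above: it flags O17 NameServer entries that point name resolution at resolvers the owner never configured, O20 AppInit_DLLs entries that actually carry a DLL, and O23 services whose image file is reported missing. The trusted-resolver set, the sample log lines and the placeholder GUID and DLL name are constructed for the example; the empty AppInit_DLLs line mirrors the value HijackThis 1.99.1 prints in this thread and is treated as the normal, clean state.

```python
"""Triage a HijackThis-style log for the rogue-DNS pattern seen in this thread.

Added example for this thread; it is not part of HijackThis, ewido, ComboFix
or any other tool mentioned here.
"""
import ipaddress
import re

# Resolvers the machine's owner actually expects. Constructed placeholder:
# on a real system this would be the router or ISP resolver addresses.
TRUSTED_RESOLVERS = {"192.168.1.1"}

# Constructed sample lines modelled on the O17/O20/O23 entries quoted in the thread.
# {AAAA-CONSTRUCTED} and example-constructed.dll are placeholders, not real values.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{29BB1743-E605-4195-94BF-36B6E5B20354}: NameServer = 85.255.114.93,85.255.112.122
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.93 85.255.112.122
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAA-CONSTRUCTED}: NameServer = 192.168.1.1
O20 - AppInit_DLLs:
O20 - AppInit_DLLs: C:\WINDOWS\system32\example-constructed.dll
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
"""

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_nameservers(value):
    """Split a NameServer value into IP strings.

    HijackThis prints interface keys with commas and the Parameters key with
    spaces between addresses, so both separators are accepted; tokens that
    are not valid IP addresses are dropped.
    """
    servers = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        try:
            servers.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue
    return servers


def triage(log_text, trusted=TRUSTED_RESOLVERS):
    """Return (section, subject, reason) tuples for lines worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            unexpected = [ip for ip in parse_nameservers(m["servers"]) if ip not in trusted]
            if unexpected:
                findings.append(("O17", m["key"],
                                 "NameServer not in trusted set: " + ", ".join(unexpected)))
            continue
        m = O20_RE.match(line)
        if m:
            # An empty AppInit_DLLs value is the normal state; only a populated
            # value means a DLL is loaded into every process that uses user32.
            if m["dlls"]:
                findings.append(("O20", "AppInit_DLLs",
                                 "DLL loaded into every user32 process: " + m["dlls"]))
            continue
        m = O23_RE.match(line)
        if m and m["path"].endswith("(file missing)"):
            findings.append(("O23", m["name"],
                             "service image reported missing; verify the path on disk"))
    return findings


if __name__ == "__main__":
    for section, subject, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {subject}\n     {reason}")
```

The O23 finding is a prompt to verify, not a verdict: as the Print Spooler and Smart Card lines in the log above show, this version of HijackThis reports "(file missing)" for some built-in Windows services whose path is stored with an environment variable, so check that the image exists on disk before treating it as an infection. The O17 finding is the one that matters most here; a resolver the owner did not set lets a third party decide where every hostname on the machine goes.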
     
  11. 2006/08/12
    Brian12345

    Ok, followed directions as stated, and upon scanning with ewido anti-spyware I had an error in deleting an infection, "Downloader.Agent.uj".

    I also had an error in HJT, here is the error message that showed up:

    An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: )
    Error #5 - Invalid procedure call or argument

    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were trying to fix when the error occurred, if applicable
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2900.2180
    HijackThis version: 1.99.1

    This message has been copied to your clipboard.
    Click OK to continue the rest of the scan.


    And the reason I quoted you above is that when I tried to delete "mljjj.dll" I was given an error message stating that it was being used by another program. I was still in safe mode and the only processes running were the needed programs and HJT and ewido.

    I will post a new HijackThis log in another post and the ewido log in one following it.

    Thank you for your help so far.
     
  12. 2006/08/12
    Brian12345

    Here is the HJT log.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:58:16 AM, on 8/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\TDispVol.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Toshiba\Tvs\TvsTray.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\WINDOWS\system32\dla\DLACTRLW.exe
    C:\Program Files\Synaptics\SynTP\Toshiba.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\RRIM\aim.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\RRIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [toscdspd] TOSCDSPD.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\RRIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
    O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
     
    Last edited: 2006/08/12
  13. 2006/08/12
    Brian12345

    ewido log....


    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 3:24:12 AM 8/12/2006

    + Scan result:



    HKLM\SOFTWARE\Classes\Media-Codec.Chl -> Adware.Generic : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Media-Codec.Chl\CLSID -> Adware.Generic : Cleaned with backup (quarantined).
    C:\Documents and Settings\Brian Smith\Local Settings\Temporary Internet Files\Content.IE5\QTSZMNWL\util[1].js -> Adware.MediaMotor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\Program Files\ToolBar888 -> Adware.ToolBar888 : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\tuvwwts.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP3\A0001180.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP3\A0001187.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP3\A0001203.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP3\A0001219.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP3\A0001379.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP3\A0001672.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP3\A0001768.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP5\A0001902.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
    [164] VM_009E0000 -> Downloader.Agent.uj : Error during cleaning.
    [524] VM_003D0000 -> Downloader.Agent.uj : Error during cleaning.
    [760] VM_034E0000 -> Downloader.Agent.uj : Error during cleaning.
    [792] VM_00C00000 -> Downloader.Agent.uj : Error during cleaning.

    C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Ignored.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Brian Smith\Cookies\brian smith@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.14:C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Mozilla\Firefox\Profiles\bwm973kp.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@bfast[2].txt -> TrackingCookie.Bfast : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.
    C:\Documents and Settings\Brian Smith\Cookies\brian smith@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
    C:\Documents and Settings\Brian Smith\Cookies\brian smith@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\Brian Smith\Cookies\brian smith@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@com[1].txt -> TrackingCookie.Com : Cleaned.
    C:\Documents and Settings\Brian Smith\Cookies\brian smith@com[1].txt -> TrackingCookie.Com : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@a.as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@ehg-inforspaceinc.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@ehg-maniatv.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
    C:\Documents and Settings\Brian Smith\Cookies\brian smith@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Brian Smith\Cookies\brian smith@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Brian Smith.BRIAN\Cookies\brian smith@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
    C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1\A0000014.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1\A0000338.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000670.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\znbyb.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP3\A0001193.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP3\A0001211.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP3\A0001226.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP3\A0001408.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP3\A0001679.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP3\A0001777.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).


    ::Report end
     
  14. 2006/08/12
    TeMerc

    OK, let's get a fresh ComboFix log file please.

    We need to see if any files changed names and see what else may be lurking.

    Thanks for being patient.
     
  15. 2006/08/12
    Brian12345

    Hey, it's no problem. I am not going to be someone who demands help when I am getting the service for no charge. Thank you for taking the time and being willing to help people.

    Here is a fresh combofix log.

    Start Time= Sat 08/12/2006 13:40:05.68
    Running from: C:\Documents and Settings\Brian Smith.BRIAN\Desktop

    QuickScan did not find any signs of infected files

    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-12 07:47:36 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0 "
    2006-08-08 22:34:14 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Mozilla "
    2006-08-08 22:33:56 ( .D... ) "C:\Program Files\Mozilla Firefox "
    2006-08-04 23:05:48 ( .D... ) "C:\Program Files\Alwil Software "
    2006-08-04 03:20:56 573492 ( ...H. ) "C:\WINDOWS\system32\mljjj.dll "
    2006-08-04 03:03:28 ( .D... ) "C:\Program Files\àppPatch "
    2006-08-02 17:11:16 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Lavasoft "
    2006-08-02 17:11:08 ( .D... ) "C:\Program Files\Lavasoft "
    2006-07-31 18:28:12 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Sun "
    2006-07-31 00:30:12 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\InterVideo "
    2006-07-30 23:06:00 ( .D... ) "C:\Program Files\BitLord "
    2006-07-30 22:04:50 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\AdobeUM "
    2006-07-30 19:32:40 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Aim "
    2006-07-30 19:31:02 ( .D... ) "C:\Program Files\RRIM "
    2006-07-30 18:04:56 ( .D... ) "C:\Program Files\Norton AntiVirus "
    2006-07-30 18:04:28 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Symantec "
    2006-07-30 16:59:52 ( .D... ) "C:\Program Files\Common Files\Symantec Shared "
    2006-07-30 16:39:24 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Ahead "
    2006-07-30 16:38:40 ( .D... ) "C:\Program Files\Common Files\Ahead "
    2006-07-30 16:38:38 ( .D... ) "C:\Program Files\Ahead "
    2006-07-30 16:34:38 ( .D... ) "C:\Program Files\CloneDVD "
    2006-07-30 15:19:34 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Macromedia "
    2006-07-30 15:12:22 ( .DS.. ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Microsoft "
    2006-07-30 15:12:22 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\You've Got Pictures Screensaver "
    2006-07-30 15:12:22 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\toshiba "
    2006-07-30 15:12:22 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Identities "
    2006-07-30 15:12:22 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\AOL "
    2006-07-30 15:12:22 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Adobe "
    2006-07-29 22:49:32 ( .D... ) "C:\Documents and Settings\Brian Smith.BRIAN\Application Data\Intel "
    2006-07-25 18:03:44 466944 ( A.... ) "C:\WINDOWS\system32\capicom.dll "


    (((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


    2006-08-12 03:39 597,504 C:\WINDOWS\system32\aswBoot.exe
    2006-08-12 03:36 1,063,309,312 C:\hiberfil.sys
    2006-08-08 18:48 90,112 C:\WINDOWS\system32\AVASTSS.scr
    2006-08-04 03:20 573,492 C:\WINDOWS\system32\mljjj.dll
    2006-08-02 15:57 299,520 C:\WINDOWS\uninst.exe
    2006-08-01 16:50 98,304 C:\WINDOWS\system32\msir3jp.dll
    2006-08-01 16:50 9,216 C:\WINDOWS\system32\kbdnecAT.dll
    2006-08-01 16:50 838,144 C:\WINDOWS\system32\chtbrkr.dll
    2006-08-01 16:50 70,656 C:\WINDOWS\system32\korwbrkr.dll
    2006-08-01 16:50 7,680 C:\WINDOWS\system32\kbdnecNT.dll
    2006-08-01 16:50 7,168 C:\WINDOWS\system32\kbdnec95.dll
    2006-08-01 16:50 7,168 C:\WINDOWS\system32\kbdibm02.dll
    2006-08-01 16:50 7,168 C:\WINDOWS\system32\f3ahvoas.dll
    2006-08-01 16:50 6,656 C:\WINDOWS\system32\kbdlk41a.dll
    2006-08-01 16:50 6,144 C:\WINDOWS\system32\kbdlk41j.dll
    2006-08-01 16:50 6,144 C:\WINDOWS\system32\kbdax2.dll
    2006-08-01 16:50 6,144 C:\WINDOWS\system32\kbd106n.dll
    2006-08-01 16:50 6,144 C:\WINDOWS\system32\kbd101a.dll
    2006-08-01 16:50 6,144 C:\WINDOWS\system32\kbd101.dll
    2006-08-01 16:50 218,112 C:\WINDOWS\system32\c_g18030.dll
    2006-08-01 16:50 1,677,824 C:\WINDOWS\system32\chsbrkr.dll
    2006-08-01 16:49 811,064 C:\WINDOWS\system32\imjp81k.dll
    2006-08-01 16:49 8,704 C:\WINDOWS\system32\kbdjpn.dll
    2006-08-01 16:49 8,192 C:\WINDOWS\system32\kbdkor.dll
    2006-08-01 16:49 76,288 C:\WINDOWS\system32\uniime.dll
    2006-08-01 16:49 6,656 C:\WINDOWS\system32\c_is2022.dll
    2006-08-01 16:49 6,144 C:\WINDOWS\system32\kbd106.dll
    2006-08-01 16:49 6,144 C:\WINDOWS\system32\kbd101c.dll
    2006-08-01 16:49 6,144 C:\WINDOWS\system32\kbd101b.dll
    2006-08-01 16:49 5,632 C:\WINDOWS\system32\kbd103.dll
    2006-07-30 19:31 344,064 C:\WINDOWS\system32\msvcr70.dll
    2006-07-30 17:00 466,944 C:\WINDOWS\system32\capicom.dll
    2006-07-30 16:38 569,344 C:\WINDOWS\system32\imagr5.dll
    2006-07-30 16:38 544,768 C:\WINDOWS\system32\imagx5.dll
    2006-07-30 16:38 38,912 C:\WINDOWS\system32\picn20.dll
    2006-07-30 16:38 283,920 C:\WINDOWS\system32\ImagXpr5.dll
    2006-07-30 16:38 155,648 C:\WINDOWS\system32\NeroCheck.exe
    2006-07-30 16:38 106,496 C:\WINDOWS\system32\TwnLib20.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "TFncKy"="TFncKy.exe"
    "TDispVol"="TDispVol.exe"
    "igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
    "ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
    "THotkey"="C:\\Program Files\\Toshiba\\Toshiba Applet\\thotkey.exe"
    "SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
    "SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
    "NDSTray.exe"="NDSTray.exe"
    "Tvs"="C:\\Program Files\\Toshiba\\Tvs\\TvsTray.exe"
    "TPSMain"="TPSMain.exe"
    "PadTouch"="C:\\Program Files\\TOSHIBA\\Touch and Launch\\PadExe.exe"
    "SmoothView"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
    "dla"="C:\\WINDOWS\\system32\\dla\\DLACTRLW.exe"
    "Pinger"="c:\\toshiba\\ivp\\ism\\pinger.exe /run"
    "IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
    "IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
    "Ad-watch"="C:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-watch.exe"
    "avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
    "!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
    "!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "AIM"="C:\\Program Files\\RRIM\\aim.exe -cnetwait.odl"
    "toscdspd"="TOSCDSPD.EXE"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metamail Trust Manager.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Metamail Trust Manager.lnk"
    "backup"="C:\\WINDOWS\\pss\\Metamail Trust Manager.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\METAMA~1\\METAMA~2\\METAMA~1.EXE"
    "item"="Metamail Trust Manager"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="AGRSMMSG"
    "hkey"="HKLM"
    "command"="AGRSMMSG.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="Ares"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NeroCheck"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "LexBceS"=dword:00000002
    "SAVScan"=dword:00000003
    "ose"=dword:00000003
    "aspnet_state"=dword:00000003
    "AOL TopSpeedMonitor"=dword:00000002
    "AOL ACS"=dword:00000002
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
    DisableRegistryTools REG_DWORD 0 (0x0)



    Contents of the 'Scheduled Tasks' folder

    Completion time: Sat 08/12/2006 13:41:09.50
    ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt

    ComboFix.2006-08-11.175527.txt
    ComboFix.2006-08-11.212206.txt
    ComboFix.2006-08-12.134005.txt
     
  16. 2006/08/13
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well, it's been a long day for me, had a couple of kids over for a playdate and out visiting family, so my reply comes at a rather longer interval than I'd really like.

    Let's try a special app to remove that stubborn file.

    1) Please download the Killbox.
    Save it to the desktop and run it.

    2) Select "Delete on Reboot", and then select "All files".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\system32\mljjj.dll
    C:\Program Files\àppPatch

    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Reboot your machine and post a new ComboFix log file.
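    The "Delete on Reboot" option in the steps above works by queuing the paths in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (the same value the Win32 call MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes to); the session manager processes that list at the next boot, and an entry with an empty destination means "delete". The script below is an added example, not part of the thread and not Killbox's own code: it decodes that value so you can confirm, before rebooting, that the queued deletion is still there (or see what else is scheduled, which is also worth checking on a machine you suspect is infected). The sample list is constructed from the two paths named in the post; the live query reads the machine's real value.

```powershell
# Added example (not from the thread): decode the delete/rename-on-reboot queue
# that "Delete on Reboot" tools rely on. The value is a REG_MULTI_SZ of
# source/destination pairs; an empty destination means "delete source at boot".
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$valueName = 'PendingFileRenameOperations'

function Get-PendingFileOperations {
    param(
        # Pass a string array to decode offline; omit it to read the live registry.
        [string[]]$Raw = $null
    )
    if ($null -eq $Raw) {
        $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -eq $item) { return @() }   # value absent: nothing queued
        $Raw = $item.$valueName
    }
    $ops = @()
    for ($i = 0; $i -lt $Raw.Count; $i += 2) {
        # Entries carry the NT object-namespace prefix \??\ ; strip it for display.
        $src = $Raw[$i] -replace '^\\\?\?\\', ''
        $dst = if ($i + 1 -lt $Raw.Count) { $Raw[$i + 1] -replace '^\\\?\?\\', '' } else { '' }
        $ops += [pscustomobject]@{
            Action      = if ([string]::IsNullOrEmpty($dst)) { 'Delete' } else { 'Rename' }
            Source      = $src
            Destination = $dst
        }
    }
    return $ops
}

# Constructed sample mirroring the two paths posted in the thread, so the
# decoder can be exercised without touching the live registry.
$sample = @(
    '\??\C:\WINDOWS\system32\mljjj.dll', '',
    '\??\C:\Program Files\àppPatch',     ''
)
Write-Host '--- constructed sample ---'
Get-PendingFileOperations -Raw $sample | Format-Table -AutoSize

# Live queue on the machine being examined (no rows = nothing scheduled).
Write-Host '--- live PendingFileRenameOperations ---'
Get-PendingFileOperations | Format-Table -AutoSize
```

    If the live query returns nothing right after Killbox reported success, the queue was cleared before the reboot, which is what the "PendingFileRenameOperations Registry Data has been Removed by External Process!" message reported later in this thread describes; in that case the deletion will not happen at boot and another approach is needed.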
     
  17. 2006/08/13
    Brian12345

    Brian12345 Inactive Thread Starter

    Joined:
    2006/08/11
    Messages:
    17
    Likes Received:
    0
    Ok, I did as you stated and when I click on the "delete files" button I get a message that says "PendingFileRenameOperations Registry Data has been Removed by External Process!" and it will not reboot my computer.
     
  18. 2006/08/13
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Restart it manually and look for that file; see if you can find it and delete it, then give me another ComboFix log file.

    If you get any error that the file is in use or similar, try The Unlocker.

    You'll have to navigate to the file, right-click it, select the Unlocker option from the menu and then select the option to 'Unlock all'. Then you should be able to delete the file.
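    A "file in use" error on a DLL means some running process has it mapped, and which process matters: a DLL hosted only by a user application can be released by closing that application, but one hosted by winlogon.exe or another session-critical process cannot be safely unloaded, because killing or crashing that process takes the session down (the freeze and winlogon error reported later in this thread are what that looks like). The script below is an added example, not part of the thread and not Unlocker's own code; it lists every process that has a given module loaded and flags the critical ones, so you know before clicking 'Unlock all' whether the delete-on-reboot route is the safer choice. The module name is the one ComboFix flagged in this thread; substitute whatever your own log shows.

```powershell
# Added example (not from the thread): before forcing an "in use" DLL free,
# find out which processes have it loaded and whether any of them is
# session-critical. Run from an elevated prompt for the widest coverage.
$moduleName = 'mljjj.dll'   # name taken from the ComboFix log in this thread

# Processes whose termination logs the user off or bugchecks the machine.
$criticalProcesses = @('winlogon', 'csrss', 'services', 'lsass', 'smss')

function Get-ProcessesLoadingModule {
    param([Parameter(Mandatory)][string]$Name)
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try {
            # Reading .Modules throws "Access is denied" for some protected
            # processes; treat those as "not visible" rather than aborting.
            $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq $Name }
        } catch {
            $hit = $null
        }
        if ($hit) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                ModulePath  = ($hit | Select-Object -First 1).FileName
                Critical    = $criticalProcesses -contains $proc.ProcessName
            }
        }
    }
}

$hosts = @(Get-ProcessesLoadingModule -Name $moduleName)
if ($hosts.Count -eq 0) {
    Write-Host "No running process has $moduleName loaded; a normal delete should work."
} else {
    $hosts | Format-Table -AutoSize
    if ($hosts | Where-Object { $_.Critical }) {
        Write-Host "Loaded into a session-critical process: do not force-unlock it; use the delete-on-reboot route instead."
    }
}
```

    The user-side check here is the same one Unlocker performs when it shows the locking processes; the difference is that the table makes the "critical" cases explicit before anything is unlocked.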
     
  19. 2006/08/13
    Brian12345

    Brian12345 Inactive Thread Starter

    Joined:
    2006/08/11
    Messages:
    17
    Likes Received:
    0
    Ok, I saw that you posted a minute ago so hopefully I can catch you in time. The file mljjj.dll is being used by explorer.exe, iexplorer.exe, and winlogon.exe. Is it going to be safe to unlock this file or is it going to freeze me up?
     
  20. 2006/08/13
    Brian12345

    Brian12345 Inactive Thread Starter

    Joined:
    2006/08/11
    Messages:
    17
    Likes Received:
    0
    I went ahead and gave it a shot after posting the reply. It did freeze my comp. up. Then upon reboot it gave me a report that winlogon.exe has encountered an error and needs to close. Got any ideas?
     
  21. 2006/08/13
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Let's get a fresh ComboFix log; the error had more to do with the rogue file than anything else.

    Also give me a new HJT log file as well.
     