Trojan Beast

Jalvarezmcp

Hello,

I've removed most of the viruses/malware except this one: if I have an active
internet connection at start up then my Avast catches it and allows me to
delete it, only for it to appear again on the next reboot; if I'm not internet
connected then nothing. The file that ends up infected is
c:\windows\system32\qwinmldt.exe

The name of the malware/Trojan is: Win32:Downloader-IB [trj]

Here below are the logfiles from HijackThis and the Kaspersky Online Scanner:

Logfile of HijackThis v1.99.1
Scan saved at 6:30:48 PM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\Logi_MwX.Exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\windows\system32\kldsrngp.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\CATHY~1.TOS\LOCALS~1\Temp\bwgo0000d4c4.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\AVStuff\TM HiJackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [{B2-23-31-13-ZN}] C:\windows\system32\kldsrngp.exe CHD003
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TouchED] "C:\Program Files\TOSHIBA\TouchED\TouchED.Exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] "C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [CitiVAN] "C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" /dontopenmycards
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\kldsrngp.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129320974937
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: pntsvc - Unknown owner - C:\Program Files\KODAK\Pictures Now Transfer\pntsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Kaspersky Log:

KASPERSKY ONLINE SCANNER REPORT
Monday, September 24, 2007 5:46:31 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 25/09/2007
Kaspersky Anti-Virus database records: 422958


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\CATHY~1.TOS\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 26446
Number of viruses found 1
Number of infected objects 4
Number of suspicious objects 0
Duration of the scan process 00:50:47

Infected Object Name Virus Name Last Action
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D9890980-0082-44BA-B3AB-CAD8AA47E84A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dwdsrngt.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\kldsrngp.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\WINDOWS\system32\lmdsrngl.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\WINDOWS\system32\lmdsrngs.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6b4.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\CATHY~1.TOS\LOCALS~1\Temp\hpodvd09.log Object is locked skipped
C:\DOCUME~1\CATHY~1.TOS\LOCALS~1\Temp\WCESLog.log Object is locked skipped
C:\DOCUME~1\CATHY~1.TOS\LOCALS~1\Temp\~DFE873.tmp Object is locked skipped
C:\DOCUME~1\CATHY~1.TOS\LOCALS~1\Temp\~DFEEF3.tmp Object is locked skipped

Scan process completed.

Any ideas?
 

Kayman

On Mon, 24 Sep 2007 21:16:00 -0700, Jalvarezmcp wrote:
> Hello,
> I've removed most the viruses/malware except this one, if I have an active
> internet connection at start up then my Avast catches it and allows me to
> delete it only to appear on next reboot, unless I'm not internet connected
> then nothing. The file that ends up infected is
> c:\windows\system32\qwinmldt.exe
> The name of the malware/Trojan is: Win32:Downloader-IB [trj]
> Here below is the logfile from Hi-Jack this and the Kapersky Online Scanner:
>

Do not post HJT logs to newsgroups.
Forums where you can get expert advice for HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED in any of the below before posting a log.

(http://www.theeldergeek.com/forum/index.php?s=2e9ea4e19d3289dd877ab75a8220bff6&showforum=29)
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=hijackthis)
(http://aumha.net/viewforum.php?f=30)
(http://forums.spywareinfo.com/index.php?&showforum=18)
(http://www.spywarewarrior.com/viewforum.php?f=5)
(http://www.bleepingcomputer.com/forums/forum22.html)
(http://www.dslreports.com/forum/cleanup)
(http://forum.malwareremoval.com/viewforum.php?f=11)
(http://www.cybertechhelp.com/forums/forumdisplay.php?f=25)
(http://www.atribune.org/forums/index.php?showforum=9)
(http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html)
(http://forums.spywareinfo.com/index.php?showforum=18)
(http://www.techmonkeys.co.uk/forums/viewforum.php?f=8)
(http://forum.networktechs.com/forumdisplay.php?f=130)
(http://forums.maddoktor2.com/index.php?showforum=17)
(http://forums.spywaretimes.com/index.php?showforum=2)
(http://www.bluetack.co.uk/forums/index.php?showforum=172)
(http://forums.techguy.org/f54-s.html)
(http://forums.tomcoyote.org/index.php?showforum=27)
(http://forums.subratam.org/index.php?showforum=7)
(http://www.5starsupport.com/ipboard/index.php?showforum=18)
(http://www.malwarebytes.org/forums/index.php?showforum=7)
(http://www.wilderssecurity.com/forumdisplay.php?f=26)
(http://makephpbb.com/phpbb/viewforum.php?f=2)
(http://forums.techguy.org/54-security/)
(http://forums.security-central.us/forumdisplay.php?f=13)
(http://castlecops.com/forum67.html)
(http://gladiator-antivirus.com/forum/index.php?showforum=170)

Download David H. Lipman's MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose Unzip
Choose Close

Execute C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to
go through your FireWall to allow it to download the needed AV vendor
related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in
Normal Mode. This way all the components can be downloaded from each AV
vendor's web site.
The choices are Sophos, Trend, McAfee, Kaspersky, Exit this menu and
Reboot the PC.

You can choose to go to each menu item and just download the needed files
or you can download the files and perform a scan in Normal Mode. Once you
have downloaded the files needed for each scanner you want to use, you
should reboot the PC into Safe Mode [F8 key during boot] and re-run the
menu again and choose which scanner you want to run in Safe Mode.
It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more
comprehensive PDF help file.
http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm
Vista users please note:
http://www.elephantboycomputers.com/page2.html#Multi-AV

Good luck :)
 

Milo (MSPSS)

Thanks for taking time to produce those logs

As I see it, these are the ( unknown ) ones; maybe we can help you further in
identifying the said file. Also, if I am not mistaken, you are running in safe
mode with networking; it would help more to identify the issue if you are in
normal mode. Anyway, this is by far what I identified:

C:\windows\system32\kldsrngp.exe
C:\DOCUME~1\CATHY~1.TOS\LOCALS~1\Temp\bwgo0000d4c4.exe ( weird algo )
O4 - HKLM\..\Run: [{B2-23-31-13-ZN}] C:\windows\system32\kldsrngp.exe CHD003
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\kldsrngp.exe

If you are in the US/CANADA please call Microsoft Security rather, for direct
and free assistance removing this infection; it's toll free ( 866 727 2338 ).
And please do indicate to them the file as listed, thanks.


"Jalvarezmcp" <Jalvarezmcp@discussions.microsoft.com> wrote in message
news:E4AB5906-DB38-4011-ABC8-A4DF7DD86BE7@microsoft.com...
> Hello,
>
> I've removed most the viruses/malware except this one, if I have an active
> internet connection at start up then my Avast catches it and allows me to
> delete it only to appear on next reboot, unless I'm not internet connected
> then nothing. The file that ends up infected is
> c:\windows\system32\qwinmldt.exe
>
> The name of the malware/Trojan is: Win32:Downloader-IB [trj]
>
> Here below is the logfile from Hi-Jack this and the Kapersky Online
> Scanner:
>
> Any ideas?
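An added example, not from any poster in this thread nor from HijackThis or Kaspersky: a small Python script that does Milo's cross-check mechanically, parsing the O4 autostart lines and flagging any whose target the Kaspersky report marked Infected. The sample lines are copied from the logs above; the value-name and system32 heuristics are this example's own assumptions.

```python
"""Cross-check HijackThis O4 autostart entries against Kaspersky scanner verdicts.

Added example for this thread; not a tool from any poster, from HijackThis or
from Kaspersky. The sample lines are a constructed subset copied from the logs
posted above. The name/path heuristics are this example's own assumptions.
"""
import re

# Constructed sample: O4 lines taken from the thread's HijackThis log.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [{B2-23-31-13-ZN}] C:\windows\system32\kldsrngp.exe CHD003
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\kldsrngp.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
"""

# Constructed sample: result lines taken from the thread's Kaspersky Online Scanner report.
KAV_SAMPLE = r"""
C:\WINDOWS\system32\dwdsrngt.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\kldsrngp.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
"""

# "O4 - <location>: [<value name>] <command>"  or  "O4 - Startup: <file>.lnk = <target>"
O4_RE = re.compile(
    r"^O4 - (?P<where>HKLM\\\.\.\\Run|HKCU\\\.\.\\Run|Startup|Global Startup): "
    r"(?:\[(?P<name>[^\]]*)\] )?(?P<rest>.+)$"
)
# "<path> Infected: <verdict> <last action>"; paths may contain spaces, so stop at " Infected: ".
KAV_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")
# Assumed heuristic: Run value names that are hyphenated hex-ish tokens in braces,
# like the thread's {B2-23-31-13-ZN}, rather than a product name.
RANDOM_NAME_RE = re.compile(r"^\{[0-9A-Z]{2}(?:-[0-9A-Z]{2})+\}$")


def parse_kav_detections(text):
    """Map lower-cased full paths to the scanner verdict for every 'Infected:' line."""
    detections = {}
    for line in text.splitlines():
        m = KAV_RE.match(line.strip())
        if m:
            detections[m["path"].lower()] = m["verdict"]
    return detections


def exe_from_command(cmd):
    """Return the image path of a Run command: the quoted part, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_hjt_o4(line):
    """Parse one O4 line into {where, name, target, line}; None for non-O4 lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    where, name, rest = m["where"], m["name"], m["rest"]
    if where in ("Startup", "Global Startup"):
        # Shortcut form: the whole right-hand side of " = " is the target path.
        lnk, _, target = rest.partition(" = ")
        return {"where": where, "name": lnk, "target": target.strip(), "line": line.strip()}
    return {"where": where, "name": name or "", "target": exe_from_command(rest), "line": line.strip()}


def triage(hjt_text, kav_text):
    """Return the O4 entries worth a closer look, each with the reasons it was flagged."""
    detections = parse_kav_detections(kav_text)
    findings = []
    for line in hjt_text.splitlines():
        entry = parse_hjt_o4(line)
        if entry is None:
            continue
        target = entry["target"].lower()
        reasons = []
        if target in detections:
            reasons.append("scanner verdict: " + detections[target])
        if RANDOM_NAME_RE.match(entry["name"]):
            reasons.append("Run value name is a random-looking token")
        if entry["where"] in ("Startup", "Global Startup") and "\\system32\\" in target:
            reasons.append("startup shortcut targets a file in system32 (assumed unusual)")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, KAV_SAMPLE):
        print(f["line"])
        for r in f["reasons"]:
            print("    -", r)
```

Run against the thread's logs it reports only the two kldsrngp.exe autostarts, which is exactly the pair Milo singled out; the locked-file "skipped" lines are ignored because they carry no verdict.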
 

Jalvarezmcp

You are the man. I deleted/quarantined that file (and a few others that were
very similar) and ran a few more clean-up scans, and voila, things are all
better.

Thanks

"Milo (MSPSS)" wrote:

> Thanks for taking time to produce those logs
>
> As i see it this are the ( unknown ), maybe we can help you further
> identifying the said file. Also if am not mistaken you are running in safe
> mode with networking it would help more to identify the issue if you are on
> normal mode: Anyways this is by far what I identfied
>
> C:\windows\system32\kldsrngp.exe
> C:\DOCUME~1\CATHY~1.TOS\LOCALS~1\Temp\bwgo0000d4c4.exe ( weird algo )
> O4 - HKLM\..\Run: [{B2-23-31-13-ZN}] C:\windows\system32\kldsrngp.exe CHD003
> O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\kldsrngp.exe
>
> If you are in the US/CANADA please call Microsoft Security rather for a
> direct and free assistance removing this infection and its toll free ( 866
> 727 2338 ). And please do indicate to them the file as listed thanks.
>
>
> "Jalvarezmcp" <Jalvarezmcp@discussions.microsoft.com> wrote in message
> news:E4AB5906-DB38-4011-ABC8-A4DF7DD86BE7@microsoft.com...
 