Author Topic: Win32:FraudTool-GK [Tool] and Win32:FraudTool-GL [Tool] (Read 27991 times)

Ivona · « **Reply #30 on:** August 29, 2008, 10:58:37 PM »

is this the report or is there something i need to do with this...thank you sooo much

ComboFix 08-08-29.02 - Christopher 2008-08-29 16:42:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.440 [GMT -4:00]
Running from: C:\Documents and Settings\Christopher\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\#SharedObjects\E7E62UA7\bin.clearspring.com
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\#SharedObjects\E7E62UA7\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\#SharedObjects\E7E62UA7\interclick.com
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\#SharedObjects\E7E62UA7\interclick.com\ud.sol
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Christopher\Cookies\christopher@lxk235.lexmark[1].txt
C:\Documents and Settings\Christopher\Cookies\christopher@passagesmalibu[1].txt
C:\Documents and Settings\Christopher\Cookies\christopher@peach.bskyb[2].txt
C:\Documents and Settings\Christopher\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-29 16:33 . 2008-08-29 16:33   <DIR>   d--------   C:\Program Files\Sun
2008-08-29 16:33 . 2008-06-10 02:32   73,728   --a------   C:\WINDOWS\system32\javacpl.cpl
2008-08-29 16:30 . 2008-08-29 16:33   <DIR>   d--------   C:\Program Files\Java
2008-08-29 16:30 . 2008-08-29 16:30   <DIR>   d--------   C:\Program Files\Common Files\Java
2008-08-29 11:52 . 2008-08-29 11:52   <DIR>   d--------   C:\Documents and Settings\Christopher\DoctorWeb
2008-08-28 22:27 . 2008-08-28 22:27   <DIR>   d--------   C:\Program Files\SpywareBlaster
2008-08-28 22:27 . 2008-08-28 22:27   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-28 21:28 . 2008-08-28 21:28   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-08-28 21:28 . 2008-08-28 21:28   <DIR>   d--------   C:\Documents and Settings\Christopher\Application Data\SUPERAntiSpyware.com
2008-08-28 21:28 . 2008-08-28 21:28   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-28 21:26 . 2008-08-28 21:26   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-08-28 19:39 . 2008-08-28 19:39   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-08-28 19:39 . 2008-08-28 19:39   <DIR>   d--------   C:\Documents and Settings\Christopher\Application Data\Malwarebytes
2008-08-28 19:39 . 2008-08-28 19:39   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-28 19:39 . 2008-08-17 15:04   38,472   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-28 19:39 . 2008-08-17 15:04   17,144   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-08-23 20:07 . 2008-08-28 20:43   <DIR>   d--------   C:\Program Files\PWA
2008-08-23 18:38 . 2008-08-23 18:38   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-13 10:50 . 2008-05-01 10:30   331,776   -----c---   C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 20:25   ---------   d-----w   C:\Documents and Settings\Christopher\Application Data\Skype
2008-08-29 20:06   ---------   d-----w   C:\Documents and Settings\Christopher\Application Data\skypePM
2008-07-10 12:52   ---------   d-----w   C:\Program Files\InterActual
2008-06-29 18:26   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-06-29 18:26   ---------   d-----w   C:\Program Files\Vimicro
2008-06-29 18:26   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-02-18 23:18   32   ----a-w   C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

Ivona · « **Reply #31 on:** August 29, 2008, 10:59:08 PM »

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-06 19:37 21898024]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-09 10:00 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 23:34 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 16:56 64512]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-03-22 00:05 344064]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 04:02 761948]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 08:20 122940]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 19:13 122880]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 15:11 73728]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 01:06 1077322]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-25 16:47 356352]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2004-08-17 15:37 184320]
"Start RF Wireless Mouse"="C:\Program Files\RF Wireless Mouse\cm20.exe" [2002-01-31 10:59 61440]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"lxdfmon.exe"="C:\Program Files\Lexmark 6500 Series\lxdfmon.exe" [2007-06-11 09:53 455600]
"lxdfamon"="C:\Program Files\Lexmark 6500 Series\lxdfamon.exe" [2007-06-01 04:06 20480]
"Lexmark 6500 Series Fax Server"="C:\Program Files\Lexmark 6500 Series\fm3032.exe" [2007-06-11 09:56 308144]
"BigDog303"="C:\WINDOWS\VM303_STI.EXE" [2005-10-25 00:56 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-04 18:59 16206848 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 19:50 88204 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" [2005-06-01 00:00 282624 C:\WINDOWS\system32\TPSMain.exe]
"CFSServ.exe"="CFSServ.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 08:00 15360]

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
IEHOME.LNK - C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat [2006-12-13 14:45:36 298]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
IEHOME.LNK - C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat [2006-12-13 14:45:36 298]

C:\Documents and Settings\Christopher\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-06-12 00:57:52 59080]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-09-14 18:48:02 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ     msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\lxdfcoms.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\lxdfamon.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\frun.exe"=
"C:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\lxdfmon.exe"=
"C:\\WINDOWS\\system32\\lxdfcfg.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdftime.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\LXDFFax.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfjswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfwbgw.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 10:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 10:37]
R2 lxdf_device;lxdf_device;C:\WINDOWS\system32\lxdfcoms.exe [2007-05-29 02:06]
R2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe [2007-05-29 02:06]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = www.hotmail.com
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 16:48:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\urlmon.dll
-> ?:\WINDOWS\system32\urlmon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdfserv.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-08-29 16:52:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-29 20:52:28

Pre-Run: 33,837,121,536 bytes free
Post-Run: 36,317,757,440 bytes free

192   --- E O F ---   2008-08-14 11:46:54
thank you!!!!!!

Ivona · « **Reply #32 on:** August 29, 2008, 11:06:51 PM »

the highjack this scan came up with the following....thank you!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:49 PM, on 8/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdfserv.exe
C:\WINDOWS\system32\lxdfcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Lexmark 6500 Series\lxdfmon.exe
C:\Program Files\Lexmark 6500 Series\lxdfamon.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Documents and Settings\Christopher\Desktop\HiJackThis.exe

Ivona · « **Reply #33 on:** August 29, 2008, 11:07:13 PM »

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [lxdfmon.exe] "C:\Program Files\Lexmark 6500 Series\lxdfmon.exe"
O4 - HKLM\..\Run: [lxdfamon] "C:\Program Files\Lexmark 6500 Series\lxdfamon.exe"
O4 - HKLM\..\Run: [Lexmark 6500 Series Fax Server] "C:\Program Files\Lexmark 6500 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'SYSTEM')
O4 - .DEFAULT Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\system32\lxdfcoms.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 11229 bytes
thanks!!!!

essexboy · « **Reply #34 on:** August 29, 2008, 11:16:13 PM »

Lets see if we can try the sysrestore search again
1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote

SysRst::

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt .

Ivona · « **Reply #35 on:** August 29, 2008, 11:18:12 PM »

which is the run box? when i pressed run before it merely ran the program..thanks

essexboy · « **Reply #36 on:** August 29, 2008, 11:24:05 PM »

Ahh OK I see where the problem is. The instruction are set at the lowest level. But in your case open Notepad and type in SysRst:: then save the notepad file as CFScript.txt. Then drag and drop it onto the combofix icon

Ivona · « **Reply #37 on:** August 30, 2008, 12:27:05 AM »

Sorry, that i've been away from the computer but basically i ran avast again after the initial combofix and it seems my computer is virus free....THANK YOU SOOO much...i really appreciate all the help...you saved me!!! should i delete all the software i installed that being combofix, hijackthis, malware' anti-malware, SUPERantispyware?

Thanks again

Ivona · « **Reply #38 on:** August 30, 2008, 12:28:12 AM »

and dr.cure...thanks

wyrmrider · « **Reply #39 on:** August 30, 2008, 12:37:50 AM »

delete combofix it changes too fast to keep
hijack this does not change often is small so keep it in your emergency folder
I'd also keep MBAM and SAS and keep them updated
malware today frequently knarls the internet connection making it impossible to download these when you might need them again- unless you clicked some start at boot options they should take no resources except a little disk space

how bout running secunia software inspector and getting everything up to date?
Firewall name?
are you running any start at boot (real time) anti spyware/ malware product (MBAM and SAS being on demand)
we do not want to do this again, do we

Ivona · « **Reply #40 on:** August 30, 2008, 12:42:47 AM »

i'm sorry i'm very computer illiterate...so i should get rid of combo fix but keep highjackthis and malware'antimalware and superantivirus...i don't know if i have a firewall how do i check and what else should i install? thank you

Ivona · « **Reply #41 on:** August 30, 2008, 12:45:27 AM »

sorry my realtime anit spyware just recently installed is spywareblaster...thank you!

polonus · « **Reply #42 on:** August 30, 2008, 12:51:42 AM »

Hi Ivona,

Yes I should like you to install a software firewall of some form. In these days one resident antivirus program and a software firewall (mind you only one!) are a must to stay out of trouble on the Internet.
The ZoneAlarm Free firewall is an option,

polonus

DavidR · « **Reply #43 on:** August 30, 2008, 01:14:06 AM »

Quote from: Ivona on August 30, 2008, 12:27:05 AM

Sorry, that i've been away from the computer but basically i ran avast again after the initial combofix and it seems my computer is virus free....THANK YOU SOOO much...i really appreciate all the help...you saved me!!! should i delete all the software i installed that being combofix, hijackthis, malware' anti-malware, SUPERantispyware?

Thanks again

avast won't have resolved what essexboy said:

Quote from: essexboy on August 29, 2008, 11:24:05 PM

Ahh OK I see where the problem is. The instruction are set at the lowest level. But in your case open Notepad and type in SysRst:: then save the notepad file as CFScript.txt. Then drag and drop it onto the combofix icon

You should still do what he suggested.

polonus · « **Reply #44 on:** August 30, 2008, 01:27:35 AM »

Hi Ivona,

Do as DavidR says, and follow essexboy's instructions to the dot. It is the only way to get your computer back, and that is what you want, won't you? Essexboy surely knows what he is instructing you to do, I can stand in for that,

polonus

Author Topic: Win32:FraudTool-GK [Tool] and Win32:FraudTool-GL [Tool] (Read 27991 times)

Ivona

Re: Win32:FraudTool-GK [Tool] and Win32:FraudTool-GL [Tool]

Ivona

Re: Win32:FraudTool-GK [Tool] and Win32:FraudTool-GL [Tool]

Ivona

Re: Win32:FraudTool-GK [Tool] and Win32:FraudTool-GL [Tool]

Ivona

Re: Win32:FraudTool-GK [Tool] and Win32:FraudTool-GL [Tool]

essexboy

Re: Win32:FraudTool-GK [Tool] and Win32:FraudTool-GL [Tool]

Ivona

Re: Win32:FraudTool-GK [Tool] and Win32:FraudTool-GL [Tool]

essexboy

Re: Win32:FraudTool-GK [Tool] and Win32:FraudTool-GL [Tool]

Ivona

Re: Win32:FraudTool-GK [Tool] and Win32:FraudTool-GL [Tool]

Ivona

Re: Win32:FraudTool-GK [Tool] and Win32:FraudTool-GL [Tool]

wyrmrider

Re: Win32:FraudTool-GK [Tool] and Win32:FraudTool-GL [Tool]

Ivona

Re: Win32:FraudTool-GK [Tool] and Win32:FraudTool-GL [Tool]

Ivona

Re: Win32:FraudTool-GK [Tool] and Win32:FraudTool-GL [Tool]

polonus

Re: Win32:FraudTool-GK [Tool] and Win32:FraudTool-GL [Tool]

DavidR

Re: Win32:FraudTool-GK [Tool] and Win32:FraudTool-GL [Tool]

polonus

Re: Win32:FraudTool-GK [Tool] and Win32:FraudTool-GL [Tool]