Author Topic: sysupd.exe hard to get rid of  (Read 3967 times)

lifangkai

  • Guest
sysupd.exe hard to get rid of
« on: May 25, 2004, 09:26:44 PM »
Sorry if this is too long, but I did fight hard with the virus and I still need some help.

Please see the logfile first:

Logfile of HijackThis v1.97.7
Scan saved at 1:02:00 AM, on 5/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\WINDOWS\System32\PELMICED.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Documents and Settings\Yongbing Pu\Local Settings\Temp\Temporary Directory 2 for hijackthis1977.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.uic.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\Jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [dwnejkb] C:\WINDOWS\dwnejkb.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: PowerWord (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt2_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37865.2229398148


The above is what is left after I have tried several programs. I would be grateful if some expert could point out whether my system is free of trojans or adware.

This is a long story. Let me begin with the symptoms.
I was running Windows XP on a Toshiba notebook with a dial-up internet connection and IE. I felt that I had got some virus because when I turned on the computer, a window popped up saying that some content is not available offline and asking whether I want to connect to the internet. I agreed, and no IE showed up (it used to show up automatically). I am very suspicious about this because I can see there is data transferring between my computer and somewhere else. There must be a bad program running in the background. My friend told me that this is like a trojan and that Avast is good.
I downloaded Avast (I guess at the same time the trojan did a lot of things too). I uninstalled Norton Antivirus (it had expired half a year ago and could not detect the trojan). Avast found and killed like 10 different trojan viruses, but the problem was still not fixed. I went to this forum and learned to disable Windows restoration, to use safe mode by pressing F8 when rebooting, to scan before reboot, etc. Then I killed more and could not find trojans any more with Avast, but the symptom persists: it pops up and asks me to connect to the internet each time I start the computer. Here is what I found wrong at this moment: there is a folder named internetoptimizer and some files with similar names in it; there are some files named rabate or barginbuy, things like that; when I press Ctrl+Alt+Del, the task manager shows me that iexplore is running and also a sysupd.exe is running. The Avast cleaner will not help.

I learned from this forum to use Spybot, HijackThis and Ad-Aware 6. Spybot found like a hundred adwares but did not kill most of them; Ad-Aware 6 then found some more and killed them. Now only the sysupd.exe is there, and 5 other things in the registry that I guess are related to this sysupd.exe. Spybot can kill the 5 entries, but they reappear the next time I reboot the machine. The sysupd.exe just cannot be killed because it is running. Spybot also tells me that this sysupd.exe is a 1900 dialer. I also tried HijackThis and deleted another item that I am sure is a virus. But HijackThis cannot help me get rid of this sysupd.exe. So I decided to take some risk and just manually delete it. I rebooted the computer in safe mode with command prompt only and used a DOS command to delete the sysupd.exe. This time it worked: when I rebooted the computer, there was no popup asking me to connect to the internet. But the 5 registry changes also came back. I can kill them with Spybot, but they always come back after reboot. So I think my computer is not totally clean, though it seems that they are doing no harm. Does anyone have a comment on this? Thanks.

I also installed Firefox. I think it is good. I guess I will not use IE any more.

A side story: in the whole process, I uninstalled the software for the sound card by mistake, and it always asks me for a multimedia audio controller. I lost my recovery disk, so I had a hard time trying to install this thing back. I checked the internet and a lot of people have lost this stupid multimedia audio controller and are asking for help. I read some articles and, as they suggested, went to the manufacturer's website and installed the software. Now some of my audio software is working (e.g. I can play DVDs), but some (like Microsoft Media Player) is not working. I have to fix that.

whocares

  • Guest
Re:sysupd.exe hard to get rid of
« Reply #1 on: May 26, 2004, 11:42:46 AM »
Hi,

You did pretty well so far.
Please read here:
http://www.spywareinfo.com/%7Emerijn/htlogtutorial.html

and follow the instructions (first move HijackThis to a new, empty folder!!)

Come back if problems remain.. ;)

lifangkai

  • Guest
Re:sysupd.exe hard to get rid of
« Reply #2 on: May 27, 2004, 04:26:48 AM »
Thanks a lot.
The website is very informative, and I checked Pacman's startup list and Tonyk's BHO & Toolbar list and avoided deleting the good stuff. The following is the log file after deleting some items. Can you see anything wrong?
I still get 4 registry items each time I reboot and check with Spybot. Spybot can fix them, but they reappear after reboot. Does that hurt?

Logfile of HijackThis v1.97.7
Scan saved at 8:54:36 PM, on 5/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\WINDOWS\System32\PELMICED.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Documents and Settings\Yongbing Pu\Local Settings\Temp\Temporary Directory 3 for hijackthis1977.zip\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.uic.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\Jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [dwnejkb] C:\WINDOWS\dwnejkb.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

raman

  • Avast Evangelist
  • Advanced Poster
  • Posts: 1062
Re:sysupd.exe hard to get rid of
« Reply #3 on: May 27, 2004, 05:45:56 AM »
This still sounds suspicious:

O4 - HKLM\..\Run: [dwnejkb] C:\WINDOWS\dwnejkb.exe

You could scan the file here: http://www.kaspersky.com/scanforvirus

or send it to virus@asw.cz
MfG Ralf
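The thread's approach is to read the HijackThis log section by section and pick out the entries that deserve a lookup: an O4 autorun whose executable sits directly in C:\WINDOWS with a random-looking name (dwnejkb.exe, sysupd.exe), O1 hosts-file overrides that send search.netscape.com and sitefinder.verisign.com to one IP, and R3 URLSearchHooks whose file is gone. The Python script below is an added example, written for this thread and not code from the forum, HijackThis or Avast. It parses HijackThis-style lines and returns triage findings with a reason for each. The sample log is constructed from a handful of lines modelled on the posts above (the two O1 entries, which the original log shows run together, are split onto separate lines); the Windows directory C:\WINDOWS is an assumption taken from the log. It produces candidates to look up against a startup list, not verdicts: a legitimate vendor autorun can run from the Windows root too.

```python
"""Triage a HijackThis-style log: list the entries a responder should look up first.

Added example for this thread; not part of HijackThis, Avast or the forum posts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed Windows directory (the log in the thread shows C:\WINDOWS).
WINDIR = r"C:\WINDOWS"

# Constructed sample modelled on lines from the thread's log (not the full log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [dwnejkb] C:\WINDOWS\dwnejkb.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    item: str     # the entry the finding is about (autorun name, host, CLSID)
    reason: str   # why a responder should look at it


LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# O4 body looks like: HKLM\..\Run: [Name] C:\path\prog.exe /args
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O1_RE = re.compile(r"^Hosts: (?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<host>\S+)")
EXE_RE = re.compile(r"^(?P<path>.*?\.exe)", re.IGNORECASE)
LOCAL_IPS = {"127.0.0.1", "0.0.0.0"}  # hosts entries pointing here are not redirects


def image_path(cmd: str) -> Optional[str]:
    """Return the executable part of an autorun command, dropping arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def check_o4(body: str) -> List[Finding]:
    m = O4_RE.match(body)
    if not m:
        return []
    name, cmd = m.group("name"), m.group("cmd")
    path = image_path(cmd)
    if path is None:
        return [Finding("O4", name, f"could not identify an executable in {cmd!r}")]
    if "\\" not in path:
        # Bare file name: resolved through the search path at logon, so the
        # file that actually runs has to be confirmed on disk.
        return [Finding("O4", name, f"{path} is given without a directory; confirm which file runs")]
    parent = path.rsplit("\\", 1)[0]
    if parent.upper() == WINDIR.upper():
        return [Finding("O4", name, f"{path} runs from the Windows directory root; look the name up")]
    return []


def check_o1(body: str) -> List[Finding]:
    m = O1_RE.match(body)
    if not m or m.group("ip") in LOCAL_IPS:
        return []
    return [Finding("O1", m.group("host"),
                    f"hosts file sends {m.group('host')} to {m.group('ip')}, bypassing DNS")]


def triage(log_text: str) -> List[Finding]:
    """Walk every line of a HijackThis log and collect the entries worth a lookup."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, running-process list, blank lines
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            findings.extend(check_o4(body))
        elif code == "O1":
            findings.extend(check_o1(body))
        elif code == "R3" and "(no file)" in body:
            clsid = body.split(" - ")[1]
            findings.append(Finding("R3", clsid, "URLSearchHook whose file is missing; orphaned entry"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.item}: {f.reason}")
```

Run against the sample, the script flags the three O4 entries that either lack a directory or live in the Windows root (TFNF5, dwnejkb, SysUpd), both hosts-file redirects, and the orphaned R3 hook, while leaving the System32 and Program Files autoruns alone. The Windows-root rule is deliberately broad, since the same rule would also list AGRSMMSG.exe from the thread's log, so each hit still needs the startup-list check the second reply points to.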

lifangkai

  • Guest
Re:sysupd.exe hard to get rid of
« Reply #4 on: May 29, 2004, 12:52:13 AM »

deleted. System works fine. I guess that's the end of this battle.

Thanks!