unable to update Vista or AVG & misdirected when searching

rosieb
2009-08-10, 17:19
My nephew's laptop seems infected. He cannot download any security updates and keeps being misdirected when searching. How can I help him fix it, please?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:49:35, on 10/08/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16830)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Registry Mechanic\RMTray.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
D:\Users\Kie\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.archdaily.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ArchiBar Toolbar - {24cc1362-11c6-4918-a2c0-b9ee5a563185} - C:\Program Files\ArchiBar\tbArc1.dll
O1 - Hosts: ::1 localhost
O2 - BHO: txthlpBHO Class - {060235DC-6D84-47BD-95D7-A4EF5099A59D} - C:\PROGRA~1\TEXTHE~1\READAN~1\TEXTHE~3.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ArchiBar Toolbar - {24cc1362-11c6-4918-a2c0-b9ee5a563185} - C:\Program Files\ArchiBar\tbArc1.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: ArchiBar Toolbar - {24cc1362-11c6-4918-a2c0-b9ee5a563185} - C:\Program Files\ArchiBar\tbArc1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [HWSetup] \HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Desktop SMS] C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe /auto
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IaNvSrv] C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /F "C:\Windows\TEMP\E_SBD7A.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RMTray.exe /H
O4 - HKCU\..\Run: [loyumujiyo] Rundll32.exe "C:\ProgramData\mafolibu\mafolibu.dll",s
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Directrec Configuration Tool.lnk = C:\Program Files\Olympus\DeviceDetector\DirectrecConfig.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E93DFD6-9D66-43E1-BEF3-A15ED15ADA9A}: NameServer = 85.255.112.214,85.255.112.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EAC943B-D829-4983-A845-A99DD064204B}: NameServer = 85.255.112.214,85.255.112.22
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.214,85.255.112.22
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.112.214,85.255.112.22
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.214,85.255.112.22
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MrHealthy (MrHealthyService) - Symantec Corporation - C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\Windows\system32\UAService7.exe

--
End of file - 14014 bytes

pskelley
2009-08-11, 12:50
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You must have read and followed the "Before you Post" instructions.

You would have to be a saint to fool with this mess, this is a badly abused computer. It might be easier to reformat:
http://www.google.com/search?hl=en&q=reformat+vista&aq=f&oq=&aqi=g10

If you really want to continue, I can tell you:

*At least three antivirus programs running (only one should be):
AVG7 (out of date), F-Secure, Symantec

*Obsolete program: AVG Anti-Spyware 7.5

*Virtumonde likely: http://www.incodesolutions.com/threats2/System32Rootmafolibudll.php

*Hacked by Ukrainian criminals: 85.255.112.214
http://whois.domaintools.com/85.255.112.214


If you want to proceed, uninstall all but one valid, updated antivirus program and post.

1) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

2) A new HJT log.

3) Please do not enable TeaTimer while we work together.

Thanks
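The helper's reply above flags three things in the HijackThis log: O17 NameServer entries redirected to 85.255.112.214, an O4 Run entry loading a DLL through rundll32 from C:\ProgramData, and several antivirus products installed at once. The script below is an added example (not HijackThis code or anything from this thread) that applies those same checks to HJT log lines; the sample lines are constructed to mirror the log posted above, and the vendor markers are the ones visible in it.

```python
"""Triage helpers for a HijackThis log (added example, not part of HijackThis).
Checks: O17 NameServer entries pointing outside the LAN, O4 Run entries that
load a DLL via rundll32 from a data directory, and O23 services from more
than one antivirus vendor."""
import ipaddress
import re

# Constructed sample in the shape of the log posted above (a handful of lines).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [loyumujiyo] Rundll32.exe "C:\ProgramData\mafolibu\mafolibu.dll",s
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E93DFD6-9D66-43E1-BEF3-A15ED15ADA9A}: NameServer = 85.255.112.214,85.255.112.22
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
DLL_RE = re.compile(r'([a-z]:\\[^",]+?\.dll)', re.I)
# User-writable data directories: a DLL loaded from here by a Run key is unusual.
DATA_DIR_RE = re.compile(r"^[a-z]:\\(programdata|users|documents and settings)\\", re.I)
# Vendor markers taken from the O23 lines of the log in this thread.
AV_MARKERS = {"grisoft": "AVG", "f-secure": "F-Secure", "symantec": "Symantec"}


def _lines(log):
    return [ln.rstrip() for ln in log.splitlines() if ln.strip()]


def find_dns_hijacks(log, trusted=()):
    """Return (registry_key, [servers]) for every O17 line whose NameServer
    list holds an address that is neither private (a LAN router) nor in the
    caller's `trusted` allowlist of known ISP resolvers."""
    allow = {ipaddress.ip_address(t) for t in trusted}
    hits = []
    for ln in _lines(log):
        m = O17_RE.match(ln)
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        bad = []
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                bad.append(s)  # unparsable value: flag it for review
                continue
            if not ip.is_private and ip not in allow:
                bad.append(s)
        if bad:
            hits.append((m.group("key"), bad))
    return hits


def find_rundll32_runs(log):
    """Return O4 Run entries that use rundll32 to load a DLL from a
    user-writable data directory, the pattern of the [loyumujiyo] entry."""
    hits = []
    for ln in _lines(log):
        m = O4_RE.match(ln)
        if not m or "rundll32" not in m.group("cmd").lower():
            continue
        d = DLL_RE.search(m.group("cmd"))
        if d and DATA_DIR_RE.match(d.group(1)):
            hits.append({"hive": m.group("hive"), "name": m.group("name"), "dll": d.group(1)})
    return hits


def find_av_vendors(log):
    """Return the set of antivirus vendors that own an O23 service entry."""
    found = set()
    for ln in _lines(log):
        m = O23_RE.match(ln)
        if not m:
            continue
        haystack = (m.group("vendor") + " " + m.group("path")).lower()
        for marker, label in AV_MARKERS.items():
            if marker in haystack:
                found.add(label)
    return found


if __name__ == "__main__":
    for key, bad in find_dns_hijacks(SAMPLE_LOG):
        print("DNS redirect:", key, "->", ", ".join(bad))
    for r in find_rundll32_runs(SAMPLE_LOG):
        print("rundll32 loader:", r["hive"], r["name"], r["dll"])
    vendors = find_av_vendors(SAMPLE_LOG)
    if len(vendors) > 1:
        print("multiple AV vendors as services:", ", ".join(sorted(vendors)))
```

Pass your ISP's resolver addresses in `trusted` so that a legitimate public DNS setting is not reported alongside a genuine redirect.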

rosieb
2009-08-11, 14:18
Thank you for your help.
I realise it would be better to reformat Vista but, unfortunately, my nephew cannot find his recovery disks (scatter-brained student!) so I only have the eradication options.

Re the anti-virus programs: I can't update AVG and the other 2 were time-limited options that came with the laptop (he thinks!).

I'll try to remove F-secure and Symantec. Then I'll post the HJT uninstall log. Is there a way round the updating issue for AVG?

pskelley
2009-08-11, 14:48
I'll try to remove F-secure and Symantec. Then I'll post the HJT uninstall log. is there a way round the updating issue for AVG?
We will get it uninstalled and updated to AVG 8.5 before we finish, please make sure only to be online when you absolutely have to. This junk will download more and you probably have no antivirus protection.

Thanks...Phil

rosieb
2009-08-11, 18:56
Sorry about the delay, Phil. I've tried to remove F-secure, but to no avail.
I'm using my laptop to talk to you and leaving my nephew's off-line.

I've printed out and scanned the Uninstall log. I hope this is what you wanted:

2007 Microsoft office Suite service pack 1 (SP1)
2007 Microsoft Office Suite service Pack 1 (SP1)
2007 Microsoft office suite service pack 1 (SP1)
2007 Microsoft office suite service pack 1 (SP1)
2007 Microsoft office suite service pack 1 (SP1)
2007 Microsoft Office Suite service pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft office Suite service Pack 1 (SP1)
2007 Microsoft office Suite service pack 1 (sp1)
2007 Microsoft office Suite service Pack 1 (sp1)
32 Bit HP CIO components Installer
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash player 10 ActiveX
Adobe Help Center 1.0
Adobe photoshop cs2
Adobe Reader 7.0.9
Adobe shockwave player 11
Adobe Stock photos 1.0
Apple software update
ArchiBar Toolbar
Arcsoft photoImpression 5
AutoCAD 2007 - English
Autodesk DWF viewer
AvantGo Client
BIGscreensaver
Bluetooth Stack for windows by Toshiba
BroadJump client Foundation
Camera Assistant software for Toshiba
Catalyst Control Center - Branding
CD/DVD Drive Acoustic silencer
Desktop SMS
Divx Codec
Divx Converter
Divx player
Divx plus DirectShow Filters
Divx web player
Documents TO Go
EASEUS Data Recovery wizard professional 3.3.4
Embedded IR Driver
Ephpod
EPSON Copy Utility 3
EPSON Easy photo print
EPSON Event Manager
EPSON File Manager
EPSON Image clip palette
EPSON Printer software
EPSON Scan
EPSON Scan Assistant
EPSON web-To-page
ERUNT 1.1j
ESDX3800 User's Guide
Flamingo 1.1
Flamingo 1.1 for Rhino 4.0
GameShadow
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google updater
Hotfix for Microsoft .NET Framework 3.5 sp1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Participation program 10.0
HP-Deskjet F2200 All-In-One Driver software 10.0 Rel .3
HP Imaging Device Functions 10.0
HP photosmart Essential 2.5
HP Smart web printing
HP solution Center 10.0
HP update
Inspiration 8 IE
Intel Turbo Memory and Intel Matrix storage Manager
iPod To computer Transfer 4.8
iTunes
Java(TM) SE Runtime Environment 6
LaserJet 1018
Magic ISO Maker v5.5 (build 0261)
Maxwell for Rhinoceros 4
Maxwell Plugin for Maya
Maxwell Script Library for Maxwell .Net plugins
Microsoft .NET Framework 3.5 sp1
Microsoft .NET Framework 3.5 sp1
Microsoft office outlook MUI (English) 2007
Microsoft Office powerpoint MUI (English) 2007
Microsoft office proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft office proof (spanish) 2007
Microsoft office proofing (English) 2007
Microsoft Office shared MUI (English) 2007
Microsoft office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft office Standard 2007
Microsoft office word MUI (English) 2007
Microsoft silverlight
Microsoft SQL Server Native client
Microsoft SQL Server setup support Files (English)
Microsoft SQL server vss writer
Microsoft Text-to-speech Engine 4.0 (English)
Microsoft visual c++ 2005 Redistributable
Microsoft visual c++ 2005 Redistributable
Microsoft visual c++ 8.0 support DLLs
MSXML 4.0 sp2 (KB927978)
MSXML 4.0 Sp2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 sp2 (KB954430)
myphotobook 3.1
Network play System (patching)
Olympus DSS player
Penguin 1.0 SR3
Perfv350 user's Guide
PIF DESIGNER
QuickTime
Read And write 8.1 Gold
Realtek High Definition Audio Driver
Registry Mechanic 8.0
Rhino RDK
Rhinoceros 3.0 Rendering patch
SAMSUNG CDMA Modem Driver Set
SAMSUNG MobilE USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung pc studio 3 USB Driver Installer
security update for 2007 Microsoft Office system (KB951550)
security update for 2007 Microsoft office system (KB951944)
security update for 2007 Microsoft office system (KB960003)
security update for CAPICOM (KB931906)
security update for CAPICOM (KB931906)
security update for Microsoft office Excel 2007 (KB959997)
security update for Microsoft Office powerPoint 2007 (KB951338)
security update for Microsoft office system 2007 (KB954326)
security update for Microsoft Office system 2007 (KB956828)
security update for Microsoft Office word 2007 (KB956358)
shop for HP supplies
sketchup 4.0
spyware Doctor 6.0
synaptics pointing Device Driver
TELL ME MORE
Texas Instruments PCIxx21/x515/xx12 drivers.
The Rosetta Stone
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for windows Mobility Center
TOSHIBA Flash Cards support utility
TOSHIBA Hardware Setup
Toshiba online Product Information
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA supervisor password
TOSHIBA value Added package
TouchCopy
update for Microsoft office 2007 Help for Common Features (KB957244)
update for Microsoft Office Excel 2007 Help (KB957242)
update for Microsoft office Outlook 2007 (KB952142)
update for Microsoft office Outlook 2007 Help (KB957246)
update for Microsoft Office PowerPoint 2007 Help (KB957247)
update for Microsoft office word 2007 Help (KB957252)
update for Microsoft script Editor Help (KB957253)
update for Office 2007 (KB946691)
update for outlook 2007 Junk Email Filter (kb962871)
VC80CRTRedist - 8.0.50727.762
VLC media player 0.9.8a


Thanks, once again.
Rosie

pskelley
2009-08-11, 19:16
2) A new HJT log.
Read the directions carefully please, you can wait now until I ask again for a HJT log.


Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more.
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash player 10 ActiveX <<< check this:
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Adobe Reader 7.0.9 <<< out of date and unsafe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.adobe.com/products/reader/
(if you want a smaller program, look at this one)
Foxit Reader 3.0 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

Adobe shockwave player 11 <<< check this:
Security Update available for Shockwave Player
http://www.adobe.com/support/security/bulletins/apsb09-08.html
Critical Adobe Shockwave flaw affects millions
http://blogs.zdnet.com/security/?p=3664

Java(TM) SE Runtime Environment 6 <<< out of date and unsafe:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php
Carbonite Piggybacks on Java
http://www.bleepingcomputer.com/blogs/mowgreen/index.php?showentry=1569


Read and follow the directions carefully:
Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

http://www.besttechie.net/mbam/mbam-setup.exe <<< download

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://thespykiller.co.uk/index.php/topic,5946.0.html

Thanks

rosieb
2009-08-11, 21:02
I've installed MBAM but nothing happens after I click Finish. It doesn't appear to update and it won't open when I click the shortcut or from Programs.

What next? Should I try to do it unupdated or in Safe Mode?

Rosie

pskelley
2009-08-11, 22:05
The infection on the computer is of a type that blocks some tools from working. Try deleting it and downloading again using this link:
http://www.malwarebytes.org/affiliates/besttechie/mbam-setup.exe

When you click the link choose "Save this file now" and then OK. At the top "Save in" choose Desktop. At the bottom where you see mbam-setup.exe, change that to rosieb.exe then save it and see if it will update and run.

Thanks

rosieb
2009-08-11, 23:09
That hasn't worked, either.
Is there another way?

pskelley
2009-08-11, 23:13
Before we try something else, I wish to be sure you understand that these tools have to be run as Administrator since this is Windows Vista.

Thanks

pskelley
2009-08-11, 23:30
How to use User Account Control (UAC) in Windows Vista

http://support.microsoft.com/kb/922708

rosieb
2009-08-11, 23:45
Thanks, Phil.
I'll follow the MS link steps and see if it does the trick, then I'll post the logs tomorrow as it's getting late now.

Rosie

rosieb
2009-08-12, 00:25
Tried Run as Administrator but again nothing happens.
When I right click the MBAM icon & select Run as Administrator, I get a Windows message box saying "MBAM has stopped working" and I have 2 options:
1) Check online for a solution later and close the program
2) Close the program

What a nightmare!

Rosie

pskelley
2009-08-12, 00:44
Please visit this webpage for download links, and instructions for running the tool:

Recovery Console does not install on Vista.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
http://www.bleepingcomputer.com/forums/topic114351.html
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

When the tool is finished, it will produce a report for you. Post that report and a new HJT log

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Thanks

rosieb
2009-08-12, 15:15
I've tried to connect to the links in the above post with my nephew's laptop but something is blocking all connections and I get the message "Internet Explorer cannot display the webpage".

Could I download Combofix to my laptop and burn it to a CD and try to install it that way?

Thanks for your patience with this problem,
Rosie

pskelley
2009-08-12, 15:29
Could I download Combofix to my laptop and burn it to a CD and try to install it that way?
Hi Rosie, yes you can, we often have to bring tools to the infected computer. I will also suggest you can use a USB Memory stick or Flash drive, but keep in mind ComboFix is 2.97 MB so make sure the tool has enough space.

I am also going to suggest, even though I realize the computer is hacked, that you may be able to reset your internet connection. Before I installed FIOS, I would have to reset DSL once in a while. If you think this can help, here is the procedure Verizon had me use.

1) Unplug the router
2) Unplug the modem
3) Power down the computer and wait a few minutes.
4) Power up the router, or the modem if no router is used, then boot the computer. Open Internet Explorer to see if you are getting online. Here is some Microsoft information about this.

http://support.microsoft.com/kb/956196

Hope that helps...Phil

rosieb
2009-08-12, 18:18
Thanks, Phil. I tried all you said about resetting the internet connection and the advice from the MS link. The laptop seems to be connected but all the web addresses I enter give the same message that IE cannot display the webpage.

I'm going to try to install Combofix from a CD I've burned.
I'm worrying about the Recovery Console - if Combofix can't connect, how will the Recovery Console work or does this not matter as it's Vista? Remember, I don't have the laptop Recovery DVD.

Rosie

pskelley
2009-08-12, 19:09
Recovery Console will not install with Vista, see this:
http://windowshelp.microsoft.com/Windows/en-US/Help/326b756b-1601-435e-99d0-1585439470351033.mspx

rosieb
2009-08-12, 22:46
Well, I tried to load Combofix from a cd but all I get is a small white rectangle with Combofix in black print and a green loading line flashing across the bottom of the rectangle.
I assume it hasn't loaded properly.

Shall I try again by downloading Combofix from a different link?

Rosie

rosieb
2009-08-12, 23:04
Further to my last post, I reinstalled it and it seems to be working! Yippee!!

rosieb
2009-08-13, 05:53
It worked! I'm still unable to connect to the internet, though, so I'll have to investigate that tomorrow.

Here is the Combofix log:

ComboFix 09-08-10.06 - Kie 12/08/2009 22:22.1.2 - NTFSx86
Microsoft~ windows vistam Business 6.0.6000.0.1252.44.1033.18.2046.1376 [GMT 1:00]
Running from: d:\users\Kie\Desktop\combofix.exe
AV: F-Secure Anti-Virus 7.30 *on-access scanning disabled* (updated) {E7512ED5-4245-4B4D-AF3A-382D3F313FI5}
FW: F-secure Internet security 2008 OEM 8.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
SP: AVG Anti-spyware *disabled* (outdated) {48F2E28D-ED66-4646-9C11-B3055BOAF604}
SP: F-Secure Anti-virus 7.30 *disabled* (updated) {0651C4BO-ID7E-4682-B965-2E9523C483A5}
SP: windows Defender *enabled* (outdated) {D68DDC3A-831F-4FAE-9E44-DAI32ClACF46}
* created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


c:\$recycle.bin\S-I-5-21-1571381933-3166844399-2333848073-500
c:\$recycle.bin\S-1-5-21-1661674311-2815529458-2936180237-500
c:\$recycle.bin\s-1-5-21-1909584832-858829809-948134049-500
c:\$recycle.bin\s-I-5-21-2504357094-947659251-4233815124-500
c:\$recycle.bin\S-I-5-21-3753462501-2946134135-3446067773-500
c:\$recycle.bin\S-1-5-21-651549746-3940150078-1581359000-500
c:\$recycle.bin\s-1-5-21-672597815-3237486728-385770818-500
c:\$recycle.bin\S-I-5-21-918056312-2952985149-2686913973-500
c:\program files\Antispywareshield
c:\program files\Antispywareshield\Antispywareshieldl.ad
c:\programdata\Microsoft\windows\start Menu\programs\Herocodec
c:\programdata\Microsoft\windows\start Menu\programs\Herocodec\uninstall.lnk
c:\users\Kie\AppData\Roaming\Microsoft\windows\start Menu\programs\Herocodec
c:\windows\Installer\$patchCache$\Managed\6ACA9EFE6506Dc043852EOB02EBC26B2\8.1.0\html.ini2
c:\windows\system32\375013
c:\windows\system32\AcsignExtRes.dll
c:\windows\system32\drivers\gxvxcjydjpjcxtfrnpdcconhcamuswewdhulq.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcqxiaydlsjadmlutkwdkbigbrvjleolnm.dll
D:\autorun.inf


((((((((((((((((((((((((((((((((((((((( Drivers/services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\service_gxvxcserv.sys
-------\Legacy_gxvxcserv.sys


((((((((((((((((((((((((( Files created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))

2009-08-11 21:52 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-11 21:52 . 2009-08-11 21:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-11 21:52 . 2009-08-11 21:52 -------- d-----w- c:\programdata\Malwarebytes
2009-08-11 21:52 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 14:46 . 2007-06-28 13:36 401720 ----a-w- c:\program files\HijackThis.exe
2009-08-10 14:37 . 2009-08-10 14:37 -------- d-----w- c:\program files\ERuNT
2009-08-05 14:27 . 2009-08-05 14:27 -------- d-----w- C:\AVGTemp
2009-08-05 00:16 . 2009-08-05 00:16 -------- d-----w- c:\users\Kie\AppData\Roaming\AVG8


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2009-08-12 21:30 . 2007-04-13 20:11 12 ----a-w- c:\windows\bthservsdp.dat
2009-08-12 15:38 . 2008-11-11 21:39 -------- d-----w- c:\programdata\Google updater
2009-08-11 15:02 . 2007-11-13 14:39 -------- d-----w- c:\programdata\fssg
2009-08-11 14:03 . 2008-03-30 15:14 -------- d-----w- c:\programdata\Grisoft
2009-08-11 12:26 . 2008-07-05 21:06 -------- d-----w- c:\program files\BitLord
2009-08-10 12:03 . 2008-07-05 21:06 -------- d-----w- c:\program files\TorrentMan
2009-08-05 14:25 . 2007-12-02 23:04 1356 ----a-w- c:\users\Kie\AppData\Local\d3d9caps.dat
2009-08-01 11:49 . 2007-04-13 21:53 -------- d-----w- c:\program files\common Files\symantec Shared
2009-07-02 21:43 . 2007-12-19 01:02 -------- d-----w- c:\users\Kie\AppData\Roaming\dvdcss


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\uR~searchHooks]
"{24cc1362-11c6-4918-a2cO-bgee5a563185}"= "c:\program files\ArchiBar\tbArcl.dll" [2008-07-06 1569304]

[HKEY_CLASSES_ROOT\clsid\{24cc1362-11c6-4918-a2cO-bgee5a563185}]

[HKEY_LOCAL_MACHINE\~\Browser Helper objects\{24cc1362-11c6-4918-a2cO-bgee5a563185}]
2008-07-06 22:21 1569304 ----a-w- c:\program files\ArchiBar\tbArc1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{24cc1362-11c6-4918-a2cO-bgee5a563185} "= "c: \program fi1eS\ArchiBar\tbArcl.dll" [2008-07-06 1569304]

[HKEY_CLASSES_ROOT\clsid\{24cc1362-11c6-4918-a2cO-bgee5a563185}]

[HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Toolbar\webbrowser]
"{24cC1362-11C6-4918-A2cO-B9EE5A563185}"= "c:\program files\ArchiBar\tbArcl.dll" [2008-07-06 1569304]

[HKEY_CLASSES_ROOT\clsid\{24cc1362-11c6-4918-a2cO-bgee5a563185}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\windows\currentversion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-11 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\currentversion\Run]
"windows Defender"="c:\program files\windows Defender\MSAScui.exe" [2007-07-04 1006264]
"HotKeyscmds"="c:\windows\system32\hkcmd.exe" [2007-04-03 154392]
"persistence"="c:\windows\system32\igfxpers.exe" [2007-04-03 133912]
"SVPWUTIL"="c: \program fi1es\ TOSHIBA\Uti1itieS\SvPWUTIL. exe" [2006-03-22 438272]
"topi"="c:\program files\TOSHIBA\Toshiba online Product Information\topi .exe" [2007-04-02 577536]
"TPwrMain"="c:\program files\TOSHIBA\power saver\TPwrMain.ExE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"smoothview"="c:\program files\Toshiba\smoothview\smoothview.exe" [2007-05-23 509496]
"OOTcrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"desktop SMS"="c:\program files\IDM\Desktop SMS\DesktopSMS.exe" [2007-06-18 1507328]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2007-02-19 571024]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"IaNvsrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvsrv\IaNvsrv.exe" [2007-03-13 33048]
"Acronis Scheduler2 service"="c:\program files\common Files\Acronis\schedule2\schedhlp.exe" [2007-08-02 148760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"EEventManager"="c:\program files\EPSON\creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 102400]
"HP Software update"="c:\program files\HP\HP software update\HPwuschd2.exe" [2007-10-14 49152]
"hpqsRMon"="c:\program files\HP\Digital Imaging\bin\hpqsRMon.exe" [2007-08-22 80896]
"Msconfig"="c:\windows\system32\msconfig.exe" [2006-11-02 222208]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-06-13 4489216]
"NDSTray.exe"="NDSTray.exe" [BU]
"skytel"="skytel.exe" - c:\windows\skyTel.exe [2007-05-28 1826816]

c:\users\Kie\AppOata\Roaming\Microsoft\windows\Start Menu\programs\Startup\
Adobe Gamma.lnk - c:\program files\common Files\Adobe\calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Palm Registration.lnk - c:\program files\palm\register.exe [2008-4-23 2494464]

c:\programdata\Microsoft\windows\start Menu\programs\Startup\
Dataviz Inc Messenger.lnk - c:\program files\Common Files\Dataviz\ovzIncMsgr.exe [2008-1-3 28672]
.
[HKEY_LOCAL_MACHINE\SYSTEM\Currentcontrolset\control\safeBoot\Minimal\winDefend]
@="Service"

[HKLM\~\startupfolder\c:^programData^Microsoft^windows^Start Menu^programs^startup^Directrec configuration Tool.lnk]
path=c:\programdata\Microsoft\windows\start Menu\programs\startup\directrec configuration Tool.lnk
backup=c:\windows\pss\Directrec configuration Tool.lnk.commonstartup
backupExtension=.commonstartup

[HKLM\~\startupfolder\c:^programData^Microsoft^windows^Start Menu^programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\windows\Start Menu\programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.commonstartup
backupExtension=.commonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\symantecAntivirus]
"disableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\symantecFirewall]
"disableMonitoring"=dword:00000001

[HKLM\-\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query user{B459534A-25B8-4502-A1E9-AA066B2COEC7}c:\\program files\\bitlord\\bitlord.exe"= UDP:c:\program files\bitlord\bitlord.exe:BitLord
"UDP Query user{314B4A72-81E7-4ABF-A411-989B753FDABO}c:\\program files\\bitlord\\bitlord.exe"= TCP:c:\program files\bitlord\bitlord.exe:BitLord
"{6A8COFFE-D351-4FB9-A1B7-5B31DAB73F8F}"= UDP:c:\program files\TOSHIBA\Utilities\TAcSPROP.exe:Accessibility
"{3C57c25E-69CD-4976-B76B-477458EDD568}"= TCP:c:\program files\TOSHIBA\Utilities\TAcsPROP.exe:Accessibility
"TCP Query user{573BA530-5E86-4153-9756-AA5E7A80B5C9}d:\\program files\\itunes\\itunes.exe"= Disabled:uDP:d:\program files\itunes\itunes.exe:iTunes
"UDP Query user{8c996AA2-4C1C-4888-BBE1-E8A3439128EA}d:\\program files\\itunes\\itunes.exe"= Disabled:Tcp:d:\program files\itunes\itunes.exe:iTunes

[HKLM\-\services\sharedaccess\parameters\firewallpolicy\publicprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\-\services\sharedaccess\parameters\firewallpolicy\Restrictedservices\Static\system]
"DFSR-1"= RPort=5722luDP:%SystemRoot%\system32\svchost.exelsvc=DFSR:Allow inbound TCP trafficl

RO CpllR;Embedded IR Driver;c:\windows\system32\drivers\cpllR.SYS [06/03/2007 15:01 14848]
RO iaNvStor;lntelCR) Turbo Memory Technology NAND controller;c:\windows\system32\drivers\iaNvStor.sys [13/04/2007 21:52 210432]
R1 FSES;F-Secure Email scanning Driver;c:\windows\system32\drivers\fses.sys [13/11/2007 15:41 35024]
R1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [13/11/2007 15:41 60064]

[HKEY_LOCAL_MACHlNE\software\microsoft\winG_MULTl_SZ Pml Driver HPz12 Net Driver HPZ12
hpdevmgmt REG_MULTl_SZ hpqcxs08 hpqddsvc

Contents of the 'scheduled Tasks' folder

2009-01-01 c:\windows\Tasks\AppleSoftwareupdate.job
- c:\program files\Apple Software update\softwareupdate.exe [2006-10-10 17:13]

2009-08-12 c:\windows\Tasks\Google Software updater.job
- c:\program files\Google\Common\Google updater\Googleupdaterservice.exe [2008-11-11 21:02]

2009-08-12 c:\windows\Tasks\user_Feed_synchronization-{364B15A7-9ABD-47BF-BD4E-c8850BA667FD}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]

- - - - ORPHANS REMOVED - - - -

HKCU-Run-T0SCDSPD - TOSCDSPD.EXE
HKLM-Run-HWSetup - \HWSetup.exe

------- supplementary Scan -------

ustart page = hxxp://www.archdaily.com/
ulnternet settin!}s,proxyoverride = *.local
IE: E&xport to Mlcrosoft Excel - c:\progra-1\MICROS-1\office12\EXCEL.EXE/3000
lE: {{C08CAF1D-COA3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN
LSP: c:\program files\F-Secure Internet security\FSPs\program\FSLSP.DLL
Trusted Zone: microsoft.com\download.wondowsupdate
Trusted Zone: microsoft.com\update

**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\controlset001\Control\class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\Allusersettings]
@Denied: (A) (users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (5-1-5-20)
IBlindDial"=dword:OOOOOOOO
"MSCurrentCountry"=dword:000000b4
[HKEY_LOCAL_MACHINE\system\controlset001\Control\class\{4D36E96D-E325-11CE-BFC1- 08002BE10318}\0001\Allusersettings]
@Denied: (A) (users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (5-1-5-20)
"BlindDial"=dword:00000000

--------------------- DLLS Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3568)
c:\program files\Arcsoft\photoImpression 5\share\pihook.dll

------------------------ Other Running Processes -----------------------*

c:\windows\Microsoft.NET\Framework\v3.0\wPF\presentationFontCache.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\audiodg.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\common Files\Acronis\schedule2\schedu12.exe
c:\program files\TosHIBA\ConfigFree\CFsvcs.exe
c:\program files\olympus\DeviceDetector\DM1service.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNavlSrv.exe
c:\windows\system32\TODDsrv.exe
c:\program files\TOSHIBA\power saver\Toscosrv.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\uAService7.exe
**************************************************************************
.
completion time: 2009-08-12 22:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-12 21:40
Pre-Run: 40,646,709,248 bytes free
Post-Run: 46,590,873,600 bytes free

213 --- E 0 F --- 2009-04-23 21:14


Here's the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:30:52, on 12/08/2009
platform: windows vista (winNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16830)
Boot mode: Normal

Running processes:
c:\windows\system32\taskeng.exe
c:\windows\system32\Dwm.exe
c:\windows\system32\taskeng.exe
c:\windows\Explorer.exe
c:\windows\system32\notepad.exe
c:\program Files\windows defender\MsAscui.exe
c:\program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Users\Kie\Desktop\HiJackThis\HijackThis.exe

RO - HKCU\software\Microsoft\Internet Explorer\Main,Start page = http://www.archdaily.com/
RI - HKLM\software\Microsoft\Internet Explorer\Main,Default_page_uRL http://go.microsoft.com/fwlink/?Linkld=69157
RI - HKLM\software\Microsoft\Internet Explorer\Main,Default_Search_URL http://go.microsoft.com/fwlink/?LinkId=54896
RI - HKLM\software\Microsoft\Internet Explorer\Main,search page = http://go.microsoft.com/fwlink/?LinkId=54896
RO - HKLM\Software\Microsoft\Internet Explorer\Main,start Page = http://go.microsoft.com/fwlink/?Linkld=69157
RI - HKCU\software\Microsoft\windows\Currentversion\Internet settings,proxyoverride = *.local
RO - HKCU\software\Microsoft\Internet Explorer\Toolbar,LinksFolderName
R3 - URLSearchHook: ArchiBar Toolbar - {24ccI362-11c6-49I8-a2cO-bgee5a563185} - c:\program Files\ArchiBar\tbArcl.dll
02 - BHO: txthlpBHO class - {060235DC-6D84-47BD-95D7-A4EF5099A59D} - C:\PROGRA~I\TEXTHE~I\READAN~I\TEXTHE~3.DLL
02 - BHO: ArchiBar Toolbar - {24ccI362-11c6-4918-a2cO-bgee5a563185} - c:\program Files\ArchiBar\tbArcl.dll
02 - BHO: wormRadar.com IESiteBlocker.NavFilter - {3CA2F3I2-6F6E-4B53-A66E-4E65E497C8CO} - c:\program Files\AVG\AVG8\avgssie.dll (file missing)
02 - BHO: Google Toolbar Helper - {AAS8ED58-01DD-4d9I-8333-CFI0S77473F7} - c:\program files\google\googletoolbarl.dll
02 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
02 - BHO: EpsonToolBandKicker Class - {E9942IFB-68DD-40FO-B4Ac-a7027CAE2FlA} - c:\program Files\EPsON\EPSON web-To-page\EPSON web-To-page.dll
02 - BHO: HP smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72EI16A856} - c:\program Files\HP\Digital Imaging\Smart web printing\hpswp_BHO.dll
03 - Toolbar: EPSON web-To-page - {EESD279F-081B-4404-994D-C6B60AAEBA6D} - c:\program Files\EPSON\EPSON web-To-page\EPsON web-To-page.dll
03 - Toolbar: ArchiBar Toolbar - {24ccI362-I1c6-49I8-a2cO-bgee5a563185} - C:\program Files\ArchiBar\tbArcl.dll
03 - Toolbar: &Google - {23I8C2BI-4965-11d4-9BI8-009027A5CD4F} - c:\program files\google\googletoolbarl.dl1
04 - HKLM\ .. \Run: [windows Defender] %programFiles%\windows Defender\MSAscui.exe -hide
04 - HKLM\ .. \Run: [HotKeyscmds] c:\windows\system32\hkcmd.exe
04 - HKLM\ .. \Run: [persistence] c:\windows\system32\igfxpers.exe
04 - HKLM\ .. \Run: [SVPWUTIL] c:\program Files\TosHIBA\Utilities\SvPwuTIL.exe SVPwUTIL
04 - HKLM\ .. \Run: [topi] c:\program Files\TOSHIBA\Toshiba online Product Information\topi.exe -startup
04 - HKLM\ .. \Run: [RtHDVCpl] RtHDVcpl.exe
04 - HKLM\ .. \Run: [TPwrMain] %programFiles%\TOSHIBA\power saver\TPwrMain.ExE
04 - HKLM\ .. \Run: [HSON] %programFiles%\TOSHIBA\TBS\HSON.exe
04 - HKLM\ .. \Run: [smoothview] %programFiles%\Toshiba\Smoothview\SmQothview.exe
04 - HKLM\ .. \Run: [OOTCrdMain] %programFiles%\TOSHIBA\Flashcards\TCrdMain.exe
04 - HKLM\ .. \Run: [NDSTray.exe] NDSTray.exe
04 - HKLM\ .. \Run: [Desktop SMS] c:\program Files\IDM\Desktop SMS\DesktopSMS.exe /auto
04 - HKLM\ .. \Run: [Toshiba Registration] c:\program Files\Toshiba\Registration\ToshibaRegistration.exe
04 - HKLM\ .. \Run: [IAAnotif] c:\program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
04 - HKLM\ .. \Run: [IaNvSrv] c:\program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvsrv.exe
04 - HKLM\ .. \Run: [Acronis scheduler2 service] "c:\program Files\common Files\Acronis\Schedule2\schedhlp.exe"
04 - HKLM\ .. \Run: [QuickTime Task] "c:\program Files\QuickTime\qttask.exe" -atboottime
04 - HKLM\ .. \Run: [iTunesHelper] "D:\program Files\iTunes\iTunesHelper.exe"
04 - HKLM\ .. \Run: [EEventManager] C:\Program Files\EPsON\Creativity Suite\Event Manager\EEventManager.exe
04 - HKLM\ .. \Run: [HP software update] c:\program Files\HP\HP Software update\HPwuschd2.exe
04 - HKLM\ .. \Run: [hpqsRMon] c:\program Files\HP\Digital Imaging\bin\hpqsRMon.exe
04 - HKLM\ .. \Run: [skytel] skytel.exe
04 - HKLM\ .. \Run: [Msconfig] "c:\windows\system32\msconfig.exe" /auto
04 - HKCU\ .. \Run: [swg] c:\program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
04 - startup: Adobe Gamma.lnk = c:\program Files\common Files\Adobe\calibration\Adobe Gamma Loader.exe
04 - Startup: palm Registration.lnk = c:\program Files\palm\register.exe
04 - Global startup: Dataviz Inc Messenger.lnk = c:\program Files\common Files\Dataviz\DvzIncMsgr.exe
08 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\office12\EXCEL.EXE/3000
09 - Extra button: Research - {92780B25-18CC-41c8-B9BE-3C9C57IA8263} - C:\PROGRA-1\MICROS-1\office12\REFIEBAR.DLL
09 - Extra button: eBay - {C08CAF1D-COA3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
09 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program Files\HP\Digital Imaging\Smart web printing\hpswp_BHO.dll
010 - Broken Internet access because of LSP provider c:\program files\f-secure internet security\fsps\program\fslsp.dll' missing
013 - Gopher Prefix:
018 - protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program Files\AVG\AVG8\avgpp.dll (file missing)
023 - Service: Acronis Scheduler2 Service (AcrSch2svc) - Acronis - c:\program Files\common Files\Acronis\schedule2\schedu12.exe
023 - Service: Adobe LM Service - Adobe Systems - c:\program Files\common Files\Adobe systems shared\Service\Adobelmsvc.exe
023 - service: Ati External Event utility - ATI Technologies Inc. - c:\windows\system32\Ati2evxx.exe
023 - Service: Autodesk Licensing Service - Autodesk - c:\program Files\common Files\Autodesk shared\service\Adskscsrv.exe
023 - service: configFree service (CFSVCS) - TOSHIBA CORPORATION - c:\program Files\TOSHIBA\ConfigFree\CFSvcs.exe
023 - service: DM1Service - OLYMPUS IMAGING CORP. - c:\program Files\01ympus\DeviceDetector\DM1Service.exe
023 - Service: Google software updater (gusvc) - Google - c:\program Files\Google\common\Google updater\GoogleupdaterService.exe
023 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel corporation - c:\program Files\Intel\Intel Matrix storage Manager\IAANTMon.exe
023 - Service: InstallDriver Table Manager (IDriverT) - Macrovision corporation - c:\program Files\common Files\Installshield\Driver\11\Intel 32\IDriverT.exe
023 - service: Installshield Licensing service - Macrovision - c:\program Files\Common Files\Installshield shared\service\InstallShield Licensing service.exe
023 - service: iPod Service - Apple computer, Inc. - c:\program Files\ipod\bin\ipodservice.exe
023 - service: symantec core LC - Symantec corporation - c:\program Files\common Files\symantec shared\cCPD-Lc\symlcsvc.exe
023 - Service: TOSHIBA Navi Support service (TNavisrv) - TOSHIBA corporation - c:\program Files\TosHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
023 - Service: TOSHIBA optical Disc Drive Service (TODDSrv) - TOSHIBA corporation - c:\windows\system32\TODDsrv.exe
023 - Service: TOSHIBA power Saver CTosCoSrv) - TOSHIBA Corporation - c:\program Files\TosHIBA\power saver\Toscosrv.exe
023 - Service: TOSHIBA Bluetooth service - TOSHIBA CORPORATION - c:\program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
023 - service: SecuROM User Access Service (V7) (userAccess7) - unknown owner - c:\windows\system32\uAservice7.exe
End of file - 7919 bytes

I'm really grateful for your continuing help, Phil. Thanks.

Rosie
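The ComboFix log above carries three findings that a helper looks for first: the gxvxc* driver and DLL with random-looking names (the rootkit ComboFix removed), the `DisableMonitoring=1` values under the Security Center `Monitoring` keys (which silence the "no antivirus" warnings), and `EnableFirewall=0` in the public firewall profile. The Python script below is an added example for readers of this thread; it is not part of the thread and not ComboFix's own tooling. It parses a constructed excerpt modelled on the log (OCR noise removed, most entries omitted) and reports those indicators. The section splitting, the random-name heuristic and all function names are the editor's assumptions, not a documented ComboFix format.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the ComboFix log posted above (OCR noise removed,
# most entries omitted). It is sample input for this script, not the original file.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\program files\Antispywareshield
c:\windows\system32\drivers\gxvxcjydjpjcxtfrnpdcconhcamuswewdhulq.sys
c:\windows\system32\gxvxcqxiaydlsjadmlutkwdkbigbrvjleolnm.dll
D:\autorun.inf

((((((((((((((((((((((((((((((((((((((( Drivers/services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\service_gxvxcserv.sys
-------\Legacy_gxvxcserv.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntivirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\publicprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_HEADER = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
# Heuristic (an assumption, not a ComboFix rule): a .sys/.dll whose stem is 20+
# lowercase letters, the shape of the gxvxc* rootkit components in the log.
RANDOM_STEM = re.compile(r"\\[a-z]{20,}\.(?:sys|dll)$")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-blank lines under the '((( name )))' banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_HEADER.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def parse_registry(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Turn REGEDIT4-style [key] / "name"=value lines into (key, name, value) triples."""
    entries: List[Tuple[str, str, str]] = []
    key: Optional[str] = None
    for line in lines:
        km = REG_KEY.match(line)
        if km:
            key = km.group("key")
            continue
        vm = REG_VALUE.match(line)
        if vm and key is not None:
            entries.append((key, vm.group("name"), vm.group("value").strip()))
    return entries


def reg_int(value: str) -> Optional[int]:
    """Read 'dword:00000001' or '0 (0x0)' as an integer; None if neither form."""
    m = re.match(r"dword:([0-9a-fA-F]{1,8})$", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def find_tamper_indicators(text: str) -> Dict[str, List[str]]:
    """Report the four things a helper checks first in a log like this one."""
    sections = split_sections(text)
    out: Dict[str, List[str]] = {
        "security_center_disabled": [],  # AV/firewall status reporting switched off
        "firewall_disabled": [],         # Windows Firewall off in a profile
        "random_named_files": [],        # deleted files with rootkit-style names
        "removed_services": [],          # driver services ComboFix deleted
    }
    for key, name, value in parse_registry(sections.get("Reg Loading Points", [])):
        k, n = key.lower(), name.lower()
        if r"security center\monitoring" in k and n == "disablemonitoring" and reg_int(value) == 1:
            out["security_center_disabled"].append(key)
        if "firewallpolicy" in k and n == "enablefirewall" and reg_int(value) == 0:
            out["firewall_disabled"].append(key.rsplit("\\", 1)[-1])
    for path in sections.get("Other Deletions", []):
        if RANDOM_STEM.search(path.lower()):
            out["random_named_files"].append(path)
    for line in sections.get("Drivers/services", []):
        if line.startswith("-------\\"):
            out["removed_services"].append(line.split("\\", 1)[1])
    return out


if __name__ == "__main__":
    for kind, items in find_tamper_indicators(SAMPLE_LOG).items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", item)
```

Run it against a saved ComboFix log by passing the file contents to `find_tamper_indicators`. The Security Center entries are worth watching even after a clean-up: a `DisableMonitoring` value left at 1 means Vista will not warn if the replacement antivirus later stops updating.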

tashi
2009-08-14, 19:18
rosieb, thank you for your PM. :)

A helper will continue with your topic soon.

ken545
2009-08-14, 19:58
Hello rosieb,

My name is Ken and I will be taking over for Phil.

You should be able to run Malwarebytes now and this cleaner as Combofix removed the Rootkit that was causing all your issues, but there could be more we can't see.

Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean



Drag Malwarebytes to the trash and let's start over nice and clean

Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please

rosieb
2009-08-14, 21:11
Thanks for your help, Ken.

I've used the TFC but I can't connect to the internet on the infected laptop and I can't work out why not - so I can't download MBAM. I could burn it to a CD on a clean laptop but it wouldn't be able to update.

What should I do?

Rosie

ken545
2009-08-14, 21:26
Hello Rosie

When you download MBAM it will be fairly current so go ahead and burn it to a CD and transfer it to the infected one.

Are you trying to get online with Internet Explorer? What exactly happens when you open your browser, are you getting a page not found?

Try this, open IE and go to Tools > Internet Options > Advanced Tab > Reset Internet Explorer Settings > Reset... let it do its thing, takes about 15 seconds, then OK your way out, close IE then open it again and see if you can get online.

You may also have to reset your modem Cable/DSL and router if you're using one. Just turn off your computer, pull the power cord to both the modem and router... let this sit like this for about 3 minutes. Plug the power cord back into both the router and modem, wait until all the lights are on, then start your computer and wait until it fully loads, then try the internet again.

rosieb
2009-08-14, 22:03
Hi Ken. The TFC is still going on the infected laptop. That's over an hour so far. Has it hung up, do you think? It seems stuck on the Recycle Bin.
How long should I let it run?

Rosie

rosieb
2009-08-15, 01:10
Hello Ken
I tried the IE resets you suggested - to no avail. The laptop connects to the LAN but I cannot access any web pages. Could it be something to do with the F-secure firewall? I thought I'd removed all the AV programs prior to installing just a single program but there seem to be remnants remaining, although not showing in Add/Remove programs.

Anyway, here are the logs you requested (I printed them and scanned them to my clean laptop):

MBAM
Malwarebytes' Anti-Malware 1.40
Database version: 2551
windows 6.0.6000

14/08/2009 21:28:56
mbam-log-2009-08-14 (21-28-56).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 233755
Time elapsed: 49 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 7

Memory processes Infected:
(NO malicious items detected)

Memory Modules Infected:
(NO malicious items detected)

Registry Keys Infected:
(NO malicious items detected)

Registry values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\currentversion\Run\desktop sms (worm.p2P) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(NO malicious items detected)

Folders Infected:
c:\Program Files\Malwarecore 7.4 (Rogue.Malwarecore) -> Quarantined and deleted successfully.
c:\program Files\Malwarecore 7.4\Quarantine (Rogue.Malwarecore) -> Quarantined and deleted successfully.
c:\users\Kie\AppData\Roaming\Microsoft\windows\start Menu\programs\Malwarecore 7.4 (Rogue.Malwarecore) -> Quarantined and deleted successfully.

Files Infected:
c:\programData\malusasu\malusasu.dll (Trojan.vundo) -> Quarantined and deleted successfully.
C:\ProgramData\yivivaso\yivivaso.dll (Trojan.vundo) -> Quarantined and deleted successfully.
c:\Qoobox\Quarantine\c\windows\system32\gxvxcqxiaydlsjadmlutkwdkbigbrvjleolnm.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\users\Kle\AppData\Local\virtualstore\windows\system32\prnet.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\users\Kie\AppData\Local\virtualstore\windows\system32\rn.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\program Files\Malwarecore 7.4\Malwarecore 7.4.url (Rogue.Malwarecore) -> Quarantined and deleted successfully.
c:\program Files\Malwarecore 7.4\mwdb.dat (Rogue.Malwarecore) -> Quarantined and deleted successfully.

HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:58:14, on 14/08/2009
Platform: windows Vista (winNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16830)
Boot mode: Normal

Running processes:
c:\windows\system32\Dwm.exe
C:\windows\system32\taskeng.exe
c:\windows\Explorer.ExE
c:\program Files\windows Defender\MSAscui.exe
c:\program Files\TOSHIBA\Toshiba online product Information\TOPI.exe
C:\windows\RtHDVCpl.exe
c:\program Files\TosHIBA\power saver\TPwrMain.exe
C:\program Files\TOSHIBA\smoothview\smoothview.exe
c:\program Files\TOSHIBA\Flashcards\TcrdMain.exe
c:\program Files\TosHIBA\ConfigFree\NDSTray.exe
c:\program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
c:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
c:\program Files\QuickTime\qttask.exe
D:\program Files\iTunes\iTunesHelper.exe
c:\program Files\epson\creativity Suite\Event Manager\EEventManager.exe
C:\program Files\HP\HP Software update\hpwuschd2.exe
c:\program Files\HP\Digital Imaging\bin\HpqsRmon.exe
C:\program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\windows\system32\taskeng.exe
C:\program Files\TOsHIBA\configFree\cFswMgr.exe
c:\windows\system32\NoTEPAD.EXE
D:\users\Kie\Desktop\HiJackThis\HijackThis.exe

RI - HKCU\software\Microsoft\Internet Explorer\Main,search Page = http://go.microsoft.com/fwlink/?LinkId=54896
RO - HKCU\software\Microsoft\Internet Explorer\Main,Start Page =
RI - HKLM\software\Microsoft\Internet Explorer\Main,Default_page_uRL http://go.microsoft.com/fwlink/?Linkld=69157
RI - HKLM\software\Microsoft\Internet Explorer\Main,Default_search_uRL http://go.microsoft.com/fwlink/?LinkId=54896
RI - HKLM\software\Microsoft\Internet Explorer\Main,search Page = http://go.microsoft.com/fwlink/?LinkId=54896
RO - HKLM\software\Microsoft\Internet Explorer\Main,start page = http://go.microsoft.com/fwlink/?LinkId=69157
RO - HKLM\software\Microsoft\Internet Explorer\search,searchAssistant =
RO - HKLM\software\Microsoft\Internet Explorer\search,customizesearch =
RI - HKCU\software\Microsoft\windows\currentversion\Internet settings,proxyoverride = *.local
RO - HKCU\software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
02 - BHO: txthlpBHO Class - {060235DC-6D84-47BD-95D7-A4EF5099A59D} - C:\PROGRA-I\TEXTHE-I\READAN-I\TEXTHE-3.DLL
02 - BHO: ArchiBar Toolbar - {24ccI362-11c6-4918-a2cO-bgee5a563185} - c:\program Files\ArchiBar\tbArcl.dll
02 - BHO: wormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8CO} - c:\program Files\AVG\AVG8\avgssie.dll (file missing)
02 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CFI0577473F7} - c:\program files\google\googletoolbarl.dll
02 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
02 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40FO-B4AC-B7027CAE2FlA} - c:\program Files\EPSON\EPSON web-To-Page\EPsoN web-To-page.dll
02 - BHO: HP Smart BHO class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72EI16A856} - c:\program Files\HP\Digital Imaging\Smart web printing\hpswp_BHO.dll
03 - Toolbar: EPSON web-To-page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - c:\program Files\EPSON\EPSON web-To-page\EPSON web-To-page.dll
03 - Toolbar: ArchiBar Toolbar - {24ccI362-11c6-4918-a2cO-bgee5a563185} - c:\program Files\ArchiBar\tbArcl.dll
03 - Toolbar: &Google - {2318C2BI-4965-11d4-9BI8-009027A5CD4F} - c:\program files\google\googletoolbarl.dll
04 - HKLM\ .. \Run: [windows Defender] %programFiles%\windows Defender\MSAscui.exe -hide
04 - HKLM\ .. \Run: [HotKeyscmds] C:\windows\system32\hkcmd.exe
04 - HKLM\ .. \Run: [persistence] c:\windows\system32\igfxpers.exe
04 - HKLM\ .. \Run: [SVPWUTIL] c:\program Files\TOSHIBA\Utilities\svPwuTIL.exe SVPwUTIL
04 - HKLM\ .. \Run: [topi] c:\program Files\TOSHIBA\Toshiba online Product Information\topi.exe -startup
04 - HKLM\ .. \Run: [RtHDVCpl] RtHDVcpl.exe
04 - HKLM\ .. \Run: [TPwrMain] %programFiles%\TOSHIBA\power saver\TPwrMain.EXE
04 - HKLM\ .. \Run: [HSON] %programFiles%\TOSHIBA\TBS\HSON.exe
04 - HKLM\ .. \Run: [smoothview] %programFiles%\Toshiba\smoothview\smoothview.exe
04 - HKLM\ .. \Run: [00TcrdMain] %programFiles%\TOSHIBA\Flashcards\TcrdMain.exe
04 - HKLM\ .. \Run: [NDSTray.exe] NDsTray.exe
04 - HKLM\ .. \Run: [Toshiba Registration] c:\program Files\Toshiba\Registration\ToshibaRegistration.exe
04 - HKLM\ .. \Run: [IAAnotif] c:\Program Files\Intel\Intel Matrix storage Manager\iaanotif.exe
04 - HKLM\ .. \Run: [IaNvSrv] C:\program Fi1es\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvsrv.exe
04 - HKLM\ .. \Run: [Acronis scheduler2 service] "c:\program Files\Common Files\Acronis\schedule2\schedhlp.exe"
04 - HKLM\ .. \Run: [QuickTime Task] "c:\program Files\QuickTime\qttask.exe" -atboottime
04 - HKLM\ .. \Run: [iTunesHelper] "D:\program Files\iTunes\iTunesHelper.exe"
04 - HKLM\ .. \Run: [EEventManager] c:\program Files\EPSON\creativity Suite\Event Manager\EEventManager.exe
04 - HKLM\ .. \Run: [HP software update] c:\program Files\HP\HP software update\HPWuschd2.exe
04 - HKLM\ .. \Run: [hpqsRMon] c:\program Files\HP\Digital Imaging\bin\hpqsRMon.exe
04 - HKLM\ .. \Run: [skytel] skytel.exe
04 - HKLM\ .. \Runonce: [Malwarebytes' Anti-Malware] c:\program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
04 - HKCU\ .. \Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
04 - startup: Adobe Gamma.lnk = c:\program Files\common Files\Adobe\calibration\Adobe Gamma Loader.exe
04 - startup: palm Registration.lnk = c:\program Files\palm\register.exe
04 - Global startup: Dataviz Inc Messenger.lnk = c:\program Files\common Files\Dataviz\DvzlncMsgr.exe
09 - Extra button: Research - {92780B25-18CC-41C8-B96E-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
09 - Extra button: eBay - {C08CAF1D-COA3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
09 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll
010 - Broken Internet access because of LSP provider c:\program files\f-secure internet security\fsps\program\fslsp.dll' missing
013 - Gopher prefix:
018 - protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program Files\AVG\AVG8\avgpp.dll (file missing)
023 - Service: Acronis scheduler2 Service (Acrsch2Svc) - Acronis - c:\program Files\common Files\Acronis\schedule2\schedu12.exe
023 - Service: Adobe LM Service - Adobe Systems - c:\program Files\common Files\Adobe Systems shared\service\Adobelmsvc.exe
023 - service: Ati External Event utility - ATI Technologies Inc. - c:\windows\system32\Ati2evxx.exe
023 - Service: Autodesk Licensing Service - Autodesk - C:\program Files\common Files\Autodesk shared\service\Adskscsrv.exe
023 - service: configFree Service (CFSvcs) - TOSHIBA CORPORATION - c:\program Files\TOSHIBA\configFree\CFsvcs.exe
023 - service: DM1service - OLYMPUS IMAGING CORP. - c:\program Files\01ympus\DeviceDetector\DM1service.exe
023 - Service: Google software updater (gusvc) - Google - c:\program Files\Google\common\Google updater\GoogleupdaterServlce.exe
023 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel corporation - c:\program Files\Intel\Intel Matrix storage Manager\IAANTMon.exe 023 - Service: InstallDriver Table Manager (IDriverT) - Macrovlsion corporation - c:\program Files\Cqmmon Files\Installshield\oriver\11\Intel 32\IoriverT.exe
023 - Service: Installshield Licensing Service - Macrovision - c:\program Files\common Files\Installshield shared\service\InstallShield Licensing Service.exe
023 - service: ipod service - Apple Computer, Inc. - c:\program Files\iPod\bin\ipodservice.exe
023 - Service: symantec Core LC - symantec corporation - C:\program Files\Common Files\symantec shared\ccPo-Lc\symlcsvc.exe
023 - service: TOSHIBA Navi Support service (TNavisrv) - TOSHIBA corporation *C:\program Files\TosHIBA\TOSHIBA OVD PLAYER\TNaviSrv.exe
023 - service: TOSHIBA optical Disc Drive service (ToDOsrv) - TOSHIBA Corporation - C:\windows\system32\TODDsrv.exe
023 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA corporation - c:\program Files\TOSHIBA\power Saver\ToscoSrv.exe
023 - service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
023 - service: SecUROM User Access Service (V7) (userAccess7) - Unknown owner *c:\windows\system32\UAserv;ce7.exe
End of file - 8628 bytes

Thanks for all your help,
Rosie

ken545
2009-08-15, 01:58
Hello Rosie,

Sometimes TFC will hang if it removes a lot of garbage, not to worry, it looks like you're up and running.

Not sure if no internet is related to a malicious program; when you're all clean that will tell us. Have you tried calling your ISP and telling them you can't get online?

Let's make sure there is no part of that rootkit left. This too you can transfer by disk.

Download RootRepeal from the following location and save it to your desktop.

Zip Mirrors (Recommended)

Primary Mirror (http://rootrepeal.googlepages.com/RootRepeal.zip)
Secondary Mirror (http://ad13.geekstogo.com/RootRepeal.zip)
Secondary Mirror (http://rootrepeal.psikotick.com/RootRepeal.zip)

Rar Mirrors - Only if you know what a RAR is and can extract it.

Primary Mirror (http://ad13.geekstogo.com/RootRepeal.rar)
Secondary Mirror (http://ad13.geekstogo.com/RootRepeal.rar)
Secondary Mirror (http://rootrepeal.psikotick.com/RootRepeal.rar)


Extract RootRepeal.exe from the archive.
Open the RootRepeal icon on your desktop.
Click the Report tab.
Click the Scan button.
Check all seven boxes.
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

rosieb
2009-08-15, 02:54
Hello Ken

When I try to run RootRepeal, I get an error: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000d8)

Should I try a different download?

Rosie

ken545
2009-08-15, 04:07
Yes, please do, just drag the one you are having problems with to the trash. There are 3 links for zip and 3 for rar; if you're using zip, then try all three.

If that doesn't work then try this one.

Please download Rooter Rootkit Detector (http://eric.71.mespages.googlepages.com/Rooter.exe) to your Desktop

Doubleclick it to start the tool.
A Notepad file containing the report will open, also found at %systemdrive% (usually C:\Rooter.txt).
Post the report for me to see.

rosieb
2009-08-15, 05:03
Hi Ken

Here's the Rooter log:

Rooter_2
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows Vista. (6.0.6000)
[32_bits] - x86 Family 6 Model 15 Stepping 10, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Enabled
Windows Defender -> Enabled
User Account Control (UAC) -> Enabled
.
Internet Explorer 7.0.6000.16830
.
C:\ [Fixed-NTFS] ( Total:80 Go - Free:43 Go )
D:\ [Fixed-NTFS] .. ( Total:63 Go - Free:27 Go )
F:\ [CD_Rom]
.
Scan : 03:23.47
Path : D:\Users\Kie\Desktop\Rooter.exe
User : Kie ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
_____ \SystemRoot\System32\smss.exe (464)
_____ C:\Windows\system32\csrss.exe (600)
_____ C:\Windows\system32\wininit.exe (648)
_____ C:\Windows\system32\csrss.exe (660)
_____ C:\Windows\system32\services.exe (692)
_____ C:\Windows\system32\lsass.exe (704)
_____ C:\Windows\system32\lsm.exe (712)
_____ C:\Windows\system32\winlogon.exe (780)
_____ C:\Windows\system32\svchost.exe (932)
_____ C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (972)
_____ C:\Windows\system32\svchost.exe (1016)
_____ C:\Windows\system32\svchost.exe (1048)
_____ C:\Windows\system32\Ati2evxx.exe (1152)
_____ C:\Windows\system32\svchost.exe (1164)
_____ C:\Windows\system32\svchost.exe (1204)
_____ C:\Windows\system32\svchost.exe (1220)
Locked audiodg.exe (1336)
_____ C:\Windows\system32\SLsvc.exe (1376)
_____ C:\Windows\system32\svchost.exe (1468)
_____ C:\Windows\system32\svchost.exe (1592)
_____ C:\Windows\system32\Ati2evxx.exe (1700)
_____ C:\Windows\system32\spoolsv.exe (1836)
_____ C:\Windows\system32\svchost.exe (1860)
_____ C:\Windows\system32\Dwm.exe (388)
_____ C:\Windows\system32\taskeng.exe (592)
_____ C:\Windows\Explorer.EXE (1000)
_____ C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (2044)
_____ C:\Windows\system32\svchost.exe (1212)
_____ C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (384)
_____ C:\Program Files\Olympus\DeviceDetector\DM1Service.exe (904)
_____ C:\Windows\system32\svchost.exe (1036)
_____ C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe (392)
_____ C:\Windows\system32\svchost.exe (1412)
_____ C:\Windows\system32\svchost.exe (2028)
_____ C:\Windows\system32\svchost.exe (2056)
_____ C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe (2084)
_____ C:\Windows\system32\TODDSrv.exe (2104)
_____ C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe (2172)
_____ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe (2212)
_____ C:\Windows\system32\UAService7.exe (2284)
_____ C:\Windows\system32\svchost.exe (2300)
_____ C:\Windows\system32\SearchIndexer.exe (2332)
_____ C:\Program Files\Windows Defender\MSASCui.exe (3508)
_____ C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe (3556)
_____ C:\Windows\RtHDVCpl.exe (3564)
_____ C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (3572)
_____ C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (3592)
_____ C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (3600)
_____ C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe (3608)
_____ C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (3624)
_____ C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (3640)
_____ C:\Program Files\QuickTime\qttask.exe (3648)
_____ D:\Program Files\iTunes\iTunesHelper.exe (3656)
_____ C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe (3664)
_____ C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (3672)
_____ C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe (3680)
_____ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (3700)
_____ C:\Program Files\iPod\bin\iPodService.exe (2276)
_____ C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe (2916)
_____ C:\Windows\system32\taskeng.exe (3488)
Locked dllhost.exe (3184)
D:\Users\Kie\Desktop\Rooter.exe (1272)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors: 63 x 512 Bytes]
\Device\Harddisk0\Partition1 (Start_Offset:1048576 | Length:1572864000)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:1573912576 | Length:86894444544)
\Device\Harddisk0\Partition3 (Start_Offset:88468357120 | Length:68157440000)
\Device\Harddisk0\Partition4 (Start_Offset:237850421760 | Length:12206315520)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\AppleSoftwareUpdate.job
C:\Windows\Tasks\Google Software Updater.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
C:\Windows\Tasks\User_Feed_Synchronization-{364B15A7-9ABD-47BF-BD4E-C8850BA667FD}.job
.
----------------------\\ Registry
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 03:23.48
.
C:\Rooter$\Rooter_2.txt - (15/08/2009 | 03:23.48)


Thanks again for your help,

Rosie

ken545
2009-08-15, 06:00
Hello Rosie,

Rooter did not find anything bad.

Outside of no internet, how is your system running now??

rosieb
2009-08-15, 06:05
Apart from the Internet, it seems to be fine, Ken.

Rosie

ken545
2009-08-15, 06:19
Rosie,

I am going to leave this thread open for you for a week or so in case you need to post back. What I would like you to do is post on this Windows forum, it's our sister site; tell them you have no internet, that you posted here and we removed Vundo, a Rogue Antimalware Program and a Rootkit, and that now you cannot access the internet. They can help you get back online. We just do malware removal in this forum. You can also link them to this thread so they can see what we have done.

http://forums.spybot.info/showthread.php?t=50685



Post here, let me know if they helped you
http://forums.whatthetech.com/Browsers_Internet_email_f123.html

Good Luck,

Ken :)

rosieb
2009-08-15, 18:00
I'm very grateful for all your help, Ken. Thank you! :thanks:

I'll do as you advise re: posting on the other site and let you know the outcome.

What security protection would you advise my nephew to have on his now clean laptop to stop re-infection? Programs which update automatically might be advisable, perhaps :)

Rosie

ken545
2009-08-15, 18:32
Looks like you have Symantec Anti Virus installed, just keep it updated and run a scan at least once a week.

Malwarebytes <-- This is the free version and yours to keep, open it a few times a month, check for updates and run the Quick Scan, removing what it finds.

Windows Defender <-- You also have this installed, you can find it to run on Start > All Programs > Windows Defender.



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.



Rosie, when you post in the other forum, post the link back here in this thread so I can follow along.

Ken :)

rosieb
2009-08-15, 19:01
Thanks for the advice, Ken. Once I can get him on-line again I'll download your suggestions.

The Symantec, like the F-Secure, were time-limited programs that came with his laptop. He usually uses AVG, which I have reinstalled and updated via CD from my laptop.

How do I get rid of the remnants of these old programs, I wonder? Will they interfere with AVG?

Rosie

rosieb
2009-08-15, 21:27
Hi Ken

Here's the link to the other forum (I think!):
http://forums.whatthetech.com/LAN_connected_but_unable_access_web_pages_t106157.html

Rosie

ken545
2009-08-15, 22:14
Rosie,

I am linked to WTT so I can follow along.

Post a new HJT log and let me see what's installed.

Let me ask you a couple of questions also.

1. Do you have DSL or Cable Internet?
2. Do you use a Router ?

rosieb
2009-08-15, 22:52
Hello Ken

I use a cable modem. I do not have a router.

I'll post a new HJT log later tonight or tomorrow.

Thanks for your help,

Rosie

ken545
2009-08-15, 22:59
On the cable modem, there are a set of lights; one usually is amber and flashes, it's marked Internet. Do you see all the lights lit up and the one that says Internet lit up?

rosieb
2009-08-15, 23:07
Hi Ken,

Here's the HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:53:39, on 15/08/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16830)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Internet Explorer\ieuser.exe
D:\Users\Kieran Sheehan\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: txthlpBHO Class - {060235DC-6D84-47BD-95D7-A4EF5099A59D} - C:\PROGRA~1\TEXTHE~1\READAN~1\TEXTHE~3.DLL
O2 - BHO: ArchiBar Toolbar - {24cc1362-11c6-4918-a2c0-b9ee5a563185} - C:\Program Files\ArchiBar\tbArc1.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: ArchiBar Toolbar - {24cc1362-11c6-4918-a2c0-b9ee5a563185} - C:\Program Files\ArchiBar\tbArc1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IaNvSrv] C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\f-secure internet security\fsps\program\fslsp.dll' missing
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\Windows\system32\UAService7.exe

--
End of file - 9177 bytes

Thanks,

Rosie

ken545
2009-08-15, 23:43
You started off with AVAST, I believe, and now have AVG; I am still looking at Norton running as a service.

You can run this tool that will remove all of Norton.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

Then post a new HJT log and let's see if it's gone.

rosieb
2009-08-15, 23:43
Hi Ken

In reply to your post,
I've got 4 green lights:

Power, enet, sync and ready which is normal for this modem

and 2 other lights: send and receive which are not flashing because I'm unable to send or receive!

Kath

ken545
2009-08-15, 23:50
Like I said before, you may want to call your ISP, give them that info and let them check for you. It could be on their end.

rosieb
2009-08-16, 00:32
Hi Ken

My laptop, which I'm using to reply to you, is connecting fine through the cable modem, so I don't think there's a problem with the ISP.

New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:19:58, on 15/08/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16830)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
D:\Users\Kie\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: txthlpBHO Class - {060235DC-6D84-47BD-95D7-A4EF5099A59D} - C:\PROGRA~1\TEXTHE~1\READAN~1\TEXTHE~3.DLL
O2 - BHO: ArchiBar Toolbar - {24cc1362-11c6-4918-a2c0-b9ee5a563185} - C:\Program Files\ArchiBar\tbArc1.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: ArchiBar Toolbar - {24cc1362-11c6-4918-a2c0-b9ee5a563185} - C:\Program Files\ArchiBar\tbArc1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IaNvSrv] C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\f-secure internet security\fsps\program\fslsp.dll' missing
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\Windows\system32\UAService7.exe

--
End of file - 9038 bytes

Another thing I've noticed is that when I look in C:\Program data, I find F-Secure files, and when I look at Control Panel, Security Centre, it tells me that Windows Firewall and F-Secure are switched on. I removed F-Secure via Add/Remove Programs and it doesn't show up there any more! Weird!

Thanks for your continuing help, Ken

Rosie

rosieb
2009-08-16, 00:38
Hi Ken,

I've just noticed this in the HJT log:

O10 - Broken Internet access because of LSP provider 'c:\program files\f-secure internet security\fsps\program\fslsp.dll' missing

Could it be the problem?

Rosie

ken545
2009-08-16, 03:22
That looks like a leftover from F-Secure; sorry I missed that, as I was looking for Norton. Do not fix that with HJT.

Do it this way.


Please download LSPFix (http://www.cexx.org/LSPFix.exe)
Disconnect from the internet.
Go to where you downloaded LSPFix and run the LSPFix.exe by double clicking on it.
Check the I know what I'm doing box.
In the Keep box you should see one or more instances of fslsp.dll
Select every instance of fslsp.dll and move each one to the Remove box by clicking the >> button.
When you are done click Finish.

LSP Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial59.html) <-- If you need it.



Reboot your system and give it a go.

Rosie, this system has had so many anti-virus programs installed. You have AVG now, which is more than adequate; do not install any more of them.

rosieb
2009-08-16, 03:53
Brilliant, Ken!!

It worked!

I'm now using my nephew's laptop to reply.

I'm so grateful for all your help and patience.

Rosie

ken545
2009-08-16, 04:00
You're welcome, Rosie. It looks like you had a bad uninstall of F-Secure.

Post one last HJT log and let's make sure everything is in order.

Be sure to let Doug know it's working now.

rosieb
2009-08-16, 04:24
Hi Ken

Latest HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:18:15, on 16/08/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16830)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\System32\mobsync.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
D:\Users\Kie\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: txthlpBHO Class - {060235DC-6D84-47BD-95D7-A4EF5099A59D} - C:\PROGRA~1\TEXTHE~1\READAN~1\TEXTHE~3.DLL
O2 - BHO: ArchiBar Toolbar - {24cc1362-11c6-4918-a2c0-b9ee5a563185} - C:\Program Files\ArchiBar\tbArc1.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: ArchiBar Toolbar - {24cc1362-11c6-4918-a2c0-b9ee5a563185} - C:\Program Files\ArchiBar\tbArc1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IaNvSrv] C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\Windows\system32\UAService7.exe

--
End of file - 9132 bytes

I hope everything is now in order & I won't need another late night (almost 3:30 am in London).

Thanks again for all your help,

Rosie

ken545
2009-08-16, 04:33
Just remove this with HJT; it's just a leftover, more clutter than anything else.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

Looks like you're good to go :bigthumb:

Yep, it must be late for you on the other side of the pond :)

Take Care,

Ken
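A small triage script for the kind of HijackThis log reviewed in this thread, added here as an example; it is not part of the thread and not part of the HijackThis tool. It parses the "Oxx - ..." line format quoted above and flags the O10 broken-LSP entry Rosie spotted, references to files that no longer exist, the empty Start Page setting Ken had removed, an AppInit_DLLs entry, and services with no named owner. The sample lines are constructed from the logs posted above; the Finding categories and their names are my own.

```python
"""Triage a HijackThis v2 log for leftover and suspicious entries."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\f-secure internet security\fsps\program\fslsp.dll' missing
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\Windows\system32\UAService7.exe
"""

# Every HJT entry starts with a section code (R0, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O10 text as HJT prints it when a Winsock LSP DLL is gone.
LSP_RE = re.compile(r"LSP provider '(?P<path>[^']+)' missing", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    code: str    # HJT section code, e.g. "O10"
    kind: str    # short category (names chosen for this example)
    detail: str  # what the reviewer should look at
    line: str    # the original log line


def classify(code: str, body: str, line: str) -> Optional[Finding]:
    """Return a Finding for one HJT entry, or None if it looks benign."""
    if code == "O10":
        # A broken LSP chain is repaired with an LSP tool, not by deleting
        # the line in HJT, as the thread above notes.
        m = LSP_RE.search(body)
        path = m.group("path") if m else body
        return Finding(code, "broken-lsp",
                       f"Winsock LSP chain references a missing DLL: {path}; "
                       "repair the chain with an LSP tool rather than deleting the entry",
                       line)
    if "(file missing)" in body or "(no file)" in body:
        return Finding(code, "dangling-reference",
                       "entry points at a file that no longer exists (uninstall leftover)",
                       line)
    if code in ("R0", "R1") and body.rstrip().endswith("="):
        return Finding(code, "empty-ie-setting",
                       "Internet Explorer setting with an empty value; harmless clutter",
                       line)
    if code == "O23" and "Unknown owner" in body:
        return Finding(code, "unknown-owner-service",
                       "service binary carries no vendor name; verify its publisher",
                       line)
    if code == "O20":
        return Finding(code, "appinit-dll",
                       "AppInit_DLLs loads this DLL into every GUI process; "
                       "confirm it belongs to installed software",
                       line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan a whole HJT log; header, process list and footer lines are skipped."""
    findings: List[Finding] = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        f = classify(m.group("code"), m.group("body"), line)
        if f is not None:
            findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per category."""
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.code}] {f.kind}: {f.detail}\n    {f.line}")
    print(summarize(results))
```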

rosieb
2009-08-16, 04:43
Done it.

Thank you for all your help.

Regards,

Rosie

ken545
2009-08-16, 04:47
You're welcome, Rosie,

Take care,

Ken :)

rosieb
2009-08-17, 01:16
It's me again, Ken.

I'm just tidying up my nephew's laptop after the disinfection.

I'm wondering if there's a handy utility for removing remnants of F-Secure as MS Security Centre is still telling me I have 2 firewalls working - Windows and F-secure. Obviously these are more bits of F-secure which didn't uninstall although it doesn't show up in Add/Remove programs.

Also there are lots of stray files and empty folders in C:\Program Files & C:\Program Data. These refer to uninstalled programs or ones with missing links. Is there something I could run to get rid of them safely?

I'd be grateful if you could point me in the right direction.

Thanks,

Rosie

ken545
2009-08-17, 03:43
Hi Rosie,

I just looked over your HJT log and see no evidence of F-Secure. Here are two links to a removal tool that will remove all F-Secure products. Keep in mind I have never run this one, so it's at your own risk.

http://support.f-secure.com/enu/corporate/downloads/removeav.shtml
http://www.softpedia.com/get/Tweak/Uninstallers/F-Secure-Uninstallation-Tool.shtml


As far as cleaning those files, I really am not sure which ones you're referring to. In Program Files, if a program was removed via Programs and Features and the folder for that program is still present, you can delete it. In Program Data I am not sure what you have in there. Your computer is clean, so I would not lose any sleep over them.

Ken :)

rosieb
2009-08-17, 07:44
Ken to the rescue once again!:bigthumb:

Thank you. That uninstaller worked. Security Centre says only one firewall now.

I won't worry about the stray files any more.

My next query is about CPU and disk activity. When I start up the laptop and the desktop appears, there is now about 5-8 minutes of frantic disk activity and the CPU runs at 100%. Is this normal?

Rosie

ken545
2009-08-17, 10:25
Hi Rosie

When you start Windows and it's loading, there will be high CPU, but it should settle down to around 4% or so in just a few minutes.

You may have programs loading that are not needed, maybe even one that could be corrupted and causing problems.

Post in this forum (same website, different forum); this one is for Windows, and they can help you sort out what's going on at startup. We don't do that here; we just do malware removal.
http://forums.whatthetech.com/Microsoft_Windows_f119.html

Good Luck,

Ken :)

rosieb
2009-08-18, 04:05
Thank you, Ken.

I've posted on the other site and Doug is helping me again.

Take care,

Rosie :thanks:

ken545
2009-08-18, 10:13
:bigthumb: You're in good hands.

rosieb
2009-08-20, 04:56
Hello Ken

Once again thank you for all your help.

Before we close the thread, should I uninstall Combofix?

Finally, I managed to run RootRepeal and it has found a number of Stealth Objects. Should they be there? Would you like to see the log?

Rosie

ken545
2009-08-20, 10:38
Hi Rosie,

I am sure they're fine, but go ahead and post the RR log.

rosieb
2009-08-20, 15:22
Thanks Ken

Here it is:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/20 02:20
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x91260000 Size: 778240 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x93115000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spzc.sys
Image Path: C:\Windows\System32\Drivers\spzc.sys
Address: 0x8068A000 Size: 1048576 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c2c89de7-8c3a-11de-af0f-001b3840b6c1}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{fe1ad5b2-8c4b-11de-b2b1-001b3840b6c1}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{fe1ad5c3-8c4b-11de-b2b1-001b3840b6c1}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Users\Kie\My Documents
Status: Locked to the Windows API!

Path: C:\Windows\Microsoft.NET\Framework\NETFXS~1.HKF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_588445e3d272feb1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_54c1279468b7b84b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_45e008191e507087.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_a6e7a8e20e9863b4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_7658964504b9f3b6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_4ddfc6cd11929a02.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_b7e811287b298060.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_5c400d5e63e93b68.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.1.0.0_none_6c030d6fdc86522c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_d6c3f1519bae0514.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.91_none_58b1a5ca663317c4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cda6db.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_0e9c342f74fd2e58.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_db5f5c9d98cb161f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_b7e911727b2899b7.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.91_none_dc9917e997f80c63.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc0ea08098.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_a6e6a8980e994a5d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\4a4e6de1088e614f7694727d621129512819bdecdb46cc6ebb7c1f192dfe380e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\8b414e757cb8b153bff77dd00a36556aea3adab25ce15f3e8b184ffbf41ba7a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\935df4549e21123a2efb986a707f54475380a037519679510e4b4dfc4bdb5767.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\ef483ae0673e2975dd4224fe26749623c1c702b8b3fded10161417459e1771a7.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\b080e112e69d2e9c8e71acd39a81f0d469d837625ceb8ed73b5b87da1fd1424c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\989e628160e12c984a435d2bb2a335ad043e006646150c7b1f3bb52dccd842cc.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\d5ecf2ab9387e082648bbcccd6eceb9d67b096939150833d0ae3066b3a1a676e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\71503c1b988fb27a41668f3ba35468d268daf07e8e79cf7b82a1ef64a8d213a1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\bd83dce340498e7c363093c2fc74dfb58e1ec17770453905172c7471fadd9333.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\4bde3906e1ad59953a7d8592ff3860dd7fadc4e12abe4b5c828645390461a3aa.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\df4c00155bfca5da82320089743bb386e8df43312c8d8b8112418980a2440f2d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18289_none_0b1c4a254f52777a\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6000.16720_none_7c654fdc62654993\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6000.20883_none_659d66807c078e86\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6001.18111_none_7c40349262b75634\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6001.22230_none_6574a52e7c5ccf47\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.16720_none_4ef4fbb8699d6b09\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.16720_none_4ef4fbb8699d6b09\DEFINE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.16720_none_4ef4fbb8699d6b09\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.20883_none_382d125c833faffc\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.20883_none_382d125c833faffc\DEFINE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.20883_none_382d125c833faffc\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.18111_none_4ecfe06e69ef77aa\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.18111_none_4ecfe06e69ef77aa\DEFINE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.18111_none_4ecfe06e69ef77aa\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.22230_none_3804510a8394f0bd\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.22230_none_3804510a8394f0bd\DEFINE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.22230_none_3804510a8394f0bd\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_b03f5f7f11d50a3a_6.0.6000.16720_none_e000b84a44323b9f\WEBADM~2.MAS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_b03f5f7f11d50a3a_6.0.6000.16720_none_e000b84a44323b9f\WEBADM~3.MAS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_b03f5f7f11d50a3a_6.0.6000.16720_none_e000b84a44323b9f\WE5915~1.MAS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_b03f5f7f11d50a3a_6.0.6000.16720_none_e000b84a44323b9f\WEBE69~1.MAS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_b03f5f7f11d50a3a_6.0.6000.20883_none_c938ceee5dd48092\WEBADM~2.MAS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_b03f5f7f11d50a3a_6.0.6000.20883_none_c938ceee5dd48092\WEBADM~3.MAS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_b03f5f7f11d50a3a_6.0.6000.20883_none_c938ceee5dd48092\WE5915~1.MAS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_b03f5f7f11d50a3a_6.0.6000.20883_none_c938ceee5dd48092\WEBE69~1.MAS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_b03f5f7f11d50a3a_6.0.6001.18111_none_dfdb9d0044844840\WEBADM~2.MAS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_b03f5f7f11d50a3a_6.0.6001.18111_none_dfdb9d0044844840\WEBADM~3.MAS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_b03f5f7f11d50a3a_6.0.6001.18111_none_dfdb9d0044844840\WE5915~1.MAS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_b03f5f7f11d50a3a_6.0.6001.18111_none_dfdb9d0044844840\WEBE69~1.MAS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.0.6000.16720_none_9e3e9a071d8dacdd\WEBCON~1.DEF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.0.6000.20883_none_8776b0ab372ff1d0\WEBCON~1.DEF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.0.6001.18000_none_9e18955f1de08635\WEBCON~1.DEF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_vrg_31bf3856ad364e35_6.0.6000.16708_none_c71adcbf2e98b7f5\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_vrg_31bf3856ad364e35_6.0.6000.20864_none_c75f98da47ea9a09\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_vrg_31bf3856ad364e35_6.0.6001.18096_none_c89dc99f2c0a148a\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_vrg_31bf3856ad364e35_6.0.6001.22208_none_c98ab83044dce8b0\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_h_31bf3856ad364e35_6.0.6000.16708_none_9958372092944487\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_h_31bf3856ad364e35_6.0.6000.20864_none_999cf33babe6269b\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_h_31bf3856ad364e35_6.0.6001.18096_none_9adb24009005a11c\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_vrg_31bf3856ad364e35_6.0.6000.16708_none_807ba2c12fe38edc\_TRANS~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_vrg_31bf3856ad364e35_6.0.6000.20864_none_80c05edc493570f0\_TRANS~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_smsvchost_perf_c_h_31bf3856ad364e35_6.0.6001.18096_none_4303a14a59b89802\_SMSVC~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_smsvchost_perf_c_vrg_31bf3856ad364e35_6.0.6001.18096_none_35b5d7ed0b402f09\_SMSVC~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_h_31bf3856ad364e35_6.0.6001.22208_none_9bc81291a8d87542\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16885_none_09320a57522f812d\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21083_none_09b97eb06b4f218b\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18000_none_0b69c31f4f19b995\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\ASPX_F~1.GIF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\DESELE~1.GIF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\GRADIE~1.GIF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\GRADIE~2.GIF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\HEADER~1.GIF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\REQUIR~1.GIF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\SECURI~1.JPG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\SELECT~2.GIF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\SELECT~3.GIF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\UNSELE~1.GIF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\UNSELE~2.GIF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6000.16720_none_e101494a280d4e0b\NAVIGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6000.16720_none_e101494a280d4e0b\WEBADM~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6000.16720_none_e101494a280d4e0b\WEBADM~2.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6000.16720_none_e101494a280d4e0b\WEBADM~3.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6000.16720_none_e101494a280d4e0b\WEBADM~4.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6000.16720_none_e101494a280d4e0b\WED669~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6000.20883_none_ca395fee41af92fe\NAVIGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6000.20883_none_ca395fee41af92fe\WEBADM~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6000.20883_none_ca395fee41af92fe\WEBADM~2.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6000.20883_none_ca395fee41af92fe\WEBADM~3.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6000.20883_none_ca395fee41af92fe\WEBADM~4.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6000.20883_none_ca395fee41af92fe\WED669~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6001.18111_none_e0dc2e00285f5aac\NAVIGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6001.18111_none_e0dc2e00285f5aac\WEBADM~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6001.18111_none_e0dc2e00285f5aac\WEBADM~2.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6001.18111_none_e0dc2e00285f5aac\WEBADM~3.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6001.18111_none_e0dc2e00285f5aac\WEBADM~4.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6001.18111_none_e0dc2e00285f5aac\WED669~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6001.22230_none_ca109e9c4204d3bf\NAVIGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6001.22230_none_ca109e9c4204d3bf\WEBADM~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6001.22230_none_ca109e9c4204d3bf\WEBADM~2.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6001.22230_none_ca109e9c4204d3bf\WEBADM~3.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6001.22230_none_ca109e9c4204d3bf\WEBADM~4.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6001.22230_none_ca109e9c4204d3bf\WED669~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_code_b03f5f7f11d50a3a_6.0.6000.16720_none_7cdc4e91b93964e9\APPLIC~1.CS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_code_b03f5f7f11d50a3a_6.0.6000.20883_none_66146535d2dba9dc\APPLIC~1.CS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_code_b03f5f7f11d50a3a_6.0.6001.18111_none_7cb73347b98b718a\APPLIC~1.CS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_code_b03f5f7f11d50a3a_6.0.6001.22230_none_65eba3e3d330ea9d\APPLIC~1.CS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_help_b03f5f7f11d50a3a_6.0.6000.16720_none_7c904d7bb970f7cd\WEBADM~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_help_b03f5f7f11d50a3a_6.0.6000.16720_none_7c904d7bb970f7cd\WEBADM~3.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_help_b03f5f7f11d50a3a_6.0.6000.16720_none_7c904d7bb970f7cd\WEBADM~4.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_help_b03f5f7f11d50a3a_6.0.6000.16720_none_7c904d7bb970f7cd\WEBB00~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_help_b03f5f7f11d50a3a_6.0.6000.20883_none_65c8641fd3133cc0\WEBADM~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_help_b03f5f7f11d50a3a_6.0.6000.20883_none_65c8641fd3133cc0\WEBADM~3.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_help_b03f5f7f11d50a3a_6.0.6000.20883_none_65c8641fd3133cc0\WEBADM~4.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_help_b03f5f7f11d50a3a_6.0.6000.20883_none_65c8641fd3133cc0\WEBB00~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_help_b03f5f7f11d50a3a_6.0.6001.18111_none_7c6b3231b9c3046e\WEBADM~2.ASP
Status: Locked to the Windows API!

Path: C:\Win

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1396 Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x858221f8 Size: 121

Object: Hidden Code [Driver: fastfatП牄直褅咠謾, IRP_MJ_CREATE]
Process: System Address: 0x8850c1f8 Size: 121

Object: Hidden Code [Driver: fastfatП牄直褅咠謾, IRP_MJ_CLOSE]
Process: System Address: 0x8850c1f8 Size: 121

Object: Hidden Code [Driver: fastfatП牄直褅咠謾, IRP_MJ_READ]
Process: System Address: 0x8850c1f8 Size: 121

Object: Hidden Code [Driver: fastfatП牄直褅咠謾, IRP_MJ_WRITE]
Process: System Address: 0x8850c1f8 Size: 121

Object: Hidden Code [Driver: fastfatП牄直褅咠謾, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8850c1f8 Size: 121

Object: Hidden Code [Driver: fastfatП牄直褅咠謾, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8850c1f8 Size: 121

Object: Hidden Code [Driver: fastfatП牄直褅咠謾, IRP_MJ_QUERY_EA]
Process: System Address: 0x8850c1f8 Size: 121

Object: Hidden Code [Driver: fastfatП牄直褅咠謾, IRP_MJ_SET_EA]
Process: System Address: 0x8850c1f8 Size: 121

Object: Hidden Code [Driver: fastfatП牄直褅咠謾, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8850c1f8 Size: 121

Object: Hidden Code [Driver: fastfatП牄直褅咠謾, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8850c1f8 Size: 121

Object: Hidden Code [Driver: fastfatП牄直褅咠謾, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8850c1f8 Size: 121

Object: Hidden Code [Driver: fastfatП牄直褅咠謾, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8850c1f8 Size: 121

Object: Hidden Code [Driver: fastfatП牄直褅咠謾, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8850c1f8 Size: 121

Object: Hidden Code [Driver: fastfatП牄直褅咠謾, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8850c1f8 Size: 121

Object: Hidden Code [Driver: fastfatП牄直褅咠謾, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8850c1f8 Size: 121

Object: Hidden Code [Driver: fastfatП牄直褅咠謾, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8850c1f8 Size: 121

Object: Hidden Code [Driver: fastfatП牄直褅咠謾, IRP_MJ_CLEANUP]
Process: System Address: 0x8850c1f8 Size: 121

Object: Hidden Code [Driver: fastfatП牄直褅咠謾, IRP_MJ_PNP]
Process: System Address: 0x8850c1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x858201f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x858201f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x858201f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x858201f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x858201f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x858201f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x858201f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_CREATE]
Process: System Address: 0x885ad500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x885ad500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_READ]
Process: System Address: 0x885ad500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_WRITE]
Process: System Address: 0x885ad500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x885ad500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x885ad500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x885ad500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x885ad500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_POWER]
Process: System Address: 0x885ad500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x885ad500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_PNP]
Process: System Address: 0x885ad500 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_CREATE]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_CLOSE]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_READ]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_WRITE]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_QUERY_EA]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_SET_EA]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_CLEANUP]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_POWER]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: iaNvStor, IRP_MJ_PNP]
Process: System Address: 0x8581f1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x884f71f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x884f71f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x884f71f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x884f71f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x884f71f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x884f71f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x884f71f8 Size: 121

Object: Hidden Code [Driver: Smb彬Ў浍摌裈迅㘐轮??, IRP_MJ_CREATE]
Process: System Address: 0x8fcc21f8 Size: 121

Object: Hidden Code [Driver: Smb彬Ў浍摌裈迅㘐轮??, IRP_MJ_CLOSE]
Process: System Address: 0x8fcc21f8 Size: 121

Object: Hidden Code [Driver: Smb彬Ў浍摌裈迅㘐轮??, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8fcc21f8 Size: 121

Object: Hidden Code [Driver: Smb彬Ў浍摌裈迅㘐轮??, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8fcc21f8 Size: 121

Object: Hidden Code [Driver: Smb彬Ў浍摌裈迅㘐轮??, IRP_MJ_CLEANUP]
Process: System Address: 0x8fcc21f8 Size: 121

Object: Hidden Code [Driver: Smb彬Ў浍摌裈迅㘐轮??, IRP_MJ_PNP]
Process: System Address: 0x8fcc21f8 Size: 121

Object: Hidden Code [Driver: netbt, IRP_MJ_CREATE]
Process: System Address: 0x8fcc31f8 Size: 121

Object: Hidden Code [Driver: netbt, IRP_MJ_CLOSE]
Process: System Address: 0x8fcc31f8 Size: 121

Object: Hidden Code [Driver: netbt, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8fcc31f8 Size: 121

Object: Hidden Code [Driver: netbt, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8fcc31f8 Size: 121

Object: Hidden Code [Driver: netbt, IRP_MJ_CLEANUP]
Process: System Address: 0x8fcc31f8 Size: 121

Object: Hidden Code [Driver: netbt, IRP_MJ_PNP]
Process: System Address: 0x8fcc31f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtЄ䑈畁㑨衏쐨衍�衧萜衙쫜衙, IRP_MJ_CREATE]
Process: System Address: 0x885131f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtЄ䑈畁㑨衏쐨衍�衧萜衙쫜衙, IRP_MJ_CLOSE]
Process: System Address: 0x885131f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtЄ䑈畁㑨衏쐨衍�衧萜衙쫜衙, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x885131f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtЄ䑈畁㑨衏쐨衍�衧萜衙쫜衙, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x885131f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtЄ䑈畁㑨衏쐨衍�衧萜衙쫜衙, IRP_MJ_POWER]
Process: System Address: 0x885131f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtЄ䑈畁㑨衏쐨衍�衧萜衙쫜衙, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x885131f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtЄ䑈畁㑨衏쐨衍�衧萜衙쫜衙, IRP_MJ_PNP]
Process: System Address: 0x885131f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CREATE]
Process: System Address: 0x84e901f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_READ]
Process: System Address: 0x84e901f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_WRITE]
Process: System Address: 0x84e901f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84e901f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84e901f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84e901f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84e901f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CLEANUP]
Process: System Address: 0x84e901f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_POWER]
Process: System Address: 0x84e901f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84e901f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_PNP]
Process: System Address: 0x84e901f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x884c51f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x884c51f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x884c51f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x884c51f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x884c51f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x884c51f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x884c51f8 Size: 121

Object: Hidden Code [Driver: msahci, IRP_MJ_POWER]
Process: System Address: 0x858211f8 Size: 121

Object: Hidden Code [Driver: msahci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x858211f8 Size: 121

Object: Hidden Code [Driver: msahci, IRP_MJ_PNP]
Process: System Address: 0x858211f8 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_CREATE]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_CLOSE]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_READ]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_WRITE]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_QUERY_EA]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_SET_EA]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_SHUTDOWN]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_CLEANUP]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_SET_SECURITY]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_POWER]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_SET_QUOTA]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: mrxsmb΀ Е楆, IRP_MJ_PNP]
Process: System Address: 0x91711500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_CREATE]
Process: System Address: 0x8509d500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_CLOSE]
Process: System Address: 0x8509d500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_READ]
Process: System Address: 0x8509d500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_WRITE]
Process: System Address: 0x8509d500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8509d500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8509d500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8509d500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8509d500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8509d500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8509d500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8509d500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8509d500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8509d500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_PNP]
Process: System Address: 0x8509d500 Size: 121

==EOF==

There seem to be an awful lot of Stealth Objects!

Rosie

ken545
2009-08-20, 18:22
The log is fine, no rootkit :bigthumb:


Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

rosieb
2009-08-20, 22:46
Thanks, Ken. That's set my mind at rest.

I'll follow your instructions to uninstall Combofix. I think I'll also uninstall RootRepeal now.

Once again, thank you. I'm very grateful for all your help. :thanks:

Rosie

ken545
2009-08-20, 23:40
You're welcome, Rosie

ken545
2009-08-22, 11:42
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.