View Full Version : Backdoor/Generic 12/AAVT ???
I keep getting a pop-up from "Resident Shield Alert" saying that they found the trojan "Backdoor.Generic 12.AAVT" and it is located in C:/WINDOWS/System32/drivers/intelppm.sys. I am incredibly suspicious and now I am getting pretty frustrated. AVG, Malwarebytes', Ad-Aware and Spybot have not found/fixed anything. So, I need your help. Here is my HJT log I just did. Thank you so much for your help!!! :thanks:
--YJRen91
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:53 PM, on 1/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ThpSrv] C:\WINDOWS\system32\thpsrv /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TAccessibility] C:\Program Files\TOSHIBA\Accessibility\TAccessibility.exe Instant
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [TUSBSleepChargeSrv] %ProgramFiles%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
--
End of file - 9991 bytes
Hi,
Upload C:\WINDOWS\System32\drivers\intelppm.sys file to http://www.virustotal.com and post back the results.
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
File intelppm.sys received on 2010.02.02 23:20:58 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 15/39 (38.47%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 58 and 83 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.02 Trojan.Rootkit!IK
AhnLab-V3 5.0.0.2 2010.02.02 -
AntiVir 7.9.1.156 2010.02.02 TR/Rootkit.Gen
Antiy-AVL 2.0.3.7 2010.02.02 Trojan/Win32.ZAccess.gen
Authentium 5.2.0.5 2010.02.02 -
Avast 4.8.1351.0 2010.02.02 Win32:Rootkit-gen
AVG 9.0.0.730 2010.02.02 BackDoor.Generic12.AAVT
BitDefender 7.2 2010.02.02 -
CAT-QuickHeal 10.00 2010.02.02 -
ClamAV 0.96.0.0-git 2010.02.02 -
Comodo 3798 2010.02.02 -
DrWeb 5.0.1.12222 2010.02.03 -
eSafe 7.0.17.0 2010.02.02 -
eTrust-Vet 35.2.7277 2010.02.02 -
F-Prot 4.5.1.85 2010.02.01 -
F-Secure 9.0.15370.0 2010.02.02 -
Fortinet 4.0.14.0 2010.02.02 -
GData 19 2010.02.03 Win32:Rootkit-gen
Ikarus T3.1.1.80.0 2010.02.02 Trojan.Rootkit
Jiangmin 13.0.900 2010.02.02 Rootkit.ZAccess.f
K7AntiVirus 7.10.963 2010.02.02 -
Kaspersky 7.0.0.125 2010.02.03 -
McAfee 5880 2010.02.02 Generic Rootkit.ei
McAfee+Artemis 5880 2010.02.02 Generic Rootkit.ei
McAfee-GW-Edition 6.8.5 2010.02.02 Heuristic.BehavesLike.Win32.Rootkit.H
Microsoft 1.5406 2010.02.02 -
NOD32 4829 2010.02.02 -
Norman 6.04.03 2010.02.02 W32/Rootkit.BGXP
nProtect 2009.1.8.0 2010.02.02 -
Panda 10.0.2.2 2010.02.02 -
PCTools 7.0.3.5 2010.02.02 -
Prevx 3.0 2010.02.03 -
Rising 22.33.01.04 2010.02.02 -
Sophos 4.50.0 2010.02.02 Mal/ZAccess-A
Sunbelt 3.2.1858.2 2010.02.02 -
TheHacker 6.5.1.0.177 2010.02.02 Trojan/ZAccess.dl
TrendMicro 9.120.0.1004 2010.02.02 -
ViRobot 2010.2.2.2168 2010.02.02 -
VirusBuster 5.0.21.0 2010.02.02 Trojan.Rootkit.ZL
Additional information
File size: 36352 bytes
MD5...: 26505a17e030ccd0221f96ce4fe6e3ba
SHA1..: 95775c3ca6466c45cd0b6e33d4f3daacdd09518b
SHA256: 295a939e43b1204bb36c598e08cb371ce5ff53834b1befaa14cd29f28c9c9f5b
ssdeep: 768:Dfb4VuCjw6dHrJRuTF3p5UzJrhJJbA58ZLUbpPo8U6r3:D89jwYHrruTxp5U
Rhr38Rr3
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x372b
timedatestamp.....: 0x4b5b141c (Sat Jan 23 15:22:04 2010)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2a2a 0x2c00 6.29 1a738531f02bf4a9391f40e29dbeb9ec
.rdata 0x4000 0x1222 0x1400 4.77 1f52faa54e4dc9f950d43bd709c13005
.data 0x6000 0x1d1 0x200 0.89 650c5b7411e95df32e49c6fe77825e63
.reloc 0x7000 0x40e 0x600 4.46 e9a56c3bcd9634136573f282236be3dc
( 1 imports )
> ntoskrnl.exe: ObfDereferenceObject, ExAllocatePool, ExFreePoolWithTag, ZwClose, ZwSetSystemInformation, swprintf, RtlInitUnicodeString, IoCreateDriver, ObMakeTemporaryObject, ExUuidCreate, RtlStringFromGUID, sprintf, RtlFreeUnicodeString, ZwSetInformationFile, ZwWriteFile, ZwCreateFile, ZwQueryInformationFile, KeQuerySystemTime, RtlTimeToTimeFields, ZwDeleteFile, ZwOpenFile, ZwReadFile, RtlIpv4StringToAddressExA, KeInsertQueue, KeRemoveQueue, KeRundownQueue, IoFreeIrp, KeInitializeQueue, ObfReferenceObject, PsCreateSystemThread, ObReferenceObjectByHandle, IoBuildDeviceIoControlRequest, IofCallDriver, ZwOpenSection, ZwMapViewOfSection, MmAllocatePagesForMdl, MmMapLockedPagesSpecifyCache, MmUnmapLockedPages, MmFreePagesFromMdl, ZwUnmapViewOfSection, RtlHashUnicodeString, KeSetEvent, RtlPrefixUnicodeString, IoGetRelatedDeviceObject, IoAllocateIrp, KeInitializeEvent, KeWaitForSingleObject, ExAllocatePoolWithTag, PoStartNextPowerIrp, IofCompleteRequest, PoCallDriver, ObReferenceObjectByName, IoDriverObjectType, IoEnumerateDeviceObjectList, IoCreateDevice, ZwCreateSection, ZwFlushVirtualMemory, ZwOpenKey, ZwEnumerateKey, ZwDeleteKey, ZwQueryKey, IoQueueWorkItem, ZwLoadDriver, ZwQueryDirectoryFile, ZwFsControlFile, IoDeleteDevice, ZwOpenDirectoryObject, ZwQueryDirectoryObject, IoGetDeviceObjectPointer, wcsrchr, IoAllocateWorkItem, KeInitializeTimer, KeInitializeDpc, KeSetTimerEx, _allmul, _allshr, _aullrem, memset, memcpy
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
___________________________________________________
DDS:
DDS (Ver_09-12-01.01) - NTFSx86
Run by whiting field at 17:23:31.92 on Mon 02/01/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.128 [GMT -8:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\TOSHIBA\IVP\ISM\ivpsvmgr.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\whiting field\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = about:blank
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [<NO NAME>]
mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NDSTray.exe] NDSTray.exe
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: [TDispVol] TDispVol.exe
mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
mRun: [ZoomingHook] ZoomingHook.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TAccessibility] c:\program files\toshiba\accessibility\TAccessibility.exe Instant
mRun: [TPSMain] TPSMain.exe
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [TUSBSleepChargeSrv] %ProgramFiles%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\whitin~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-11-22 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-11-22 161800]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2008-8-21 28536]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-9-4 6528]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-22 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-22 28424]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-22 360584]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-22 906520]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-22 285392]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2009-11-22 2304192]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-11-22 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-11-22 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-11-22 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-11-22 25736]
R3 cecnuvc;Chicony USB 2.0 Camera VD;c:\windows\system32\drivers\cec_uvc.sys [2009-7-23 48176]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2009-11-22 5832712]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-4-6 1684736]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-11-22 30104]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rtsustor.sys --> c:\windows\system32\drivers\RtsUStor.sys [?]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
=============== Created Last 30 ================
2010-01-29 22:16:21 36 ----a-w- c:\windows\system32\?Õ
2010-01-25 19:17:22 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-25 19:17:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-25 02:46:59 0 d-----w- c:\documents and settings\whiting field\.hd
2010-01-24 07:12:36 537829 ----a-w- C:\HaxFix.exe
2010-01-24 06:02:10 0 dc-h--w- c:\docume~1\alluse~1\applic~1\~0
2010-01-24 05:45:02 0 d-----w- c:\program files\Trend Micro
2010-01-24 05:33:39 0 d-----w- c:\docume~1\whitin~1\applic~1\AVG9
2010-01-20 23:28:20 0 d-----w- c:\program files\common files\SWF Studio
2010-01-20 23:24:44 0 d-----w- c:\windows\system32\Adobe
2010-01-20 23:19:29 0 d-----w- C:\T-1 Stuff
2010-01-12 21:50:25 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
==================== Find3M ====================
2010-01-30 06:39:19 6840 ----a-w- c:\docume~1\whitin~1\applic~1\wklnhst.dat
2010-01-08 00:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-11-23 03:30:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-23 03:30:07 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-04-06 19:37:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-08-03 14:49:33 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009080320090804\index.dat
2009-08-03 14:51:49 13 --sh--r- c:\windows\system32\drivers\fbd.sys
2009-08-03 14:51:41 3 --sh--r- c:\windows\system32\drivers\taishop.sys
============= FINISH: 17:24:38.48 ===============
Hi again,
Please update AVG definitions and see if it still detects C:\WINDOWS\System32\drivers\intelppm.sys. If it does please upload the file here (http://www.bleepingcomputer.com/submit-malware.php?channel=76). Kindly include a link to this topic in the message.
Uninstall old Adobe Reader versions and get the latest one (9.3) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here (http://pdfreaders.org/).
Check here (http://www.adobe.com/software/flash/about/) to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). Fresh version can be obtained here (http://get.adobe.com/flashplayer/).
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 18 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report & a fresh dds.txt log.
Start MBAM, update its definitions on update tab and run a quick scan. Let the program delete its findings and post back the report.
I have uploaded the file, updated all of my programs, and ran ATF.
Kapersky did not work for me. There was a problem with I can't figure out why it wouldn't. "Internet connection" problem, though my connection is good.
I keep getting the pop-ups from "Resident Shield Alert."
THANK YOU SO MUCH FOR YOUR HELP!! :2thumb:
Below are the DDS and MBAM reports:
______________________________________________________________
DDS (Ver_09-12-01.01) - NTFSx86
Run by whiting field at 13:17:29.60 on Tue 02/02/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.298 [GMT -8:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Documents and Settings\whiting field\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = about:blank
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mWindow Title =
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [<NO NAME>]
mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NDSTray.exe] NDSTray.exe
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: [TDispVol] TDispVol.exe
mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
mRun: [ZoomingHook] ZoomingHook.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TAccessibility] c:\program files\toshiba\accessibility\TAccessibility.exe Instant
mRun: [TPSMain] TPSMain.exe
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [TUSBSleepChargeSrv] %ProgramFiles%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\whitin~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2008-8-21 28536]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-9-4 6528]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-2 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-2 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-2 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-2-2 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-2 285392]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
R3 cecnuvc;Chicony USB 2.0 Camera VD;c:\windows\system32\drivers\cec_uvc.sys [2009-7-23 48176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-4-6 1684736]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rtsustor.sys --> c:\windows\system32\drivers\RtsUStor.sys [?]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
=============== Created Last 30 ================
2010-02-02 21:05:40 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-02 21:05:40 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-02 21:05:30 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-02 21:05:23 0 d-----w- c:\windows\system32\drivers\Avg
2010-02-02 19:47:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-29 22:16:21 36 ----a-w- c:\windows\system32\?Õ
2010-01-25 19:17:22 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-25 19:17:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-25 02:46:59 0 d-----w- c:\documents and settings\whiting field\.hd
2010-01-24 07:12:36 537829 ----a-w- C:\HaxFix.exe
2010-01-24 05:45:02 0 d-----w- c:\program files\Trend Micro
2010-01-24 05:33:39 0 d-----w- c:\docume~1\whitin~1\applic~1\AVG9
2010-01-20 23:28:20 0 d-----w- c:\program files\common files\SWF Studio
2010-01-20 23:24:44 0 d-----w- c:\windows\system32\Adobe
2010-01-20 23:19:29 0 d-----w- C:\T-1 Stuff
2010-01-12 21:50:25 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
==================== Find3M ====================
2010-02-02 19:47:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-30 06:39:19 6840 ----a-w- c:\docume~1\whitin~1\applic~1\wklnhst.dat
2010-01-08 00:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-04-06 19:37:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-08-03 14:49:33 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009080320090804\index.dat
2009-08-03 14:51:49 13 --sh--r- c:\windows\system32\drivers\fbd.sys
2009-08-03 14:51:41 3 --sh--r- c:\windows\system32\drivers\taishop.sys
============= FINISH: 13:18:35.01 ===============
________________________________________________________________
MBAM:
Malwarebytes' Anti-Malware 1.44
Database version: 3685
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
2/2/2010 2:59:27 PM
mbam-log-2010-02-02 (14-59-27).txt
Scan type: Full Scan (C:\|)
Objects scanned: 173640
Time elapsed: 1 hour(s), 17 minute(s), 57 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\{F9197A7E-CE10-458e-85F8-5B0CE6DF2BBE} (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Hi,
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
:sick: I followed your directions and closed everything and disabled everything. Upon starting ComboFix, it gave me notice that RootKit activity was going on and it needed to re-start. After re-start, everything was all normal, and the scan continued. I left the computer for a moment and came back to it going through the start-up/restart cycle and so I went to safe mode and ComboFix finished its report as normal. I hope I didn't inadvertantly screw it up.
Now to start-up, all I can do is Safe Mode with Networking. I keep getting the quick blip of a blue screen of death on start-ups as normal. Here is my ComboFix log. Things have gotten worse I think, but you are the expert. Thank you so much for your help!!!!!!
ComboFix 10-02-07.01 - whiting field 02/06/2010 12:30:52.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.619 [GMT -8:00]
Running from: c:\documents and settings\whiting field\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\webserver
c:\recycler\S-1-5-21-723572097-2801298171-3283528345-1003
c:\windows\system32\config\iixxc8tx.sav
Infected copy of c:\windows\system32\DRIVERS\intelppm.sys was found and disinfected
Restored copy from - The cat ate it :p
Infected copy of c:\windows\system32\drivers\intelppm.sys was found and disinfected
Restored copy from - c:\windows\system32\dllcache\intelppm.sys
.
((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.
2010-02-02 21:05 . 2010-02-02 21:05 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-02 21:05 . 2010-02-02 21:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-02 21:05 . 2010-02-02 21:05 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-02 21:05 . 2010-02-02 21:05 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-02 21:05 . 2010-02-06 19:39 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-02 19:48 . 2010-02-02 19:48 -------- d-----w- c:\program files\Common Files\Java
2010-02-02 19:47 . 2010-02-02 19:47 503808 ----a-w- c:\documents and settings\whiting field\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2dc288fe-n\msvcp71.dll
2010-02-02 19:47 . 2010-02-02 19:47 499712 ----a-w- c:\documents and settings\whiting field\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2dc288fe-n\jmc.dll
2010-02-02 19:47 . 2010-02-02 19:47 348160 ----a-w- c:\documents and settings\whiting field\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2dc288fe-n\msvcr71.dll
2010-02-02 19:47 . 2010-02-02 19:47 61440 ----a-w- c:\documents and settings\whiting field\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-20666cb3-n\decora-sse.dll
2010-02-02 19:47 . 2010-02-02 19:47 12800 ----a-w- c:\documents and settings\whiting field\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-20666cb3-n\decora-d3d.dll
2010-02-02 19:19 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\whiting field\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-02 19:17 . 2010-02-02 19:17 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-25 20:37 . 2010-01-25 20:38 -------- d-----w- c:\program files\ERUNT
2010-01-25 19:17 . 2010-01-30 09:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-25 19:17 . 2010-01-25 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-25 17:45 . 2010-02-02 21:05 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-01-25 17:45 . 2010-02-02 21:05 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-01-25 02:46 . 2010-02-04 01:43 -------- d-----w- c:\documents and settings\whiting field\.hd
2010-01-24 07:12 . 2010-01-19 17:16 537829 ----a-w- C:\HaxFix.exe
2010-01-24 06:01 . 2010-01-30 09:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-24 05:45 . 2010-01-24 05:45 -------- d-----w- c:\program files\Trend Micro
2010-01-24 05:33 . 2010-01-24 05:33 -------- d-----w- c:\documents and settings\whiting field\Application Data\AVG9
2010-01-20 23:28 . 2010-01-20 23:28 -------- d-----w- c:\program files\Common Files\SWF Studio
2010-01-20 23:24 . 2010-01-20 23:24 -------- d-----w- c:\windows\system32\Adobe
2010-01-20 23:19 . 2010-01-24 23:45 -------- d-----w- C:\T-1 Stuff
2010-01-12 21:50 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-10 09:52 . 2010-01-10 09:52 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-06 20:25 . 2009-10-19 22:32 -------- d-----w- c:\documents and settings\whiting field\Application Data\Skype
2010-02-06 19:32 . 2009-10-19 22:37 -------- d-----w- c:\documents and settings\whiting field\Application Data\skypePM
2010-02-05 01:44 . 2009-10-21 05:58 7468 ----a-w- c:\documents and settings\whiting field\Application Data\wklnhst.dat
2010-02-02 21:05 . 2009-11-23 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-02 19:47 . 2009-04-06 18:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-02 19:44 . 2009-10-21 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-02 19:20 . 2009-04-06 19:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-02 19:19 . 2009-04-06 19:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-10 09:52 . 2009-10-21 23:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 00:07 . 2009-10-21 23:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2009-10-21 23:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2009-04-06 19:48 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-04-06 19:47 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2009-04-06 19:46 17408 ----a-w- c:\windows\system32\corpol.dll
2009-11-21 15:51 . 2009-04-06 19:46 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-08-03 14:51 . 2009-08-03 14:51 13 --sh--r- c:\windows\system32\drivers\fbd.sys
2009-08-03 14:51 . 2009-08-03 14:51 3 --sh--r- c:\windows\system32\drivers\taishop.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-15 184320]
"ACU"="c:\program files\Atheros\ACU.exe" [2009-03-06 479320]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2009-03-26 417792]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2008-12-20 83336]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2009-04-03 73728]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-17 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-17 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-13 17531392]
"NDSTray.exe"="NDSTray.exe" [BU]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2009-03-18 827392]
"TDispVol"="TDispVol.exe" [2009-04-02 210232]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 24576]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]
"TAccessibility"="c:\program files\TOSHIBA\Accessibility\TAccessibility.exe" [2009-02-25 110592]
"TPSMain"="TPSMain.exe" [2009-03-17 283960]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]
"TUSBSleepChargeSrv"="c:\program files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe" [2009-03-16 252288]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-26 136816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
c:\documents and settings\whiting field\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-02 21:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:TCP"= 53:TCP:webserver
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [8/21/2008 9:35 AM 28536]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [9/4/2007 9:14 AM 6528]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/2/2010 1:05 PM 333192]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/2/2010 1:05 PM 360584]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2/2/2010 1:05 PM 906520]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/2/2010 1:05 PM 285392]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 7:09 PM 11032]
S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 11:22 AM 105856]
S2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 11:15 AM 134016]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/6/2009 11:08 AM 1684736]
S3 cecnuvc;Chicony USB 2.0 Camera VD;c:\windows\system32\drivers\cec_uvc.sys [7/23/2009 10:46 PM 48176]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys --> c:\windows\system32\Drivers\RtsUStor.sys [?]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mWindow Title =
uInternet Settings,ProxyOverride = *.local
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-06 12:45
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(440)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
.
**************************************************************************
.
Completion time: 2010-02-06 12:50:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-06 20:50
Pre-Run: 131,055,603,712 bytes free
Post-Run: 132,173,463,552 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 2099002C9EB35591B2DEB1AE146FF469
Hi,
Please post a fresh dds log too.
Then restart system and press F8 to access boot menu. Select "disable automatic restart on system failure" option and try to start normally. Note down possible error.
Sorry, new DDS and Attach
Thank you so much!!
DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by whiting field at 21:35:26.56 on Sat 02/06/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.654 [GMT -8:00]
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\whiting field\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = about:blank
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mWindow Title =
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NDSTray.exe] NDSTray.exe
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: [TDispVol] TDispVol.exe
mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
mRun: [ZoomingHook] ZoomingHook.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TAccessibility] c:\program files\toshiba\accessibility\TAccessibility.exe Instant
mRun: [TPSMain] TPSMain.exe
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [TUSBSleepChargeSrv] %ProgramFiles%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\whitin~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
============= SERVICES / DRIVERS ===============
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2008-8-21 28536]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-9-4 6528]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-2 360584]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-2 333192]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-2 28424]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-2-2 906520]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-2 285392]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
S2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-4-6 1684736]
S3 cecnuvc;Chicony USB 2.0 Camera VD;c:\windows\system32\drivers\cec_uvc.sys [2009-7-23 48176]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rtsustor.sys --> c:\windows\system32\drivers\RtsUStor.sys [?]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
=============== Created Last 30 ================
2010-02-06 20:26:52 0 d-sha-r- C:\cmdcons
2010-02-06 20:25:19 98816 ----a-w- c:\windows\sed.exe
2010-02-06 20:25:19 77312 ----a-w- c:\windows\MBR.exe
2010-02-06 20:25:19 261632 ----a-w- c:\windows\PEV.exe
2010-02-06 20:25:19 161792 ----a-w- c:\windows\SWREG.exe
2010-02-02 21:05:40 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-02 21:05:40 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-02 21:05:30 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-02 21:05:23 0 d-----w- c:\windows\system32\drivers\Avg
2010-02-02 19:47:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-29 22:16:21 36 ----a-w- c:\windows\system32\?Õ
2010-01-25 19:17:22 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-25 19:17:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-25 02:46:59 0 d-----w- c:\documents and settings\whiting field\.hd
2010-01-24 07:12:36 537829 ----a-w- C:\HaxFix.exe
2010-01-24 05:45:02 0 d-----w- c:\program files\Trend Micro
2010-01-24 05:33:39 0 d-----w- c:\docume~1\whitin~1\applic~1\AVG9
2010-01-20 23:28:20 0 d-----w- c:\program files\common files\SWF Studio
2010-01-20 23:24:44 0 d-----w- c:\windows\system32\Adobe
2010-01-20 23:19:29 0 d-----w- C:\T-1 Stuff
2010-01-12 21:50:25 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
==================== Find3M ====================
2010-02-05 01:44:39 7468 ----a-w- c:\docume~1\whitin~1\applic~1\wklnhst.dat
2010-02-02 19:47:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-08 00:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00:29 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-04-06 19:37:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-08-03 14:49:33 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009080320090804\index.dat
2009-08-03 14:51:49 13 --sh--r- c:\windows\system32\drivers\fbd.sys
2009-08-03 14:51:41 3 --sh--r- c:\windows\system32\drivers\taishop.sys
============= FINISH: 21:36:22.54 ===============
Blue Screen of Death, reads:
Problem seems to be caused by the following file: intelppm.sys
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS
Technical Information:
***STOP: 0x000000CE (0xF7907BDE, 0x00000008, 0xF7907BDE, 0x00000000)
intelppm.sys
:confused::confused::confused:
Hi,
Have you tried to use "Last known good configuration" -option to see if it helps?
Yeah, the only options that work are the safe modes. :thanks:
I appreciate you helping me with this!
Hi,
Download and Run SystemLook
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:filefind
intelppm.sys
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
SystemLook Report
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 12:49 on 07/02/2010 by whiting field (Administrator - Elevation successful)
========== filefind ==========
Searching for "intelppm.sys"
C:\WINDOWS\system32\dllcache\intelppm.sys -----c 36352 bytes [00:01 14/04/2008] [08:01 14/04/2008] 8C953733D8F36EB2133F5BB58808B66B
C:\WINDOWS\system32\drivers\intelppm.sys --a--- 36352 bytes [00:01 14/04/2008] [08:01 14/04/2008] 26505A17E030CCD0221F96CE4FE6E3BA
-=End Of File=-
Hi,
Click start->run->type cmd.exe and press enter.
Type following command in command prompt:
copy /y C:\WINDOWS\system32\dllcache\intelppm.sys C:\WINDOWS\system32\drivers\intelppm.sys
See if you're able to reboot into normal mode after that.
Hello,
I did what you said and it starts right up in normal mode, no problem! I turned everything (AVG, Firewall, etc.) back on and so far so good.
:rockon:
Great :)
Now please do the following:
Download GMER (http://www.gmer.net) here by clicking download exe -button and then saving it your desktop:
Double-click .exe that you downloaded
Click rootkit-tab and then scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log (if the log is long, archive it into a zip file and attach instead of posting) in your reply. Post also a fresh dds log.
Due to inactivity, this thread will now be closed.
Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.