View Full Version : Hijack This Log - Inexperienced User
Hello everyone, I'm following a good 'spring clean your pc guide' and just got my first Hijack this log.
I know nothing of this stuff so i thought i would post here, any help is appreciated, cheers! (p.s sorry if i have done anything wrong.)
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 1:15:39 PM, on 4/03/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: C:\WINDOWS\system32\hsfd83jfdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll (file missing)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [winsvc32] winsvc32.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 11408 bytes
===================
[I]Last edited by tashi; Yesterday at 07:50 PM. Reason: Provided link to this malware removal forum's FAQ :-)
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
-------------------------------------
Also, thought I might add - often, probably 1/3 times I start my computer, a blue screen comes up saying BAD POOL HEADER and I have to restart my computer, not sure if the log would have [icked that up or not.
=)
Hello and :welcome: to Safer Networking
My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
Please observe these rules while we work:
If you don't know or understand something please don't hesitate to ask
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply
Thanks peku006
Hey, thanks for helping my out it is much appreciated!
I ran the program as instructed, this is the log it created:
I wasn't sure whether you wanted to file or to paste the text? Cheers!
ComboFix 10-03-05.01 - Reuben Stone 06/03/2010 13:02:40.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.186 [GMT 11:00]
Running from: c:\documents and settings\Reuben Stone\My Documents\Downloads\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
c:\recycler\S-1-5-21-2178042772-3960084829-1456234550-1003
c:\recycler\S-1-5-21-936217405-998132377-2883199059-1006
c:\windows\kernel32.exe
c:\windows\run.log
c:\windows\system32.exe
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\hsfd83jfdg.dll
c:\windows\system32\kbiwkmpdcuvgod.dat
c:\windows\system32\kbiwkmvwuibrdh.dat
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\net.net
c:\windows\system32\sdra64.exe
c:\windows\system32\Thumbs.db
c:\windows\system32\uacinit.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_kbiwkmebviixuj
-------\Legacy_UACd.sys
-------\Service_kbiwkmebviixuj
-------\Service_UACd.sys
((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.
2010-03-04 02:13 . 2010-03-04 02:13 -------- d-----w- c:\program files\TrendMicro
2010-02-25 07:42 . 2010-02-25 07:42 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-25 03:47 . 2010-02-25 03:47 -------- d-----w- c:\documents and settings\Reuben Stone\.tuxguitar-1.2
2010-02-23 07:59 . 2010-02-23 08:01 -------- d-----w- c:\program files\iTunes
2010-02-23 07:54 . 2010-02-23 07:54 -------- d-----w- c:\program files\Bonjour
2010-02-21 06:13 . 2010-02-21 06:13 -------- d-sh--w- c:\documents and settings\Reuben Stone\PrivacIE
2010-02-16 04:42 . 2010-02-16 04:42 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-16 04:42 . 2010-02-16 04:42 -------- d-sh--w- c:\documents and settings\Reuben Stone\IETldCache
2010-02-11 05:44 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-11 05:44 . 2010-02-16 16:02 -------- d-----w- c:\windows\ie8updates
2010-02-11 05:42 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-11 05:42 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-11 05:31 . 2010-02-11 05:33 -------- dc-h--w- c:\windows\ie8
2010-02-10 16:13 . 2010-02-10 16:25 -------- d-----w- C:\0603d71e8cff1260288af9c3c4a3ed
2010-02-10 03:28 . 2004-11-01 21:58 163840 ----a-w- c:\windows\system32\igfxres.dll
2010-02-10 03:09 . 2010-02-10 03:09 -------- d-----w- c:\temp\display
2010-02-10 03:09 . 2010-02-10 03:09 -------- d-----w- C:\temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 15:25 . 2009-12-14 02:31 0 ----a-w- c:\documents and settings\Reuben Stone\Local Settings\Application Data\prvlcl.dat
2010-03-04 02:14 . 2010-03-04 02:14 388096 ----a-r- c:\documents and settings\Reuben Stone\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-25 06:57 . 2008-07-08 10:37 -------- d-----w- c:\program files\MIDI to MP3 Converter
2010-02-23 08:00 . 2006-02-13 11:08 -------- d-----w- c:\program files\iPod
2010-02-23 08:00 . 2008-05-08 04:50 -------- d-----w- c:\program files\Common Files\Apple
2010-02-23 07:45 . 2010-02-23 07:45 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-21 06:09 . 2009-11-26 11:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-08 09:50 . 2009-11-30 22:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-12 06:32 . 2005-05-13 12:42 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-08 02:59 . 2006-01-23 02:05 71296 ----a-w- c:\documents and settings\Reuben Stone\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 16:50 . 2005-05-12 04:34 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2005-05-12 04:34 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2005-05-12 04:54 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2005-05-12 04:34 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2005-05-12 04:34 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-06-28 23:22 . 2009-06-28 23:20 750833664 -c--a-w- c:\program files\Track 01.bin
2008-12-21 01:46 . 2008-12-21 01:46 14396 -c--a-w- c:\program files\History_en.rtf
2008-12-21 01:44 . 2008-12-21 01:44 24027 -c--a-w- c:\program files\History_de.rtf
2008-12-21 01:38 . 2008-12-21 01:38 1160704 -c--a-w- c:\program files\DlgMgr.dll
2008-07-08 10:37 . 2008-07-08 10:36 1286507 -c--a-w- c:\program files\mid2mp3setup.exe
2008-06-15 10:51 . 2008-06-15 10:47 151552 -c--a-w- c:\program files\ipod2comp_std.exe
2008-05-10 05:12 . 2008-05-10 05:12 79008 -c--a-w- c:\program files\daemon347.exe
2008-05-10 05:08 . 2008-05-10 05:03 56775 -c--a-w- c:\program files\daemon4123-lite.exe
2008-03-08 22:51 . 2008-03-08 22:51 61440 -c--a-w- c:\program files\Plugin.dll
2008-03-08 08:26 . 2008-03-08 08:26 1416 -c--a-w- c:\program files\License_en.rtf
2006-11-27 13:03 . 2009-07-13 12:18 10275328 -c--a-w- c:\program files\game.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 02:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-17 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-01 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-01 126976]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-14 5562368]
"nwiz"="nwiz.exe" [2005-04-14 1495040]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-04-29 675840]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2004-11-30 53248]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 73728]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" [2004-12-28 270336]
"ZoomingHook"="ZoomingHook.exe" [2004-05-01 24576]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 122880]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"TOSHIBA Accessibility"="c:\program files\TOSHIBA\Accessibility\FnKeyHook.exe" [2005-02-22 24576]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-01-14 122939]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2005-02-25 65536]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"TCtryIOHook"="TCtrlIOHook.exe" [2004-05-01 28672]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-21 88358]
"TFncKy"="TFncKy.exe" [BU]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-10 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-03 1848648]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-13 611712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-5-13 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-26 11:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Reuben Stone^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Reuben Stone\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-02 17:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 12:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-06-17 09:08 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/04/2009 6:04 PM 64160]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [29/06/2009 2:17 PM 721904]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/04/2009 11:50 AM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/04/2009 11:50 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [26/11/2009 10:17 PM 285392]
S2 Ca536av;USB Camcorder Series;c:\windows\system32\drivers\Ca536av.sys [3/06/2006 3:29 PM 514859]
S3 gel90xne;gel90xne;\??\c:\docume~1\REUBEN~1\LOCALS~1\Temp\gel90xne.sys --> c:\docume~1\REUBEN~1\LOCALS~1\Temp\gel90xne.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 01:34]
2010-03-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 01:20]
2010-03-06 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]
2010-02-10 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = <local>;*.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
FF - ProfilePath - c:\documents and settings\Reuben Stone\Application Data\Mozilla\Firefox\Profiles\w5cgx2ts.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://au.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_au&p=
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJPI150_01.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-MS AntiSpyware 2009 - c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe
HKLM-Run-winsvc32 - winsvc32.exe
MSConfigStartUp-19731254 - c:\documents and settings\All Users\Application Data\19731254\19731254.exe
MSConfigStartUp-Diagnostic Manager - c:\docume~1\REUBEN~1\LOCALS~1\Temp\3328304770.exe
MSConfigStartUp-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe
MSConfigStartUp-Jnskdfmf9eldfd - c:\docume~1\REUBEN~1\LOCALS~1\Temp\csrssc.exe
MSConfigStartUp-jsf8uiw3jnjgffght - c:\docume~1\REUBEN~1\LOCALS~1\Temp\winlognn.exe
MSConfigStartUp-systeminit - c:\docume~1\REUBEN~1\LOCALS~1\Temp\systeminit.exe
AddRemove-LimeWire - c:\program files\LimeWire\uninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 13:14
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spvi.sys >>UNKNOWN [0x82FCC938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf84e5f28
\Driver\ACPI -> ACPI.sys @ 0xf831fcb8
\Driver\atapi -> atapi.sys @ 0xf82bcb40
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel(R) PRO/Wireless 2915ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf81b0bb0
PacketIndicateHandler -> NDIS.sys @ 0xf81bda21
SendHandler -> NDIS.sys @ 0xf819b87b
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\CLBCATQ.DLL
- - - - - - - > 'explorer.exe'(3900)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\ZoomingHook.exe
c:\windows\system32\TCtrlIOHook.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\TOSHIBA\ConfigFree\CFSServ.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\TPSBattM.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-06 13:22:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-06 02:21
Pre-Run: 11,570,343,936 bytes free
Post-Run: 11,543,158,784 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 7C8CEF1E4E90781FCF35640FD04A3A62
Hi Reuben
1 - Run CFScript
Open notepad and copy/paste the text in the codebox below into it:
File::
c:\docume~1\REUBEN~1\LOCALS~1\Temp\gel90xne.sys
Driver::
gel90xne
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
2 - Status Check
Please reply with
1. the ComboFix log(C:\ComboFix.txt)
Thanks peku006
Hi there, this is the combofix log:
ComboFix 10-03-05.01 - Reuben Stone 06/03/2010 19:43:17.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.217 [GMT 11:00]
Running from: c:\documents and settings\Reuben Stone\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Reuben Stone\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\docume~1\REUBEN~1\LOCALS~1\Temp\gel90xne.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_GEL90XNE
-------\Service_gel90xne
((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.
2010-03-04 02:13 . 2010-03-04 02:13 -------- d-----w- c:\program files\TrendMicro
2010-02-25 07:42 . 2010-02-25 07:42 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-25 03:47 . 2010-02-25 03:47 -------- d-----w- c:\documents and settings\Reuben Stone\.tuxguitar-1.2
2010-02-23 07:59 . 2010-02-23 08:01 -------- d-----w- c:\program files\iTunes
2010-02-23 07:54 . 2010-02-23 07:54 -------- d-----w- c:\program files\Bonjour
2010-02-21 06:13 . 2010-02-21 06:13 -------- d-sh--w- c:\documents and settings\Reuben Stone\PrivacIE
2010-02-16 04:42 . 2010-02-16 04:42 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-16 04:42 . 2010-02-16 04:42 -------- d-sh--w- c:\documents and settings\Reuben Stone\IETldCache
2010-02-11 05:44 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-11 05:44 . 2010-02-16 16:02 -------- d-----w- c:\windows\ie8updates
2010-02-11 05:42 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-11 05:42 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-11 05:31 . 2010-02-11 05:33 -------- dc-h--w- c:\windows\ie8
2010-02-10 16:13 . 2010-02-10 16:25 -------- d-----w- C:\0603d71e8cff1260288af9c3c4a3ed
2010-02-10 03:28 . 2004-11-01 21:58 163840 ----a-w- c:\windows\system32\igfxres.dll
2010-02-10 03:09 . 2010-02-10 03:09 -------- d-----w- c:\temp\display
2010-02-10 03:09 . 2010-02-10 03:09 -------- d-----w- C:\temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 15:25 . 2009-12-14 02:31 0 ----a-w- c:\documents and settings\Reuben Stone\Local Settings\Application Data\prvlcl.dat
2010-03-04 02:14 . 2010-03-04 02:14 388096 ----a-r- c:\documents and settings\Reuben Stone\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-25 06:57 . 2008-07-08 10:37 -------- d-----w- c:\program files\MIDI to MP3 Converter
2010-02-23 08:00 . 2006-02-13 11:08 -------- d-----w- c:\program files\iPod
2010-02-23 08:00 . 2008-05-08 04:50 -------- d-----w- c:\program files\Common Files\Apple
2010-02-23 07:45 . 2010-02-23 07:45 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-21 06:09 . 2009-11-26 11:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-08 09:50 . 2009-11-30 22:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-12 06:32 . 2005-05-13 12:42 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-08 02:59 . 2006-01-23 02:05 71296 ----a-w- c:\documents and settings\Reuben Stone\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 16:50 . 2005-05-12 04:34 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2005-05-12 04:34 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2005-05-12 04:54 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2005-05-12 04:34 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2005-05-12 04:34 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-06-28 23:22 . 2009-06-28 23:20 750833664 -c--a-w- c:\program files\Track 01.bin
2008-12-21 01:46 . 2008-12-21 01:46 14396 -c--a-w- c:\program files\History_en.rtf
2008-12-21 01:44 . 2008-12-21 01:44 24027 -c--a-w- c:\program files\History_de.rtf
2008-12-21 01:38 . 2008-12-21 01:38 1160704 -c--a-w- c:\program files\DlgMgr.dll
2008-07-08 10:37 . 2008-07-08 10:36 1286507 -c--a-w- c:\program files\mid2mp3setup.exe
2008-06-15 10:51 . 2008-06-15 10:47 151552 -c--a-w- c:\program files\ipod2comp_std.exe
2008-05-10 05:12 . 2008-05-10 05:12 79008 -c--a-w- c:\program files\daemon347.exe
2008-05-10 05:08 . 2008-05-10 05:03 56775 -c--a-w- c:\program files\daemon4123-lite.exe
2008-03-08 22:51 . 2008-03-08 22:51 61440 -c--a-w- c:\program files\Plugin.dll
2008-03-08 08:26 . 2008-03-08 08:26 1416 -c--a-w- c:\program files\License_en.rtf
2006-11-27 13:03 . 2009-07-13 12:18 10275328 -c--a-w- c:\program files\game.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 02:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-17 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-01 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-01 126976]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-14 5562368]
"nwiz"="nwiz.exe" [2005-04-14 1495040]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-04-29 675840]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2004-11-30 53248]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 73728]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" [2004-12-28 270336]
"ZoomingHook"="ZoomingHook.exe" [2004-05-01 24576]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 122880]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"TOSHIBA Accessibility"="c:\program files\TOSHIBA\Accessibility\FnKeyHook.exe" [2005-02-22 24576]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-01-14 122939]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2005-02-25 65536]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"TCtryIOHook"="TCtrlIOHook.exe" [2004-05-01 28672]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-21 88358]
"TFncKy"="TFncKy.exe" [BU]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-10 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-03 1848648]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-13 611712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-5-13 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-26 11:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Reuben Stone^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Reuben Stone\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-02 17:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 12:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-06-17 09:08 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/04/2009 6:04 PM 64160]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [29/06/2009 2:17 PM 721904]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/04/2009 11:50 AM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/04/2009 11:50 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [26/11/2009 10:17 PM 285392]
S2 Ca536av;USB Camcorder Series;c:\windows\system32\drivers\Ca536av.sys [3/06/2006 3:29 PM 514859]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b962c205-7008-11de-9a80-0013ce9a2e9e}]
\Shell\AutoRun\command - E:\setup.exe /autorun
\Shell\setup\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2010-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 01:34]
2010-03-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 01:20]
2010-03-06 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]
2010-02-10 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = <local>;*.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
FF - ProfilePath - c:\documents and settings\Reuben Stone\Application Data\Mozilla\Firefox\Profiles\w5cgx2ts.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://au.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_au&p=
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJPI150_01.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 19:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spao.sys >>UNKNOWN [0x82F94938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf84e5f28
\Driver\ACPI -> ACPI.sys @ 0xf831fcb8
\Driver\atapi -> atapi.sys @ 0xf82bcb40
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel(R) PRO/Wireless 2915ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf81b0bb0
PacketIndicateHandler -> NDIS.sys @ 0xf81bda21
SendHandler -> NDIS.sys @ 0xf819b87b
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3232)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\ZoomingHook.exe
c:\program files\Apoint2K\Apntex.exe
c:\windows\system32\TCtrlIOHook.exe
c:\program files\TOSHIBA\ConfigFree\CFSServ.exe
c:\windows\AGRSMMSG.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\windows\system32\TPSBattM.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-06 20:01:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-06 09:01
ComboFix2.txt 2010-03-06 02:22
Pre-Run: 12,069,388,288 bytes free
Post-Run: 12,027,396,096 bytes free
- - End Of File - - 1C3637BA6FCB39FD5299BAF07A497AB9
-------------------------------------------------------------------
And this is the NEW Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 8:15:10 PM, on 6/03/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 10092 bytes
-Hopefully I did everything right!
Thank you
Hi Reube
good job :bigthumb:
1 - Download and Run Malwarebytes' Anti-Malware
Please save any items you were working on... close any open programs. You may be asked to reboot your machine.
Please download Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam-download.php) and save it to your desktop. If needed...Tutorial w/screenshots (http://thespykiller.co.uk/index.php/topic,5946.0.html)
Alternate download sites available here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or here (http://www.besttechie.net/tools/mbam-setup.exe).
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
Problems downloading the updates? Manually download them from here (http://malwarebytes.gt500.org/mbam-rules.exe) and double-click on "mbam-rules.exe" to install.
On the Scanner tab:
Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
We will take care of the System Volume Information items later.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
2 - Status Check
Please reply with
1. the Malwarebytes' Anti-Malware Log
Thanks peku006
Hi there, I have finished the next step. I deleted all the infections except the System Volume Information files aswell.
Here is the report:
Malwarebytes' Anti-Malware 1.44
Database version: 3830
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
7/03/2010 12:52:17 PM
mbam-log-2010-03-07 (12-52-17).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 268012
Time elapsed: 1 hour(s), 2 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 10
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\All Users\Application Data\19731254 (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
C:\System Volume Information\_restore{E12BCBFE-C7C8-45A9-8298-D6D5EDFB560A}\RP373\A0197968.exe (Trojan.Feplec) -> Not selected for removal.
C:\System Volume Information\_restore{E12BCBFE-C7C8-45A9-8298-D6D5EDFB560A}\RP373\A0198065.dll (Rootkit.TDSS) -> Not selected for removal.
C:\System Volume Information\_restore{E12BCBFE-C7C8-45A9-8298-D6D5EDFB560A}\RP373\A0198066.dll (Rootkit.TDSS) -> Not selected for removal.
C:\System Volume Information\_restore{E12BCBFE-C7C8-45A9-8298-D6D5EDFB560A}\RP373\A0198067.dll (Rootkit.TDSS) -> Not selected for removal.
C:\System Volume Information\_restore{E12BCBFE-C7C8-45A9-8298-D6D5EDFB560A}\RP373\A0198068.dll (Rootkit.TDSS) -> Not selected for removal.
C:\System Volume Information\_restore{E12BCBFE-C7C8-45A9-8298-D6D5EDFB560A}\RP373\A0198069.dll (Rootkit.TDSS) -> Not selected for removal.
C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\19731254\19731254 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\19731254\pc19731254ins (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACdojlacrh.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
Thank you =)
Hi Reube
looks good :)
We will run one online scan to be sure that there is nothing left
1 - Clean temp files
Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.
NOTE: Save your work.TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.
2 - Eset online scannner
You can use either Internet Explorer or Mozilla FireFox for this scan.
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.
3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
4 - Status Check
Please reply with
1. the Eset online scannner report
2. a fresh HijackThis log
How's the computer running now? Any problems?
Thanks peku006
Hello again, here is the ESET scan:
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0293f2460d627f46bbb04af7beb9ec82
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-03-07 11:42:12
# local_time=2010-03-07 10:42:12 (+1000, AUS Eastern Daylight Time)
# country="Australia"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777175 100 0 8718801 8718801 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=132305
# found=4
# cleaned=0
# scan_time=9057
C:\Program Files\BitLord\Downloads\Driver Updater Pro 2.2.8.0-with keygen\Driver Updater Pro 2.2.8.0-with keygen\DriverUpdaterPro.exe a variant of Win32/Injector.KX trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\_sdra64_.exe.zip a variant of Win32/Kryptik.BCW trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{E12BCBFE-C7C8-45A9-8298-D6D5EDFB560A}\RP342\A0167960.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{E12BCBFE-C7C8-45A9-8298-D6D5EDFB560A}\RP376\A0203273.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
------------------------------------------------------
And here is the new HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 10:47:42 PM, on 7/03/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 10152 bytes
My computer is generally working a little better.
Whats next? There are still those trojans that you said notto delete before? Thanks you so much for all of this =)
Hi Reuben
Download CKScanner by askey127 from HERE (http://downloads.malwareremoval.com/CKScanner.exe)
Important - Save it to your desktop.
Doubleclick CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
Thanks peku006
Hello, here is the next scan from CKScanner:
CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\bitlord\downloads\daemon tools pro 4.10.218\crack\cryptapi.dll
c:\program files\bitlord\downloads\daemon tools pro 4.10.218\crack\dtprohlp.dll
c:\program files\bitlord\downloads\driver updater pro 2.2.8.0-with keygen\driver updater pro 2.2.8.0-with keygen\driverupdaterpro.exe
c:\program files\bitlord\torrents\adobe cs4 keygen 1.02.exe.torrent
c:\program files\bitlord\torrents\driver genius pro 2008 v8.0.316+keygen-heartbug.torrent
c:\program files\bitlord\torrents\driver updater pro 2.2.8.0-with keygen.rar.torrent
c:\program files\bitlord\torrents\the lord of the rings battle for middle earth 2 dvd9 v1.1 crack.torrent
c:\program files\rise of nations\crack\patriots.exe
scanner sequence 3.CE.11
----- EOF -----
Thanks!
Hi Reuben
Can you explain why you have these
cs4 keygen 1.02.exe
driver genius pro 2008 v8.0.316+keygen
Thanks peku006
I'm not sure what the keygen is. I think the Driver genius was when a friend was trying to update my drivers for me, however it was so painful and froze so often he gave up, then I took it to a shop and they updated the drivers there.
Both files can go, are they infected?
Hi Reuben
Yes,they are both "infected"
I accept that explanation ,but we have rules ,this is one........
Note:
We do not support the use of illegal Pirated/Warez/Cracked software.
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
You will now be presented with a screen similar to the one below:
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply
Thanks peku006
The driver genius or what ever it was was already uninstalled, along with a whole bunch of other programs that i didn't know how to use.
Here is the new HijackThis log:
Adobe Acrobat 5.0
Adobe AIR
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Illustrator CS4
Adobe Illustrator CS4
Adobe Linguistics CS4
Adobe Media Player
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Reader 9.2
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Age of Empires III
Age of Empires III - The Asian Dynasties
Age of Empires III - The WarChiefs
ALPS Touch Pad Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.4
AVG Free 9.0
BitLord 1.1
Bonjour
Canon MP Navigator EX 2.0
Canon MP240 series MP Drivers
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
CD/DVD Drive Acoustic Silencer
Connect
DivX Codec
DivX Converter
Dodo Wireless Broadband
DVD-RAM Driver
DV-XCam6e V1.0
ESET Online Scanner v3
GameSpy Arcade
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Guitar Pro 5.2
Highlight Viewer (Windows Live Toolbar)
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel(R) Graphics Media Accelerator Driver for Mobile
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
iPod for Windows 2005-09-23
iPod for Windows 2006-01-10
IsoBuster 2.3
iTunes
J2SE Runtime Environment 5.0 Update 1
kuler
Leibniz
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office OneNote 2003
Microsoft Office PowerPoint Viewer 2003
Microsoft Rise Of Nations
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.8)
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML4 Parser
Musical Scales
PCFriendly
PDF Settings CS4
Photoshop Camera Raw
Power Tab Editor 1.7
QuickTime
Realtek AC'97 Audio
RegCure 1.5.0.1
Rise of Nations Thrones and Patriots
Safari
SD Secure Module
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Smart Menus (Windows Live Toolbar)
Sonic DLA
Sonic RecordNow!
Suite Shared Configuration CS4
Texas Instruments PCIxx21/x515 drivers.
The Battle for Middle-earth (tm)
TI Black Link 32
TI InterActive!
TOSHIBA Accessibility
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Fn-esse
TOSHIBA Hardware Setup
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Touch and Launch
TouchPad On/Off Utility
TuxGuitar
Ulead Photo Express 4.0 SE
Ulead VideoStudio 7 SE Basic
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Imaging Component
Windows Internet Explorer 8
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Writer
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver
-------------------
Thank you!
Hi Reuben
have you cracked version of you Adobe Photoshop on your computer ? (cs4 keygen 1.02.exe)
Thanks peku006
I don't think there is photoshop on my computer, i know there is a photo program that came with it. It's a little confusing as my two sisters and my brother use this computer, probably where all the virus' come from!
Are we able to continue or do I have to delete certain files that aren't allowed? I don't think I can go and delete the programs they use.
Hi
You have cracked version of Adobe Photoshop on your computer. You need to remove Adobe Photoshop before we can continue with any further. Please remove this from your system. We do not support the use of illegal Pirated/Warez/Cracked software (http://forums.spybot.info/showthread.php?t=288).
Yeah that's the problem if it was up to me i would delete it and anything else straight away but my brother said he uses that program frequently and won't let me delete it, it's kinda his computer aswell..
I'll get back to you i guess doesn't look promising though, any last tips?
thank you for all your help, it's great that there are people out there that are just generally willing to help people, good on you =)
Hi Reuben
I'm sorry but I can not help you any more........rules are rules
To remove all of the tools we used and the files and folders they created do the following:
Delete CKScanner from your desktop.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.
Double-click OTC.exe
Click the CleanUp! button
Select Yes when the Begin cleanup Process? Prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes, if not delete it by yourself
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep ......Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913).
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:
Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)
Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Here are some things that I think are worth having a look at if you don't already know a bout them:.
Spybot Search and Destroy
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
SpyWare Blaster
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find here the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
Here you can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)
FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)
MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)
Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.
I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
Happy safe surfing! :bigthumb:
peku006
As this issue appears to be resolved, this topic is now closed
We are pleased to have been some help in getting you clean.
If you have been helped and wish to donate to help with the costs of this volunteer site, please read :
Your donation helps improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)