
Thread: Fails to install or run anti-virus or firewall

  1. #11
    Junior Member
    Join Date
    Jan 2008
    Posts
    16

    Default Processes

    Processes:
    Process:

    System Idle Process
    System
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Documents and Settings\James\Desktop\IceSword122en\IceSword122en\IceSword.exe
    C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
    C:\Program Files\Toshiba\TOSHIBA RAID\Service\kraidsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\wisptis.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\tabbtnu.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\tcserver.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\00THotkey.exe
    C:\Program Files\Toshiba\TouchED\TouchED.exe
    C:\Program Files\Toshiba\TOSHIBA RAID\Console\KRaidMan.exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\WINDOWS\system32\TPSODDCtl.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\tabtip.exe
    C:\Program Files\Toshiba\Acceleration Utilities\Shaker\TSkrMain.exe
    C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\WINDOWS\system32\DLA\DLACTRLW.EXE
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\system32\ThpSrv.exe
    C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
    C:\Program Files\Toshiba\ConfigFree\CFSServ.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
    C:\Program Files\Toshiba\ConfigFree\CFXFER.exe

  2. #12
    Junior Member
    Join Date
    Jan 2008
    Posts
    16

    Default Startup:

    Startup:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    TabletTip
    "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    00THotkey
    C:\WINDOWS\system32\00THotkey.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    TouchED
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Kraidman
    C:\Program Files\TOSHIBA\TOSHIBA RAID\Console\Kraidman.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    TFNF5
    TFNF5.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    TPSMain
    TPSMain.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    TPSODDCtl
    TPSODDCtl.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    TAcelMgr
    C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    TSkrMain
    C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    TFncKy
    TFncKy.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    DLA
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    PSQLLauncher
    "C:\Program Files\Protector Suite QL\launcher.exe" /startup

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Snippet
    "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ccApp
    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ThpSrv
    c:\WINDOWS\system32\thpsrv /logon

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    IntelZeroConfig
    "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    IntelWireless
    "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    CFSServ.exe
    CFSServ.exe -NoClient

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Adobe_ID0EYTHM
    C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    IgfxTray
    C:\WINDOWS\system32\igfxtray.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HotKeysCmds
    C:\WINDOWS\system32\hkcmd.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Persistence
    C:\WINDOWS\system32\igfxpers.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SunJavaUpdateSched
    "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    LogonStudio
    "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    QuickTime Task
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    CTCheck
    C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    L06ZXLRD_391206125
    "C:\Program Files\Microsoft Student\Microsoft Student DVD 2006\EDICT.EXE" -m

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    STYLEXP
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    DAEMON Tools
    "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    drvsyskit
    C:\WINDOWS\system32\drivers\hidr.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe
    C:\WINDOWS\system32\ctfmon.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    CTSyncU.exe
    "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Acrobat Speed Launcher.lnk
    C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe (Remark:)

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Acrobat Synchronizer.lnk
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe (Remark:)

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Reader Speed Launch.lnk
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe (Remark:)

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Reader Synchronizer.lnk
    C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe (Remark:)

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Bluetooth Manager.lnk
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (Remark:)

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    desktop.ini


    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Microsoft Office.lnk
    C:\Program Files\Microsoft Office\Office10\OSA.EXE (Remark: Microsoft Office StartUp)

    C:\Documents and Settings\James\SendTo\Start Menu\Programs\Startup
    desktop.ini


    C:\Documents and Settings\James\SendTo\Start Menu\Programs\Startup
    Last.fm Helper.lnk
    C:\Program Files\Last.fm\LastFMHelper.exe (Remark:)

    C:\Documents and Settings\James\SendTo\Start Menu\Programs\Startup
    Microsoft Office OneNote 2003 Quick Launch.lnk
    C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE (Remark: Quick Launcher for Microsoft Office OneNote.)

  3. #13
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    Default

    Hello

    Lot of posts

    Backup Your Registry with ERUNT
    • Please use the following link and scroll down to ERUNT and download it.
      http://aumha.org/freeware/freeware.php
    • For version with the Installer:
      Use the setup program to install ERUNT on your computer
    • For the zipped version:
      Unzip all the files into a folder of your choice.
    Click Erunt.exe to backup your registry to the folder of your choice.

    Note: to restore your registry, go to the folder and start ERDNT.exe



    Now for the fix. Close all windows and run IceSword.exe. Do not restart your computer until the very end, to ensure the fix works.


    Step 1 : Now, we have to delete the rooted files. Click the File button. This will display a Windows Explorer type interface. Navigate to the following file(s) in bold and delete them.

    c:\windows\system32\drivers\srosa.sys
    C:\WINDOWS\system32\drivers\hidr.exe



    Step 2 : Now, we have to delete the rooted registry keys. Click the Registry button. This will display a regedit type interface. Navigate to the following registry values in bold and delete them.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    drvsyskit

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    C:\WINDOWS\system32\drivers\hidr.exe

    And these registry keys

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\srosa







    1. Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

    O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)

    2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




    Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.

    Code:
    Windows Registry Editor Version 5.00
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f9e7698-28a3-11dc-9478-dcd3c5d9307f}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33fcb1e7-983b-11dc-94ac-0018de7e16f5}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9738678f-2bb3-11dc-9479-0018de7e16f5}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7920750-6b3d-11dc-9488-0018de7e16f5}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7920755-6b3d-11dc-9488-0018de7e16f5}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cfa548da-08b3-11dc-9468-0018de7e16f5}]
    
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
    00

    Then double-click the fix.reg file; when it prompts to merge, click "Yes".



    Then reboot your PC and run IceSword again. Save new logs from the "Processes", "Startup" and "Win32 Services" tabs, taking note of any red entries from them and from the SSDT tab as well.


    Also post a new DSS log and tell me if you had any trouble
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~
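
Added example, not part of the original post or of any tool named in the thread: before merging a .reg file such as the fix.reg above, a short Python script can list which keys it deletes and decode its hex(7) data into readable strings. The function names are hypothetical, and the embedded sample is a shortened copy of the posted file.

```python
import re

# Shortened copy of the fix.reg posted above (one deletion, one value).
FIX_REG = r'''Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
'''

def join_continuations(text):
    """Merge each line ending in a backslash with the line after it."""
    out, pending = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            pending += line[:-1]
        else:
            out.append(pending + line)
            pending = ""
    return [l for l in out if l]

def decode_multi_sz(hex_csv):
    """hex(7) is REG_MULTI_SZ: UTF-16LE strings separated by NULs."""
    raw = bytes(int(b, 16) for b in hex_csv.split(",") if b.strip())
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def audit_reg(text):
    """Return (keys the file deletes, {(key, value name): data it sets})."""
    deleted, sets, key = [], {}, None
    for line in join_continuations(text):
        if line.startswith("[-"):        # [-KEY] removes the whole key
            deleted.append(line[2:-1])
            key = None
        elif line.startswith("["):       # [KEY] opens a key for value edits
            key = line[1:-1]
        elif key and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, data = m.groups()
            if data.startswith("hex(7):"):
                data = decode_multi_sz(data[len("hex(7):"):])
            sets[(key, name)] = data
    return deleted, sets

if __name__ == "__main__":
    deleted, sets = audit_reg(FIX_REG)
    print("deletes:", deleted)
    print("sets:", sets)
```

For the posted file, the decoded "Authentication Packages" data is the single string msv1_0.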

  4. #14
    Junior Member
    Join Date
    Jan 2008
    Posts
    16

    Default

    I could not find this key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    C:\WINDOWS\system32\drivers\hidr.exe
    SSDT:
    Unknown (once still)
    sptd.sys (7 times)

    No other red items in IceSword- I have attached the three .log files

    Thanks for all your help so far- this seems to be making real progress.
    I will do the dds log, upload and then try to install zone alarm/antivirus.

  5. #15
    Junior Member
    Join Date
    Jan 2008
    Posts
    16

    Default

    DDS log attached in two parts below:

  6. #16
    Junior Member
    Join Date
    Jan 2008
    Posts
    16

    Default Thank you

    Zone alarm has installed successfully!!!

    I cannot thank you enough for the quick & direct help you have provided me with. I'm also grateful for you introducing me to some new and effective tools for identifying problems.

    Zone alarm comes with in-built anti-virus, so I've turned that on. I think that the malware you helped me remove may also have been what disabled/removed Norton Anti-Virus, but I will stick with ZA for now.

    Thanks again,
    James

  7. #17
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    Default

    Ok we are nearly done

    Download and run SafeBootKeyRepair-CF from:

    http://download.bleepingcomputer.com...tKeyRepair.exe
    or
    http://www.techsupportforum.com/sect...yRepair-CF.exe

    It will take only a moment for it to run.
    A log will be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply




    Download and scan with SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply.
    • Click Close to exit the program.




    Reboot and post a new DSS log and tell me if you are having any problems
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  8. #18
    Junior Member
    Join Date
    Jan 2008
    Posts
    16

    Default

    At first I thought SafeBootKeyRepair-CF hung in command prompt on "Please wait..."- but it meant what it said, and here is the result:

  9. #19
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    Default

    Looks good

    Do the rest of the steps there as well
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  10. #20
    Junior Member
    Join Date
    Jan 2008
    Posts
    16

    Default

    SUPERAntiSpyware has finally downloaded.
    I've installed it, changed the options as you said to, and am about to begin the scan.
