unable to update Vista or AVG & misdirected when searching

It worked! I'm still unable to connect to the internet, though, so I'll have to investigate that tomorrow.

Here is the Combofix log:

ComboFix 09-08-10.06 - Kie 12/08/2009 22:22.1.2 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.44.1033.18.2046.1376 [GMT 1:00]
Running from: d:\users\Kie\Desktop\combofix.exe
AV: F-Secure Anti-Virus 7.30 *on-access scanning disabled* (updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Internet Security 2008 OEM 8.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
SP: AVG Anti-Spyware *disabled* (outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: F-Secure Anti-Virus 7.30 *disabled* (updated) {0651C4B0-1D7E-4682-B965-2E9523C483A5}
SP: Windows Defender *enabled* (outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


c:\$recycle.bin\S-1-5-21-1571381933-3166844399-2333848073-500
c:\$recycle.bin\S-1-5-21-1661674311-2815529458-2936180237-500
c:\$recycle.bin\S-1-5-21-1909584832-858829809-948134049-500
c:\$recycle.bin\S-1-5-21-2504357094-947659251-4233815124-500
c:\$recycle.bin\S-1-5-21-3753462501-2946134135-3446067773-500
c:\$recycle.bin\S-1-5-21-651549746-3940150078-1581359000-500
c:\$recycle.bin\S-1-5-21-672597815-3237486728-385770818-500
c:\$recycle.bin\S-1-5-21-918056312-2952985149-2686913973-500
c:\program files\Antispywareshield
c:\program files\Antispywareshield\Antispywareshield1.ad
c:\programdata\Microsoft\Windows\Start Menu\Programs\Herocodec
c:\programdata\Microsoft\Windows\Start Menu\Programs\Herocodec\uninstall.lnk
c:\users\Kie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Herocodec
c:\windows\Installer\$PatchCache$\Managed\6ACA9EFE6506DC043852E0B02EBC26B2\8.1.0\html.ini2
c:\windows\system32\375013
c:\windows\system32\AcsignExtRes.dll
c:\windows\system32\drivers\gxvxcjydjpjcxtfrnpdcconhcamuswewdhulq.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcqxiaydlsjadmlutkwdkbigbrvjleolnm.dll
D:\autorun.inf


((((((((((((((((((((((((((((((((((((((( Drivers/services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\service_gxvxcserv.sys
-------\Legacy_gxvxcserv.sys


((((((((((((((((((((((((( Files created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))

2009-08-11 21:52 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-11 21:52 . 2009-08-11 21:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-11 21:52 . 2009-08-11 21:52 -------- d-----w- c:\programdata\Malwarebytes
2009-08-11 21:52 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 14:46 . 2007-06-28 13:36 401720 ----a-w- c:\program files\HijackThis.exe
2009-08-10 14:37 . 2009-08-10 14:37 -------- d-----w- c:\program files\ERUNT
2009-08-05 14:27 . 2009-08-05 14:27 -------- d-----w- C:\AVGTemp
2009-08-05 00:16 . 2009-08-05 00:16 -------- d-----w- c:\users\Kie\AppData\Roaming\AVG8


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2009-08-12 21:30 . 2007-04-13 20:11 12 ----a-w- c:\windows\bthservsdp.dat
2009-08-12 15:38 . 2008-11-11 21:39 -------- d-----w- c:\programdata\Google Updater
2009-08-11 15:02 . 2007-11-13 14:39 -------- d-----w- c:\programdata\fssg
2009-08-11 14:03 . 2008-03-30 15:14 -------- d-----w- c:\programdata\Grisoft
2009-08-11 12:26 . 2008-07-05 21:06 -------- d-----w- c:\program files\BitLord
2009-08-10 12:03 . 2008-07-05 21:06 -------- d-----w- c:\program files\TorrentMan
2009-08-05 14:25 . 2007-12-02 23:04 1356 ----a-w- c:\users\Kie\AppData\Local\d3d9caps.dat
2009-08-01 11:49 . 2007-04-13 21:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-02 21:43 . 2007-12-19 01:02 -------- d-----w- c:\users\Kie\AppData\Roaming\dvdcss


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\URLSearchHooks]
"{24cc1362-11c6-4918-a2c0-b9ee5a563185}"= "c:\program files\ArchiBar\tbArc1.dll" [2008-07-06 1569304]

[HKEY_CLASSES_ROOT\clsid\{24cc1362-11c6-4918-a2c0-b9ee5a563185}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24cc1362-11c6-4918-a2c0-b9ee5a563185}]
2008-07-06 22:21 1569304 ----a-w- c:\program files\ArchiBar\tbArc1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{24cc1362-11c6-4918-a2c0-b9ee5a563185}"= "c:\program files\ArchiBar\tbArc1.dll" [2008-07-06 1569304]

[HKEY_CLASSES_ROOT\clsid\{24cc1362-11c6-4918-a2c0-b9ee5a563185}]

[HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{24CC1362-11C6-4918-A2C0-B9EE5A563185}"= "c:\program files\ArchiBar\tbArc1.dll" [2008-07-06 1569304]

[HKEY_CLASSES_ROOT\clsid\{24cc1362-11c6-4918-a2c0-b9ee5a563185}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-11 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-07-04 1006264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-03 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-03 133912]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-22 438272]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-04-02 577536]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-05-23 509496]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"Desktop SMS"="c:\program files\IDM\Desktop SMS\DesktopSMS.exe" [2007-06-18 1507328]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2007-02-19 571024]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2007-03-13 33048]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-08-02 148760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 102400]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Msconfig"="c:\windows\system32\msconfig.exe" [2006-11-02 222208]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-06-13 4489216]
"NDSTray.exe"="NDSTray.exe" [BU]
"SkyTel"="SkyTel.exe" - c:\windows\SkyTel.exe [2007-05-28 1826816]

c:\users\Kie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Palm Registration.lnk - c:\program files\Palm\register.exe [2008-4-23 2494464]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2008-1-3 28672]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Directrec Configuration Tool.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Directrec Configuration Tool.lnk
backup=c:\windows\pss\Directrec Configuration Tool.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{B459534A-25B8-4502-A1E9-AA066B2C0EC7}c:\\program files\\bitlord\\bitlord.exe"= UDP:c:\program files\bitlord\bitlord.exe:BitLord
"UDP Query User{314B4A72-81E7-4ABF-A411-989B753FDAB0}c:\\program files\\bitlord\\bitlord.exe"= TCP:c:\program files\bitlord\bitlord.exe:BitLord
"{6A8C0FFE-D351-4FB9-A1B7-5B31DAB73F8F}"= UDP:c:\program files\TOSHIBA\Utilities\TAcSPROP.exe:Accessibility
"{3C57C25E-69CD-4976-B76B-477458EDD568}"= TCP:c:\program files\TOSHIBA\Utilities\TAcSPROP.exe:Accessibility
"TCP Query User{573BA530-5E86-4153-9756-AA5E7A80B5C9}d:\\program files\\itunes\\itunes.exe"= Disabled:UDP:d:\program files\itunes\itunes.exe:iTunes
"UDP Query User{8C996AA2-4C1C-4888-BBE1-E8A3439128EA}d:\\program files\\itunes\\itunes.exe"= Disabled:TCP:d:\program files\itunes\itunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\publicprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 CpllR;Embedded IR Driver;c:\windows\system32\drivers\CpllR.SYS [06/03/2007 15:01 14848]
R0 iaNvStor;Intel(R) Turbo Memory Technology NAND controller;c:\windows\system32\drivers\iaNvStor.sys [13/04/2007 21:52 210432]
R1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [13/11/2007 15:41 35024]
R1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [13/11/2007 15:41 60064]

[HKEY_LOCAL_MACHINE\software\microsoft\winG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

Contents of the 'Scheduled Tasks' folder

2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 17:13]

2009-08-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-11 21:02]

2009-08-12 c:\windows\Tasks\User_Feed_Synchronization-{364B15A7-9ABD-47BF-BD4E-C8850BA667FD}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]

- - - - ORPHANS REMOVED - - - -

HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
HKLM-Run-HWSetup - \HWSetup.exe

------- Supplementary Scan -------

uStart Page = hxxp://www.archdaily.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: {{C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN
LSP: c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update

**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b4

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

--------------------- DLLS Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3568)
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll

------------------------ Other Running Processes ------------------------

c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\audiodg.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Olympus\DeviceDetector\DM1Service.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\UAService7.exe
**************************************************************************
.
Completion time: 2009-08-12 22:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-12 21:40
Pre-Run: 40,646,709,248 bytes free
Post-Run: 46,590,873,600 bytes free

213 --- E O F --- 2009-04-23 21:14


Here's the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:30:52, on 12/08/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16830)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\notepad.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Users\Kie\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.archdaily.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: ArchiBar Toolbar - {24cc1362-11c6-4918-a2c0-b9ee5a563185} - C:\Program Files\ArchiBar\tbArc1.dll
O2 - BHO: txthlpBHO Class - {060235DC-6D84-47BD-95D7-A4EF5099A59D} - C:\PROGRA~1\TEXTHE~1\READAN~1\TEXTHE~3.DLL
O2 - BHO: ArchiBar Toolbar - {24cc1362-11c6-4918-a2c0-b9ee5a563185} - C:\Program Files\ArchiBar\tbArc1.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: ArchiBar Toolbar - {24cc1362-11c6-4918-a2c0-b9ee5a563185} - C:\Program Files\ArchiBar\tbArc1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPWUTIL
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Desktop SMS] C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe /auto
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IaNvSrv] C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.exe
O4 - HKLM\..\Run: [Msconfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\f-secure internet security\fsps\program\fslsp.dll' missing
O13 - Gopher Prefix: 
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\Windows\system32\UAService7.exe
End of file - 7919 bytes

I'm really grateful for your continuing help, Phil. Thanks.

Rosie
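Added example, not part of Rosie's or Ken's posts and not a tool from HijackThis, ComboFix or Malwarebytes: the O10 line in the HijackThis log above reports a Winsock LSP whose DLL is gone, which is the classic reason a machine can reach the LAN while no browser loads a page, and the ComboFix registry section shows Security Center monitoring switched off and the firewall's public profile disabled. The Python script below parses lines in those two formats and pulls out exactly those findings, plus stale "(file missing)" registrations and services with no owner. The sample inputs are constructed to match the shape of the logs above; the `netsh winsock reset` remediation it names is the standard Windows command for a broken LSP chain, not advice given in the thread.

```python
"""Triage helper for HijackThis / ComboFix text output.

Added example for this thread; it is not HijackThis, ComboFix or any
forum tool.  The sample inputs below are constructed in the shape of the
logs posted above; the checks and the 'netsh winsock reset' hint are
standard Windows practice, not something the thread states.
"""
import re

# Constructed sample in HijackThis format (O2/O10/O18/O23 lines).
SAMPLE_HJT = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\f-secure internet security\fsps\program\fslsp.dll' missing
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\Windows\system32\UAService7.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# Constructed sample of the ComboFix registry section (REGEDIT4 style).
SAMPLE_COMBOFIX_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\publicprofile]
"EnableFirewall"= 0 (0x0)
"""

HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d+)\s*-\s*(?P<body>.+)$")
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:)?(?P<val>[0-9A-Fa-f]+)')


def parse_hjt(text):
    """Return (section code, body) pairs, e.g. ("O10", "Broken Internet ...")."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage_hjt(entries):
    """Flag entries that explain lost connectivity or deserve a second look.

    Returns (kind, message) pairs in log order.
    """
    findings = []
    for code, body in entries:
        if code == "O10":
            # A Winsock LSP whose DLL is gone breaks every socket in the
            # chain: the box reaches the LAN, but no TCP application works.
            m = re.search(r"'([^']+)'", body)
            dll = m.group(1) if m else body
            findings.append(("winsock",
                             "LSP DLL missing (%s); repair the catalog with "
                             "'netsh winsock reset' and reboot" % dll))
        elif "(file missing)" in body:
            # Stale BHO / protocol registration left by an uninstalled product.
            findings.append(("stale", "%s points at a deleted file: %s" % (code, body)))
        elif code == "O23" and "unknown owner" in body.lower():
            findings.append(("review", "service with unknown owner: " + body))
    return findings


def triage_combofix_registry(text):
    """Flag Security Center monitoring switched off and a disabled firewall profile."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        km = REG_KEY.match(line)
        if km:
            key = km.group("key")
            continue
        vm = REG_VALUE.match(line)
        if not (vm and key):
            continue
        name, val = vm.group("name").lower(), int(vm.group("val"), 16)
        if name == "disablemonitoring" and val == 1:
            findings.append(("defence", "Security Center monitoring disabled under " + key))
        elif name == "enablefirewall" and val == 0:
            findings.append(("defence", "Windows Firewall off for profile " + key.rsplit("\\", 1)[-1]))
    return findings


if __name__ == "__main__":
    for kind, msg in triage_hjt(parse_hjt(SAMPLE_HJT)) + triage_combofix_registry(SAMPLE_COMBOFIX_REG):
        print("[%s] %s" % (kind, msg))
```

Run it against a real log by reading the file into `parse_hjt` or `triage_combofix_registry` instead of the constructed samples; the O10 finding is the one to act on first, because until the Winsock catalog is repaired nothing on the machine can download updates or definitions.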
 
Hello rosieb,

My name is Ken and I will be taking over for Phil.

You should be able to run Malwarebytes now, and this cleaner, as ComboFix removed the rootkit that was causing all your issues, but there could be more we can't see.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.


Drag Malwarebytes to the trash and let's start over nice and clean.

Please download Malwarebytes' Anti-Malware from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please
 
Thanks for your help, Ken.

I've used the TFC but I can't connect to the internet on the infected laptop and I can't work out why not - so I can't download MBAM. I could burn it to a CD on a clean laptop but it wouldn't be able to update.

What should I do?

Rosie
 
Hello Rosie

When you download MBAM it will be fairly current so go ahead and burn it to a CD and transfer it to the infected one.

Are you trying to get online with Internet Explorer? What exactly happens when you open your browser, are you getting a page not found?

Try this, open IE and go to Tools> Internet Options> Advanced Tab > Reset Internet Explorer Settings > Reset.....let it do its thing..takes about 15 seconds, then ok your way out , close IE then open it again and see if you can get online.

You may also have to reset your cable/DSL modem and router if you're using one. Just turn off your computer, pull the power cord from both the modem and the router, and let it sit like this for about 3 minutes. Plug the power cord back into both the router and the modem, wait until all the lights are on, then start your computer and wait until it fully loads, then try the internet again.
 
Hi Ken. The TFC is still going on the infected laptop. That's over an hour so far. Has it hung up, do you think? It seems stuck on the Recycle Bin.
How long should I let it run?

Rosie
 
Hello Ken
I tried the IE resets you suggested, to no avail. The laptop connects to the LAN but I cannot access any web pages. Could it be something to do with the F-Secure firewall? I thought I'd removed all the AV programs prior to installing just a single program, but there seem to be remnants remaining, although they are not showing in Add/Remove Programs.

Anyway, here are the logs you requested (I printed them and scanned them to my clean laptop):

MBAM
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6000

14/08/2009 21:28:56
mbam-log-2009-08-14 (21-28-56).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 233755
Time elapsed: 49 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\desktop sms (Worm.P2P) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MalwareCore 7.4 (Rogue.MalwareCore) -> Quarantined and deleted successfully.
C:\Program Files\MalwareCore 7.4\Quarantine (Rogue.MalwareCore) -> Quarantined and deleted successfully.
C:\Users\Kie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MalwareCore 7.4 (Rogue.MalwareCore) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\malusasu\malusasu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\yivivaso\yivivaso.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\System32\gxvxcqxiaydlsjadmlutkwdkbigbrvjleolnm.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Kie\AppData\Local\VirtualStore\Windows\System32\prnet.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Kie\AppData\Local\VirtualStore\Windows\System32\rn.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\MalwareCore 7.4\MalwareCore 7.4.url (Rogue.MalwareCore) -> Quarantined and deleted successfully.
C:\Program Files\MalwareCore 7.4\mwdb.dat (Rogue.MalwareCore) -> Quarantined and deleted successfully.

HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:58:14, on 14/08/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16830)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Windows\system32\NOTEPAD.EXE
D:\Users\Kie\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: txthlpBHO Class - {060235DC-6D84-47BD-95D7-A4EF5099A59D} - C:\PROGRA~1\TEXTHE~1\READAN~1\TEXTHE~3.DLL
O2 - BHO: ArchiBar Toolbar - {24cc1362-11c6-4918-a2c0-b9ee5a563185} - C:\Program Files\ArchiBar\tbArc1.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: ArchiBar Toolbar - {24cc1362-11c6-4918-a2c0-b9ee5a563185} - C:\Program Files\ArchiBar\tbArc1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPWUTIL
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IaNvSrv] C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\f-secure internet security\fsps\program\fslsp.dll' missing
O13 - Gopher Prefix: 
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
023 - Service: Installshield Licensing Service - Macrovision - c:\program Files\common Files\Installshield shared\service\InstallShield Licensing Service.exe
023 - service: ipod service - Apple Computer, Inc. - c:\program Files\iPod\bin\ipodservice.exe
023 - Service: symantec Core LC - symantec corporation - C:\program Files\Common Files\symantec shared\ccPo-Lc\symlcsvc.exe
023 - service: TOSHIBA Navi Support service (TNavisrv) - TOSHIBA corporation *C:\program Files\TosHIBA\TOSHIBA OVD PLAYER\TNaviSrv.exe
023 - service: TOSHIBA optical Disc Drive service (ToDOsrv) - TOSHIBA Corporation - C:\windows\system32\TODDsrv.exe
023 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA corporation - c:\program Files\TOSHIBA\power Saver\ToscoSrv.exe
023 - service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
023 - service: SecUROM User Access Service (V7) (userAccess7) - Unknown owner *c:\windows\system32\UAserv;ce7.exe
End of file - 8628 bytes

Thanks for all your help,
Rosie
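The helper in this thread reads the HijackThis log by eye; the O10 line (a Winsock LSP whose DLL is gone) is the kind of entry that explains the "no internet" symptom, and the "(file missing)" entries are leftovers from removed products. As an added example, not part of the thread and not code from HijackThis or any other tool mentioned here, the Python below parses log lines of that shape and flags the same three things a reviewer looks for. The sample lines, the `_SUSPICIOUS_DIRS` list and the `example.invalid` URL are constructed for the illustration.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of a HijackThis log (sample input, not the thread's own log).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [updater] c:\windows\temp\updater.exe
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://example.invalid/tracker_url.pl (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\f-secure internet security\fsps\program\fslsp.dll' missing
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Example Service (ExSvc) - Unknown owner - c:\windows\system32\exsvc.exe
"""

# A HijackThis line is "<section tag> - <entry body>", e.g. "O4 - HKLM\..\Run: [name] path".
_LINE_RE = re.compile(r"^(O\d{1,2}) - (.*)$")

# Directories from which an autostart or service binary deserves a second look (constructed heuristic).
_SUSPICIOUS_DIRS = ("\\temp\\", "\\$recycle.bin\\")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a log into {"section": "O4", "body": "..."} entries, ignoring header and footer lines."""
    entries = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            entries.append({"section": m.group(1), "body": m.group(2)})
    return entries


def triage(text: str) -> List[Dict[str, str]]:
    """Return the entries worth a human's attention, each with the reason it was flagged.

    The rules encode what the helper reads off the log by eye: an O10 line means the
    Winsock LSP chain is broken (loss of connectivity), "(file missing)" means a
    leftover reference to something already removed, and a service or Run entry in a
    scratch directory or without a publisher needs review before it is trusted.
    """
    findings = []
    for entry in parse_hjt(text):
        sec, low = entry["section"], entry["body"].lower()
        reason = None
        if sec == "O10":
            reason = "broken Winsock LSP chain; explains loss of Internet access"
        elif "(file missing)" in low:
            reason = "dangling reference to a file that no longer exists"
        elif sec in ("O4", "O23") and any(d in low for d in _SUSPICIOUS_DIRS):
            reason = "autostart binary located in a scratch directory"
        elif sec == "O23" and "unknown owner" in low:
            reason = "service without a known publisher"
        if reason:
            findings.append({**entry, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f['section']:>4}  {f['reason']}\n      {f['body']}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`; an O10 finding is the cue to repair the Winsock catalog (the missing DLL belongs to a product that was uninstalled, so reinstalling or cleanly removing that product is the fix, not deleting the line), while "(file missing)" findings are safe to clean up.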
 
Hello Rosie,

Sometimes TFC will hang if it removes a lot of garbage, not to worry, it looks like you're up and running.

Not sure if no internet is related to a malicious program, when you're all clean that will tell us. Have you tried calling your ISP and telling them you can't get online??

Let's make sure there is no part of that rootkit left. This too you can transfer by disk.

  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive.
  3. Open the RootRepeal icon on your desktop.
  4. Click the Report tab.
  5. Click the Scan button.
  6. Check all seven boxes.
  7. Push Ok.
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
 
Hello Ken

When I try to run RootRepeal, I get an error: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000d8)

Should I try a different download?

Rosie
 
Yes, please do, just drag the one you are having problems with to the trash. There are 3 links for zip and 3 for rar, if you're using zip, then try all three.

If that doesn't work then try this one.

Please download Rooter Rootkit Detector to your Desktop
  • Doubleclick it to start the tool.
  • A Notepad file containing the report will open, also found at %systemdrive% (usually C:\Rooter.txt).
  • Post the report for me to see.
 
Hi Ken

Here's the Rooter log:

Rooter_2
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows Vista. (6.0.6000)
[32_bits] - x86 Family 6 Model 15 Stepping 10, GenuineIntel
.
[wscsvc] (security center) RUNNING (state:4)
[MpSSVC] RUNNING (state:4)
windows Firewall -> Enabled
windows Defender -> Enabled
User Account control (UAC) -> Enabled
.
Internet Explorer 7.0.6000.16830
.
C:\ [Fixed-NTFS] ( Total:80 Go - Free:43 Go )
D:\ [Fixed-NTFS] .. ( Total:63 Go - Free:27 Go )
F:\ [CD_Rom]
.
scan: 03:23.47
Path : D:\Users\Kie\Desktop\Rooter.exe
User: Kie ( Administrator -> YES)
.
----------------------\\ Processes
.
Locked [system Process] (0)
Locked system (4)
_____ \systemRoot\system32\smss.exe (464)
_____ c:\windows\system32\csrss.exe (600)
_____ c:\windows\system32\wininit.exe (648)
_____ c:\windows\system32\csrss.exe (660)
_____ c:\windows\system32\services.exe (692)
_____ c:\windows\system32\lsass.exe (704)
_____ c:\windows\system32\lsm.exe (712)
_____ c:\windows\system32\winlogon.exe (780)
_____ c:\windoWs\system32\svchost.exe (932)
_____ c:\windows\Microsoft.Net\Framework\v3.0\wPF\presentationFontCache.exe (972)
_____ c:\windows\system32\svchost.exe (1016)
_____ c:\windows\system32\svchost.exe (1048)
_____ c:\windows\system32\Ati2evxx.exe (1152)
_____ c:\windows\system32\svchost.exe (1164)
_____ c:\windows\system32\svchost.exe (1204)
_____ c:\windows\system32\svchost.exe (1220)
Locked audiodg.exe (1336)
_____ c:\windows\system32\sLsvc.exe (1376)
_____ c:\windows\system32\svchost.exe (1468)
_____ c:\windows\system32\svchost.exe (1592)
_____ c:\windows\system32\Ati2evxx.exe (1700)
_____ c:\windows\system32\spoolsv.exe (1836)
_____ c:\windows\system32\svchost.exe (1860)
_____ C:\windows\system32\Dwm.exe (388)
_____ c:\windows\system32\taskeng.exe (592)
_____ c:\windows\Explorer.EXE (1000)
_____ c:\program Files\common Files\Acronis\schedule2\schedu12.exe (2044)
_____ c:\windows\system32\svchost.exe (1212)
_____ c:\program Files\TOSHIBA\ConfigFree\CFSvcs.exe (384)
_____ c:\program Files\olympus\DeviceDetector\DM1service.exe (904)
_____ c:\windows\system32\svchost.exe (1036)
_____ c:\program Files\Intel\Intel Matrix storage Manager\IAANTMon.exe (392)
_____ c:\windows\system32\svchost.exe (1412)
_____ c:\windows\system32\svchost.exe (2028)
_____ c:\windows\system32\svchost.exe (2056)
_____ c:\program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe (2084)
_____ c:\windows\system32\ToDDSrv.exe (2104)
_____ c:\program Files\TOSHIBA\Power Saver\TosCoSrv.exe (2172)
_____ c:\program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe (2212)
_____ C:\windows\system32\UAService7.exe (2284)
_____ c:\windows\system32\svchost.exe (2300)
_____ c:\windows\system32\SearchIndexer.exe (2332)
_____ c:\program Files\windows Defender\MsAscui.exe (3508)
_____ c:\program Files\TosHIBA\Toshiba online Product Information\TOPI.exe (3556)
_____ c:\windows\RtHDVCpl.exe (3564)
_____ c:\program Files\TOSHIBA\power Saver\TPWrMain.exe (3572)
_____ c:\program Files\TosHIBA\Smoothview\smoothview.exe (3592)
_____ c:\program Files\TOSHIBA\Flashcards\TcrdMain.exe (3600)
_____ c:\program Files\ToSHIBA\configFree\NDSTray.exe (3608)
_____ c:\program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (3624)
_____ c:\program Files\common Files\Acronis\schedule2\schedhlp.exe (3640)
_____ c:\program Files\QuickTime\qttask.exe (3648)
_____ D:\program Files\iTunes\iTunesHelper.exe (3656)
_____ c:\program Files\epson\creativity Suite\Event Manager\EEventManager.exe (3664)
_____ c:\program Files\HP\HP software update\hpwuschd2.exe (3672)
_____ c:\program Files\HP\Digital Imaging\bin\HpqsRmon.exe (3680)
_____ c:\program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (3700)
_____ c:\program Files\ipod\bin\iPodService.exe (2276)
_____ c:\program Files\ToSHIBA\ConfigFree\CFswMgr.exe (2916)
_____ c:\windows\system32\taskeng.exe (3488)
Locked dllhost.exe (3184)
D:\users\Kie\Desktop\Rooter.exe (1272)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [sectors: 63 x 512 Bytes]
\Device\Harddisk0\partition1 (Start_offset:1048576 | Length:1572864000)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:1573912576 | Length:86894444544)
\Device\Harddisk0\partition3 (Start_Offset:88468357120 | Length:68157440000)
\Device\Harddisk0\partition4 (Start_Offset:237850421760 | Length:12206315520)
.
----------------------\\ Scheduled Tasks
.
c:\Windows\Tasks\Applesoftwareupdate.job
c:\windows\Tasks\Google software updater.job
c:\windows\Tasks\SA.DAT
c:\windows\Tasks\sCHEDLGU.TXT
c:\windows\Tasks\User_Feed_Synchronization-{364B15A7-9ABD-47BF-BD4E-C8850BA667FD}.job
.
----------------------\\ Registry
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 03:23.48
.
C:\Rooter$\Rooter_2.txt - (15/08/2009 | 03:23.48)


Thanks again for your help,

Rosie
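Two things a reviewer checks in a Rooter report before calling it clean are the process list (which entries the tool could not open, marked "Locked") and the partition table (whether the listed partitions account for the disk contiguously). As an added example, not part of the thread and not code from Rooter, the Python below parses both sections and reports locked processes outside a short allow-list and any unallocated or overlapping space between partitions. The partition figures are the ones from the log above; the process lines are a constructed subset, and `_EXPECTED_LOCKED` is an assumed allow-list for the illustration.

```python
import re
from typing import List, Tuple

# Excerpt in the shape of Rooter's process and Device\Harddisk0 sections. Partition figures
# come from the log in the thread; the process lines are a constructed subset.
SAMPLE_ROOTER = r"""
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
_____ \SystemRoot\System32\smss.exe (464)
_____ c:\windows\system32\svchost.exe (932)
Locked audiodg.exe (1336)
Locked dllhost.exe (3184)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors: 63 x 512 Bytes]
\Device\Harddisk0\Partition1 (Start_Offset:1048576 | Length:1572864000)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:1573912576 | Length:86894444544)
\Device\Harddisk0\Partition3 (Start_Offset:88468357120 | Length:68157440000)
\Device\Harddisk0\Partition4 (Start_Offset:237850421760 | Length:12206315520)
.
"""

# "PartitionN [--[ FLAG ]--] (Start_Offset:bytes | Length:bytes)"
_PART_RE = re.compile(
    r"Partition(\d+)(?: --\[ (\w+) \]--)? \(Start_Offset:(\d+) \| Length:(\d+)\)", re.I)
# "Locked name (pid)" or "_____ path (pid)"
_PROC_RE = re.compile(r"^(Locked|_____) (.+) \((\d+)\)$")

# Processes that are normally closed to user-mode tools on Vista (assumed allow-list for this example).
_EXPECTED_LOCKED = {"[system process]", "system", "audiodg.exe"}


def parse_partitions(text: str) -> List[dict]:
    """Return partitions sorted by start offset, each with its computed end offset."""
    parts = []
    for m in _PART_RE.finditer(text):
        start, length = int(m.group(3)), int(m.group(4))
        parts.append({"index": int(m.group(1)), "flag": m.group(2) or "",
                      "start": start, "length": length, "end": start + length})
    return sorted(parts, key=lambda p: p["start"])


def layout_gaps(parts: List[dict]) -> List[Tuple[int, int]]:
    """Bytes between the end of one partition and the start of the next.

    Positive means unallocated space, negative means overlap; only non-zero gaps are
    returned, keyed by the index of the partition the gap follows.
    """
    gaps = []
    for a, b in zip(parts, parts[1:]):
        delta = b["start"] - a["end"]
        if delta:
            gaps.append((a["index"], delta))
    return gaps


def unexpected_locked(text: str) -> List[str]:
    """Names of 'Locked' processes that are not on the allow-list and so deserve a look."""
    names = []
    for line in text.splitlines():
        m = _PROC_RE.match(line.strip())
        if m and m.group(1) == "Locked" and m.group(2).lower() not in _EXPECTED_LOCKED:
            names.append(m.group(2))
    return names


if __name__ == "__main__":
    parts = parse_partitions(SAMPLE_ROOTER)
    for p in parts:
        print(f"partition {p['index']:<2} {p['flag']:<4} {p['start']:>15} .. {p['end']:>15}")
    for idx, delta in layout_gaps(parts):
        print(f"{abs(delta):,} bytes {'unallocated after' if delta > 0 else 'overlapping'} partition {idx}")
    print("locked, not on allow-list:", unexpected_locked(SAMPLE_ROOTER))
```

On the figures above the first three partitions are back to back and a large unallocated region sits between partition 3 and partition 4; that by itself proves nothing (vendor recovery layouts often leave such space) but it is the number to reconcile against Disk Management. Likewise a locked dllhost.exe is usually a COM surrogate in another session, so the list is a review queue, not a verdict.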
 
Hello Rosie,

Rooter did not find anything bad.

Outside of no internet, how is your system running now??
 
Rosie,

I am going to leave this thread open for you for a week or so in case you need to post back. What I would like you to do is post on this Windows forum, it's our sister site, tell them you have no internet, that you posted here and we removed Vundo, a Rogue Antimalware Program and a Rootkit and that now you cannot access the internet. They can help you get back online. We just do malware removal in this forum. You can also link them to this thread so they can see what we have done.

http://forums.spybot.info/showthread.php?t=50685



Post here, let me know if they helped you
http://forums.whatthetech.com/Browsers_Internet_email_f123.html

Good Luck,

Ken :)
 
I'm very grateful for all your help, Ken. Thank you! :thanks:

I'll do as you advise re: posting on the other site and let you know the outcome.

What security protection would you advise my nephew to have on his now clean laptop to stop re-infection? Programs which update automatically might be advisable, perhaps :)

Rosie
 
Looks like you have Symantec Anti Virus installed, just keep it updated and run a scan at least once a week

Malwarebytes <-- This is the free version and yours to keep, open a few times a month, check for updates and run the Quick Scan removing what it finds

Windows Defender <-- You also have this installed, you can find it to run on Start > All Programs > Windows Defender.





Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot, you can still install Spybot Search and Destroy but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
  • Spybot Search and Destroy 1.6
    Check for Updates/Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (Recommended) then do not enable the TeaTimer in Spybot Search and Destroy.
  • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
  • Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
  • IE-Spyad
    IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.


Rosie, when you post in the other forum, post the link back here in this thread so I can follow along.

Ken :)
 
Thanks for the advice, Ken. Once I can get him on-line again I'll download your suggestions.

The Symantec, like the F-Secure, were time-limited programs that came with his laptop. He usually uses AVG which I have reinstalled and updated via CD from my laptop.

How do I get rid of the remnants of these old programs, I wonder? Will they interfere with AVG?

Rosie
 
Rosie,

I am linked to WTT so I can follow along.

Post a new HJT log and let me see what's installed.

Let me ask you a couple of questions also.

1. Do you have DSL or Cable Internet?
2. Do you use a Router ?
 
Hello Ken

I use a cable modem. I do not have a router.

I'll post a new HJT log later tonight or tomorrow.

Thanks for your help,

Rosie
 