
sutra

Full Member
  • Content count: 25

About sutra

  • Rank: Member
  1. Hello again, a bit better news this time! I uninstalled McAfee and Microsoft Security Firewalls and installed Comodo as recommended. I didn't see a great improvement on rebooting but noticed that the Avira umbrella on the task bar, although it came up quickly, was closed and that real time and web protection had been stopped. It then took quite a long time before the umbrella opened and real time and web protection had been activated and my wireless internet connection activated. Although I have never had any problems with Avira previously, I uninstalled it and, bingo, at the moment, on reboot the start up was much improved. Can you recommend an anti-virus program to replace Avira as at the moment I am running without one? Thanks again for your help. sutra
  2. Thanks for your reply and have followed instructions as listed. Apologies for the delay in replying, but I have been running various malware and anti-virus programs to see if any of them could detect any problems but everything seems to be ok, unless there are problems they cannot detect. On start up everything runs normally until it starts loading my security programs: Avira, MBAM, McAfee Firewall and my internet wireless connection then it takes an eternity before start up is completed. I have disabled then reinstalled the various security programs but it makes no difference. I have also tried to restore my laptop to a point before the problems started but after going through the motions it tells me that the restore to a previous point has failed and no alteration has been made to my pc. On trying to go further back all restore points have suddenly been deleted apart from the ones after the problems started. Is this the end of the line or is there anything else I can try? Thanks, sutra
  3. Hi again, have updated Firefox and Java as instructed. Things have improved a lot regarding internet and programs not responding but start up seems to have slowed down quite a lot. Any hints on speeding it up? Thanks once again. sutra
  4. Hi, Sorry about the delay in replying, I went on a short break with my wife. Internet start up has improved but still have occasional problems when trying to access websites. Whether this is the websites themselves or my computer I'm not sure as it's random and not one particular site or sites. I installed Chrome and tried it but had difficulty importing from Firefox, particularly bookmarks. When I tried to install the Firefox toolbar I was told it was incompatible with Chrome. Thanks for your help, much appreciated. sutra
  5. Thanks. Latest scan below as requested.

     # AdwCleaner v2.007 - Logfile created 11/13/2012 at 05:58:05
     # Updated 06/11/2012 by Xplode
     # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
     # User : Administrator - HOME-X7EX4WXUZ0
     # Boot Mode : Normal
     # Running from : C:\Documents and Settings\Administrator\My Documents\Downloads\adwcleaner(1).exe
     # Option [Delete]

     ***** [Services] *****

     Stopped & Deleted : DefaultTabUpdate

     ***** [Files / Folders] *****

     File Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pjh77026.default\extensions\addon@defaulttab.com.xpi
     File Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pjh77026.default\searchplugins\Askcom.xml
     File Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pjh77026.default\searchplugins\search-here.xml
     File Deleted : C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
     Folder Deleted : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AskSearch
     Folder Deleted : C:\Documents and Settings\Administrator\Application Data\AskToolbar
     Folder Deleted : C:\Documents and Settings\Administrator\Application Data\DefaultTab
     Folder Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pjh77026.default\extensions\toolbar@ask.com
     Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\AskToolbar
     Folder Deleted : C:\Program Files\Ask.com
     Folder Deleted : C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

     ***** [Registry] *****

     Key Deleted : HKCU\Software\APN
     Key Deleted : HKCU\Software\AppDataLow\Software\DefaultTab
     Key Deleted : HKCU\Software\Ask.com
     Key Deleted : HKCU\Software\AskToolbar
     Key Deleted : HKCU\Software\Default Tab
     Key Deleted : HKCU\Software\DefaultTab
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
     Key Deleted : HKCU\Software\Softonic
     Key Deleted : HKLM\Software\APN
     Key Deleted : HKLM\Software\AskToolbar
     Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
     Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
     Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
     Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
     Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
     Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
     Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
     Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
     Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
     Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
     Key Deleted : HKLM\Software\Default Tab
     Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DefaultTab
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab
     Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
     Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]
     Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
     Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]

     ***** [Internet Browsers] *****

     -\\ Internet Explorer v8.0.6001.18702

     [OK] Registry is clean.

     -\\ Mozilla Firefox v16.0.2 (en-US)

     Profile name : default
     File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pjh77026.default\prefs.js
     Deleted : user_pref("browser.search.defaultengine", "Ask.com");
     Deleted : user_pref("browser.search.defaultenginename", "Ask.com");
     Deleted : user_pref("browser.search.order.1", "Ask.com");
     Deleted : user_pref("extensions.asktb.FeaturePageVersion", "1");
     Deleted : user_pref("extensions.asktb.InstallDir", "C:\\Program Files\\Ask.com\\");
     Deleted : user_pref("extensions.asktb.OOBEVersion", "1");
     Deleted : user_pref("extensions.asktb.apn_dbr", "ff_11.0");
     Deleted : user_pref("extensions.asktb.autofill-text-highlight-enabled", true);
     Deleted : user_pref("extensions.asktb.cbid", "^AGY");
     Deleted : user_pref("extensions.asktb.config-updated", false);
     Deleted : user_pref("extensions.asktb.crumb", "2012.11.06+03.14.44-toolbar018iad-GB-TWFuY2hlc3RlcixVbml0ZWQgS2[...]
     Deleted : user_pref("extensions.asktb.default-channel-url-mask", "hxxp://avira.ask.com/web?q={query}&o={o}&l={[...]
     Deleted : user_pref("extensions.asktb.domain", "avira-int.ask.com");
     Deleted : user_pref("extensions.asktb.domainName", "avira-int.ask.com");
     Deleted : user_pref("extensions.asktb.dtid", "^YYYYYY^YY^GB");
     Deleted : user_pref("extensions.asktb.en_DF", "");
     Deleted : user_pref("extensions.asktb.en_US", "");
     Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");
     Deleted : user_pref("extensions.asktb.first-launch-url", "hxxp://www.pdf995.com/download.html");
     Deleted : user_pref("extensions.asktb.fresh-install", false);
     Deleted : user_pref("extensions.asktb.guid", "EFB457FC-A8C7-43C5-9C35-8E6ED25D9FBA");
     Deleted : user_pref("extensions.asktb.hxxp-header-whitelist-hosts", "[\"static-dev.en.dev.ask.com\", \"ask.com[...]
     Deleted : user_pref("extensions.asktb.if", "first");
     Deleted : user_pref("extensions.asktb.l", "dis");
     Deleted : user_pref("extensions.asktb.last-config-req", "1352704530612");
     Deleted : user_pref("extensions.asktb.last-search-timestamp", "1352529835155");
     Deleted : user_pref("extensions.asktb.locale", "en_US");
     Deleted : user_pref("extensions.asktb.localePref", true);
     Deleted : user_pref("extensions.asktb.location", "Manchester,United Kingdom");
     Deleted : user_pref("extensions.asktb.o", "APN10267");
     Deleted : user_pref("extensions.asktb.overlay-reloaded-using-restart", true);
     Deleted : user_pref("extensions.asktb.qsrc", "2871");
     Deleted : user_pref("extensions.asktb.r", "3");
     Deleted : user_pref("extensions.asktb.sa", "YES");
     Deleted : user_pref("extensions.asktb.saguid", "7F7BF147-9255-4138-8571-A215BD14941D");
     Deleted : user_pref("extensions.asktb.search-history-queries", "601af0647bdc62aefe1b845a6");
     Deleted : user_pref("extensions.asktb.search-plugin-suggestions-url", "hxxp://ss.websearch.ask.com/query?qsrc=[...]
     Deleted : user_pref("extensions.asktb.search-suggestions-enabled", true);
     Deleted : user_pref("extensions.asktb.silent-upgrade", true);
     Deleted : user_pref("extensions.asktb.silent-upgrade-from-pre-newtabs-build", false);
     Deleted : user_pref("extensions.asktb.socialmini-first", true);
     Deleted : user_pref("extensions.asktb.socialmini-interval", "1200000");
     Deleted : user_pref("extensions.asktb.socialmini-max-char-ticker", "33");
     Deleted : user_pref("extensions.asktb.socialmini-max-items", "30");
     Deleted : user_pref("extensions.asktb.socialmini-native-on", true);
     Deleted : user_pref("extensions.asktb.socialmini-speed", "5000");
     Deleted : user_pref("extensions.asktb.themeid", "");
     Deleted : user_pref("extensions.asktb.timeinstalled", "05/11/2012 10:15:41");
     Deleted : user_pref("extensions.asktb.to", "");
     Deleted : user_pref("extensions.asktb.v", "3.15.10.100015");
     Deleted : user_pref("extensions.asktb.version", "5.15.10.29781");
     Deleted : user_pref("extensions.defaulttab.config", "{\"status\": \"ok\", \"config\": {\"dns_error_handling\":[...]
     Deleted : user_pref("extensions.enabledAddons", "toolbar@ask.com:3.15.10.100015,{972ce4c6-7e08-4474-a285-32081[...]
     Deleted : user_pref("keyword.URL", "hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=AVR-4&o=APN10267&loc[...]

     *************************

     AdwCleaner[R1].txt - [9047 octets] - [12/11/2012 10:10:35]
     AdwCleaner[S1].txt - [9587 octets] - [13/11/2012 05:58:05]

     ########## EOF - C:\AdwCleaner[S1].txt - [9647 octets] ##########
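The AdwCleaner reports in posts 5 and 6 list the same adware (Ask Toolbar, DefaultTab, incredibar) by the places it hooked into: a service, a scheduled task, a Run value, an IE Browser Helper Object, an IE URL search hook, and overridden Firefox search prefs. The Python below is an added example, not part of sutra's post and not AdwCleaner's own code: it parses report lines in the format shown above (both the [Search] "Found" and [Delete] "Deleted" variants) and groups each finding by the persistence mechanism it represents, so a responder can see which autostart and browser-hook vectors were in use rather than scanning a wall of registry paths. The sample lines are copied from the log above and embedded inline; the category names, the `PERSISTENCE` set and the classification rules are my own assumptions about how to triage such entries, not anything AdwCleaner defines.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the AdwCleaner [Delete] log above.
SAMPLE_LOG = r"""
***** [Services] *****
Stopped & Deleted : DefaultTabUpdate
***** [Files / Folders] *****
File Deleted : C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
Folder Deleted : C:\Program Files\Ask.com
***** [Registry] *****
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
***** [Internet Browsers] *****
-\\ Mozilla Firefox v16.0.2 (en-US)
Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("keyword.URL", "hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=AVR-4&o=APN10267&loc[...]
"""

# Line shapes seen in AdwCleaner v2 reports.
SECTION_RE = re.compile(r"^\*+\s*\[(?P<name>[^\]]+)\]\s*\*+$")
PREF_RE = re.compile(r"^(?P<action>Found|Deleted)\s*:\s*(?P<target>user_pref\(.*)$")
ENTRY_RE = re.compile(r"^(?P<kind>File|Folder|Key|Value)\s+(?P<action>Found|Deleted)\s*:\s*(?P<target>.+)$")
SERVICE_RE = re.compile(r"^(?P<action>Found|Stopped & Deleted)\s*:\s*(?P<target>.+)$")

# Assumed triage categories (mine, not AdwCleaner's). Those in PERSISTENCE
# are the ones that re-launch or re-hijack the browser after a reboot.
PERSISTENCE = {"service", "scheduled task", "run key", "ie bho",
               "ie url search hook", "ie toolbar", "browser search hijack"}


@dataclass(frozen=True)
class Finding:
    kind: str      # service | file | folder | key | value | pref
    action: str    # Found | Deleted | Stopped & Deleted
    target: str    # path, registry path, or user_pref(...) text
    category: str  # assumed triage category, see classify()


def classify(kind: str, target: str) -> str:
    """Map one finding to an assumed persistence/triage category."""
    t = target.lower()
    if kind == "service":
        return "service"
    if kind == "pref":
        m = re.match(r'user_pref\("([^"]+)"', target)
        name = m.group(1).lower() if m else ""
        if name.startswith("browser.search.") or name == "keyword.url":
            return "browser search hijack"
        return "browser extension pref"
    if kind in ("file", "folder"):
        return "scheduled task" if "\\tasks\\" in t and t.endswith(".job") else "payload files"
    # Registry key or value: check the well-known autostart/browser hook locations first.
    if "\\currentversion\\run" in t:
        return "run key"
    if "browser helper objects" in t:
        return "ie bho"
    if "urlsearchhooks" in t:
        return "ie url search hook"
    if "internet explorer\\toolbar" in t:
        return "ie toolbar"
    if "zonemap\\" in t:
        return "ie zone map"
    if "elevationpolicy" in t:
        return "ie elevation policy"
    if any(s in t for s in ("\\installer\\", "\\uninstall\\", "arpcache", "\\classes\\")):
        return "installer / com registration"
    return "other registry"


def parse_adwcleaner(text: str) -> list:
    """Parse AdwCleaner report lines into Finding records; unknown lines are skipped."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().lower()
            continue
        if (m := PREF_RE.match(line)):
            kind = "pref"
        elif (m := ENTRY_RE.match(line)):
            kind = m.group("kind").lower()
        elif section == "services" and (m := SERVICE_RE.match(line)):
            kind = "service"
        else:
            continue  # headers, "-\\ Mozilla Firefox ...", "[OK] Registry is clean." etc.
        target = m.group("target").strip()
        findings.append(Finding(kind, m.group("action"), target, classify(kind, target)))
    return findings


def summarize(findings: list) -> dict:
    """Group targets by category so the report reads by mechanism, not by path."""
    out = defaultdict(list)
    for f in findings:
        out[f.category].append(f.target)
    return dict(out)


def persistence_vectors(findings: list) -> list:
    """Sorted list of the persistence mechanisms present in the report."""
    return sorted({f.category for f in findings if f.category in PERSISTENCE})


if __name__ == "__main__":
    found = parse_adwcleaner(SAMPLE_LOG)
    for category, targets in summarize(found).items():
        print(f"[{category}]")
        for t in targets:
            print("   ", t)
    print("persistence vectors:", ", ".join(persistence_vectors(found)))
```

Feeding the full [Search] report from post 6 through the same parser gives the list of mechanisms to verify after a reboot (Run value, scheduled task, service, BHO, URL search hook, search prefs); if any category reappears in a fresh report after the [Delete] pass, the component that re-creates it has not been removed.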
  6. Once again, thanks for your reply. I reran mbam as you instructed and removed the Trojan passwords. On the second scan it showed one file (PUP.AdBundle) which I also removed. I check for viruses with Avira before downloading anything before copying it onto E, which is an external HD. I do periodically change my passwords where they are required. Internet connection is still slow although program not responding messages have improved. Below are scans as requested. Thanks.

     # AdwCleaner v2.007 - Logfile created 11/12/2012 at 10:10:35
     # Updated 06/11/2012 by Xplode
     # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
     # User : Administrator - HOME-X7EX4WXUZ0
     # Boot Mode : Normal
     # Running from : C:\Documents and Settings\Administrator\My Documents\Downloads\adwcleaner.exe
     # Option [Search]

     ***** [Services] *****

     Found : DefaultTabUpdate

     ***** [Files / Folders] *****

     File Found : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pjh77026.default\extensions\addon@defaulttab.com.xpi
     File Found : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pjh77026.default\searchplugins\Askcom.xml
     File Found : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pjh77026.default\searchplugins\search-here.xml
     File Found : C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
     Folder Found : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AskSearch
     Folder Found : C:\Documents and Settings\Administrator\Application Data\DefaultTab
     Folder Found : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pjh77026.default\extensions\toolbar@ask.com
     Folder Found : C:\Documents and Settings\Administrator\Local Settings\Application Data\AskToolbar
     Folder Found : C:\Program Files\Ask.com
     Folder Found : C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

     ***** [Registry] *****

     Key Found : HKCU\Software\APN
     Key Found : HKCU\Software\AppDataLow\Software\DefaultTab
     Key Found : HKCU\Software\Ask.com
     Key Found : HKCU\Software\AskToolbar
     Key Found : HKCU\Software\Default Tab
     Key Found : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
     Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
     Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
     Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
     Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
     Key Found : HKCU\Software\Softonic
     Key Found : HKLM\Software\APN
     Key Found : HKLM\Software\AskToolbar
     Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
     Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
     Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
     Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
     Key Found : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
     Key Found : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
     Key Found : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
     Key Found : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
     Key Found : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
     Key Found : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
     Key Found : HKLM\Software\Default Tab
     Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DefaultTab
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab
     Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]
     Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
     Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]

     ***** [Internet Browsers] *****

     -\\ Internet Explorer v8.0.6001.18702

     [OK] Registry is clean.

     -\\ Mozilla Firefox v16.0.2 (en-US)

     Profile name : default
     File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pjh77026.default\prefs.js
     Found : user_pref("browser.search.defaultengine", "Ask.com");
     Found : user_pref("browser.search.defaultenginename", "Ask.com");
     Found : user_pref("browser.search.order.1", "Ask.com");
     Found : user_pref("extensions.asktb.FeaturePageVersion", "1");
     Found : user_pref("extensions.asktb.InstallDir", "C:\\Program Files\\Ask.com\\");
     Found : user_pref("extensions.asktb.OOBEVersion", "1");
     Found : user_pref("extensions.asktb.apn_dbr", "ff_11.0");
     Found : user_pref("extensions.asktb.autofill-text-highlight-enabled", true);
     Found : user_pref("extensions.asktb.cbid", "^AGY");
     Found : user_pref("extensions.asktb.config-updated", false);
     Found : user_pref("extensions.asktb.crumb", "2012.11.06+03.14.44-toolbar018iad-GB-TWFuY2hlc3RlcixVbml0ZWQgS2[...]
     Found : user_pref("extensions.asktb.default-channel-url-mask", "hxxp://avira.ask.com/web?q={query}&o={o}&l={[...]
     Found : user_pref("extensions.asktb.domain", "avira-int.ask.com");
     Found : user_pref("extensions.asktb.domainName", "avira-int.ask.com");
     Found : user_pref("extensions.asktb.dtid", "^YYYYYY^YY^GB");
     Found : user_pref("extensions.asktb.en_DF", "");
     Found : user_pref("extensions.asktb.en_US", "");
     Found : user_pref("extensions.asktb.ff-original-keyword-url", "");
     Found : user_pref("extensions.asktb.first-launch-url", "hxxp://www.pdf995.com/download.html");
     Found : user_pref("extensions.asktb.first-restart-after-config-update", true);
     Found : user_pref("extensions.asktb.fresh-install", false);
     Found : user_pref("extensions.asktb.guid", "EFB457FC-A8C7-43C5-9C35-8E6ED25D9FBA");
     Found : user_pref("extensions.asktb.hxxp-header-whitelist-hosts", "[\"static-dev.en.dev.ask.com\", \"ask.com[...]
     Found : user_pref("extensions.asktb.if", "first");
     Found : user_pref("extensions.asktb.l", "dis");
     Found : user_pref("extensions.asktb.last-config-req", "1352704530612");
     Found : user_pref("extensions.asktb.last-search-timestamp", "1352529835155");
     Found : user_pref("extensions.asktb.locale", "en_US");
     Found : user_pref("extensions.asktb.localePref", true);
     Found : user_pref("extensions.asktb.location", "Manchester,United Kingdom");
     Found : user_pref("extensions.asktb.o", "APN10267");
     Found : user_pref("extensions.asktb.overlay-reloaded-using-restart", true);
     Found : user_pref("extensions.asktb.qsrc", "2871");
     Found : user_pref("extensions.asktb.r", "3");
     Found : user_pref("extensions.asktb.sa", "YES");
     Found : user_pref("extensions.asktb.saguid", "7F7BF147-9255-4138-8571-A215BD14941D");
     Found : user_pref("extensions.asktb.search-history-queries", "601af0647bdc62aefe1b845a6");
     Found : user_pref("extensions.asktb.search-plugin-suggestions-url", "hxxp://ss.websearch.ask.com/query?qsrc=[...]
     Found : user_pref("extensions.asktb.search-suggestions-enabled", true);
     Found : user_pref("extensions.asktb.silent-upgrade", true);
     Found : user_pref("extensions.asktb.silent-upgrade-from-pre-newtabs-build", false);
     Found : user_pref("extensions.asktb.socialmini-first", true);
     Found : user_pref("extensions.asktb.socialmini-interval", "1200000");
     Found : user_pref("extensions.asktb.socialmini-max-char-ticker", "33");
     Found : user_pref("extensions.asktb.socialmini-max-items", "30");
     Found : user_pref("extensions.asktb.socialmini-native-on", true);
     Found : user_pref("extensions.asktb.socialmini-speed", "5000");
     Found : user_pref("extensions.asktb.themeid", "");
     Found : user_pref("extensions.asktb.timeinstalled", "05/11/2012 10:15:41");
     Found : user_pref("extensions.asktb.to", "");
     Found : user_pref("extensions.asktb.v", "3.15.10.100015");
     Found : user_pref("extensions.asktb.version", "5.15.10.29781");
     Found : user_pref("extensions.defaulttab.config", "{\"status\": \"ok\", \"config\": {\"dns_error_handling\":[...]
     Found : user_pref("extensions.enabledAddons", "toolbar@ask.com:3.15.10.100015,{972ce4c6-7e08-4474-a285-32081[...]
     Found : user_pref("keyword.URL", "hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=AVR-4&o=APN10267&loc[...]

     *************************

     AdwCleaner[R1].txt - [8918 octets] - [12/11/2012 10:10:35]

     ########## EOF - C:\AdwCleaner[R1].txt - [8978 octets] ##########

     C:\System Volume Information\_restore{D31C8A4A-A60E-4289-93EB-43E77D1210E8}\RP35\A0005714.exe    a variant of Win32/SoftonicDownloader.E application    cleaned by deleting - quarantined
     E:\InternationalPrimoPDF.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
     E:\Set Up Folder\InternationalPrimoPDF.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
     E:\System Volume Information\_restore{D31C8A4A-A60E-4289-93EB-43E77D1210E8}\RP97\A0024128.exe    a variant of Win32/Toolbar.Widgi application    cleaned by deleting - quarantined
     E:\System Volume Information\_restore{D31C8A4A-A60E-4289-93EB-43E77D1210E8}\RP35\A0005750.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
     E:\System Volume Information\_restore{D31C8A4A-A60E-4289-93EB-43E77D1210E8}\RP45\A0007192.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
     E:\System Volume Information\_restore{D31C8A4A-A60E-4289-93EB-43E77D1210E8}\RP45\A0007267.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
     E:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP368\A0051215.exe    a variant of Win32/InstallIQ application    cleaned by deleting - quarantined
     E:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP386\A0054669.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
  7. Thanks for the reply, have followed your instructions. Still slow when on the net but is ok when working offline. Have checked internet connections and configuration and results indicate they're ok. Results of latest mbam scan below. Thanks.

     Malwarebytes Anti-Malware 1.65.1.1000
     www.malwarebytes.org

     Database version: v2012.11.07.03

     Windows XP Service Pack 3 x86 FAT32
     Internet Explorer 8.0.6001.18702
     Administrator :: HOME-X7EX4WXUZ0 [administrator]

     11/11/2012 09:23:48
     mbam-log-2012-11-11 (09-23-48).txt

     Scan type: Full scan (C:\|E:\|)
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 297041
     Time elapsed: 3 hour(s), 54 minute(s), 55 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 1
     C:\System Volume Information\_restore{D31C8A4A-A60E-4289-93EB-43E77D1210E8}\RP35\A0005713.exe (PUP.AdBundle) -> Quarantined and deleted successfully.

     (end)
  8. Hi, My laptop has suddenly developed an extremely slow internet start up although it boots up as normal. Once on the net, opening programs or websites is very slow with many not responding. My o/s is xp pro and my default browser is Firefox although I have tried IE8 but it is still the same. I have recently upgraded from sp2 to sp3. Hope this info helps. Any help would be much appreciated. Thank You. Sorry, I forgot to include scans.

     Malwarebytes Anti-Malware 1.65.1.1000
     www.malwarebytes.org

     Database version: v2012.11.07.03

     Windows XP Service Pack 3 x86 FAT32
     Internet Explorer 8.0.6001.18702
     Administrator :: HOME-X7EX4WXUZ0 [administrator]

     07/11/2012 21:14:22
     mbam-log-2012-11-07 (09-15-43).txt

     Scan type: Full scan (C:\|E:\|)
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 292243
     Time elapsed: 2 hour(s), 33 minute(s),

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 41
     C:\Documents and Settings\Administrator\My Documents\Downloads\EZArticleCreator\EZArticleCreator\Software\EZ Article Creator.exe (Trojan.Passwords) -> No action taken.
     C:\System Volume Information\_restore{D31C8A4A-A60E-4289-93EB-43E77D1210E8}\RP35\A0005713.exe (PUP.AdBundle) -> No action taken.
     E:\GraphicsWiz\GraphicsWiz.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\AtoZWebsiteCreation.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\Louis Alport\5TrafficTactics.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\Louis Alport\7FastWays.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\Louis Alport\10GoogleSteps.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\Louis Alport\10ProgrammingTricks.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\Louis Alport\29WebsiteTricks.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\Louis Alport\30MinuteMinisite.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\Louis Alport\AdSenseCash.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\Louis Alport\AudioMastery.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\Louis Alport\AutomaticContent.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\Louis Alport\BlogTraffic.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\Louis Alport\CreateFreePDF.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\Louis Alport\FreeGoogleTraffic.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\Louis Alport\FreeToolbars.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\Louis Alport\HugeKeywordLists.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\Louis Alport\InstantSoftware.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\Louis Alport\MasterWebGraphics.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\Louis Alport\MaximizeAdSense.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\Louis Alport\MembershipSite.exe (Trojan.Passwords) -> No action taken.
     E:\My Websites\website folder\Louis Alport\WebsiteSpy.exe (Trojan.Passwords) -> No action taken.
     E:\System Volume Information\_restore{D31C8A4A-A60E-4289-93EB-43E77D1210E8}\RP35\A0005742.exe (Spyware.Passwords.Gen) -> No action taken.
     E:\System Volume Information\_restore{D31C8A4A-A60E-4289-93EB-43E77D1210E8}\RP35\A0005744.exe (Spyware.Passwords.Gen) -> No action taken.
     E:\System Volume Information\_restore{D31C8A4A-A60E-4289-93EB-43E77D1210E8}\RP35\A0005745.exe (Spyware.Passwords.Gen) -> No action taken.
     E:\My Ebooks\My eBooks\cardtricks\output\cardtricks.exe (Trojan.Passwords) -> No action taken.
     E:\My Ebooks\My eBooks\Ebook reseller\zero2hero.exe (Trojan.Passwords) -> No action taken.
     E:\Course Folder\Dropshippers-List-UK.exe (Trojan.Passwords) -> No action taken.
     E:\Article and Book Folder\Dog Folder\Dog Breed Encyclopedia.exe (Trojan.Passwords) -> No action taken.
     E:\SqueezePageMastery\SqueezePageMastery.exe (Trojan.Passwords) -> No action taken.
     E:\Tools Folder\pdftoolkit\easy_pdf_toolkit.exe (Trojan.Passwords) -> No action taken.
     E:\Tools Folder\ofbarticleadvantagepro\ArticleAdvantagePro-BonusProducts\ArticleWiz.exe (Trojan.Passwords) -> No action taken.
     E:\Tools Folder\VAULT_GraphicsWizard_CoolTool_RR2476\GraphicsWizard_CoolTool\GraphicsWizard_CoolTool.exe (Trojan.Passwords) -> No action taken.
     E:\Traffic Folder\5TrafficTactics\5TrafficTactics.exe (Trojan.Passwords) -> No action taken.
     E:\PLR Folder\instantebooks_plr207\Instant eBooks\video-tutorial\CreateFreePDF.exe (Trojan.Passwords) -> No action taken.
     E:\Time Saving Folder\TimeSavingScriptsPack3\GraphicsWizardCoolToolMRR\GraphicsWizardCoolToolMRR\GraphicsWizard_CoolTool\GraphicsWizard_CoolTool.exe (Trojan.Passwords) -> No action taken.
     E:\Time Saving Folder\TimeSavingScriptsPack4\WeblinkerProLiteMRR\WeblinkerProLiteMRR\WeblinkerPro\weblinker-pro-lite.exe (Trojan.Passwords) -> No action taken.
     E:\James_Jordan-Supercharged_Traffic_Software_Package\Ultimate Backlink Builder Software\UltimateBacklinkBuilder.exe (Trojan.Passwords) -> No action taken.
     E:\Kindle Folder\KindleeBookGenerator\KindleeBookGenerator\Software\Kindle eBook Generator.exe (Spyware.Passwords.Gen) -> No action taken.
     E:\Clickbank Folder\Clickbank-offer\Email Followup.exe (Trojan.Passwords) -> No action taken.

     (end)

     DDS (Ver_2012-11-07.01) - FAT32_x86
     Internet Explorer: 8.0.6001.18702
     Run by Administrator at 13:09:25 on 2012-11-07
     Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.511.107 [GMT 0:00]
     .
     AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
     .
     ============== Running Processes ================
     .
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Avira\AntiVir Desktop\sched.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Avira\AntiVir Desktop\avguard.exe
     C:\Documents and Settings\Administrator\Application Data\DefaultTab\DefaultTab\DTUpdate.exe
     C:\WINDOWS\System32\00THotkey.exe
     C:\WINDOWS\system32\TPWRTRAY.EXE
     C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
     C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
     C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
     C:\WINDOWS\system32\TFNF5.exe
     C:\Program Files\Apoint2K\Apoint.exe
     C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
     C:\Program Files\Common Files\Java\Java Update\jusched.exe
     C:\WINDOWS\system32\CPXBGSTA.EXE
     C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
     C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
     C:\Program Files\Ask.com\Updater\Updater.exe
     C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
     C:\Program Files\Messenger\msmsgs.exe
     C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
     C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
     C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
     C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
     C:\Program Files\Apoint2K\Apntex.exe
     C:\WINDOWS\System32\nvsvc32.exe
     C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
     C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
     C:\WINDOWS\system32\wuauclt.exe
     C:\Program Files\Mozilla Firefox\firefox.exe
     C:\WINDOWS\System32\alg.exe
     C:\Program Files\Microsoft Office\Office\WINWORD.EXE
     C:\WINDOWS\msagent\AgentSvr.exe
     C:\WINDOWS\system32\wbem\wmiprvse.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     C:\WINDOWS\System32\svchost.exe -k NetworkService
     C:\WINDOWS\System32\svchost.exe -k LocalService
     C:\WINDOWS\System32\svchost.exe -k LocalService
     C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
     C:\WINDOWS\System32\svchost.exe -k HPZ12
     C:\WINDOWS\System32\svchost.exe -k HPZ12
     C:\WINDOWS\System32\svchost.exe -k imgsvc
     .
     ============== Pseudo HJT Report ===============
     .
     uWindow Title = Internet Explorer, optimized for Bing and MSN
     uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\ask.com\GenericAskToolbar.dll
     BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
     BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
     BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
     BHO: DefaultTab Browser Helper: {7F6AFBF1-E065-4627-A2FD-810366367D01} - c:\documents and settings\administrator\application data\defaulttab\defaulttab\DefaultTabBHO.dll
     BHO: Avira SearchFree Toolbar plus Web Protection: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
     BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
     TB: Avira SearchFree Toolbar plus Web Protection: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
     EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
     EB: Encarta &Researcher: {9455301C-CF6B-11D3-A266-00C04F689C50} - c:\program files\common files\microsoft shared\reference 2001\EROProj.dll
     uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
     uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe"
     uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
     mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
     mRun: [nwiz] nwiz.exe /installquiet
     mRun: [00THotkey] c:\windows\system32\00THotkey.exe
     mRun: [000StTHK] 000StTHK.exe
     mRun: [Tpwrtray] TPWRTRAY.EXE
     mRun: [TFncKy] TFncKy.exe /Type 20
     mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
     mRun: [TFNF5] TFNF5.exe
     mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
     mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
     mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
     mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
     mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
     mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
     mRun: [CPXBGSTA.EXE] CPXBGSTA.EXE START
     mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
     mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
     mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM
     mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MPFTRAY.EXE
     mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
     mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
     mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\OSA9.EXE
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
     uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
     mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
     IE: {9455301C-CF6B-11D3-A266-00C04F689C50} - {9455301C-CF6B-11D3-A266-00C04F689C50}
     IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} -
{DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe LSP: c:\program files\avira\antivir desktop\avsda.dll . INFO: HKCU has more than 50 listed domains. If you wish to scan all of them, select the 'Force scan all domains' option. . . INFO: HKLM has more than 50 listed domains. If you wish to scan all of them, select the 'Force scan all domains' option. . DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1351490167452 DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1351497295629 TCP: NameServer = 192.168.1.254 TCP: Interfaces\{6DE3B4F1-49F9-4B91-A90C-C231E26ADBEB} : DHCPNameServer = 192.168.1.254 Handler: msencarta - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - c:\program files\common files\microsoft shared\reference 2001\MSREF.DLL Handler: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - c:\program files\common files\microsoft shared\reference 2001\msero.dll Handler: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - c:\program files\common files\microsoft shared\reference 2001\MSREF.DLL . ================= FIREFOX =================== . 
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\pjh77026.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://home.bt.yahoo.com/ FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=AVR-4&o=APN10267&locale=en_DF&apn_uid=EFB457FC-A8C7-43C5-9C35-8E6ED25D9FBA&apn_ptnrs=^AGY&apn_sauid=7F7BF147-9255-4138-8571-A215BD14941D&apn_dtid=^YYYYYY^YY^GB&&q= FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\pjh77026.default\extensions\toolbar@ask.com\plugins\npAviraCallingID.dll FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll FF - ExtSQL: 2012-11-05 09:41; addon@defaulttab.com; c:\documents and settings\administrator\application data\mozilla\firefox\profiles\pjh77026.default\extensions\addon@defaulttab.com.xpi FF - ExtSQL: 2012-11-05 10:15; toolbar@ask.com; c:\documents and settings\administrator\application data\mozilla\firefox\profiles\pjh77026.default\extensions\toolbar@ask.com . ============= SERVICES / DRIVERS =============== . 
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-11-5 36552] R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2012-3-16 55936] R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-11-5 84256] R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-11-5 108320] R2 AntiVirWebService;Avira Web Protection;c:\program files\avira\antivir desktop\avwebgrd.exe [2012-11-5 560416] R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-11-5 83792] R2 DefaultTabUpdate;DefaultTabUpdate;c:\documents and settings\administrator\application data\defaulttab\defaulttab\DTUpdate.exe [2012-11-5 107520] R3 CPXBG_ICB;CPX Wireless LAN 802.11g Driver;c:\windows\system32\drivers\CPXBGICB.sys [2012-10-28 57024] . =============== Created Last 30 ================ . 2012-11-07 10:01:27 -------- d-----w- c:\program files\Trend Micro 2012-11-07 09:14:06 -------- d-----w- c:\windows\ie8updates 2012-11-07 08:07:11 3072 ------w- c:\windows\system32\iacenc.dll 2012-11-07 08:07:11 3072 ------w- c:\windows\system32\dllcache\iacenc.dll 2012-11-07 08:02:28 119808 ------w- c:\windows\system32\dllcache\t2embed.dll 2012-11-07 08:02:14 630272 ------w- c:\windows\system32\dllcache\msfeeds.dll 2012-11-07 08:02:14 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll 2012-11-07 08:02:12 2000384 ------w- c:\windows\system32\dllcache\iertutil.dll 2012-11-07 08:02:12 12800 ------w- c:\windows\system32\dllcache\xpshims.dll 2012-11-07 08:02:11 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll 2012-11-07 08:02:11 521728 ------w- c:\windows\system32\dllcache\jsdbgui.dll 2012-11-07 08:02:09 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll 2012-11-07 08:00:19 153088 ------w- c:\windows\system32\dllcache\triedit.dll 2012-11-07 07:59:37 401408 ------w- c:\windows\system32\dllcache\rpcss.dll 2012-11-07 07:59:37 284160 ------w- c:\windows\system32\dllcache\pdh.dll 
2012-11-07 07:59:36 473600 ------w- c:\windows\system32\dllcache\fastprox.dll 2012-11-07 07:59:36 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe 2012-11-07 07:59:36 110592 ------w- c:\windows\system32\dllcache\services.exe 2012-11-07 07:59:35 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll 2012-11-07 07:59:34 617472 ------w- c:\windows\system32\dllcache\advapi32.dll 2012-11-07 07:58:19 105472 ------w- c:\windows\system32\dllcache\mup.sys 2012-11-07 07:54:48 139784 ------w- c:\windows\system32\dllcache\rdpwd.sys 2012-11-07 07:54:32 331776 ------w- c:\windows\system32\dllcache\msadce.dll 2012-11-07 07:53:48 293376 ------w- c:\windows\system32\browserchoice.exe 2012-11-07 07:53:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe 2012-11-07 07:48:35 718336 ------w- c:\windows\system32\dllcache\ntdll.dll 2012-11-07 07:48:29 2148352 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe 2012-11-07 07:48:28 2192640 ------w- c:\windows\system32\dllcache\ntoskrnl.exe 2012-11-07 07:48:28 2026496 ------w- c:\windows\system32\dllcache\ntkrpamp.exe 2012-11-07 07:48:27 2069120 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe 2012-11-07 07:48:20 45568 ------w- c:\windows\system32\dllcache\wab.exe 2012-11-07 07:46:21 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll 2012-11-07 07:46:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2012-11-07 07:43:43 218112 ------w- c:\windows\system32\dllcache\wordpad.exe 2012-11-07 07:27:59 536576 ------w- c:\windows\system32\dllcache\msado15.dll 2012-11-06 21:38:30 -------- d-----w- c:\windows\system32\PreInstall 2012-11-06 17:56:52 -------- d-----w- c:\program files\Eusing Free Registry Cleaner 2012-11-06 17:12:41 74703 ----a-w- c:\windows\system32\mfc45.dll 2012-11-06 17:11:53 -------- d-----w- c:\program files\iolo 2012-11-06 17:11:53 -------- d-----w- c:\documents and settings\all users\application data\iolo 2012-11-06 11:13:12 -------- d-----w- c:\windows\system32\SoftwareDistribution 2012-11-06 08:55:42 
-------- d-----w- c:\program files\VideoLAN 2012-11-06 08:17:53 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Adobe 2012-11-05 17:13:04 -------- d-----w- c:\documents and settings\administrator\application data\CallingID 2012-11-05 16:54:07 -------- d-----w- c:\program files\Spybot - Search & Destroy 2012-11-05 16:54:07 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy 2012-11-05 10:22:10 -------- d-----w- c:\documents and settings\administrator\application data\Avira 2012-11-05 10:15:31 -------- d-----w- c:\program files\Ask.com 2012-11-05 10:15:27 -------- d-----w- c:\documents and settings\administrator\local settings\application data\AskToolbar 2012-11-05 10:14:53 83792 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2012-11-05 10:14:53 36552 ----a-w- c:\windows\system32\drivers\avkmgr.sys 2012-11-05 10:14:47 -------- d-----w- c:\program files\Avira 2012-11-05 10:14:47 -------- d-----w- c:\documents and settings\all users\application data\Avira 2012-11-05 08:44:00 -------- d-----w- c:\documents and settings\administrator\application data\DefaultTab 2012-11-05 08:41:28 -------- d-----w- c:\windows\system32\CatRoot_bak 2012-10-29 07:39:36 -------- d-----w- C:\81cadeae6267b182ee9f 2012-10-29 07:33:22 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE 2012-10-29 07:30:11 -------- d-sh--w- c:\documents and settings\administrator\IETldCache 2012-10-29 07:09:45 -------- d--h--w- c:\windows\ie8 2012-10-29 07:09:30 -------- d--h--w- c:\windows\msdownld.tmp 2012-10-29 05:54:28 -------- d-sh--w- c:\documents and settings\administrator\UserData 2012-10-28 17:38:46 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-10-28 17:30:17 -------- d--h--w- c:\windows\$hf_mig$ 2012-10-28 17:30:10 294912 ------w- c:\windows\system32\dllcache\msctf.dll 2012-10-28 09:04:08 -------- d-----w- c:\windows\system32\wbem\AutoRecover 2012-10-28 08:27:09 -------- d-----w- 
c:\windows\ServicePackFiles 2012-10-28 08:22:52 2897920 ------w- c:\windows\system32\xpsp2res.dll 2012-10-28 08:20:41 19528 ----a-w- c:\windows\002308_.tmp 2012-10-28 08:20:16 26144 ----a-w- c:\windows\system32\spupdsvc.exe 2012-10-28 08:16:40 -------- d-----w- c:\windows\EHome 2012-10-28 06:53:02 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-10-28 05:06:57 57024 ----a-w- c:\windows\system32\drivers\CPXBGICB.sys 2012-10-28 05:06:57 337995 ----a-w- c:\windows\system32\CPXBGCFG.cpl 2012-10-28 05:06:47 215040 ----a-w- c:\windows\system32\CPXBGSTA.exe 2012-10-28 05:06:39 106496 ----a-w- c:\windows\system32\CPXBGRES.dll 2012-10-28 05:05:50 79360 ----a-w- c:\windows\system32\CPXBGIOC.dll 2012-10-28 05:05:50 -------- d-----w- c:\windows\system32\SUtemp . ==================== Find3M ==================== . 2012-09-29 19:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-08-28 15:14:54 916992 ----a-w- c:\windows\system32\wininet.dll 2012-08-28 15:14:54 43520 ----a-w- c:\windows\system32\licmgr10.dll 2012-08-28 15:14:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl 2012-08-28 12:07:16 385024 ----a-w- c:\windows\system32\html.iec 2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll . ============= FINISH: 13:10:19.73 =============== Results of screen317's Security Check version 0.99.54 Windows XP Service Pack 3 x86 Internet Explorer 8 ``````````````Antivirus/Firewall Check:`````````````` Windows Firewall Enabled! Avira Desktop Antivirus up to date! `````````Anti-malware/Other Utilities Check:````````` Out of date HijackThis installed! Spybot - Search & Destroy Malwarebytes Anti-Malware version 1.65.1.1000 HijackThis 2.0.2 CCleaner Eusing Free Registry Cleaner Java version out of Date! 
Adobe Flash Player 11.4.402.287 Mozilla Firefox (16.0.2) ````````Process Check: objlist.exe by Laurent```````` Malwarebytes Anti-Malware mbam.exe Avira Antivir avgnt.exe Avira Antivir avguard.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C:: 10% ````````````````````End of Log``````````````````````
  9. Hi once again. I have deleted the programs listed in HJT but, sorry to say, there is no improvement in start up, though once start up is completed everything runs quite well. I enclose the HJT log as requested. sutra

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 08:05:33, on 27/01/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe
C:\Program Files\Avira\AntiVir Desktop\updrgui.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://btyahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [igfxtray] c:\windows\system32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Web Protection (AntiVirWebService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

--
End of file - 6832 bytes
  10. Hi, The Dark Knight, I checked and unchecked system restore but start up is still taking 4/5 minutes. With regards to unnecessary programs, would it be ok to delete them all? With regards to the ESET log, after the scan is completed it shows the number of infected files and asks whether I want to remove them, which I don't. I click on "show details" and the infected files are shown. There doesn't appear to be any link to bring up a log file, or any sign that one has been downloaded onto my computer. Below are the files from the previous scan. Also the Combo log.

C:\Documents and Settings\Brian\My Documents\Downloads\imf-setup.exe a variant of Win32/Toolbar.Widgi application
C:\Program Files\Trend Micro\HiJackThis\backups\backup-20120122-094750-233.dll Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\DnsBHO.dll a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll a variant of Win32/Toolbar.SearchSuite application
C:\Qoobox\Quarantine\E\Igor\giveawaytemplate\SoftonicDownloader_for_nvu.exe.vir a variant of Win32/SoftonicDownloader.A application
C:\Qoobox\Quarantine\E\Set Up Folder\asc-setup.exe.vir a variant of Win32/Toolbar.Widgi application
C:\Qoobox\Quarantine\E\Set Up Folder\cnet_EFRCSetup_exe.exe.vir a variant of Win32/InstallCore.D application
C:\Qoobox\Quarantine\E\Set Up Folder\imf-setup.exe.vir a variant of Win32/Toolbar.Widgi application
E:\System Volume Information\_restore{D31C8A4A-A60E-4289-93EB-43E77D1210E8}\RP97\A0024128.exe a variant of Win32/Toolbar.Widgi application

ComboFix 12-01-23.02 - Brian 26/01/2012 7:01.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1430 [GMT 0:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript 2.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\documents and settings\Brian\My Documents\Downloads\imf-setup.exe"
"e:\set up folder\cnet_EFRCSetup_exe.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Brian\My Documents\Downloads\imf-setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-26 to 2012-01-26 )))))))))))))))))))))))))))))))
.
.
2012-01-20 09:16 . 2012-01-20 09:16 -------- d-----w- c:\program files\ESET
2012-01-20 09:08 . 2012-01-20 09:08 388096 ----a-r- c:\documents and settings\Brian\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-01-20 09:08 . 2012-01-20 09:08 -------- d-----w- c:\program files\Trend Micro
2012-01-19 13:45 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-01-16 06:51 . 2012-01-23 19:02 -------- d-----w- c:\documents and settings\Brian\.thumbnails
2012-01-14 10:17 . 2011-10-14 14:47 23040 -c----w- c:\windows\system32\dllcache\mciseq.dll
2012-01-14 10:17 . 2011-10-14 14:47 176128 -c----w- c:\windows\system32\dllcache\winmm.dll
2012-01-14 10:15 . 2011-11-03 15:28 386048 -c----w- c:\windows\system32\dllcache\qdvd.dll
2012-01-14 10:14 . 2011-11-18 12:35 60416 -c----w- c:\windows\system32\dllcache\packager.exe
2012-01-14 10:05 . 2012-01-14 10:05 -------- d-----w- c:\windows\system32\winrm
2012-01-12 07:27 . 2012-01-12 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2012-01-11 06:46 . 2012-01-11 06:46 -------- d-----w- c:\documents and settings\Brian\Local Settings\Application Data\Ilivid Player
2012-01-11 06:46 . 2012-01-11 06:46 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318}
2012-01-11 06:44 . 2012-01-11 06:45 -------- d-----w- c:\program files\Windows iLivid Toolbar
2012-01-10 05:13 . 2012-01-10 05:13 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-10 05:13 . 2012-01-10 05:13 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-10 05:13 . 2012-01-10 05:13 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-10 05:13 . 2012-01-10 05:13 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-05 14:22 . 2012-01-05 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-01-05 11:30 . 2012-01-05 11:35 -------- d-----w- c:\program files\Facebook Buzz
2012-01-04 19:21 . 2012-01-04 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2012-01-04 19:17 . 2012-01-04 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2012-01-04 18:31 . 2012-01-04 18:31 -------- d-----w- c:\windows\system32\CatRoot_bak
2012-01-04 06:15 . 2012-01-04 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-12-29 10:33 . 2012-01-14 07:31 -------- d-----w- c:\program files\eBook Maestro FREE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 15:24 . 2011-09-22 13:26 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-09 08:03 . 2011-10-06 06:52 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-11-25 21:57 . 2006-06-06 09:55 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2006-06-06 09:55 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2006-06-06 09:55 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2006-06-06 09:55 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2006-06-06 09:55 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-12 07:49 . 2011-10-04 17:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20 . 2006-06-06 09:55 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2006-06-06 09:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2006-06-06 09:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2006-06-06 09:54 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2006-06-06 09:55 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2006-06-06 09:55 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2006-06-06 09:55 1288704 ----a-w- c:\windows\system32\ole32.dll
2012-01-10 05:13 . 2011-10-14 06:35 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-22_10.38.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-06-06 09:55 . 2012-01-22 09:53 71572 c:\windows\system32\perfc009.dat
+ 2006-06-06 09:55 . 2012-01-25 08:38 71572 c:\windows\system32\perfc009.dat
+ 2006-06-06 09:55 . 2012-01-25 08:38 441908 c:\windows\system32\perfh009.dat
- 2006-06-06 09:55 . 2012-01-22 09:53 441908 c:\windows\system32\perfh009.dat
+ 2011-06-06 12:55 . 2011-06-06 12:55 1189004 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\JSByteCodeWin.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE" [2009-11-25 95632]
"TOSCDSPD"="c:\program files\toshiba\toscdspd\toscdspd.exe" [2005-04-11 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="thpsrv" [X]
"SkyTel"="SkyTel.EXE" [2006-04-24 1448960]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-05-18 253952]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-04 88204]
"TPSODDCtl"="TPSODDCtl.exe" [2006-05-19 102400]
"TFNF5"="TFNF5.exe" [2006-04-11 622592]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-08-31 102400]
"TOSDCR"="TOSDCR.EXE" [2005-12-12 57344]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-09 16207360]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2003-08-18 1048576]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-06-30 24576]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-06-29 28739]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-11-25 54672]
"QuickTime Task"="e:\quicktime\QTTask.exe" [2008-09-06 413696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"MobileConnect"="c:\program files\vodafone\vodafone mobile connect\bin\mobileconnect.exe" [2008-10-09 2086912]
"Microsoft Works Portfolio"="c:\program files\microsoft works\wkssb.exe" [2000-07-03 311350]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"DLA"="c:\windows\system32\dla\dlactrlw.exe" [2005-10-06 122940]
"NDSTray.exe"="ndstray.exe" [bU]
"TPSMain"="tpsmain.exe" [2006-05-19 299008]
"Apoint"="c:\program files\apoint2k\apoint.exe" [2004-03-24 196608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Brian\Start Menu\Programs\Startup\
Camio Viewer.lnk - c:\program files\Sierra Imaging\Image Expert\IXApplet.exe [2011-9-23 98816]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-6-29 24633]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
2009-11-25 20:42 95632 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [27/12/2004 22:31 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [06/06/2006 13:27 6144]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [06/10/2011 06:52 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [06/10/2011 06:52 86224]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [06/10/2011 06:52 463824]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [09/10/2008 14:32 14336]
R3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\drivers\WG511ICB.sys [22/03/2004 15:50 390016]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [06/06/2006 13:49 35968]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 20:37 4640000]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [06/06/2006 09:55 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://btyahoo.com/
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\tw9h3p8f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://home.bt.yahoo.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-26 07:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,80,b1,96,27,61,73,41,b3,53,d9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,80,b1,96,27,61,73,41,b3,53,d9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(912)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
- - - - - - - > 'explorer.exe'(2936)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe c:\progra~1\McAfee.com\PERSON~1\MPFSERVICE.exe c:\windows\system32\ThpSrv.exe c:\program files\Avira\AntiVir Desktop\avshadow.exe c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe c:\windows\SkyTel.EXE c:\windows\AGRSMMSG.exe c:\windows\system32\thpsrv.exe c:\windows\RTHDCPL.EXE c:\program files\TOSHIBA\ConfigFree\NDSTray.exe c:\windows\system32\tpsmain.exe c:\windows\system32\TPSBattM.exe c:\program files\Apoint2K\Apntex.exe . ************************************************************************** . Completion time: 2012-01-26 07:18:29 - machine was rebooted ComboFix-quarantined-files.txt 2012-01-26 07:18 ComboFix2.txt 2012-01-25 08:40 ComboFix3.txt 2012-01-24 06:50 ComboFix4.txt 2012-01-22 10:43 . Pre-Run: 303,337,869,312 bytes free Post-Run: 303,328,432,128 bytes free . - - End Of File - - A2C8332B42F2D05C25CA469EA73AE704
  11. Save this as CFScript.txt, in the same location as ComboFix.exe. Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt. Please post the ComboFix.txt in your next reply.

==========

Next, please follow the instructions below to reset System Restore: On the Desktop, right-click My Computer > Properties > System Restore. Check Turn off System Restore. Click Apply (a window will pop up and ask if you really want to turn it off). Click Yes. Please wait a few moments to let it clear. Now, please remove the check from Turn off System Restore. Click Apply, and then click OK.

Your startup issue could be due to too many programs starting up when you boot your computer. Please re-run HJT and post its log in your next reply.

Finally, please run a free online scan with the ESET Online Scanner. Note: You will need to use Internet Explorer for this scan. Tick the box next to YES, I accept the Terms of Use. Click Start. When asked, allow the ActiveX control to install. Click Start. Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked. Click Scan. Wait for the scan to finish. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt. Copy and paste that log as a reply to this topic.

==========

In your next reply, please post the following: ComboFix.txt. Log from HJT. log.txt. Are there any other issues on your computer?

Hello again, My computer seems to be running ok apart from start up, which is now taking about 4/5 minutes to complete. When I power up I get the XP Microsoft screen, then the message "Windows is starting up" followed by the "Welcome" screen. This takes about 2 minutes. I then get the desktop but without any icons. After about 90 seconds the icons load and it starts to load running programs in the bottom right hand corner; this takes around 1 minute.
Once start up is complete, when I click on a program or website they come up quite quickly. Once again, thanks for your help. I won't know until reboot if start up time has improved. I enclose logs as requested.

ComboFix 12-01-23.02 - Brian 25/01/2012 8:22.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1307 [GMT 0:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript..txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"e:\igor\giveawaytemplate\SoftonicDownloader_for_nvu.exe"
"e:\set up folder\asc-setup.exe"
"e:\set up folder\asc-setup.exee:\set up folder\cnet_EFRCSetup_exe.exe"
"e:\set up folder\cnet_EFRCSetup_exe.exe"
"e:\set up folder\imf-setup.exe"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

e:\igor\giveawaytemplate\SoftonicDownloader_for_nvu.exe
e:\set up folder\asc-setup.exe
e:\set up folder\cnet_EFRCSetup_exe.exe
e:\set up folder\imf-setup.exe
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:00:32, on 25/01/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
C:\Documents and Settings\Brian\My Documents\Downloads\imf-setup.exe a variant of Win32/Toolbar.Widgi application
C:\Program Files\Trend Micro\HiJackThis\backups\backup-20120122-094750-233.dll Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\DnsBHO.dll a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll a variant of Win32/Toolbar.SearchSuite application
C:\Qoobox\Quarantine\E\Igor\giveawaytemplate\SoftonicDownloader_for_nvu.exe.vir a variant of Win32/SoftonicDownloader.A application
C:\Qoobox\Quarantine\E\Set Up Folder\asc-setup.exe.vir a variant of Win32/Toolbar.Widgi application
C:\Qoobox\Quarantine\E\Set Up Folder\cnet_EFRCSetup_exe.exe.vir a variant of Win32/InstallCore.D application
C:\Qoobox\Quarantine\E\Set Up Folder\imf-setup.exe.vir a variant of Win32/Toolbar.Widgi application
E:\System Volume Information\_restore{D31C8A4A-A60E-4289-93EB-43E77D1210E8}\RP97\A0024128.exe a variant of Win32/Toolbar.Widgi application
  12. Save this as CFScript.txt, in the same location as ComboFix.exe. Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt. Please post the ComboFix.txt in your next reply.

==========

Please also run a free online scan with the ESET Online Scanner. Note: You will need to use Internet Explorer for this scan. Tick the box next to YES, I accept the Terms of Use. Click Start. When asked, allow the ActiveX control to install. Click Start. Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked. Click Scan. Wait for the scan to finish. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt. Copy and paste that log as a reply to this topic.

==========

In your next post, please reply with the following: The state of your computer and any current issues. ComboFix.txt. log.txt.

Hello again, My computer seems to be running fine apart from start up, which is now taking 4/5 minutes. When I power up I get the "XP is starting up" message, which lasts for about 30 seconds, then the "welcome" screen, which lasts for about 45 seconds, followed by the desktop but without desktop icons. This lasts for around two minutes, when the desktop items start appearing, after which running programs start appearing in the bottom right hand corner, taking about 35/40 seconds. Once start up has finished, when I click on a program or website they appear quite quickly. I enclose logs as requested. Thanks once again. sutra

ComboFix 12-01-23.02 - Brian 24/01/2012 6:36.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1417 [GMT 0:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"e:\iobit security 360\is360srv.exe"
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\Brian\Application Data\searchqutoolbar c:\program files\Ask.com c:\program files\Ask.com\assets\oobe\b.png c:\program files\Ask.com\assets\oobe\bl.png c:\program files\Ask.com\assets\oobe\br.png c:\program files\Ask.com\assets\oobe\l.png c:\program files\Ask.com\assets\oobe\pointer.png c:\program files\Ask.com\assets\oobe\r.png c:\program files\Ask.com\assets\oobe\t.png c:\program files\Ask.com\assets\oobe\tl.png c:\program files\Ask.com\assets\oobe\tr.png c:\program files\Ask.com\cb_4f.ico c:\program files\Ask.com\cobrand.ico c:\program files\Ask.com\config.xml c:\program files\Ask.com\favicon.ico c:\program files\Ask.com\fv_4e.ico c:\program files\Ask.com\mupcfg.xml c:\program files\Ask.com\precache.exe c:\program files\Ask.com\SaUpdate.exe c:\program files\Ask.com\Updater\config.xml c:\program files\Ask.com\Updater\Updater.exe c:\program files\Ask.com\UpdateTask.exe e:\iobit security 360\is360srv.exe . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Legacy_IS360SERVICE -------\Service_IS360service . . ((((((((((((((((((((((((( Files Created from 2011-12-24 to 2012-01-24 ))))))))))))))))))))))))))))))) . . 2012-01-20 09:16 . 2012-01-20 09:16 -------- d-----w- c:\program files\ESET 2012-01-20 09:08 . 2012-01-20 09:08 388096 ----a-r- c:\documents and settings\Brian\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2012-01-20 09:08 . 2012-01-20 09:08 -------- d-----w- c:\program files\Trend Micro 2012-01-19 13:45 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll 2012-01-16 06:51 . 2012-01-23 19:02 -------- d-----w- c:\documents and settings\Brian\.thumbnails 2012-01-14 10:17 . 2011-10-14 14:47 23040 -c----w- c:\windows\system32\dllcache\mciseq.dll 2012-01-14 10:17 . 
2011-10-14 14:47 176128 -c----w- c:\windows\system32\dllcache\winmm.dll 2012-01-14 10:15 . 2011-11-03 15:28 386048 -c----w- c:\windows\system32\dllcache\qdvd.dll 2012-01-14 10:14 . 2011-11-18 12:35 60416 -c----w- c:\windows\system32\dllcache\packager.exe 2012-01-14 10:05 . 2012-01-14 10:05 -------- d-----w- c:\windows\system32\winrm 2012-01-12 07:27 . 2012-01-12 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess 2012-01-11 06:46 . 2012-01-11 06:46 -------- d-----w- c:\documents and settings\Brian\Local Settings\Application Data\Ilivid Player 2012-01-11 06:46 . 2012-01-11 06:46 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318} 2012-01-11 06:44 . 2012-01-11 06:45 -------- d-----w- c:\program files\Windows iLivid Toolbar 2012-01-10 05:13 . 2012-01-10 05:13 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll 2012-01-10 05:13 . 2012-01-10 05:13 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll 2012-01-10 05:13 . 2012-01-10 05:13 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll 2012-01-10 05:13 . 2012-01-10 05:13 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll 2012-01-05 14:22 . 2012-01-05 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee 2012-01-05 11:30 . 2012-01-05 11:35 -------- d-----w- c:\program files\Facebook Buzz 2012-01-04 19:21 . 2012-01-04 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound 2012-01-04 19:17 . 2012-01-04 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software 2012-01-04 18:31 . 2012-01-04 18:31 -------- d-----w- c:\windows\system32\CatRoot_bak 2012-01-04 06:15 . 2012-01-04 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1} 2012-01-03 13:10 . 
2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll 2011-12-29 10:33 . 2012-01-14 07:31 -------- d-----w- c:\program files\eBook Maestro FREE . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-12-10 15:24 . 2011-09-22 13:26 20464 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-12-09 08:03 . 2011-10-06 06:52 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys 2011-11-25 21:57 . 2006-06-06 09:55 293376 ----a-w- c:\windows\system32\winsrv.dll 2011-11-23 13:25 . 2006-06-06 09:55 1859584 ----a-w- c:\windows\system32\win32k.sys 2011-11-18 12:35 . 2006-06-06 09:55 60416 ----a-w- c:\windows\system32\packager.exe 2011-11-16 14:21 . 2006-06-06 09:55 354816 ----a-w- c:\windows\system32\winhttp.dll 2011-11-16 14:21 . 2006-06-06 09:55 152064 ----a-w- c:\windows\system32\schannel.dll 2011-11-12 07:49 . 2011-10-04 17:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-11-04 19:20 . 2006-06-06 09:55 916992 ----a-w- c:\windows\system32\wininet.dll 2011-11-04 19:20 . 2006-06-06 09:54 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-11-04 19:20 . 2006-06-06 09:54 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-11-04 11:23 . 2006-06-06 09:54 385024 ----a-w- c:\windows\system32\html.iec 2011-11-03 15:28 . 2006-06-06 09:55 386048 ----a-w- c:\windows\system32\qdvd.dll 2011-11-03 15:28 . 2006-06-06 09:55 1292288 ----a-w- c:\windows\system32\quartz.dll 2011-11-01 16:07 . 2006-06-06 09:55 1288704 ----a-w- c:\windows\system32\ole32.dll 2011-10-28 05:31 . 2006-06-06 09:54 33280 ----a-w- c:\windows\system32\csrsrv.dll 2012-01-10 05:13 . 2011-10-14 06:35 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((( SnapShot@2012-01-22_10.38.00 ))))))))))))))))))))))))))))))))))))))))) . - 2006-06-06 09:55 . 2012-01-22 09:53 71572 c:\windows\system32\perfc009.dat + 2006-06-06 09:55 . 
2012-01-24 06:30 71572 c:\windows\system32\perfc009.dat + 2006-06-06 09:55 . 2012-01-24 06:30 441908 c:\windows\system32\perfh009.dat - 2006-06-06 09:55 . 2012-01-22 09:53 441908 c:\windows\system32\perfh009.dat + 2011-06-06 12:55 . 2011-06-06 12:55 1189004 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\JSByteCodeWin.bin . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE" [2009-11-25 95632] "TOSCDSPD"="c:\program files\toshiba\toscdspd\toscdspd.exe" [2005-04-11 65536] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ThpSrv"="thpsrv" [X] "SkyTel"="SkyTel.EXE" [2006-04-24 1448960] "00THotkey"="c:\windows\system32\00THotkey.exe" [2006-05-18 253952] "000StTHK"="000StTHK.exe" [2001-06-23 24576] "AGRSMMSG"="AGRSMMSG.exe" [2006-03-04 88204] "TPSODDCtl"="TPSODDCtl.exe" [2006-05-19 102400] "TFNF5"="TFNF5.exe" [2006-04-11 622592] "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784] "TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-08-31 102400] "TOSDCR"="TOSDCR.EXE" [2005-12-12 57344] "TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784] "RTHDCPL"="RTHDCPL.EXE" [2006-05-09 16207360] "MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2003-08-18 1048576] "WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-06-30 24576] "Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-06-29 28739] "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520] "avgnt"="c:\program 
files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152] "OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-11-25 54672] "QuickTime Task"="e:\quicktime\QTTask.exe" [2008-09-06 413696] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712] "MobileConnect"="c:\program files\vodafone\vodafone mobile connect\bin\mobileconnect.exe" [2008-10-09 2086912] "Microsoft Works Portfolio"="c:\program files\microsoft works\wkssb.exe" [2000-07-03 311350] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208] "DLA"="c:\windows\system32\dla\dlactrlw.exe" [2005-10-06 122940] "NDSTray.exe"="ndstray.exe" [bU] "TPSMain"="tpsmain.exe" [2006-05-19 299008] "Apoint"="c:\program files\apoint2k\apoint.exe" [2004-03-24 196608] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] . c:\documents and settings\Brian\Start Menu\Programs\Startup\ Camio Viewer.lnk - c:\program files\Sierra Imaging\Image Expert\IXApplet.exe [2011-9-23 98816] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588] Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-6-29 24633] . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] 2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe . 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor] 2009-11-25 20:42 95632 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management . R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [27/12/2004 22:31 16384] R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [06/06/2006 13:27 6144] R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [06/10/2011 06:52 36000] R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [06/10/2011 06:52 86224] R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [06/10/2011 06:52 463824] R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [09/10/2008 14:32 14336] R3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\drivers\WG511ICB.sys [22/03/2004 15:50 390016] S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [06/06/2006 13:49 35968] S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 20:37 4640000] S3 WinRM;Windows Remote Management 
(WS-Management);c:\windows\system32\svchost.exe -k WINRM [06/06/2006 09:55 14336] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc WINRM REG_MULTI_SZ WINRM . Contents of the 'Scheduled Tasks' folder . . ------- Supplementary Scan ------- . uStart Page = hxxp://btyahoo.com/ LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll TCP: DhcpNameServer = 192.168.1.254 FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\tw9h3p8f.default\ FF - prefs.js: browser.search.selectedEngine - Google . - - - - ORPHANS REMOVED - - - - . HKLM-Run-ApnUpdater - c:\program files\ask.com\updater\updater.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-01-24 06:47 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (LocalSystem) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,80,b1,96,27,61,73,41,b3,53,d9,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,80,b1,96,27,61,73,41,b3,53,d9,\ . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'lsass.exe'(912) c:\program files\Avira\AntiVir Desktop\avsda.dll . 
- - - - - - - > 'explorer.exe'(1712) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll c:\windows\system32\TPwrCfg.DLL c:\windows\system32\TPwrReg.dll c:\windows\system32\TPSTrace.DLL . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\acs.exe c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe c:\progra~1\McAfee.com\PERSON~1\MPFSERVICE.exe c:\windows\system32\ThpSrv.exe c:\program files\Avira\AntiVir Desktop\avshadow.exe c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe c:\windows\SkyTel.EXE c:\windows\AGRSMMSG.exe c:\windows\system32\thpsrv.exe c:\windows\RTHDCPL.EXE c:\program files\TOSHIBA\ConfigFree\NDSTray.exe c:\windows\system32\tpsmain.exe c:\windows\system32\TPSBattM.exe c:\program files\Apoint2K\Apntex.exe . ************************************************************************** . Completion time: 2012-01-24 06:50:21 - machine was rebooted ComboFix-quarantined-files.txt 2012-01-24 06:50 ComboFix2.txt 2012-01-22 10:43 . Pre-Run: 297,629,835,264 bytes free Post-Run: 297,620,238,336 bytes free . 
- - End Of File - - 9F68D897A64841ED6A27E9370441F956 C:\Documents and Settings\Brian\My Documents\Downloads\imf-setup.exe a variant of Win32/Toolbar.Widgi application C:\Program Files\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll Win32/Toolbar.SearchSuite application C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll a variant of Win32/Toolbar.SearchSuite application C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite application C:\Program Files\Windows iLivid Toolbar\Datamngr\DnsBHO.dll a variant of Win32/Toolbar.SearchSuite application C:\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll a variant of Win32/Toolbar.SearchSuite application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021551.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021552.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021553.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021554.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021555.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021556.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023563.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023564.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023565.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023566.exe 
Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023567.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023568.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023714.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023720.exe a variant of Win32/Toolbar.Widgi application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023723.exe a variant of Win32/Toolbar.Widgi application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023726.exe a variant of Win32/Toolbar.Widgi application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023733.exe a variant of Win32/SoftonicDownloader.A application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015059.exe a variant of Win32/Toolbar.MyWebSearch.O application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015061.dll Win32/Toolbar.MyWebSearch application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015062.dll probably a variant of Win32/FunWeb.AA application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015063.dll Win32/Toolbar.MyWebSearch application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015068.dll probably a variant of Win32/Toolbar.MyWebSearch.F application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015069.dll probably a variant of Win32/Toolbar.MyWebSearch.B application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015072.dll a variant of Win32/Toolbar.MyWebSearch application 
E:\Set Up Folder\asc-setup.exe a variant of Win32/Toolbar.Widgi application E:\Set Up Folder\cnet_EFRCSetup_exe.exe a variant of Win32/InstallCore.D application E:\Set Up Folder\imf-setup.exe a variant of Win32/Toolbar.Widgi application E:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP136\A0023286.exe a variant of Win32/Toolbar.Widgi application E:\System Volume Information\_restore{D31C8A4A-A60E-4289-93EB-43E77D1210E8}\RP97\A0024128.exe a variant of Win32/Toolbar.Widgi application E:\Igor\giveawaytemplate\SoftonicDownloader_for_nvu.exe a variant of Win32/SoftonicDownloader.A application Operating memory a variant of Win32/Toolbar.SearchSuite application
  13. Hi, The Dark Knight, I've followed your instructions as best I could. I couldn't see any of the programs you listed in Add/Remove. I've also deleted the items listed in the HJT log. I've downloaded and run TDSSKiller. After the scan it shows a window saying that it has scanned 210 items and no threats were found. No reboot was required; I clicked on Report and the log came up. I selected all, but for some reason I can't copy and paste it as requested. It doesn't appear I am being redirected, as when I open up my browser (Firefox) my selected home page appears with no reference to searchqu. I enclose the ComboFix log and a fresh HJT log as requested. Once again, your help is much appreciated.

ComboFix 12-01-21.02 - Brian 22/01/2012 10:31:43.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1306 [GMT 0:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Brian\WINDOWS
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
e:\recipe~1\75RECI~1\MISSle~1.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-22 to 2012-01-22 )))))))))))))))))))))))))))))))
.
.
2012-01-20 09:16 . 2012-01-20 09:16 -------- d-----w- c:\program files\ESET
2012-01-20 09:08 . 2012-01-20 09:08 388096 ----a-r- c:\documents and settings\Brian\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-01-20 09:08 . 2012-01-20 09:08 -------- d-----w- c:\program files\Trend Micro
2012-01-19 13:45 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-01-19 12:23 . 2012-01-19 12:23 -------- d-----w- c:\documents and settings\Brian\Application Data\searchqutoolbar
2012-01-16 06:51 .
2012-01-16 06:51 -------- d-----w- c:\documents and settings\Brian\.thumbnails 2012-01-14 10:17 . 2011-10-14 14:47 23040 -c----w- c:\windows\system32\dllcache\mciseq.dll 2012-01-14 10:17 . 2011-10-14 14:47 176128 -c----w- c:\windows\system32\dllcache\winmm.dll 2012-01-14 10:15 . 2011-11-03 15:28 386048 -c----w- c:\windows\system32\dllcache\qdvd.dll 2012-01-14 10:14 . 2011-11-18 12:35 60416 -c----w- c:\windows\system32\dllcache\packager.exe 2012-01-14 10:05 . 2012-01-14 10:05 -------- d-----w- c:\windows\system32\winrm 2012-01-12 07:27 . 2012-01-12 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess 2012-01-11 06:46 . 2012-01-11 06:46 -------- d-----w- c:\documents and settings\Brian\Local Settings\Application Data\Ilivid Player 2012-01-11 06:46 . 2012-01-11 06:46 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318} 2012-01-11 06:44 . 2012-01-11 06:45 -------- d-----w- c:\program files\Windows iLivid Toolbar 2012-01-10 05:13 . 2012-01-10 05:13 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll 2012-01-10 05:13 . 2012-01-10 05:13 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll 2012-01-10 05:13 . 2012-01-10 05:13 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll 2012-01-10 05:13 . 2012-01-10 05:13 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll 2012-01-05 14:22 . 2012-01-05 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee 2012-01-05 11:30 . 2012-01-05 11:35 -------- d-----w- c:\program files\Facebook Buzz 2012-01-04 19:21 . 2012-01-04 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound 2012-01-04 19:17 . 2012-01-04 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software 2012-01-04 18:31 . 2012-01-04 18:31 -------- d-----w- c:\windows\system32\CatRoot_bak 2012-01-04 06:15 . 
2012-01-04 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1} 2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll 2011-12-29 10:33 . 2012-01-14 07:31 -------- d-----w- c:\program files\eBook Maestro FREE . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-12-10 15:24 . 2011-09-22 13:26 20464 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-12-09 08:03 . 2011-10-06 06:52 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys 2011-11-25 21:57 . 2006-06-06 09:55 293376 ----a-w- c:\windows\system32\winsrv.dll 2011-11-23 13:25 . 2006-06-06 09:55 1859584 ----a-w- c:\windows\system32\win32k.sys 2011-11-18 12:35 . 2006-06-06 09:55 60416 ----a-w- c:\windows\system32\packager.exe 2011-11-16 14:21 . 2006-06-06 09:55 354816 ----a-w- c:\windows\system32\winhttp.dll 2011-11-16 14:21 . 2006-06-06 09:55 152064 ----a-w- c:\windows\system32\schannel.dll 2011-11-12 07:49 . 2011-10-04 17:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-11-04 19:20 . 2006-06-06 09:55 916992 ----a-w- c:\windows\system32\wininet.dll 2011-11-04 19:20 . 2006-06-06 09:54 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-11-04 19:20 . 2006-06-06 09:54 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-11-04 11:23 . 2006-06-06 09:54 385024 ----a-w- c:\windows\system32\html.iec 2011-11-03 15:28 . 2006-06-06 09:55 386048 ----a-w- c:\windows\system32\qdvd.dll 2011-11-03 15:28 . 2006-06-06 09:55 1292288 ----a-w- c:\windows\system32\quartz.dll 2011-11-01 16:07 . 2006-06-06 09:55 1288704 ----a-w- c:\windows\system32\ole32.dll 2011-10-28 05:31 . 2006-06-06 09:54 33280 ----a-w- c:\windows\system32\csrsrv.dll 2011-10-25 13:33 . 2006-06-06 09:55 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe 2011-10-25 12:52 . 2004-08-03 22:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe 2012-01-10 05:13 . 
2011-10-14 06:35 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE" [2009-11-25 95632] "TOSCDSPD"="c:\program files\toshiba\toscdspd\toscdspd.exe" [2005-04-11 65536] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ThpSrv"="thpsrv" [X] "SkyTel"="SkyTel.EXE" [2006-04-24 1448960] "00THotkey"="c:\windows\system32\00THotkey.exe" [2006-05-18 253952] "000StTHK"="000StTHK.exe" [2001-06-23 24576] "AGRSMMSG"="AGRSMMSG.exe" [2006-03-04 88204] "TPSODDCtl"="TPSODDCtl.exe" [2006-05-19 102400] "TFNF5"="TFNF5.exe" [2006-04-11 622592] "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784] "TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-08-31 102400] "TOSDCR"="TOSDCR.EXE" [2005-12-12 57344] "TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784] "RTHDCPL"="RTHDCPL.EXE" [2006-05-09 16207360] "MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2003-08-18 1048576] "WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-06-30 24576] "Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-06-29 28739] "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152] "OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-11-25 54672] "QuickTime 
Task"="e:\quicktime\QTTask.exe" [2008-09-06 413696] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712] "MobileConnect"="c:\program files\vodafone\vodafone mobile connect\bin\mobileconnect.exe" [2008-10-09 2086912] "ApnUpdater"="c:\program files\ask.com\updater\updater.exe" [2011-09-08 888488] "Microsoft Works Portfolio"="c:\program files\microsoft works\wkssb.exe" [2000-07-03 311350] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208] "DLA"="c:\windows\system32\dla\dlactrlw.exe" [2005-10-06 122940] "NDSTray.exe"="ndstray.exe" [bU] "TPSMain"="tpsmain.exe" [2006-05-19 299008] "Apoint"="c:\program files\apoint2k\apoint.exe" [2004-03-24 196608] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] . c:\documents and settings\Brian\Start Menu\Programs\Startup\ Camio Viewer.lnk - c:\program files\Sierra Imaging\Image Expert\IXApplet.exe [2011-9-23 98816] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588] Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-6-29 24633] . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] 2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor] 2009-11-25 20:42 95632 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe . 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management . R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [27/12/2004 22:31 16384] R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [06/06/2006 13:27 6144] R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [06/10/2011 06:52 36000] R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [06/10/2011 06:52 86224] R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [06/10/2011 06:52 463824] R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [09/10/2008 14:32 14336] R3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\drivers\WG511ICB.sys [22/03/2004 15:50 390016] S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [06/06/2006 13:49 35968] S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 20:37 4640000] S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [06/06/2006 09:55 14336] S4 IS360service;IS360service;e:\iobit security 360\is360srv.exe [29/03/2011 14:25 312152] . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ	hpqcxs08 hpqddsvc
WINRM	REG_MULTI_SZ	WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-22 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-11-21 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://btyahoo.com/
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\tw9h3p8f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=113&systemid=406&sr=0&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-10 - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-22 10:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,80,b1,96,27,61,73,41,b3,53,d9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,80,b1,96,27,61,73,41,b3,53,d9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(912)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
- - - - - - - > 'explorer.exe'(2676)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\progra~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\windows\system32\ThpSrv.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\windows\SkyTel.EXE
c:\windows\AGRSMMSG.exe
c:\windows\system32\thpsrv.exe
c:\windows\RTHDCPL.EXE
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\tpsmain.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Apoint2K\Apntex.exe
.
**************************************************************************
.
Completion time: 2012-01-22 10:43:03 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-22 10:43
.
Pre-Run: 297,693,462,528 bytes free
Post-Run: 297,733,439,488 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /forceresetreg
.
- - End Of File - - 342D0637E681798766949171DCADF315

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:13:21, on 22/01/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\QuickTime\QTTask.exe
C:\program files\ask.com\updater\updater.exe
C:\program files\microsoft works\wkssb.exe
C:\windows\system32\dla\dlactrlw.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\tpsmain.exe
C:\program files\apoint2k\apoint.exe
C:\PROGRAM FILES\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\program files\toshiba\toscdspd\toscdspd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://btyahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [QuickTime Task] "E:\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MobileConnect] %programfiles%\vodafone\vodafone mobile connect\bin\mobileconnect.exe /silent
O4 - HKLM\..\Run: [ApnUpdater] c:\program files\ask.com\updater\updater.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\program files\microsoft works\wkssb.exe /allusers
O4 - HKLM\..\Run: [igfxtray] c:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [DLA] c:\windows\system32\dla\dlactrlw.exe
O4 - HKLM\..\Run: [NDSTray.exe] ndstray.exe
O4 - HKLM\..\Run: [TPSMain] tpsmain.exe
O4 - HKLM\..\Run: [Apoint] c:\program files\apoint2k\apoint.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\PROGRAM FILES\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE"
O4 - HKCU\..\Run: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Web Protection (AntiVirWebService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

--
End of file - 9630 bytes
  14. Hi, Budfred, First, may I apologize for any inconvenience I may have caused. I only tried IOBit in desperation. When it didn't work I immediately uninstalled it. I enclose logs as requested in the FAQs, hope they help.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 09:08:56, on 20/01/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe
E:\IObit Security 360\IS360srv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
C:\PROGRAM FILES\ASK.COM\UPDATER\UPDATER.EXE
C:\PROGRAM FILES\TOSHIBA\TOSCDSPD\TOSCDSPD.EXE
C:\WINDOWS\SYSTEM32\DLA\DLACTRLW.EXE
C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT\IXAPPLET.EXE
C:\PROGRAM FILES\APOINT2K\APOINT.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\system32\TPSMAIN.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\IObit Security 360\IS360tray.exe
E:\QuickTime\QTTask.exe
C:\PROGRA~1\WI371A~1\Datamngr\DATAMN~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://btyahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O2 - BHO: DataMngr - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~1\WI371A~1\Datamngr\BROWSE~1.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Avira SearchFree Toolbar plus Web Protection - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [iObit Security 360] "E:\IObit Security 360\IS360tray.exe" /autostart
O4 - HKLM\..\Run: [QuickTime Task] "E:\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~1\WI371A~1\Datamngr\DATAMN~1.EXE
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MobileConnect] %programfiles%\vodafone\vodafone mobile connect\bin\mobileconnect.exe /silent
O4 - HKLM\..\Run: [ApnUpdater] c:\program files\ask.com\updater\updater.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\program files\microsoft works\wkssb.exe /allusers
O4 - HKLM\..\Run: [igfxtray] c:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [DLA] c:\windows\system32\dla\dlactrlw.exe
O4 - HKLM\..\Run: [NDSTray.exe] ndstray.exe
O4 - HKLM\..\Run: [TPSMain] tpsmain.exe
O4 - HKLM\..\Run: [Apoint] c:\program files\apoint2k\apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [OM2_Monitor] "C:\PROGRAM FILES\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE"
O4 - HKCU\..\Run: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
O4 - HKUS\S-1-5-21-376223065-1116662459-1246894612-500\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-376223065-1116662459-1246894612-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-376223065-1116662459-1246894612-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Search - http://tbedits.dailyburn.com/one-toolbaredits/menusearch.jhtml?s=100000606&p=YNxdm005YYgb&si=&a=732AFEDF-A2C9-4355-AC9E-BE77D89973F9&n=2011102608
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\WI371A~1\Datamngr\datamngr.dll C:\PROGRA~1\WI371A~1\Datamngr\IEBHO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Web Protection (AntiVirWebService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IS360service - IObit - E:\IObit Security 360\IS360srv.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

--
EOF - 11983 bytes

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.20.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Brian :: BRIAN-HOME [administrator]

20/01/2012 07:23:23
mbam-log-2012-01-20 (07-23-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 183662
Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Brian at 7:46:09 on 2012-01-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1157 [GMT 0:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
E:\IObit Security 360\IS360srv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
C:\PROGRAM FILES\ASK.COM\UPDATER\UPDATER.EXE
C:\PROGRAM FILES\TOSHIBA\TOSCDSPD\TOSCDSPD.EXE
C:\WINDOWS\SYSTEM32\DLA\DLACTRLW.EXE
C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT\IXAPPLET.EXE
C:\PROGRAM FILES\APOINT2K\APOINT.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\system32\TPSMAIN.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\IObit Security 360\IS360tray.exe
E:\QuickTime\QTTask.exe
C:\PROGRA~1\WI371A~1\Datamngr\DATAMN~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://btyahoo.com/
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi371a~1\datamngr\toolbar\searchqudtx.dll
BHO: DataMngr: {9d717f81-9148-4f12-8568-69135f087db0} - c:\progra~1\wi371a~1\datamngr\BROWSE~1.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Avira SearchFree Toolbar plus Web Protection: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Avira SearchFree Toolbar plus Web Protection: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi371a~1\datamngr\toolbar\searchqudtx.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Encarta &Researcher: {9455301c-cf6b-11d3-a266-00c04f689c50} - c:\program files\common files\microsoft shared\reference 2001\EROProj.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMONITOR.EXE"
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
mRun: [skyTel] SkyTel.EXE
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [ThpSrv] thpsrv /logon
mRun: [TFNF5] TFNF5.exe
mRun: [smoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [TOSDCR] TOSDCR.EXE
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM
mRun: [iObit Security 360] "e:\iobit security 360\IS360tray.exe" /autostart
mRun: [QuickTime Task] "e:\quicktime\QTTask.exe" -atboottime
mRun: [DATAMNGR] c:\progra~1\wi371a~1\datamngr\DATAMN~1.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MobileConnect] %programfiles%\vodafone\vodafone mobile connect\bin\mobileconnect.exe /silent
mRun: [ApnUpdater] c:\program files\ask.com\updater\updater.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\wkssb.exe /allusers
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [DLA] c:\windows\system32\dla\dlactrlw.exe
mRun: [NDSTray.exe] ndstray.exe
mRun: [TPSMain] tpsmain.exe
mRun: [Apoint] c:\program files\apoint2k\apoint.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\brian\startm~1\programs\startup\camiov~1.lnk - c:\program files\sierra imaging\image expert\IXApplet.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: &Search - http://tbedits.dailyburn.com/one-toolbaredits/menusearch.jhtml?s=100000606&p=YNxdm005YYgb&si=&a=732AFEDF-A2C9-4355-AC9E-BE77D89973F9&n=2011102608
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {9455301C-CF6B-11D3-A266-00C04F689C50} - {9455301C-CF6B-11D3-A266-00C04F689C50} - c:\program files\common files\microsoft shared\reference 2001\EROProj.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{3628E500-E42D-4E58-A852-DC147F216A97} : DhcpNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: msencarta - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - c:\program files\common files\microsoft shared\reference 2001\MSREF.DLL
Handler: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - c:\program files\common files\microsoft shared\reference 2001\msero.dll
Handler: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - c:\program files\common files\microsoft shared\reference 2001\MSREF.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\wi371a~1\datamngr\datamngr.dll c:\progra~1\wi371a~1\datamngr\IEBHO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\brian\application data\mozilla\firefox\profiles\tw9h3p8f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=113&systemid=406&sr=0&q=
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2004-12-27 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2006-6-6 6144]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-6 36000]
R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2011-9-22 55936]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-6 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-10-6 110032]
R2 AntiVirWebService;Avira Web Protection;c:\program files\avira\antivir desktop\avwebgrd.exe [2011-10-6 463824]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-6 74640]
R2 IS360service;IS360service;e:\iobit security 360\is360srv.exe [2011-3-29 312152]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-10-9 14336]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-1-20 40776]
R3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\drivers\WG511ICB.sys [2004-3-22 390016]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-6-6 35968]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-6-6 14336]
.
=============== Created Last 30 ================
.
2012-01-20 07:22:29 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2012-01-19 13:45:48 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll 2012-01-19 12:23:09 -------- d-----w- c:\documents and settings\brian\application data\searchqutoolbar 2012-01-17 09:13:39 -------- d-----w- c:\program files\common files\ODBC 2012-01-16 06:51:06 -------- d-----w- c:\documents and settings\brian\.thumbnails 2012-01-14 10:17:31 23040 -c----w- c:\windows\system32\dllcache\mciseq.dll 2012-01-14 10:17:31 176128 -c----w- c:\windows\system32\dllcache\winmm.dll 2012-01-14 10:15:20 386048 -c----w- c:\windows\system32\dllcache\qdvd.dll 2012-01-14 10:14:23 60416 -c----w- c:\windows\system32\dllcache\packager.exe 2012-01-14 10:05:14 -------- d-----w- c:\windows\system32\winrm 2012-01-12 07:27:09 -------- d-----w- c:\documents and settings\all users\application data\boost_interprocess 2012-01-11 06:46:26 -------- d-----w- c:\documents and settings\brian\local settings\application data\Ilivid Player 2012-01-11 06:46:17 -------- dc-h--w- c:\documents and settings\all users\application data\{B49A644A-1076-4A3D-B124-DAA7862F2318} 2012-01-11 06:44:54 -------- d-----w- c:\program files\Windows iLivid Toolbar 2012-01-10 05:13:33 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll 2012-01-10 05:13:33 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll 2012-01-10 05:13:33 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll 2012-01-10 05:13:33 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll 2012-01-05 11:30:46 -------- d-----w- c:\program files\Facebook Buzz 2012-01-04 18:31:39 -------- d-----w- c:\windows\system32\CatRoot_bak 2012-01-04 06:15:07 -------- d-----w- c:\documents and settings\all users\application data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1} 2012-01-03 13:10:44 182672 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll 2011-12-29 10:33:19 -------- d-----w- c:\program files\eBook Maestro FREE . 
==================== Find3M ==================== . 2011-12-10 15:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll 2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys 2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe 2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll 2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll 2011-11-12 07:49:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll 2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec 2011-11-03 15:28:36 386048 ----a-w- c:\windows\system32\qdvd.dll 2011-11-03 15:28:36 1292288 ----a-w- c:\windows\system32\quartz.dll 2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll 2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll 2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe 2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe . ============= FINISH: 7:47:03.93 =============== Results of screen317's Security Check version 0.99.30 Windows XP Service Pack 3 x86 Internet Explorer 8 `````````````````````````````` Antivirus/Firewall Check: Windows Firewall Enabled! Avira Free Antivirus McAfee Personal Firewall Plus Antivirus up to date! ``````````````````````````````` Anti-malware/Other Utilities Check: Spybot - Search & Destroy CCleaner Eusing Free Registry Cleaner Adobe Flash Player 11.1.102.55 Adobe Reader X (10.1.2) Mozilla Firefox 8.0. Firefox out of Date! ```````````````````````````````` Process Check: objlist.exe by Laurent Malwarebytes' Anti-Malware mbam.exe Avira Antivir avgnt.exe Avira Antivir avguard.exe ``````````End of Log```````````` Suspicious Policy. 
POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[sTART_SHOWRECENTDOCS] to be changed to: 1Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[sHOWSUPERHIDDEN] to be changed to: 1Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[HIDEFILEEXT] to be changed to: 0 C:\Documents and Settings\Brian\My Documents\Downloads\imf-setup.exe a variant of Win32/Toolbar.Widgi application C:\Program Files\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll Win32/Toolbar.SearchSuite application C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll a variant of Win32/Toolbar.SearchSuite application C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite application C:\Program Files\Windows iLivid Toolbar\Datamngr\DnsBHO.dll a variant of Win32/Toolbar.SearchSuite application C:\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll a variant of Win32/Toolbar.SearchSuite application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021551.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021552.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021553.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021554.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021555.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021556.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023563.exe Win32/RegistryBooster application C:\System Volume 
Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023564.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023565.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023566.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023567.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023568.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023714.exe Win32/RegistryBooster application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023720.exe a variant of Win32/Toolbar.Widgi application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023723.exe a variant of Win32/Toolbar.Widgi application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023726.exe a variant of Win32/Toolbar.Widgi application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023733.exe a variant of Win32/SoftonicDownloader.A application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015059.exe a variant of Win32/Toolbar.MyWebSearch.O application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015061.dll Win32/Toolbar.MyWebSearch application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015062.dll probably a variant of Win32/FunWeb.AA application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015063.dll Win32/Toolbar.MyWebSearch application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015068.dll probably a variant of 
Win32/Toolbar.MyWebSearch.F application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015069.dll probably a variant of Win32/Toolbar.MyWebSearch.B application C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015072.dll a variant of Win32/Toolbar.MyWebSearch application E:\Set Up Folder\asc-setup.exe a variant of Win32/Toolbar.Widgi application E:\Set Up Folder\cnet_EFRCSetup_exe.exe a variant of Win32/InstallCore.D application E:\Set Up Folder\imf-setup.exe a variant of Win32/Toolbar.Widgi application E:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP136\A0023286.exe a variant of Win32/Toolbar.Widgi application E:\System Volume Information\_restore{D31C8A4A-A60E-4289-93EB-43E77D1210E8}\RP97\A0024128.exe a variant of Win32/Toolbar.Widgi application E:\Igor\giveawaytemplate\SoftonicDownloader_for_nvu.exe a variant of Win32/SoftonicDownloader.A application Operating memory a variant of Win32/Toolbar.SearchSuite application EDIT: I have corrected the spaces in your HJT log as these logs are hard to read when spaced out. When using Notepad, please turn off "word wrap"
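Read one entry per line, the DDS log above shows the footprint a search-hijacking toolbar leaves: an AppInit_DLLs value that loads the toolbar's DLLs into every process, an mRun entry for DATAMNGR under the same directory, an orphaned TB: CLSID with no file behind it, and Firefox's browser.startup.homepage and keyword.URL pointing at searchqu.com and search-results.com. The following Python script is an added example, not part of this post and not the DDS tool's own code: it parses a constructed set of lines modelled on that log and returns the entries an analyst would look at first. The marker and host lists it uses are assumptions chosen for this illustration, not a vendor signature set.

```python
"""Triage DDS-style log lines for browser-hijacker indicators.

Added example, not part of the forum post or of the DDS tool. It reads a
handful of constructed lines modelled on the log above and returns the
entries an analyst would look at first. The marker lists below are
assumptions made for illustration, not a vendor signature set.
"""
import re
from dataclasses import dataclass

# Assumed indicators for the toolbar family seen in the log above.
SUSPECT_PATH_MARKERS = ("datamngr", "ilivid", "searchqu")
SUSPECT_HOSTS = ("searchqu.com", "search-results.com")
# Firefox homepage domains treated as expected; any other host is reported.
EXPECTED_HOMEPAGE_HOSTS = ("google.com", "mozilla.org")

SEVERITY_RANK = {"high": 0, "medium": 1}

# DDS defangs URLs as hxxp://, but the IE: context-menu line keeps http://.
_URL_RE = re.compile(r"(?:hxxps?|https?)://([^/\s]+)", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    kind: str      # appinit_dll, autorun, ff_pref, orphan_toolbar, ie_menu
    line: str


def _host_of(text):
    """Return the lowercase host of the first URL in text, or None."""
    m = _URL_RE.search(text)
    return m.group(1).lower() if m else None


def _under(host, domains):
    """True if host equals one of domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_line(line):
    """Classify one DDS line; None means nothing worth reporting."""
    line = line.strip()
    low = line.lower()
    if not line:
        return None
    if low.startswith("appinit_dlls:"):
        # HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
        # injects the listed DLLs into every process that loads user32.dll.
        # It is empty on a clean machine, so any value is reported.
        return Finding("high", "appinit_dll", line)
    if low.startswith("tb:") and low.endswith("- no file"):
        # Toolbar CLSID still registered but its DLL is gone: leftover of a
        # partial removal that should be cleaned up with the rest.
        return Finding("medium", "orphan_toolbar", line)
    if low.startswith(("urun:", "mrun:", "drun:", "startupfolder:")):
        if any(marker in low for marker in SUSPECT_PATH_MARKERS):
            return Finding("high", "autorun", line)
        return None
    if low.startswith("ff - prefs.js:"):
        host = _host_of(line)
        if host is None:
            return None
        if _under(host, SUSPECT_HOSTS):
            return Finding("high", "ff_pref", line)
        if "browser.startup.homepage" in low and not _under(host, EXPECTED_HOMEPAGE_HOSTS):
            return Finding("medium", "ff_pref", line)
        return None
    if low.startswith("ie:") and _host_of(line):
        # IE context-menu entry that sends searches to a third-party site.
        return Finding("medium", "ie_menu", line)
    return None


def triage(log_text):
    """Return findings for a whole log, highest severity first (stable order)."""
    findings = [f for f in map(triage_line, log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample, modelled on the DDS output above (one URL shortened).
SAMPLE_LOG = r"""
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DATAMNGR] c:\progra~1\wi371a~1\datamngr\DATAMN~1.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: &Search - http://tbedits.dailyburn.com/one-toolbaredits/menusearch.jhtml?s=100000606
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
AppInit_DLLs: c:\progra~1\wi371a~1\datamngr\datamngr.dll c:\progra~1\wi371a~1\datamngr\IEBHO.dll
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=113&systemid=406&sr=0&q=
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:15} {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it as-is and it prints the six flagged entries with the AppInit_DLLs and DATAMNGR lines on top; pasting a real DDS log into SAMPLE_LOG works the same way. The AppInit_DLLs check is the one that matters most for the "slow start-up" symptom in this thread, since every process that loads user32.dll pays the cost of loading those two DLLs.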
  15. Hi, Can anybody help? Pleeease! I've tried everything I know to get rid of searchqu. I've entered any file or folder name relating to searchqu in search all files and folders in C:/Local Disc but nothing shows up. I've deleted the folder and all its contents in H/Key/Machine/Software. I've changed the home page to default, but still, every time I reopen Firefox, it reverts to search.com. Also deep scans with my malware and spyware programs fail to reveal anything. In desperation I've even tried ASC and IObit. Any help would be much appreciated. Thanks. Jacksastar

Edit: Please read the Forum FAQ and post the requested logs. We need the information in order to help you.

EDIT: Also, IObit software is a rogue organization which reportedly stole information from other tools to create their programs... We do not generally work with their logs, but we do need the other ones we ask for in the FAQ... We recommend that you remove IObit since it may also install its own versions of malware... I disabled the link you posted since it may lead other people to get infected - please do not post potential active malware links in the forum... As cnm noted above, please read our FAQ and post the logs noted...