Browser Hijacking


  • This topic is locked
13 replies to this topic

#1 sutra (Full Member, 23 posts)

Posted 19 January 2012 - 08:34 AM

Hi,

Can anybody help? Pleeease!

I've tried everything I know to get rid of searchqu.
I've entered any file or folder name relating to searchqu in "search all files and folders" in C:/Local Disc, but nothing shows up.
I've deleted the folder and all its contents in H/Key/Machine/Software.
I've changed the home page to default, but still, every time I reopen Firefox, it reverts to search.com.
Also, deep scans with my malware and spyware programs fail to reveal anything. In desperation I've even tried ASC and IObit.
Any help would be much appreciated. Thanks.

Jacksastar

Edit: Please read the Forum FAQ and post the requested logs. We need the information in order to help you.

EDIT: Also, IObit software is a rogue organization which reportedly stole information from other tools to create their programs... We do not generally work with their logs, but we do need the other ones we ask for in the FAQ... We recommend that you remove IObit since it may also install its own versions of malware... I disabled the link you posted since it may lead other people to get infected - please do not post potential active malware links in the forum... As cnm noted above, please read our FAQ and post the logs noted...

Edited by Budfred, 19 January 2012 - 11:11 PM.


#2 sutra (Full Member, 23 posts)

Posted 20 January 2012 - 06:58 AM


Hi, Budfred,

First, may I apologize for any inconvenience I may have caused.
I only tried IObit in desperation. When it didn't work I immediately uninstalled it. I enclose the logs requested in the FAQ; hope they help.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 09:08:56, on 20/01/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe
E:\IObit Security 360\IS360srv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
C:\PROGRAM FILES\ASK.COM\UPDATER\UPDATER.EXE
C:\PROGRAM FILES\TOSHIBA\TOSCDSPD\TOSCDSPD.EXE
C:\WINDOWS\SYSTEM32\DLA\DLACTRLW.EXE
C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT\IXAPPLET.EXE
C:\PROGRAM FILES\APOINT2K\APOINT.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKSSHARED\WKCALREM.EXE
C:\WINDOWS\system32\TPSMAIN.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\IObit Security 360\IS360tray.exe
E:\QuickTime\QTTask.exe
C:\PROGRA~1\WI371A~1\Datamngr\DATAMN~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://btyahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O2 - BHO: DataMngr - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~1\WI371A~1\Datamngr\BROWSE~1.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Avira SearchFree Toolbar plus Web Protection - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [IObit Security 360] "E:\IObit Security 360\IS360tray.exe" /autostart
O4 - HKLM\..\Run: [QuickTime Task] "E:\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~1\WI371A~1\Datamngr\DATAMN~1.EXE
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MobileConnect] %programfiles%\vodafone\vodafone mobileconnect\bin\mobileconnect.exe /silent
O4 - HKLM\..\Run: [ApnUpdater] c:\program files\ask.com\updater\updater.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\program files\microsoft works\wkssb.exe /allusers
O4 - HKLM\..\Run: [igfxtray] c:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [DLA] c:\windows\system32\dla\dlactrlw.exe
O4 - HKLM\..\Run: [NDSTray.exe] ndstray.exe
O4 - HKLM\..\Run: [TPSMain] tpsmain.exe
O4 - HKLM\..\Run: [Apoint] c:\program files\apoint2k\apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [OM2_Monitor] "C:\PROGRAM FILES\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE"
O4 - HKCU\..\Run: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
O4 - HKUS\S-1-5-21-376223065-1116662459-1246894612-500\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-376223065-1116662459-1246894612-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-376223065-1116662459-1246894612-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Search - http://tbedits.daily...F9&n=2011102608
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\WI371A~1\Datamngr\datamngr.dll C:\PROGRA~1\WI371A~1\Datamngr\IEBHO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Web Protection (AntiVirWebService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IS360service - IObit - E:\IObit Security 360\IS360srv.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

EOF - 11983 bytes

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.20.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Brian :: BRIAN-HOME [administrator]

20/01/2012 07:23:23
mbam-log-2012-01-20 (07-23-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 183662
Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Brian at 7:46:09 on 2012-01-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1157 [GMT 0:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
E:\IObit Security 360\IS360srv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
C:\PROGRAM FILES\ASK.COM\UPDATER\UPDATER.EXE
C:\PROGRAM FILES\TOSHIBA\TOSCDSPD\TOSCDSPD.EXE
C:\WINDOWS\SYSTEM32\DLA\DLACTRLW.EXE
C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT\IXAPPLET.EXE
C:\PROGRAM FILES\APOINT2K\APOINT.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\system32\TPSMAIN.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\IObit Security 360\IS360tray.exe
E:\QuickTime\QTTask.exe
C:\PROGRA~1\WI371A~1\Datamngr\DATAMN~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://btyahoo.com/
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi371a~1\datamngr\toolbar\searchqudtx.dll
BHO: DataMngr: {9d717f81-9148-4f12-8568-69135f087db0} - c:\progra~1\wi371a~1\datamngr\BROWSE~1.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Avira SearchFree Toolbar plus Web Protection: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Avira SearchFree Toolbar plus Web Protection: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi371a~1\datamngr\toolbar\searchqudtx.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Encarta &Researcher: {9455301c-cf6b-11d3-a266-00c04f689c50} - c:\program files\common files\microsoft shared\reference 2001\EROProj.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMONITOR.EXE"
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [ThpSrv] thpsrv /logon
mRun: [TFNF5] TFNF5.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [TOSDCR] TOSDCR.EXE
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM
mRun: [IObit Security 360] "e:\iobit security 360\IS360tray.exe" /autostart
mRun: [QuickTime Task] "e:\quicktime\QTTask.exe" -atboottime
mRun: [DATAMNGR] c:\progra~1\wi371a~1\datamngr\DATAMN~1.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MobileConnect] %programfiles%\vodafone\vodafone mobile connect\bin\mobileconnect.exe /silent
mRun: [ApnUpdater] c:\program files\ask.com\updater\updater.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\wkssb.exe /allusers
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [DLA] c:\windows\system32\dla\dlactrlw.exe
mRun: [NDSTray.exe] ndstray.exe
mRun: [TPSMain] tpsmain.exe
mRun: [Apoint] c:\program files\apoint2k\apoint.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\brian\startm~1\programs\startup\camiov~1.lnk - c:\program files\sierra imaging\image expert\IXApplet.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: &Search - http://tbedits.daily...F9&n=2011102608
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {9455301C-CF6B-11D3-A266-00C04F689C50} - {9455301C-CF6B-11D3-A266-00C04F689C50} - c:\program files\common files\microsoft shared\reference 2001\EROProj.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{3628E500-E42D-4E58-A852-DC147F216A97} : DhcpNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: msencarta - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - c:\program files\common files\microsoft shared\reference 2001\MSREF.DLL
Handler: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - c:\program files\common files\microsoft shared\reference 2001\msero.dll
Handler: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - c:\program files\common files\microsoft shared\reference 2001\MSREF.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\wi371a~1\datamngr\datamngr.dll c:\progra~1\wi371a~1\datamngr\IEBHO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\brian\application data\mozilla\firefox\profiles\tw9h3p8f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=113&systemid=406&sr=0&q=
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2004-12-27 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2006-6-6 6144]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-6 36000]
R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2011-9-22 55936]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-6 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-10-6 110032]
R2 AntiVirWebService;Avira Web Protection;c:\program files\avira\antivir desktop\avwebgrd.exe [2011-10-6 463824]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-6 74640]
R2 IS360service;IS360service;e:\iobit security 360\is360srv.exe [2011-3-29 312152]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-10-9 14336]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-1-20 40776]
R3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\drivers\WG511ICB.sys [2004-3-22 390016]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-6-6 35968]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-6-6 14336]
.
=============== Created Last 30 ================
.
2012-01-20 07:22:29 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-19 13:45:48 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-01-19 12:23:09 -------- d-----w- c:\documents and settings\brian\application data\searchqutoolbar
2012-01-17 09:13:39 -------- d-----w- c:\program files\common files\ODBC
2012-01-16 06:51:06 -------- d-----w- c:\documents and settings\brian\.thumbnails
2012-01-14 10:17:31 23040 -c----w- c:\windows\system32\dllcache\mciseq.dll
2012-01-14 10:17:31 176128 -c----w- c:\windows\system32\dllcache\winmm.dll
2012-01-14 10:15:20 386048 -c----w- c:\windows\system32\dllcache\qdvd.dll
2012-01-14 10:14:23 60416 -c----w- c:\windows\system32\dllcache\packager.exe
2012-01-14 10:05:14 -------- d-----w- c:\windows\system32\winrm
2012-01-12 07:27:09 -------- d-----w- c:\documents and settings\all users\application data\boost_interprocess
2012-01-11 06:46:26 -------- d-----w- c:\documents and settings\brian\local settings\application data\Ilivid Player
2012-01-11 06:46:17 -------- dc-h--w- c:\documents and settings\all users\application data\{B49A644A-1076-4A3D-B124-DAA7862F2318}
2012-01-11 06:44:54 -------- d-----w- c:\program files\Windows iLivid Toolbar
2012-01-10 05:13:33 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-10 05:13:33 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-10 05:13:33 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-10 05:13:33 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-05 11:30:46 -------- d-----w- c:\program files\Facebook Buzz
2012-01-04 18:31:39 -------- d-----w- c:\windows\system32\CatRoot_bak
2012-01-04 06:15:07 -------- d-----w- c:\documents and settings\all users\application data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-01-03 13:10:44 182672 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-12-29 10:33:19 -------- d-----w- c:\program files\eBook Maestro FREE
.
==================== Find3M ====================
.
2011-12-10 15:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-12 07:49:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28:36 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 7:47:03.93 ===============

Results of screen317's Security Check version 0.99.30
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Avira Free Antivirus
McAfee Personal Firewall Plus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
CCleaner
Eusing Free Registry Cleaner
Adobe Flash Player 11.1.102.55
Adobe Reader X (10.1.2)
Mozilla Firefox 8.0. Firefox out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbam.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````End of Log````````````

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[START_SHOWRECENTDOCS] to be changed to: 1
Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[SHOWSUPERHIDDEN] to be changed to: 1
Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[HIDEFILEEXT] to be changed to: 0

C:\Documents and Settings\Brian\My Documents\Downloads\imf-setup.exe a variant of Win32/Toolbar.Widgi application
C:\Program Files\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\DnsBHO.dll a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll a variant of Win32/Toolbar.SearchSuite application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021551.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021552.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021553.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021554.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021555.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021556.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023563.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023564.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023565.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023566.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023567.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023568.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023714.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023720.exe a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023723.exe a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023726.exe a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023733.exe a variant of Win32/SoftonicDownloader.A application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015059.exe a variant of Win32/Toolbar.MyWebSearch.O application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015061.dll Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015062.dll probably a variant of Win32/FunWeb.AA application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015063.dll Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015068.dll probably a variant of Win32/Toolbar.MyWebSearch.F application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015069.dll probably a variant of Win32/Toolbar.MyWebSearch.B application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015072.dll a variant of Win32/Toolbar.MyWebSearch application
E:\Set Up Folder\asc-setup.exe a variant of Win32/Toolbar.Widgi application
E:\Set Up Folder\cnet_EFRCSetup_exe.exe a variant of Win32/InstallCore.D application
E:\Set Up Folder\imf-setup.exe a variant of Win32/Toolbar.Widgi application
E:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP136\A0023286.exe a variant of Win32/Toolbar.Widgi application
E:\System Volume Information\_restore{D31C8A4A-A60E-4289-93EB-43E77D1210E8}\RP97\A0024128.exe a variant of Win32/Toolbar.Widgi application
E:\Igor\giveawaytemplate\SoftonicDownloader_for_nvu.exe a variant of Win32/SoftonicDownloader.A application
Operating memory a variant of Win32/Toolbar.SearchSuite application

EDIT: I have corrected the spaces in your HJT log as these logs are hard to read when spaced out. When using Notepad, please turn off "word wrap"

Edited by Rocket Grannie, 20 January 2012 - 05:56 PM.
Fixed HJT format

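The ESET detections above place the hijacker in the Datamngr component under Windows iLivid Toolbar, and the symptom from the opening post (the Firefox home page reverting) is the preference values it leaves in the profile's prefs.js: the ComboFix output later in this thread shows browser.startup.homepage set to searchqu.com/406 and keyword.URL pointed at search-results.com. As an added example, not code from this thread, here is a Python audit of a prefs.js: it parses the user_pref lines, flags watched preferences whose value points at a hijacker host, drops those lines so Firefox falls back to its defaults, and emits a user.js that re-asserts the intended home page at every start. The sample prefs.js is constructed for the example (ComboFix prints hxxp in place of http; a real prefs.js carries the plain scheme), and the function names, WATCHED_PREFS list and indicator hosts are this example's own assumptions, not anything the thread or Mozilla ships.

```python
"""Audit a Firefox prefs.js for hijacked home-page / search preferences.

Added example, not code from this thread.  Indicator hosts come from the
"FF - prefs.js" lines of the ComboFix log posted in the thread; the sample
profile and the function names are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Preferences a home-page/search hijacker rewrites.  keyword.URL was the
# address-bar search prefix in Firefox of this era (Firefox 8 in the thread).
WATCHED_PREFS = (
    "browser.startup.homepage",
    "keyword.URL",
    "browser.search.defaulturl",
    "browser.search.selectedEngine",
)

# Hosts seen in the thread's log (assumed indicator list; extend as needed).
# A host equal to, or a subdomain of, one of these is treated as hijacked.
HIJACK_HOSTS = ("searchqu.com", "search-results.com")

# One pref line: user_pref("name", value);  -- the value keeps its quotes.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Constructed sample profile; the two bad values mirror the thread's log.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1326953720);
user_pref("browser.search.selectedEngine", "Google");
user_pref("browser.startup.homepage", "http://www.searchqu.com/406");
user_pref("keyword.URL", "http://dts.search-results.com/sr?src=ffb&appid=113&systemid=406&sr=0&q=");
user_pref("privacy.sanitize.migrateFx3Prefs", true);
"""


def parse_prefs(text: str) -> Dict[str, str]:
    """Map pref name -> raw value (string values keep their quotes)."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def host_of(raw_value: str) -> str:
    """Lower-cased hostname of a quoted URL value, or "" if it is not a URL."""
    value = raw_value.strip().strip('"')
    if "://" not in value:
        return ""
    return (urlsplit(value).hostname or "").lower()


def is_hijack_host(host: str) -> bool:
    """Exact match or subdomain of an indicator host (not a substring match)."""
    return any(host == h or host.endswith("." + h) for h in HIJACK_HOSTS)


def find_hijacked(prefs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Watched prefs whose value points at a known hijacker host."""
    return [(name, prefs[name]) for name in WATCHED_PREFS
            if name in prefs and is_hijack_host(host_of(prefs[name]))]


def clean_prefs(text: str, hijacked_names: List[str]) -> str:
    """Drop the hijacked user_pref lines so Firefox falls back to defaults."""
    keep = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) in hijacked_names:
            continue
        keep.append(line)
    return "\n".join(keep) + "\n"


def pin_user_js(homepage: str = "about:home") -> str:
    """user.js is applied at every Firefox start, so it re-asserts the home
    page and an empty keyword.URL (= use the default engine) even if prefs.js
    gets rewritten again.  It cannot stop a toolbar DLL that is still loaded
    into the browser; uninstall that first."""
    return (f'user_pref("browser.startup.homepage", "{homepage}");\n'
            'user_pref("keyword.URL", "");\n')


if __name__ == "__main__":
    found = find_hijacked(parse_prefs(SAMPLE_PREFS))
    for name, value in found:
        print(f"hijacked: {name} = {value}")
    print(clean_prefs(SAMPLE_PREFS, [n for n, _ in found]))
    print(pin_user_js())
```

Edit prefs.js only while Firefox is closed; it rewrites the file from memory on exit, which is one reason a change made from the Options dialog appears to "revert". The other reason is the toolbar software itself, which keeps re-applying its values while its DLLs are loaded, so the uninstall and the BHO/toolbar clean-up have to come before any profile edit.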

#3 The Dark Knight

The Dark Knight

    Malware Vigilante

  • Trusted Advisor*
  • 2,214 posts

Posted 20 January 2012 - 08:17 PM

Welcome sutra to SpywareInfo. I am The Dark Knight and will be assisting you. Please ask questions if anything is unclear. :)

You have the Ask Toolbar (AskBarDis) installed. I strongly recommend you remove the Ask Toolbar from your computer because:

  • It promotes its toolbars on sites targeted at kids.
  • It promotes its toolbars through ads that appear to be part of other companies' sites.
  • It promotes its toolbars through other companies' spyware.
  • It is installed without any disclosure whatsoever and without any consent from the user whatsoever.
  • It solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
  • It makes confusing changes to users' browsers, increasing Ask's revenues while taking users to pages they didn't intend to visit.

Please go to Start > Control Panel > Add or Remove Programs and remove the following programs (if present):

  • AskBarDis
  • Bearshare
  • DataMngr
  • IObit Security 360
  • MediaBar
  • Searchqu Toolbar
T-Tools has created a free program designed specifically to remove every last trace of IObit programs that is left behind when you uninstall one or more of them. Please download BitRemover from here:

http://www.t-tools.nl/bitremoveren.php

Please save the program to your Desktop and double-click on the program to run it.

Once you have finished removing these programs please restart your computer.
==========

Next, please use HijackThis to do a little more cleanup:

  • Please open HijackThis.
  • Click Do a system scan only
  • Check these entries (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} -C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} -C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O4 - HKLM\..\Run: [IObit Security 360] "E:\IObit Security 360\IS360tray.exe" /autostart
O2 - BHO: DataMngr - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~1\WI371A~1\Datamngr\BROWSE~1.DLL
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~1\WI371A~1\Datamngr\DATAMN~1.EXE
O8 - Extra context menu item: &Search - http://tbedits.daily...F9&n=2011102608
O23 - Service: IS360service - IObit - E:\IObit Security 360\IS360srv.exe


If you removed Ask earlier then please check this entry (if present):

O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} -C:\Program Files\Ask.com\GenericAskToolbar.dll


  • Please close all other open windows and click Fix checked.
  • Close HijackThis.
  • Reboot your computer.
==========

Next, please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

Please include the C:\ComboFix.txt in your next reply for further review.
==========

Finally, please download to your Desktop:
  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure. Instead, choose SKIP, then click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.
In your next reply, please include the TDSSKiller_log.txt.
==========
In your next post, please reply with the following:
  • Fresh HJT log.
  • ComboFix.txt.
  • Log from TDSSKiller.

How is your computer currently running? Are you still being redirected?

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!

If I have helped you please consider donating to help keep this forum running; see this topic for more details.


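As an added example (not part of the thread, and not HijackThis code), the entries listed in the post above run through a small Python triage script: it parses each HJT line, records its section code and CLSID, maps the section to the registry location HijackThis read it from, and flags entries whose text matches the indicators named in the post (Searchqu, DataMngr, IObit, Ask, the tbedits context-menu URL) or R-lines with an empty value. It also groups CLSIDs that appear in more than one section, because the Searchqu DLL is registered both as a BHO (O2) and as a toolbar (O3) and the two registrations have to go together. The indicator list and the registry map are this example's own assumptions; the sample lines are copied from the post, including the truncated O8 URL exactly as it appears there.

```python
"""Triage HijackThis (HJT) log lines.

Added example, not part of the thread and not HijackThis itself.  The sample
lines are the entries the helper asks to be fixed, copied from the post; the
indicator list and the section-to-registry map are this example's own.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Where each HJT section type is read from, so an entry can be checked or
# removed by hand if the Fix checked button does not take.
REGISTRY_MAP: Dict[str, str] = {
    "R0": r"HKCU or HKLM \Software\Microsoft\Internet Explorer\Main (Start Page, Local Page)",
    "R1": r"HKCU or HKLM \Software\Microsoft\Internet Explorer\Main (Search Page, Default_*_URL)",
    "O2": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CLSID}",
    "O3": r"HKLM\Software\Microsoft\Internet Explorer\Toolbar (value name = {CLSID})",
    "O4": r"HKLM or HKCU \Software\Microsoft\Windows\CurrentVersion\Run (or the Startup folder)",
    "O8": r"HKCU\Software\Microsoft\Internet Explorer\MenuExt",
    "O23": r"HKLM\SYSTEM\CurrentControlSet\Services\<service> (ImagePath)",
}

# Case-insensitive substrings naming the software this thread treats as
# unwanted (assumed list; extend for your own case).
INDICATORS = ("searchqu", "datamngr", "iobit", "is360", "ask.com", "askbar", "tbedits")

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")

# Lines copied from the post (the O8 URL is truncated there, and kept so).
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} -C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} -C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O4 - HKLM\..\Run: [IObit Security 360] "E:\IObit Security 360\IS360tray.exe" /autostart
O2 - BHO: DataMngr - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~1\WI371A~1\Datamngr\BROWSE~1.DLL
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~1\WI371A~1\Datamngr\DATAMN~1.EXE
O8 - Extra context menu item: &Search - http://tbedits.daily...F9&n=2011102608
O23 - Service: IS360service - IObit - E:\IObit Security 360\IS360srv.exe
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} -C:\Program Files\Ask.com\GenericAskToolbar.dll
"""


class Entry(NamedTuple):
    section: str
    detail: str
    clsid: Optional[str]
    hits: Tuple[str, ...]   # which indicators matched
    registry: str


def parse_hjt(text: str) -> List[Entry]:
    """One Entry per recognised HJT line; other lines are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, detail = m.group(1), m.group(2).strip()
        clsid = CLSID_RE.search(detail)
        low = detail.lower()
        hits = tuple(i for i in INDICATORS if i in low)
        if section.startswith("R") and detail.endswith("="):
            hits += ("empty-value",)   # blank IE page/search value, as in the post
        entries.append(Entry(section, detail,
                             clsid.group(0).lower() if clsid else None,
                             hits, REGISTRY_MAP.get(section, "(not mapped)")))
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.hits]


def shared_clsids(entries: List[Entry]) -> Dict[str, List[str]]:
    """CLSIDs registered in more than one section (e.g. BHO + toolbar)."""
    seen: Dict[str, List[str]] = {}
    for e in entries:
        if e.clsid:
            seen.setdefault(e.clsid, []).append(e.section)
    return {c: s for c, s in seen.items() if len(s) > 1}


def report(entries: List[Entry]) -> List[str]:
    lines = []
    for e in flagged(entries):
        lines.append(f"{e.section:<3} flagged by {', '.join(e.hits)}")
        lines.append(f"    {e.detail}")
        lines.append(f"    registry: {e.registry}")
    for clsid, sections in shared_clsids(entries).items():
        lines.append(f"CLSID {clsid} registered in {'+'.join(sections)}: remove together")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_hjt(SAMPLE_HJT))))
```

The 8.3 path C:\PROGRA~1\WI371A~1\Datamngr in these entries is almost certainly the same Datamngr directory the ESET scan reported under C:\Program Files\Windows iLivid Toolbar, so if Add/Remove Programs shows none of the listed names, that directory (and the Run value and service pointing into IObit Security 360 on E:) is where to look by hand after the HJT fix.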

#4 sutra

sutra

    Member

  • Full Member
  • 23 posts

Posted 23 January 2012 - 02:17 AM

Hi, The Dark Knight,

I've followed your instructions as best I could. I couldn't see any of the
programs you listed in add/remove. I've also deleted the items listed in HJT log.
I've downloaded and run TDSSKiller. After the scan it shows a window that it
has scanned 210 items and no threats were found. No reboot is required, I clicked
on report and the log came up. I select all but for some reason I can't copy
and paste it as requested.

It doesn't appear I am being redirected as when I open up my browser (Firefox) my
selected home page appears with no reference to searchqu. I enclose Combofix log
and fresh HJT log as requested. Once again, your help is much appreciated.

ComboFix 12-01-21.02 - Brian 22/01/2012 10:31:43.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1306 [GMT 0:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Brian\WINDOWS
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
e:\recipe~1\75RECI~1\MISSle~1.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-22 to 2012-01-22 )))))))))))))))))))))))))))))))
.
.
2012-01-20 09:16 . 2012-01-20 09:16 -------- d-----w- c:\program files\ESET
2012-01-20 09:08 . 2012-01-20 09:08 388096 ----a-r- c:\documents and settings\Brian\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-01-20 09:08 . 2012-01-20 09:08 -------- d-----w- c:\program files\Trend Micro
2012-01-19 13:45 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-01-19 12:23 . 2012-01-19 12:23 -------- d-----w- c:\documents and settings\Brian\Application Data\searchqutoolbar
2012-01-16 06:51 . 2012-01-16 06:51 -------- d-----w- c:\documents and settings\Brian\.thumbnails
2012-01-14 10:17 . 2011-10-14 14:47 23040 -c----w- c:\windows\system32\dllcache\mciseq.dll
2012-01-14 10:17 . 2011-10-14 14:47 176128 -c----w- c:\windows\system32\dllcache\winmm.dll
2012-01-14 10:15 . 2011-11-03 15:28 386048 -c----w- c:\windows\system32\dllcache\qdvd.dll
2012-01-14 10:14 . 2011-11-18 12:35 60416 -c----w- c:\windows\system32\dllcache\packager.exe
2012-01-14 10:05 . 2012-01-14 10:05 -------- d-----w- c:\windows\system32\winrm
2012-01-12 07:27 . 2012-01-12 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2012-01-11 06:46 . 2012-01-11 06:46 -------- d-----w- c:\documents and settings\Brian\Local Settings\Application Data\Ilivid Player
2012-01-11 06:46 . 2012-01-11 06:46 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318}
2012-01-11 06:44 . 2012-01-11 06:45 -------- d-----w- c:\program files\Windows iLivid Toolbar
2012-01-10 05:13 . 2012-01-10 05:13 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-10 05:13 . 2012-01-10 05:13 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-10 05:13 . 2012-01-10 05:13 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-10 05:13 . 2012-01-10 05:13 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-05 14:22 . 2012-01-05 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-01-05 11:30 . 2012-01-05 11:35 -------- d-----w- c:\program files\Facebook Buzz
2012-01-04 19:21 . 2012-01-04 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2012-01-04 19:17 . 2012-01-04 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2012-01-04 18:31 . 2012-01-04 18:31 -------- d-----w- c:\windows\system32\CatRoot_bak
2012-01-04 06:15 . 2012-01-04 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-12-29 10:33 . 2012-01-14 07:31 -------- d-----w- c:\program files\eBook Maestro FREE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 15:24 . 2011-09-22 13:26 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-09 08:03 . 2011-10-06 06:52 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-11-25 21:57 . 2006-06-06 09:55 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2006-06-06 09:55 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2006-06-06 09:55 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2006-06-06 09:55 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2006-06-06 09:55 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-12 07:49 . 2011-10-04 17:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20 . 2006-06-06 09:55 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2006-06-06 09:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2006-06-06 09:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2006-06-06 09:54 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2006-06-06 09:55 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2006-06-06 09:55 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2006-06-06 09:55 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2006-06-06 09:54 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2006-06-06 09:55 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-03 22:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-01-10 05:13 . 2011-10-14 06:35 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE" [2009-11-25 95632]
"TOSCDSPD"="c:\program files\toshiba\toscdspd\toscdspd.exe" [2005-04-11 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="thpsrv" [X]
"SkyTel"="SkyTel.EXE" [2006-04-24 1448960]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-05-18 253952]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-04 88204]
"TPSODDCtl"="TPSODDCtl.exe" [2006-05-19 102400]
"TFNF5"="TFNF5.exe" [2006-04-11 622592]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-08-31 102400]
"TOSDCR"="TOSDCR.EXE" [2005-12-12 57344]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-09 16207360]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2003-08-18 1048576]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-06-30 24576]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-06-29 28739]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-11-25 54672]
"QuickTime Task"="e:\quicktime\QTTask.exe" [2008-09-06 413696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"MobileConnect"="c:\program files\vodafone\vodafone mobile connect\bin\mobileconnect.exe" [2008-10-09 2086912]
"ApnUpdater"="c:\program files\ask.com\updater\updater.exe" [2011-09-08 888488]
"Microsoft Works Portfolio"="c:\program files\microsoft works\wkssb.exe" [2000-07-03 311350]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"DLA"="c:\windows\system32\dla\dlactrlw.exe" [2005-10-06 122940]
"NDSTray.exe"="ndstray.exe" [BU]
"TPSMain"="tpsmain.exe" [2006-05-19 299008]
"Apoint"="c:\program files\apoint2k\apoint.exe" [2004-03-24 196608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Brian\Start Menu\Programs\Startup\
Camio Viewer.lnk - c:\program files\Sierra Imaging\Image Expert\IXApplet.exe [2011-9-23 98816]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-6-29 24633]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
2009-11-25 20:42 95632 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [27/12/2004 22:31 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [06/06/2006 13:27 6144]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [06/10/2011 06:52 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [06/10/2011 06:52 86224]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [06/10/2011 06:52 463824]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [09/10/2008 14:32 14336]
R3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\drivers\WG511ICB.sys [22/03/2004 15:50 390016]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [06/06/2006 13:49 35968]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 20:37 4640000]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [06/06/2006 09:55 14336]
S4 IS360service;IS360service;e:\iobit security 360\is360srv.exe [29/03/2011 14:25 312152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-22 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-11-21 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://btyahoo.com/
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\tw9h3p8f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=113&systemid=406&sr=0&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-10 - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-22 10:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,80,b1,96,27,61,73,41,b3,53,d9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,80,b1,96,27,61,73,41,b3,53,d9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(912)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
- - - - - - - > 'explorer.exe'(2676)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\progra~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\windows\system32\ThpSrv.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\windows\SkyTel.EXE
c:\windows\AGRSMMSG.exe
c:\windows\system32\thpsrv.exe
c:\windows\RTHDCPL.EXE
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\tpsmain.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Apoint2K\Apntex.exe
.
**************************************************************************
.
Completion time: 2012-01-22 10:43:03 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-22 10:43
.
Pre-Run: 297,693,462,528 bytes free
Post-Run: 297,733,439,488 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /forceresetreg
.
- - End Of File - - 342D0637E681798766949171DCADF315

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:13:21, on 22/01/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\QuickTime\QTTask.exe
C:\program files\ask.com\updater\updater.exe
C:\program files\microsoft works\wkssb.exe
C:\windows\system32\dla\dlactrlw.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\tpsmain.exe
C:\program files\apoint2k\apoint.exe
C:\PROGRAM FILES\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\program files\toshiba\toscdspd\toscdspd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://btyahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [QuickTime Task] "E:\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MobileConnect] %programfiles%\vodafone\vodafone mobile connect\bin\mobileconnect.exe /silent
O4 - HKLM\..\Run: [ApnUpdater] c:\program files\ask.com\updater\updater.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\program files\microsoft works\wkssb.exe /allusers
O4 - HKLM\..\Run: [igfxtray] c:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [DLA] c:\windows\system32\dla\dlactrlw.exe
O4 - HKLM\..\Run: [NDSTray.exe] ndstray.exe
O4 - HKLM\..\Run: [TPSMain] tpsmain.exe
O4 - HKLM\..\Run: [Apoint] c:\program files\apoint2k\apoint.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\PROGRAM FILES\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE"
O4 - HKCU\..\Run: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Web Protection (AntiVirWebService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

--
End of file - 9630 bytes

#5 The Dark Knight

    Malware Vigilante

  • Trusted Advisor*
  • 2,214 posts

Posted 23 January 2012 - 03:38 AM

Hey sutra. :)

Just a quick note, please don't quote my previous instructions as I can just scroll above if I need to. :thumbup:

Good to hear you aren't being redirected. Are there any current issues on your computer?


Please follow these instructions to remove the remaining malicious entries:

  • Please close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quotebox below into it:

    Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail.

    killall::

    Driver::
    IS360service

    File::
    e:\iobit security 360\is360srv.exe

    Firefox::
    FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\tw9h3p8f.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
    FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=113&systemid=406&sr=0&q=

    Folder::
    c:\documents and settings\Brian\Application Data\searchqutoolbar
    c:\program files\Ask.com

  • Save this as CFScript.txt, in the same location as ComboFix.exe.

    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at C:\ComboFix.txt.


Please post the ComboFix.txt in your next reply.
==========

Please also run a free online scan with the ESET Online Scanner.
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
  • Click Scan.
    Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
==========

In your next post, please reply with the following:
  • The state of your computer and any current issues.
  • ComboFix.txt.
  • log.txt.

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!

If I have helped you please consider donating to help keep this forum running; see this topic for more details.

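An added example, not part of this thread and not code from HijackThis or ComboFix: a small Python triage script that parses the HijackThis entry types the helper's instructions target (R0/R1 start and search pages, O2 BHOs, O4 Run entries, O23 services) together with ComboFix-style `FF - prefs.js` lines, undoes the `hxxp://` defanging used in forum posts, and flags every entry whose name or target matches an indicator list. The indicator strings are the ones named in this thread (searchqu, search-results.com, Ask.com, iLivid, IObit Security 360); the sample log is constructed from the entry shapes seen above, and the function and class names are this example's own.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

Parses the entry types browser hijackers typically abuse and flags any that point
at a given indicator list, so a helper can confirm what a CFScript should remove.
"""
import re
from dataclasses import dataclass

# Indicators taken from this thread; extend the tuple for another case.
INDICATORS = ("searchqu", "search-results.com", "ask.com", "ilivid", "iobit security 360")

# "O4 - HKLM\..\Run: [Name] path" / "R0 - HKCU\...\Main,Start Page = url" etc.
ENTRY_RE = re.compile(r"^(?P<code>R[0-3]|O\d+) - (?P<body>.*)$")
# ComboFix Firefox pref lines: "FF - prefs.js: browser.startup.homepage - hxxp://..."
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>[\w.]+) - (?P<value>.*)$")


@dataclass
class Entry:
    kind: str    # HijackThis code ("O4", "R0", ...) or "FF" for a Firefox pref
    name: str    # Run value name, BHO/service name, pref name, or page type
    target: str  # the path or URL the entry points at
    line: str    # the original log line, for reporting


def refang(url):
    """Undo hxxp:// defanging so URLs compare like normal ones."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_line(line):
    """Return an Entry for a recognised log line, or None for anything else."""
    line = line.strip()
    m = FF_PREF_RE.match(line)
    if m:
        return Entry("FF", m.group("pref"), refang(m.group("value")), line)
    m = ENTRY_RE.match(line)
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1"):
        # "HKCU\...\Main,Start Page = http://..." -> name "Start Page"
        key, _, target = body.partition(" = ")
        return Entry(code, key.split(",")[-1], target, line)
    if code == "O4":
        # Registry Run entry: "HKLM\..\Run: [Name] path args"
        m2 = re.search(r"\[(?P<name>[^\]]*)\] (?P<target>.*)$", body)
        if m2:
            return Entry(code, m2.group("name"), m2.group("target"), line)
        # Startup-folder shortcut: "Startup: Foo.lnk = path"
        name, _, target = body.partition(" = ")
        return Entry(code, name, target, line)
    if code in ("O2", "O9", "O18", "O22", "O23"):
        # "BHO: Name - {CLSID} - path" / "Service: Name (short) - Owner - path"
        parts = [p.strip() for p in body.split(" - ")]
        return Entry(code, parts[0], parts[-1], line)
    return Entry(code, "", body, line)


def flag_entries(log_text, indicators=INDICATORS):
    """Return the parsed entries whose name or target contains an indicator."""
    hits = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        haystack = (entry.name + " " + entry.target).lower()
        if any(ind in haystack for ind in indicators):
            hits.append(entry)
    return hits


# Constructed sample, modelled on the entry shapes quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://btyahoo.com/
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O4 - HKLM\..\Run: [ApnUpdater] c:\program files\ask.com\updater\updater.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=113&systemid=406&sr=0&q=
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

if __name__ == "__main__":
    for hit in flag_entries(SAMPLE_LOG):
        print(f"[{hit.kind}] {hit.name}: {hit.target}")
```

Run against the sample it reports the Ask.com updater Run entry and both hijacked Firefox prefs while leaving the legitimate Avira and HP entries alone; the two FF hits map directly onto the `Firefox::` section of the CFScript above.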


#6 sutra

    Member

  • Full Member
  • 23 posts

Posted 24 January 2012 - 04:37 AM

Hello again,

My computer seems to be running fine apart from start up which is now
taking 4/5 minutes. When I power up I get the "XP is starting up" message
which lasts for about 30 seconds, then the "welcome" screen which lasts
for about 45 seconds followed by the desktop but without desktop icons.
This lasts for around two minutes when the desktop items start appearing,
after which running programs start appearing in the bottom right hand
corner taking about 35/40 seconds. Once start up has finished, when I click
on a program or website they appear quite quickly.

I enclose logs as requested. Thanks once again.

sutra

ComboFix 12-01-23.02 - Brian 24/01/2012 6:36.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1417 [GMT 0:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"e:\iobit security 360\is360srv.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Brian\Application Data\searchqutoolbar
c:\program files\Ask.com
c:\program files\Ask.com\assets\oobe\b.png
c:\program files\Ask.com\assets\oobe\bl.png
c:\program files\Ask.com\assets\oobe\br.png
c:\program files\Ask.com\assets\oobe\l.png
c:\program files\Ask.com\assets\oobe\pointer.png
c:\program files\Ask.com\assets\oobe\r.png
c:\program files\Ask.com\assets\oobe\t.png
c:\program files\Ask.com\assets\oobe\tl.png
c:\program files\Ask.com\assets\oobe\tr.png
c:\program files\Ask.com\cb_4f.ico
c:\program files\Ask.com\cobrand.ico
c:\program files\Ask.com\config.xml
c:\program files\Ask.com\favicon.ico
c:\program files\Ask.com\fv_4e.ico
c:\program files\Ask.com\mupcfg.xml
c:\program files\Ask.com\precache.exe
c:\program files\Ask.com\SaUpdate.exe
c:\program files\Ask.com\Updater\config.xml
c:\program files\Ask.com\Updater\Updater.exe
c:\program files\Ask.com\UpdateTask.exe
e:\iobit security 360\is360srv.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_IS360SERVICE
-------\Service_IS360service
.
.
((((((((((((((((((((((((( Files Created from 2011-12-24 to 2012-01-24 )))))))))))))))))))))))))))))))
.
.
2012-01-20 09:16 . 2012-01-20 09:16 -------- d-----w- c:\program files\ESET
2012-01-20 09:08 . 2012-01-20 09:08 388096 ----a-r- c:\documents and settings\Brian\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-01-20 09:08 . 2012-01-20 09:08 -------- d-----w- c:\program files\Trend Micro
2012-01-19 13:45 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-01-16 06:51 . 2012-01-23 19:02 -------- d-----w- c:\documents and settings\Brian\.thumbnails
2012-01-14 10:17 . 2011-10-14 14:47 23040 -c----w- c:\windows\system32\dllcache\mciseq.dll
2012-01-14 10:17 . 2011-10-14 14:47 176128 -c----w- c:\windows\system32\dllcache\winmm.dll
2012-01-14 10:15 . 2011-11-03 15:28 386048 -c----w- c:\windows\system32\dllcache\qdvd.dll
2012-01-14 10:14 . 2011-11-18 12:35 60416 -c----w- c:\windows\system32\dllcache\packager.exe
2012-01-14 10:05 . 2012-01-14 10:05 -------- d-----w- c:\windows\system32\winrm
2012-01-12 07:27 . 2012-01-12 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2012-01-11 06:46 . 2012-01-11 06:46 -------- d-----w- c:\documents and settings\Brian\Local Settings\Application Data\Ilivid Player
2012-01-11 06:46 . 2012-01-11 06:46 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318}
2012-01-11 06:44 . 2012-01-11 06:45 -------- d-----w- c:\program files\Windows iLivid Toolbar
2012-01-10 05:13 . 2012-01-10 05:13 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-10 05:13 . 2012-01-10 05:13 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-10 05:13 . 2012-01-10 05:13 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-10 05:13 . 2012-01-10 05:13 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-05 14:22 . 2012-01-05 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-01-05 11:30 . 2012-01-05 11:35 -------- d-----w- c:\program files\Facebook Buzz
2012-01-04 19:21 . 2012-01-04 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2012-01-04 19:17 . 2012-01-04 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2012-01-04 18:31 . 2012-01-04 18:31 -------- d-----w- c:\windows\system32\CatRoot_bak
2012-01-04 06:15 . 2012-01-04 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-12-29 10:33 . 2012-01-14 07:31 -------- d-----w- c:\program files\eBook Maestro FREE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 15:24 . 2011-09-22 13:26 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-09 08:03 . 2011-10-06 06:52 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-11-25 21:57 . 2006-06-06 09:55 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2006-06-06 09:55 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2006-06-06 09:55 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2006-06-06 09:55 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2006-06-06 09:55 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-12 07:49 . 2011-10-04 17:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20 . 2006-06-06 09:55 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2006-06-06 09:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2006-06-06 09:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2006-06-06 09:54 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2006-06-06 09:55 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2006-06-06 09:55 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2006-06-06 09:55 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2006-06-06 09:54 33280 ----a-w- c:\windows\system32\csrsrv.dll
2012-01-10 05:13 . 2011-10-14 06:35 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-22_10.38.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-06-06 09:55 . 2012-01-22 09:53 71572 c:\windows\system32\perfc009.dat
+ 2006-06-06 09:55 . 2012-01-24 06:30 71572 c:\windows\system32\perfc009.dat
+ 2006-06-06 09:55 . 2012-01-24 06:30 441908 c:\windows\system32\perfh009.dat
- 2006-06-06 09:55 . 2012-01-22 09:53 441908 c:\windows\system32\perfh009.dat
+ 2011-06-06 12:55 . 2011-06-06 12:55 1189004 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\JSByteCodeWin.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE" [2009-11-25 95632]
"TOSCDSPD"="c:\program files\toshiba\toscdspd\toscdspd.exe" [2005-04-11 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="thpsrv" [X]
"SkyTel"="SkyTel.EXE" [2006-04-24 1448960]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-05-18 253952]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-04 88204]
"TPSODDCtl"="TPSODDCtl.exe" [2006-05-19 102400]
"TFNF5"="TFNF5.exe" [2006-04-11 622592]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-08-31 102400]
"TOSDCR"="TOSDCR.EXE" [2005-12-12 57344]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-09 16207360]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2003-08-18 1048576]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-06-30 24576]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-06-29 28739]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-11-25 54672]
"QuickTime Task"="e:\quicktime\QTTask.exe" [2008-09-06 413696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"MobileConnect"="c:\program files\vodafone\vodafone mobile connect\bin\mobileconnect.exe" [2008-10-09 2086912]
"Microsoft Works Portfolio"="c:\program files\microsoft works\wkssb.exe" [2000-07-03 311350]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"DLA"="c:\windows\system32\dla\dlactrlw.exe" [2005-10-06 122940]
"NDSTray.exe"="ndstray.exe" [BU]
"TPSMain"="tpsmain.exe" [2006-05-19 299008]
"Apoint"="c:\program files\apoint2k\apoint.exe" [2004-03-24 196608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Brian\Start Menu\Programs\Startup\
Camio Viewer.lnk - c:\program files\Sierra Imaging\Image Expert\IXApplet.exe [2011-9-23 98816]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-6-29 24633]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
2009-11-25 20:42 95632 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [27/12/2004 22:31 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [06/06/2006 13:27 6144]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [06/10/2011 06:52 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [06/10/2011 06:52 86224]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [06/10/2011 06:52 463824]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [09/10/2008 14:32 14336]
R3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\drivers\WG511ICB.sys [22/03/2004 15:50 390016]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [06/06/2006 13:49 35968]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 20:37 4640000]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [06/06/2006 09:55 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://btyahoo.com/
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\tw9h3p8f.default\
FF - prefs.js: browser.search.selectedEngine - Google
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ApnUpdater - c:\program files\ask.com\updater\updater.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-24 06:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,80,b1,96,27,61,73,41,b3,53,d9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,80,b1,96,27,61,73,41,b3,53,d9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(912)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
- - - - - - - > 'explorer.exe'(1712)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\progra~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\windows\system32\ThpSrv.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\windows\SkyTel.EXE
c:\windows\AGRSMMSG.exe
c:\windows\system32\thpsrv.exe
c:\windows\RTHDCPL.EXE
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\tpsmain.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Apoint2K\Apntex.exe
.
**************************************************************************
.
Completion time: 2012-01-24 06:50:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-24 06:50
ComboFix2.txt 2012-01-22 10:43
.
Pre-Run: 297,629,835,264 bytes free
Post-Run: 297,620,238,336 bytes free
.
- - End Of File - - 9F68D897A64841ED6A27E9370441F956

C:\Documents and Settings\Brian\My Documents\Downloads\imf-setup.exe a variant of Win32/Toolbar.Widgi application
C:\Program Files\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\DnsBHO.dll a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll a variant of Win32/Toolbar.SearchSuite application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021551.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021552.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021553.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021554.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021555.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP116\A0021556.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023563.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023564.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023565.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023566.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023567.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP140\A0023568.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023714.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023720.exe a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023723.exe a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023726.exe a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023733.exe a variant of Win32/SoftonicDownloader.A application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015059.exe a variant of Win32/Toolbar.MyWebSearch.O application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015061.dll Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015062.dll probably a variant of Win32/FunWeb.AA application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015063.dll Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015068.dll probably a variant of Win32/Toolbar.MyWebSearch.F application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015069.dll probably a variant of Win32/Toolbar.MyWebSearch.B application
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP67\A0015072.dll a variant of Win32/Toolbar.MyWebSearch application
E:\Set Up Folder\asc-setup.exe a variant of Win32/Toolbar.Widgi application
E:\Set Up Folder\cnet_EFRCSetup_exe.exe a variant of Win32/InstallCore.D application
E:\Set Up Folder\imf-setup.exe a variant of Win32/Toolbar.Widgi application
E:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP136\A0023286.exe a variant of Win32/Toolbar.Widgi application
E:\System Volume Information\_restore{D31C8A4A-A60E-4289-93EB-43E77D1210E8}\RP97\A0024128.exe a variant of Win32/Toolbar.Widgi application
E:\Igor\giveawaytemplate\SoftonicDownloader_for_nvu.exe a variant of Win32/SoftonicDownloader.A application
Operating memory a variant of Win32/Toolbar.SearchSuite application

#7 The Dark Knight

The Dark Knight

    Malware Vigilante

  • Trusted Advisor*
  • PipPipPipPipPip
  • 2,214 posts

Posted 24 January 2012 - 06:19 PM

Hello sutra. :)

I'm glad things are running fine on your computer. :thumbup:

It appears Windows iLivid Toolbar has become infected. Please follow these instructions to uninstall it (you can always reinstall it later if you want to):

Please go to Add or Remove Programs and Remove the following (if present):

  • Windows iLivid Toolbar
===========

Next,
  • please close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quotebox below into it:

    Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail.

    killall::

    File::
    E:\Set Up Folder\asc-setup.exe
    E:\Set Up Folder\cnet_EFRCSetup_exe.exe
    E:\Set Up Folder\imf-setup.exe
    E:\Igor\giveawaytemplate\SoftonicDownloader_for_nvu.exe

  • Save this as CFScript.txt, in the same location as ComboFix.exe.

  • Drag CFScript.txt onto ComboFix.exe.
  • When finished, it shall produce a log for you at C:\ComboFix.txt.


Please post the ComboFix.txt in your next reply.
==========

Next, please follow the instructions below to reset System Restore:

On the Desktop, right-click My Computer > Properties > System Restore.
Check Turn off System Restore.
Click Apply ( a window will pop up and ask if you really want to turn it off).
Click Yes.
Please wait a few moments to let it clear.
Now, please remove the check from Turn off System Restore.
Click Apply, and then click OK.


Your startup issue could be due to too many programs starting up when you boot your computer. Please re-run HJT and post its log in your next reply.


Finally, please run a free online scan with the ESET Online Scanner.
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
  • Click Scan.
    Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
==========

In your next reply, please post the following:
  • ComboFix.txt.
  • Log from HJT.
  • log.txt.
Are there any other issues on your computer?

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!

If I have helped you please consider donating to help keep this forum running; see this topic for more details.

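The post above hand-sorts the ESET findings from the previous reply: only the four files that are still live on E:\ go into the CFScript File:: list, the copies under System Volume Information are left to the System Restore off/on toggle, and the "Operating memory" hit is a loaded component rather than a file. The script below is an added example of that triage, not code from this thread or from ESET or ComboFix. It assumes the line layout visible in the log (a Windows path, a space, then ESET's detection text), and the sample lines are constructed from the findings quoted above.

```python
import re

# Constructed sample in the layout of the ESET Online Scanner log quoted in
# this thread: a Windows path, a space, then ESET's detection text.
SAMPLE_LOG = [
    r"C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP141\A0023733.exe a variant of Win32/SoftonicDownloader.A application",
    r"E:\Set Up Folder\asc-setup.exe a variant of Win32/Toolbar.Widgi application",
    r"E:\Set Up Folder\cnet_EFRCSetup_exe.exe a variant of Win32/InstallCore.D application",
    r"E:\Set Up Folder\asc-setup.exe a variant of Win32/Toolbar.Widgi application",
    r"E:\Igor\giveawaytemplate\SoftonicDownloader_for_nvu.exe a variant of Win32/SoftonicDownloader.A application",
    r"C:\Qoobox\Quarantine\E\Set Up Folder\imf-setup.exe.vir a variant of Win32/Toolbar.Widgi application",
    "Operating memory a variant of Win32/Toolbar.SearchSuite application",
    "scan completed",
]

# The path is the shortest prefix that starts with a drive letter and ends in
# a file extension followed by whitespace; the rest is ESET's text. This split
# is an assumption of the example, not ESET's documented log format.
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4})\s+(?P<detection>.+)$")
RESTORE_RE = re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore", re.IGNORECASE)


def parse_line(line):
    """Return (path, detection) for a finding, or None for any other line."""
    line = line.strip()
    if line.startswith("Operating memory"):
        return "Operating memory", line[len("Operating memory"):].strip()
    m = LINE_RE.match(line)
    return (m.group("path"), m.group("detection")) if m else None


def classify(path):
    """Map where a finding lives to the cleanup step that deals with it."""
    if path == "Operating memory":
        return "in_memory"      # a loaded component: look for its autostart entry and process
    if RESTORE_RE.match(path):
        return "restore_point"  # inert unless restored; purged by toggling System Restore off/on
    if "\\Qoobox\\Quarantine\\" in path or "\\HiJackThis\\backups\\" in path:
        return "quarantined"    # already isolated by ComboFix or HJT, not a live infection
    return "live"               # on disk where it can run: belongs in a File:: line


def triage(lines):
    """Bucket findings by class, dropping duplicate paths (ESET repeats them)."""
    buckets = {"live": [], "restore_point": [], "quarantined": [], "in_memory": []}
    seen = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, _detection = parsed
        key = path.lower()      # NTFS paths are case-insensitive
        if key in seen:
            continue
        seen.add(key)
        buckets[classify(path)].append(path)
    return buckets


def cfscript_file_section(lines):
    """Build the File:: section of a ComboFix CFScript from live findings only."""
    return "\n".join(["File::", *triage(lines)["live"]])


if __name__ == "__main__":
    print(cfscript_file_section(SAMPLE_LOG))
```

Run on the sample, the File:: section lists the three distinct E:\ paths once each; the restore-point and quarantine copies are reported but kept out of the script, since deleting from a restore point by hand is pointless when the toggle clears all of them. The path split is a heuristic: a directory name that itself ends in ".exe " would be cut short, so eyeball the output before dropping it onto ComboFix.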


#8 sutra

sutra

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 25 January 2012 - 11:09 AM



Hello again,

My computer seems to be running ok apart from start up which is now
taking about 4/5 minutes to complete. When I power up I get the XP
Microsoft screen, then the message "Windows is starting up" followed
by the "Welcome" screen. This takes about 2 minutes. I then get the
desktop but without any icons. After about 90 seconds the icons load
and it starts to load running programs in the bottom right hand corner,
this takes around 1 minute. Once start up is complete when I click on
a program or website they come up quite quickly.

Once again, thanks for your help. I won't know until reboot if
start up time has improved. I enclose logs as requested

ComboFix 12-01-23.02 - Brian 25/01/2012 8:22.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1307 [GMT 0:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript..txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"e:\igor\giveawaytemplate\SoftonicDownloader_for_nvu.exe"
"e:\set up folder\asc-setup.exe"
"e:\set up folder\asc-setup.exee:\set up folder\cnet_EFRCSetup_exe.exe"
"e:\set up folder\cnet_EFRCSetup_exe.exe"
"e:\set up folder\imf-setup.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
e:\igor\giveawaytemplate\SoftonicDownloader_for_nvu.exe
e:\set up folder\asc-setup.exe
e:\set up folder\cnet_EFRCSetup_exe.exe
e:\set up folder\imf-setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-25 to 2012-01-25 )))))))))))))))))))))))))))))))
.
.
2012-01-20 09:16 . 2012-01-20 09:16 -------- d-----w- c:\program files\ESET
2012-01-20 09:08 . 2012-01-20 09:08 388096 ----a-r- c:\documents and settings\Brian\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-01-20 09:08 . 2012-01-20 09:08 -------- d-----w- c:\program files\Trend Micro
2012-01-19 13:45 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-01-16 06:51 . 2012-01-23 19:02 -------- d-----w- c:\documents and settings\Brian\.thumbnails
2012-01-14 10:17 . 2011-10-14 14:47 23040 -c----w- c:\windows\system32\dllcache\mciseq.dll
2012-01-14 10:17 . 2011-10-14 14:47 176128 -c----w- c:\windows\system32\dllcache\winmm.dll
2012-01-14 10:15 . 2011-11-03 15:28 386048 -c----w- c:\windows\system32\dllcache\qdvd.dll
2012-01-14 10:14 . 2011-11-18 12:35 60416 -c----w- c:\windows\system32\dllcache\packager.exe
2012-01-14 10:05 . 2012-01-14 10:05 -------- d-----w- c:\windows\system32\winrm
2012-01-12 07:27 . 2012-01-12 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2012-01-11 06:46 . 2012-01-11 06:46 -------- d-----w- c:\documents and settings\Brian\Local Settings\Application Data\Ilivid Player
2012-01-11 06:46 . 2012-01-11 06:46 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318}
2012-01-11 06:44 . 2012-01-11 06:45 -------- d-----w- c:\program files\Windows iLivid Toolbar
2012-01-10 05:13 . 2012-01-10 05:13 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-10 05:13 . 2012-01-10 05:13 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-10 05:13 . 2012-01-10 05:13 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-10 05:13 . 2012-01-10 05:13 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-05 14:22 . 2012-01-05 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-01-05 11:30 . 2012-01-05 11:35 -------- d-----w- c:\program files\Facebook Buzz
2012-01-04 19:21 . 2012-01-04 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2012-01-04 19:17 . 2012-01-04 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2012-01-04 18:31 . 2012-01-04 18:31 -------- d-----w- c:\windows\system32\CatRoot_bak
2012-01-04 06:15 . 2012-01-04 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-12-29 10:33 . 2012-01-14 07:31 -------- d-----w- c:\program files\eBook Maestro FREE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 15:24 . 2011-09-22 13:26 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-09 08:03 . 2011-10-06 06:52 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-11-25 21:57 . 2006-06-06 09:55 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2006-06-06 09:55 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2006-06-06 09:55 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2006-06-06 09:55 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2006-06-06 09:55 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-12 07:49 . 2011-10-04 17:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20 . 2006-06-06 09:55 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2006-06-06 09:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2006-06-06 09:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2006-06-06 09:54 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2006-06-06 09:55 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2006-06-06 09:55 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2006-06-06 09:55 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2006-06-06 09:54 33280 ----a-w- c:\windows\system32\csrsrv.dll
2012-01-10 05:13 . 2011-10-14 06:35 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-22_10.38.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-06-06 09:55 . 2012-01-22 09:53 71572 c:\windows\system32\perfc009.dat
+ 2006-06-06 09:55 . 2012-01-25 06:29 71572 c:\windows\system32\perfc009.dat
+ 2006-06-06 09:55 . 2012-01-25 06:29 441908 c:\windows\system32\perfh009.dat
- 2006-06-06 09:55 . 2012-01-22 09:53 441908 c:\windows\system32\perfh009.dat
+ 2011-06-06 12:55 . 2011-06-06 12:55 1189004 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\JSByteCodeWin.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE" [2009-11-25 95632]
"TOSCDSPD"="c:\program files\toshiba\toscdspd\toscdspd.exe" [2005-04-11 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="thpsrv" [X]
"SkyTel"="SkyTel.EXE" [2006-04-24 1448960]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-05-18 253952]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-04 88204]
"TPSODDCtl"="TPSODDCtl.exe" [2006-05-19 102400]
"TFNF5"="TFNF5.exe" [2006-04-11 622592]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-08-31 102400]
"TOSDCR"="TOSDCR.EXE" [2005-12-12 57344]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-09 16207360]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2003-08-18 1048576]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-06-30 24576]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-06-29 28739]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-11-25 54672]
"QuickTime Task"="e:\quicktime\QTTask.exe" [2008-09-06 413696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"MobileConnect"="c:\program files\vodafone\vodafone mobile connect\bin\mobileconnect.exe" [2008-10-09 2086912]
"Microsoft Works Portfolio"="c:\program files\microsoft works\wkssb.exe" [2000-07-03 311350]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"DLA"="c:\windows\system32\dla\dlactrlw.exe" [2005-10-06 122940]
"NDSTray.exe"="ndstray.exe" [BU]
"TPSMain"="tpsmain.exe" [2006-05-19 299008]
"Apoint"="c:\program files\apoint2k\apoint.exe" [2004-03-24 196608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Brian\Start Menu\Programs\Startup\
Camio Viewer.lnk - c:\program files\Sierra Imaging\Image Expert\IXApplet.exe [2011-9-23 98816]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-6-29 24633]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
2009-11-25 20:42 95632 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [27/12/2004 22:31 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [06/06/2006 13:27 6144]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [06/10/2011 06:52 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [06/10/2011 06:52 86224]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [06/10/2011 06:52 463824]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [09/10/2008 14:32 14336]
R3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\drivers\WG511ICB.sys [22/03/2004 15:50 390016]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [06/06/2006 13:49 35968]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 20:37 4640000]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [06/06/2006 09:55 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://btyahoo.com/
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\tw9h3p8f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://home.bt.yahoo.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-25 08:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,80,b1,96,27,61,73,41,b3,53,d9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,80,b1,96,27,61,73,41,b3,53,d9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(912)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
- - - - - - - > 'explorer.exe'(3004)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\progra~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\windows\system32\ThpSrv.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\windows\SkyTel.EXE
c:\windows\AGRSMMSG.exe
c:\windows\system32\thpsrv.exe
c:\windows\RTHDCPL.EXE
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\tpsmain.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Apoint2K\Apntex.exe
.
**************************************************************************
.
Completion time: 2012-01-25 08:40:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-25 08:40
ComboFix2.txt 2012-01-24 06:50
ComboFix3.txt 2012-01-22 10:43
.
Pre-Run: 297,477,885,952 bytes free
Post-Run: 297,315,336,192 bytes free
.
- - End Of File - - 3352079AF8FF9CA2264D3001D235FF57

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:00:32, on 25/01/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\QuickTime\QTTask.exe
C:\program files\microsoft works\wkssb.exe
C:\windows\system32\dla\dlactrlw.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\tpsmain.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\program files\apoint2k\apoint.exe
C:\PROGRAM FILES\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE
C:\program files\toshiba\toscdspd\toscdspd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://btyahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [QuickTime Task] "E:\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MobileConnect] %programfiles%\vodafone\vodafone mobile connect\bin\mobileconnect.exe /silent
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\program files\microsoft works\wkssb.exe /allusers
O4 - HKLM\..\Run: [igfxtray] c:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [DLA] c:\windows\system32\dla\dlactrlw.exe
O4 - HKLM\..\Run: [NDSTray.exe] ndstray.exe
O4 - HKLM\..\Run: [TPSMain] tpsmain.exe
O4 - HKLM\..\Run: [Apoint] c:\program files\apoint2k\apoint.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\PROGRAM FILES\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE"
O4 - HKCU\..\Run: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Web Protection (AntiVirWebService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

--
End of file - 9606 bytes

C:\Documents and Settings\Brian\My Documents\Downloads\imf-setup.exe a variant of Win32/Toolbar.Widgi application
C:\Program Files\Trend Micro\HiJackThis\backups\backup-20120122-094750-233.dll Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\DnsBHO.dll a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll a variant of Win32/Toolbar.SearchSuite application
C:\Qoobox\Quarantine\E\Igor\giveawaytemplate\SoftonicDownloader_for_nvu.exe.vir a variant of Win32/SoftonicDownloader.A application
C:\Qoobox\Quarantine\E\Set Up Folder\asc-setup.exe.vir a variant of Win32/Toolbar.Widgi application
C:\Qoobox\Quarantine\E\Set Up Folder\cnet_EFRCSetup_exe.exe.vir a variant of Win32/InstallCore.D application
C:\Qoobox\Quarantine\E\Set Up Folder\imf-setup.exe.vir a variant of Win32/Toolbar.Widgi application
E:\System Volume Information\_restore{D31C8A4A-A60E-4289-93EB-43E77D1210E8}\RP97\A0024128.exe a variant of Win32/Toolbar.Widgi application

#9 The Dark Knight
    Malware Vigilante
  • Trusted Advisor*
  • 2,214 posts

Posted 25 January 2012 - 05:11 PM

Hello sutra. :)

Please use the [image] button to reply so my post is not posted back to me.


Just a little more cleanup:

  • Please close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quotebox below into it:

    Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail.

    killall::

    File::
    C:\Documents and Settings\Brian\My Documents\Downloads\imf-setup.exe
    E:\Set Up Folder\cnet_EFRCSetup_exe.exe

  • Save this as CFScript.txt, in the same location as ComboFix.exe.

    [image: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at C:\ComboFix.txt.
Please post the ComboFix.txt in your next reply.
==========

I notice in HJT that you have the following programs loading when you start your computer (all of the below are unnecessary):

[SkyTel] (part of the Realtek audio chipsets but isn't needed on startup)
[00THotkey] (allows you to use the play buttons on your laptop)
[000StTHK] (allows you to use Hotkeys)
[TFNF5] (allows you to use more Hotkeys)
[SmoothView] (allows for automatic zoom in some programs)
[TouchED] (TouchPad on/off utility)
[TosHKCW.exe] (extra functions for Hotkeys)
[WorksFUD] (a marketing program for Microsoft Works)
[Microsoft Works Update Detection] (checks for updates for Microsoft Works)
[HP Software Update] (checks for updates for HP software)
[OM2_Monitor] (imaging program)
[QuickTime Task] (runs Quicktime)
[Adobe ARM] (allows Adobe to load faster)
[MobileConnect] (for Vodafone)
[Microsoft Works Portfolio] (part of Microsoft Works)
[DLA] (part of RecordNow)
[NDSTray.exe] (part of ConfigFree Tray)
[TPSMain] (part of Toshiba Power Saver)
[Apoint] (part of the TouchPad)
[OM2_Monitor] (part of an imaging program)
[TOSCDSPD] (part of the CD/DVD drivers)
Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (part of CreativePro)
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (part of HP)
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (part of Microsoft Office)
Microsoft Works Calendar Reminders.lnk = ? (Microsoft Works Calendar)

In your next post please give me an indication if you would like to remove any of the above from startup and I will give you instructions on how to do so.


Also, you didn't attach the log from ESET in your last post. Please post it in your next reply.
===========

Please provide the following when you reply:
  • ComboFix.txt.
  • Programs you want removed from startup.
  • ESET log.

Edited by The Dark Knight, 25 January 2012 - 05:55 PM.

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!

If I have helped you please consider donating to help keep this forum running; see this topic for more details.



#10 sutra
    Member
  • Full Member
  • 23 posts

Posted 26 January 2012 - 05:04 AM

Hi, The Dark Knight,

I checked and unchecked system restore, but startup is still taking 4/5 minutes.

With regards to unnecessary programs, would it be ok to delete them all?

With regards to the ESET log, after the scan is completed it shows the number of infected files and whether I want to remove them, which I don't. I click on show details and the infected files are shown. There doesn't appear to be any link to bring up a log file, or that one has been downloaded onto my computer.

Below are the files from the previous scan. Also the Combo log.

C:\Documents and Settings\Brian\My Documents\Downloads\imf-setup.exe a variant of Win32/Toolbar.Widgi application
C:\Program Files\Trend Micro\HiJackThis\backups\backup-20120122-094750-233.dll Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\DnsBHO.dll a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll a variant of Win32/Toolbar.SearchSuite application
C:\Qoobox\Quarantine\E\Igor\giveawaytemplate\SoftonicDownloader_for_nvu.exe.vir a variant of Win32/SoftonicDownloader.A application
C:\Qoobox\Quarantine\E\Set Up Folder\asc-setup.exe.vir a variant of Win32/Toolbar.Widgi application
C:\Qoobox\Quarantine\E\Set Up Folder\cnet_EFRCSetup_exe.exe.vir a variant of Win32/InstallCore.D application
C:\Qoobox\Quarantine\E\Set Up Folder\imf-setup.exe.vir a variant of Win32/Toolbar.Widgi application
E:\System Volume Information\_restore{D31C8A4A-A60E-4289-93EB-43E77D1210E8}\RP97\A0024128.exe a variant of Win32/Toolbar.Widgi application

ComboFix 12-01-23.02 - Brian 26/01/2012 7:01.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1430 [GMT 0:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript 2.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\documents and settings\Brian\My Documents\Downloads\imf-setup.exe"
"e:\set up folder\cnet_EFRCSetup_exe.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Brian\My Documents\Downloads\imf-setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-26 to 2012-01-26 )))))))))))))))))))))))))))))))
.
.
2012-01-20 09:16 . 2012-01-20 09:16 -------- d-----w- c:\program files\ESET
2012-01-20 09:08 . 2012-01-20 09:08 388096 ----a-r- c:\documents and settings\Brian\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-01-20 09:08 . 2012-01-20 09:08 -------- d-----w- c:\program files\Trend Micro
2012-01-19 13:45 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-01-16 06:51 . 2012-01-23 19:02 -------- d-----w- c:\documents and settings\Brian\.thumbnails
2012-01-14 10:17 . 2011-10-14 14:47 23040 -c----w- c:\windows\system32\dllcache\mciseq.dll
2012-01-14 10:17 . 2011-10-14 14:47 176128 -c----w- c:\windows\system32\dllcache\winmm.dll
2012-01-14 10:15 . 2011-11-03 15:28 386048 -c----w- c:\windows\system32\dllcache\qdvd.dll
2012-01-14 10:14 . 2011-11-18 12:35 60416 -c----w- c:\windows\system32\dllcache\packager.exe
2012-01-14 10:05 . 2012-01-14 10:05 -------- d-----w- c:\windows\system32\winrm
2012-01-12 07:27 . 2012-01-12 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2012-01-11 06:46 . 2012-01-11 06:46 -------- d-----w- c:\documents and settings\Brian\Local Settings\Application Data\Ilivid Player
2012-01-11 06:46 . 2012-01-11 06:46 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318}
2012-01-11 06:44 . 2012-01-11 06:45 -------- d-----w- c:\program files\Windows iLivid Toolbar
2012-01-10 05:13 . 2012-01-10 05:13 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-10 05:13 . 2012-01-10 05:13 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-10 05:13 . 2012-01-10 05:13 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-10 05:13 . 2012-01-10 05:13 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-05 14:22 . 2012-01-05 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-01-05 11:30 . 2012-01-05 11:35 -------- d-----w- c:\program files\Facebook Buzz
2012-01-04 19:21 . 2012-01-04 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2012-01-04 19:17 . 2012-01-04 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2012-01-04 18:31 . 2012-01-04 18:31 -------- d-----w- c:\windows\system32\CatRoot_bak
2012-01-04 06:15 . 2012-01-04 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-12-29 10:33 . 2012-01-14 07:31 -------- d-----w- c:\program files\eBook Maestro FREE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 15:24 . 2011-09-22 13:26 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-09 08:03 . 2011-10-06 06:52 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-11-25 21:57 . 2006-06-06 09:55 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2006-06-06 09:55 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2006-06-06 09:55 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2006-06-06 09:55 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2006-06-06 09:55 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-12 07:49 . 2011-10-04 17:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20 . 2006-06-06 09:55 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2006-06-06 09:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2006-06-06 09:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2006-06-06 09:54 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2006-06-06 09:55 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2006-06-06 09:55 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2006-06-06 09:55 1288704 ----a-w- c:\windows\system32\ole32.dll
2012-01-10 05:13 . 2011-10-14 06:35 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-22_10.38.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-06-06 09:55 . 2012-01-22 09:53 71572 c:\windows\system32\perfc009.dat
+ 2006-06-06 09:55 . 2012-01-25 08:38 71572 c:\windows\system32\perfc009.dat
+ 2006-06-06 09:55 . 2012-01-25 08:38 441908 c:\windows\system32\perfh009.dat
- 2006-06-06 09:55 . 2012-01-22 09:53 441908 c:\windows\system32\perfh009.dat
+ 2011-06-06 12:55 . 2011-06-06 12:55 1189004 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\JSByteCodeWin.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE" [2009-11-25 95632]
"TOSCDSPD"="c:\program files\toshiba\toscdspd\toscdspd.exe" [2005-04-11 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="thpsrv" [X]
"SkyTel"="SkyTel.EXE" [2006-04-24 1448960]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-05-18 253952]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-04 88204]
"TPSODDCtl"="TPSODDCtl.exe" [2006-05-19 102400]
"TFNF5"="TFNF5.exe" [2006-04-11 622592]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-08-31 102400]
"TOSDCR"="TOSDCR.EXE" [2005-12-12 57344]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-09 16207360]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2003-08-18 1048576]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-06-30 24576]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-06-29 28739]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-11-25 54672]
"QuickTime Task"="e:\quicktime\QTTask.exe" [2008-09-06 413696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"MobileConnect"="c:\program files\vodafone\vodafone mobile connect\bin\mobileconnect.exe" [2008-10-09 2086912]
"Microsoft Works Portfolio"="c:\program files\microsoft works\wkssb.exe" [2000-07-03 311350]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"DLA"="c:\windows\system32\dla\dlactrlw.exe" [2005-10-06 122940]
"NDSTray.exe"="ndstray.exe" [BU]
"TPSMain"="tpsmain.exe" [2006-05-19 299008]
"Apoint"="c:\program files\apoint2k\apoint.exe" [2004-03-24 196608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Brian\Start Menu\Programs\Startup\
Camio Viewer.lnk - c:\program files\Sierra Imaging\Image Expert\IXApplet.exe [2011-9-23 98816]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-6-29 24633]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
2009-11-25 20:42 95632 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [27/12/2004 22:31 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [06/06/2006 13:27 6144]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [06/10/2011 06:52 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [06/10/2011 06:52 86224]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [06/10/2011 06:52 463824]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [09/10/2008 14:32 14336]
R3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\drivers\WG511ICB.sys [22/03/2004 15:50 390016]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [06/06/2006 13:49 35968]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 20:37 4640000]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [06/06/2006 09:55 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://btyahoo.com/
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\tw9h3p8f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://home.bt.yahoo.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-26 07:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,80,b1,96,27,61,73,41,b3,53,d9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,80,b1,96,27,61,73,41,b3,53,d9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(912)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
- - - - - - - > 'explorer.exe'(2936)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\progra~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\windows\system32\ThpSrv.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\windows\SkyTel.EXE
c:\windows\AGRSMMSG.exe
c:\windows\system32\thpsrv.exe
c:\windows\RTHDCPL.EXE
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\tpsmain.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Apoint2K\Apntex.exe
.
**************************************************************************
.
Completion time: 2012-01-26 07:18:29 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-26 07:18
ComboFix2.txt 2012-01-25 08:40
ComboFix3.txt 2012-01-24 06:50
ComboFix4.txt 2012-01-22 10:43
.
Pre-Run: 303,337,869,312 bytes free
Post-Run: 303,328,432,128 bytes free
.
- - End Of File - - A2C8332B42F2D05C25CA469EA73AE704

#11 The Dark Knight
    Malware Vigilante
  • Trusted Advisor*
  • 2,214 posts

Posted 26 January 2012 - 06:01 AM

Hey sutra. :)

Please use HijackThis to remove all those programs from startup:

  • Please open HijackThis.
  • Click Do a system scan only
  • Check these entries (if present):

O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [QuickTime Task] "E:\QuickTime\QTTask.exe" -atboot
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MobileConnect] %programfiles%\vodafone\vodafone mobile connect\bin\mobileconnect.exe /silent
O4 - HKLM\..\Run: [ApnUpdater] c:\program files\ask.com\updater\updater.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\program files\microsoft works\wkssb.exe /allusers
O4 - HKLM\..\Run: [DLA] c:\windows\system32\dla\dlactrlw.exe
O4 - HKLM\..\Run: [NDSTray.exe] ndstray.exe
O4 - HKLM\..\Run: [TPSMain] tpsmain.exe
O4 - HKLM\..\Run: [Apoint] c:\program files\apoint2k\apoint.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [OM2_Monitor] "C:\PROGRAM FILES\OLYMPUS\OLYMPUS MASTER 2\MMONITOR.EXE"
O4 - HKCU\..\Run: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
O4 - HKUS\S-1-5-21-376223065-1116662459-1246894612-500\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-376223065-1116662459-1246894612-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?


  • Please close all other open windows and click Fix checked.
  • Close HijackThis.
  • Reboot your computer.
==========

Please post a fresh HJT log in your next post and please let me know if your startup has improved. :thumbup:


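As an added example (not from this thread, HijackThis or ComboFix), here is a small Python triage script for O4 lines in the shape shown in the post above: it parses the registry Run values and startup-folder shortcuts, picks out the value names the helper cleared for removal, and separately flags entries that cannot be verified from the log alone (a bare executable name with no directory, or a shortcut whose target HijackThis could not resolve). The sample log lines and the removal list are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of HijackThis 2.0.4 "O4" lines (not the
# thread's full log): HKLM/HKCU/HKUS Run values and startup-folder shortcuts.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ApnUpdater] c:\program files\ask.com\updater\updater.exe
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-21-376223065-1116662459-1246894612-500\..\Run: [TOSCDSPD]C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User 'Administrator')
O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
"""

# Value names the helper in this thread listed as safe to remove (constructed
# subset, lower-cased so matching is case-insensitive).
REMOVE_NAMES = {"skytel", "apnupdater", "msmsgs", "toscdspd", "camio viewer.lnk"}

# Registry Run entry. The hive may carry a SID (HKUS\S-1-5-...) or ".DEFAULT",
# the command may follow the bracket with or without a space, and HKUS lines
# end with the account name in "(User '...')".
O4_REG = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: "
    r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']+)'\))?\s*$"
)
# Startup-folder shortcut; "= ?" means HijackThis could not resolve the target.
O4_LNK = re.compile(
    r"^O4 - (?P<kind>Global Startup|Startup): (?P<name>.+?\.lnk) = (?P<cmd>.*)$"
)


@dataclass
class Autostart:
    source: str           # registry hive (with SID for HKUS) or startup folder
    name: str             # Run value name or .lnk file name
    command: str          # command line exactly as HijackThis printed it
    user: Optional[str]   # account from "(User '...')" on HKUS lines, else None


def parse_o4(log_text: str) -> List[Autostart]:
    """Extract every O4 autostart entry from a HijackThis log."""
    entries: List[Autostart] = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = O4_REG.match(line)
        if m:
            entries.append(Autostart(m["hive"], m["name"], m["cmd"].strip(), m["user"]))
            continue
        m = O4_LNK.match(line)
        if m:
            entries.append(Autostart(m["kind"], m["name"], m["cmd"].strip(), None))
    return entries


def bare_executable(command: str) -> bool:
    """True when the command names an executable with no directory at all
    (e.g. 'SkyTel.EXE' or 'thpsrv /logon'). Windows resolves such a name
    through its search path at logon, so the log alone does not show which
    file actually runs; check the file on disk before trusting the entry."""
    parts = command.strip().strip('"').split()
    if not parts:
        return False
    return not any(ch in parts[0] for ch in "\\:%")


def triage(entries: List[Autostart], remove_names: set
           ) -> Tuple[List[Autostart], List[Tuple[Autostart, str]], List[Autostart]]:
    """Split entries into: cleared for removal, needs a closer look (with the
    reason), and everything else."""
    to_fix: List[Autostart] = []
    review: List[Tuple[Autostart, str]] = []
    keep: List[Autostart] = []
    for e in entries:
        if e.name.lower() in remove_names:
            to_fix.append(e)
        elif e.command == "?":
            review.append((e, "target not resolved"))
        elif bare_executable(e.command):
            review.append((e, "bare executable name"))
        else:
            keep.append(e)
    return to_fix, review, keep


if __name__ == "__main__":
    fix, look, rest = triage(parse_o4(SAMPLE_HJT_LOG), REMOVE_NAMES)
    print("Check in HijackThis and 'Fix checked':")
    for e in fix:
        who = f" (User '{e.user}')" if e.user else ""
        print(f"  {e.source}: [{e.name}] {e.command}{who}")
    print("Verify on disk before deciding:")
    for e, why in look:
        print(f"  {e.source}: [{e.name}] {e.command}  <- {why}")
    print(f"Left alone: {[e.name for e in rest]}")
```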

#12 sutra
    Member
  • Full Member
  • 23 posts

Posted 27 January 2012 - 03:13 AM

Hi once again,

I have deleted the programs listed in HJT but, sorry to say, there is no improvement in startup, though once startup is completed everything runs quite well.

I enclose HJT log as requested.

sutra

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 08:05:33, on 27/01/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe
C:\Program Files\Avira\AntiVir Desktop\updrgui.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://btyahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [igfxtray] c:\windows\system32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Web Protection (AntiVirWebService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

--
End of file - 6832 bytes

#13 The Dark Knight
    Malware Vigilante
  • Trusted Advisor*
  • 2,214 posts

Posted 27 January 2012 - 06:03 AM

Hello sutra. :)

I do not believe the slow startup is due to malware, which is good news. :thumbup:

You could try the tips mentioned here:

http://www.wikihow.c...-Startup-Faster

If that doesn't help, please consider visiting BleepingComputer and getting help from one of the tech experts there. :thumbup:
==========

Finally, to ensure you reduce the likelihood of future infections, I recommend following the suggestions in this guide.

Please consider checking out the security add-ons for Mozilla Firefox (in particular Adblock Plus, NoScript and Web of Trust).

Please consider installing and running the following program; it has a free version:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.


Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them.


Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here:

http://www.spywarewa...nti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please also read Tony Klein's excellent article: So how did I get infected in the first place?

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!

If I have helped you please consider donating to help keep this forum running; see this topic for more details.



#14 The Dark Knight

The Dark Knight

    Malware Vigilante

  • Trusted Advisor*
  • PipPipPipPipPip
  • 2,214 posts

Posted 02 February 2012 - 09:25 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!

If I have helped you please consider donating to help keep this forum running; see this topic for more details.
