TheChosenOne1123

Need help fast...

38 posts in this topic

ok since no one replied in the other forum i decided to put it here since i'm in desperate need of help with my sister's laptop, she is begging me to fix it

 

*new log is further down in other posts. ignore this log, it is old.

 

Logfile of HijackThis v1.97.7

Scan saved at 8:15:02 PM, on 5/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DVDRAMSV.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe

C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\00THotkey.exe

C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE

C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE

C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE

C:\WINDOWS\System32\TFNF5.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\WINDOWS\System32\SxgTkBar.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\Winamp3\winampa.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\WINDOWS\sysupd.exe

C:\docume~1\yen\locals~1\temp\RwLS.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\System32\pexvwsi.exe

C:\WINDOWS\System32\JxzW8.exe

C:\WINDOWS\System32\Rfq78ld.exe

C:\toshiba\ivp\ism\ivpsvmgr.exe

C:\Program Files\AIM95\aim.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Yen\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/

R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon

O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service

O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE

O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [sxgTkBar] SxgTkBar.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [spyHunter] C:\Program Files\SpyHunter\SpyHunter.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [LSPFix] C:\Program Files\Common Files\eAcceleration\LSPfix\LSPmonitor.exe normal

O4 - HKLM\..\Run: [sysUpd] C:\WINDOWS\sysupd.exe

O4 - HKLM\..\Run: [cqifH] C:\docume~1\yen\locals~1\temp\cqifH.exe

O4 - HKLM\..\Run: [RwLS] C:\docume~1\yen\locals~1\temp\RwLS.exe

O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\MvuC1.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [qbdcopjbtd] C:\WINDOWS\System32\pexvwsi.exe

O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe

O4 - HKLM\..\RunOnce: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webi...ave/Install.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/11486288ceff44fd8a03/...ip/RdxIE601.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7646.6992824074

O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/angelx/So...eDownloader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak02.pictures.aol.com/ygp/aol/plug...ad.1.0.9.14.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

 

 

This is for my sister's computer. First of all, i'll tell you the full story.

 

About 4 weeks ago there was suddenly an outburst of spyware on her computer, she dunno why, and i simply used ad-aware to delete them, well most of em but some of em were still there, she said it was ok. about 2 weeks later, voilà! another outburst of spyware, then i used ad-aware but it couldn't delete ALL of it, so i downloaded spybot and SpywareBlaster and HijackThis and used spybot to get rid of a lot (most of it), but my sister still complains of getting ads. (btw, every 2 weeks her computer is hijacked by spyware of some kind) and it installs unwanted programs on her computer, too. So i thought Spybot could get rid of them, but it couldn't get rid of all. no matter what i try, 2 are always there, which are DSO exploit and TSCASH (which i checked info, is 0190 dialer, which i'm really scared of, i mean my parents might get extremely mad at the next phone bill) and sometimes this thing called VX2 may come back. ad-aware 6 detects VX2 as VX2.BetterInternet, with some tracking cookies. Spybot just says VX2 something. well, (i think TSplus and betterinternet thingy may have some relation). so i got fed up and decided to try HijackThis, since there were still annoying pop ups on my sis's computer and i knew if i still didn't get rid of them, it would eventually install even more spyware and adware on her laptop. when i first used HijackThis, i saw some programs which said : Host (IP address here) and a lot of weird sites, like www. worldsex. com and www. gator. com , etc. i didn't know how they got there, since my sister only goes to music sites like mtv.com. i decided to delete some of them right away, not knowing what they were, but ALL of them looked suspicious, i deleted the ones that said sex and one that said mptraffic, and i scanned a new log and the others were gone (even gator and the ones i didn't delete, lol, they might still be hiding with something that says Host: (IP address of Laptop)) but Spybot still detects VX2 and DXO Exploit and TSCash.
Well hopefully my HijackLog will explain and try to delete all of them, because when i went to the Run file that Spybot said TScash was, i tried to delete it but spybot said it couldn't be deleted cuz it's in use. btw it also said another thing below TScash was a file called 0910 dialer, which is the component dealing with TSCash spyware. I need to get rid of all these ads by deleting All the spyware and adware left, which ad-aware and spybot simply cannot delete now. oh btw i accidentally opened the file that spybot said Tscash was in, which was C:\Windows\Sysupd, i dunno if it can damage my computer by opening it lol.

Hopefully someone can help me, my sister can't take it much longer, me and my family are anxious, because i'm worried about it. An overview again, and please help as soon as possible, i can't take it much longer

 

 

Ad-Aware detects : VX2.betterinternet. and its components (around 20 in total) and some program called Stop Pop. [Description: Fake pop-up blocker that gives popups ]

Spybot Detects: TSCash, 5 DXExploit files, and sometimes something called VX2 (doesn't always detect Vx2, it might be hidden)

btw, can anyone tell me, if they have any knowledge of where VX2.betterinternet comes out of? i think it might be the one giving my sis's laptop an outbreak of spyware and hijacked homepages every few weeks. well hopefully someone can help. and when i delete all of them (even tho i dunno what happened to the HijackThis thing that said Host: IP: GATOR and Host:IP:www.gator.com and even more, i simply deleted the porn ones and the others went away lol) i might also have a virus or trojan or worm or joke program making the spyware but my sis does not want to scan using Norton 2004 Professional. lol . i hope Spywareblaster can prevent any more spyware from coming in. Thx in advance anyone, and god bless ! *btw, did i tell you that the 5 DXO exploit is also in my computer? o_O and someone tell me if it is dangerous, also lol*

Edited by TheChosenOne1123


O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

 

I deleted the following file cuz I just checked the BHO thingy around here and it said it was TwainTec adware which looked suspicious. so basically that's probably out, but i'll post a new log file when i can get back to my sis's laptop


you might have got charged on the phone when you clicked the dialer... disconnect the phone line from the comp when not in use so you can avoid getting charged. ;)


look into msconfig and look at the things that start at startup; if you didn't install it, uncheck it. please be careful of what you uncheck, your computer might fail to turn on again.


uhm ok i'm just gonna uncheck "sysupd" at startup for now. and for chris22, my parents don't really allow me to do anything dealing with the computer or phone lines or that shit, so i gotta find a way to get rid of it, btw if i get rid of it will it not be there or charge my phone line anymore? lol [sorry for asking, very new to spyware and adware and don't know much about these computer things] i'm like OH SHIT when chris22 told me that could happen.


erm, can anyone tell me from the log just how many problems i have? o_O? i might have to reinstall my sister's whole laptop, just too slow to do anything, will that help btw, or is it not worth it? (btw, if i don't, i will install Norton Anti Virus 2004 and try to remove using that, will housecall detect and remove also?)

Edited by TheChosenOne1123


btw, i just found a way to remove TSCash (1090 dialer), but i need to reboot her laptop into safe mode, which is pretty complicated for me o_O last time i pressed f8 constantly it said "cannot load : ########### " except the # was squares, and when i checked HijackThis again, it had 2 new entries like ######### and ######, weird eh?


btw, can anyone tell me a way to find if u have n-CASE on ur laptop, i see this "ncase ads uninstaller" in C:\Windows, when i try to open it it says that file cannot be located in the registry and to type mpdd (something like that) in search and delete those files... don't quite get it.. o_O looks suspicious


new hijack log

 

Logfile of HijackThis v1.97.7

Scan saved at 4:12:08 PM, on 5/27/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DVDRAMSV.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe

C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\sysupd.exe

C:\WINDOWS\System32\pexvwsi.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\docume~1\yen\locals~1\temp\RwLS.exe

C:\docume~1\yen\locals~1\temp\cqifH.exe

C:\Program Files\Winamp3\winampa.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\SxgTkBar.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\WINDOWS\System32\TFNF5.exe

C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE

C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE

C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

C:\WINDOWS\System32\00THotkey.exe

C:\WINDOWS\System32\Sqk2.exe

C:\WINDOWS\System32\Lnoe7L.exe

C:\toshiba\ivp\ism\ivpsvmgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Yen\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\hijackthis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/

R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

F1 - win.ini: load=?????? ??????

F1 - win.ini: run=?????? ??????

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll

O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\PDF5916.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [sysUpd] C:\WINDOWS\sysupd.exe

O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\Lryrg9.exe

O4 - HKLM\..\Run: [safeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF5916.dll

O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll

O4 - HKLM\..\Run: [qbdcopjbtd] C:\WINDOWS\System32\pexvwsi.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [RwLS] C:\docume~1\yen\locals~1\temp\RwLS.exe

O4 - HKLM\..\Run: [cqifH] C:\docume~1\yen\locals~1\temp\cqifH.exe

O4 - HKLM\..\Run: [LSPFix] C:\Program Files\Common Files\eAcceleration\LSPfix\LSPmonitor.exe normal

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [spyHunter] C:\Program Files\SpyHunter\SpyHunter.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [sxgTkBar] SxgTkBar.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client

O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE

O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service

O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webi...ave/Install.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/11486288ceff44fd8a03/...ip/RdxIE601.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7646.6992824074

O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/angelx/So...eDownloader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak02.pictures.aol.com/ygp/aol/plug...ad.1.0.9.14.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab


btw, i can't restart her computer in safe mode, i press f8 when it boots up but then it displays that weird message ( square square square) again and again. The message with the squares in my hijack log is the exact message i get. is there an easier way to get rid of this? ;_;


anyone, lol? i'm desperate :( I clicked fix on

 

F1 - win.ini: load=??? ??? ??? ? ? ?

F1 - win.ini: run=??? ??? ??? ? ? ?

 

so hopefully they won't be there anymore. some spyware/virus/trojan i think i saw.

 

 

-dpusys (notepad said some weird things about dpusys, like McAfee, Norton, and some other virus scanners, i dunno why it mentioned them when i opened dpusys in notepad), btw will it send me a virus? or is dpusys already a virus sent by spyware i have? pointers, please, thx, i cannot find it in the spyware guide database or around the forums.

 

-Twain-Tec.dll , twaintec32, twain, and some more files programs with twain in the name.

 

-some weird program i just saw called 'nCASE ads uninstaller', when i try to open it it says cannot be located in the registry folder and to go to mdpp (something like that) and remove from there. btw, i used ad-aware and spybot, but they never detected n-CASE. can anyone tell from the HJ log if it is there?

 

-TSCash is still there, i just need to restart her laptop in safe mode, which i can't do, every time i try to do it, it displays a weird message when logging on (like ####### cannot load). Somebody told me it happens when u press F8 too soon.

 

-I didn't use Norton 2004 or that Housecall yet, i will once her laptop gets faster (i think spyware/trojan is slowing it down dramatically, at least 5 minutes to get to the main page thingy)

 

-how dangerous can Vx2.betterinternet (ad-aware) / Vx2.F (spybot) be? or that twain-tec shit? i already know TSCash can be quite the deadly, i need to remove it soon as possible.

 

-hopefully if nothing works, i will try to reinstall my sis's laptop and hopefully everything will be back to normal (except that she has sooo many things she downloaded like AIM and stuff she says she does not want. lol)

 

-OR....SpywareBlaster / Spybot protection will help me later on.


oh, btw now it shows 2 sysupd in the regedit file, one says "sysupd" and another "shortcut to sysupd", i renamed the first sysupd cuz i thought i couldn't remove it unless done so, changed it to "DeLSpYware" and automatically the "Shortcut to sysupd" turned into "sysupd" once i changed the name (rename) of the first sysupd.


Download Peper Uninstaller from here - http://www.downloads.subratam.org/uninst.exe.

Then Run this uninstaller (you must be online for the uninstall to be successful).

 

Finally, you are running HijackThis out of a temporary directory. Can you please create a folder in My Documents and call it Hijack (or something similar). Then extract HijackThis into the folder you have created and run it from there. The reason for this is that HijackThis cannot create backup files whilst it is being run from a temporary folder. Then post a fresh HijackThis log as we have more work to do.
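The temporary-folder check asked for above, combined with a comparison of the two logs already posted, as an added example that is not part of the original thread. It uses a few lines copied from the 5/25 and 5/27 logs; the finding labels and rules are assumptions for illustration, and a finding marks an entry for review, not a verdict.

```python
import re

# Excerpts copied from the 5/25/2004 and 5/27/2004 logs in this thread
# (a handful of lines each, blank lines removed).
LOG_0525 = r"""
C:\WINDOWS\sysupd.exe
C:\Documents and Settings\Yen\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [RwLS] C:\docume~1\yen\locals~1\temp\RwLS.exe
O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\MvuC1.exe
"""

LOG_0527 = r"""
C:\WINDOWS\sysupd.exe
C:\Documents and Settings\Yen\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\hijackthis.exe
F1 - win.ini: load=?????? ??????
F1 - win.ini: run=?????? ??????
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [sysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\Lryrg9.exe
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [RwLS] C:\docume~1\yen\locals~1\temp\RwLS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# O4 = registry autostart line: hive, key (Run/RunOnce), value name, command.
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
# F1 = win.ini load=/run= autostart line.
F1_RE = re.compile(r"^F1 - win\.ini: (load|run)=(.*)$")
# Matches both "Local Settings\Temp\" and the 8.3 form "locals~1\temp\".
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def autoruns(log):
    """Map (hive, key, lower-cased value name) -> command for each O4 line."""
    found = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            found[(hive, key, name.lower())] = command.strip()
    return found


def scanner_in_temp(log):
    """True when HijackThis.exe itself is listed as running from a Temp path."""
    for line in log.splitlines():
        line = line.strip()
        if line.lower().endswith("hijackthis.exe") and TEMP_RE.search(line):
            return True
    return False


def review(previous, current):
    """Sorted (kind, detail) findings for `current`, diffed against `previous`."""
    findings = set()
    if scanner_in_temp(current):
        # The situation the helper describes: no backups can be written.
        findings.add(("scanner-in-temp", "hijackthis.exe"))
    for line in current.splitlines():
        m = F1_RE.match(line.strip())
        if m and m.group(2).strip():
            findings.add(("win.ini-autostart", m.group(1)))
    old, new = autoruns(previous), autoruns(current)
    for ident, command in new.items():
        name = ident[2]
        if TEMP_RE.search(command):
            findings.add(("autorun-from-temp", name))
        if ident not in old:
            findings.add(("autorun-added", name))
        elif old[ident].lower() != command.lower():
            # Same value name, different target than in the earlier scan.
            findings.add(("autorun-retargeted", name))
    return sorted(findings)


if __name__ == "__main__":
    for kind, detail in review(LOG_0525, LOG_0527):
        print(f"{kind:20} {detail}")
```

Feeding it the complete logs instead of the excerpts works the same way, provided the blank lines between entries are kept or dropped consistently.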


oh, and yes i will do what u said about HijackThis. btw, are there some viruses/ trojans/ spyware/ adware that prevent her laptop from going into safe mode?


btw, just a note for anyone who cares, (this is for my computer not my sis's laptop), whenever i view the IE or monitor a lot, these weird green OR purple lines start appearing on one of my monitors (the main one, i have dual-screen) and they have a tendency of appearing quite often, and if a lot of them appear on the screen at once, then the monitor shuts off saying (DVI- ? - D ) [normally says (DVI-X-D when i turn it off / on ] My other monitor in the dual screen has no problems or weird graphical lines appearing. a friend told me it has something to do with color (i guess i was playing too much GTA on my monitor, so he told me it used up way too much color i didn't know by that time. so now the main monitor is screwed up like hell and nothing is happening to the other one cuz the other one shuts off automatically while the main monitor can play GTA and the 2nd one is shut off) i set the Color Resolution to 16 bit, but either the lines start appearing as much or even MORE, or the main monitor shuts on and off way too many times when i'm not even doing anything on it... well i guess my computer uses a lot of color, that probably is the main problem, but can it even be a virus or hacker? btw, i disabled system restore to see if that may be the problem.

Edited by TheChosenOne1123


TheChosenOne,

 

Let's complete one problem at a time. Your sister's laptop has lots of other crap too which we will have to fight against. If you want, please start a new thread with "your" problems because it sometimes gets confusing with two problems in the "same" thread.

 

Regarding Peper: the Peper Trojan, also called Troj/Peper-A, Trojan.Peper.A and SandBoxer, downloads files to the user's computer, possibly adware which will open pop-up windows.

And I don't know of viruses/trojans/spyware/adware that prevent safe mode boot. I would love to know if there are any ;)

 

Regards


alright, i uninstalled using the Peper thing link u gave me, i didn't need to do anything lol, it did everything for me real quick o_O ;_:

 

i saved HijackThis into My Documents using the HijackThis i created.

 

Logfile of HijackThis v1.97.7

Scan saved at 11:08:49 AM, on 5/30/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DVDRAMSV.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe

C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\pexvwsi.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Winamp3\winampa.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\SxgTkBar.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\WINDOWS\System32\TFNF5.exe

C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE

C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE

C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

C:\WINDOWS\System32\00THotkey.exe

C:\WINDOWS\sysupd.exe

C:\Program Files\AIM95\aim.exe

C:\toshiba\ivp\ism\ivpsvmgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Yen\My Documents\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll

O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\PDF51e4.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll

O4 - HKLM\..\Run: [qbdcopjbtd] C:\WINDOWS\System32\pexvwsi.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [RwLS] C:\docume~1\yen\locals~1\temp\RwLS.exe

O4 - HKLM\..\Run: [cqifH] C:\docume~1\yen\locals~1\temp\cqifH.exe

O4 - HKLM\..\Run: [LSPFix] C:\Program Files\Common Files\eAcceleration\LSPfix\LSPmonitor.exe normal

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [sxgTkBar] SxgTkBar.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client

O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE

O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service

O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [sysUpd] C:\WINDOWS\sysupd.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [safeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF51e4.dll

O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webi...ave/Install.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/11486288ceff44fd8a03/...ip/RdxIE601.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7646.6992824074

O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/angelx/So...eDownloader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak02.pictures.aol.com/ygp/aol/plug...ad.1.0.9.14.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

 

 

 

is that better? lol


Hello ,

 

Peper is gone it seems. :)

 

Download Spybot S & D and Ad-Aware

 

Press Ctrl, Alt and Del and end task

 

C:\WINDOWS\System32\pexvwsi.exe

C:\WINDOWS\sysupd.exe

 

Now fix the following entries in HijackThis,

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O4 - HKLM\..\Run: [qbdcopjbtd] C:\WINDOWS\System32\pexvwsi.exe

O4 - HKLM\..\Run: [RwLS] C:\docume~1\yen\locals~1\temp\RwLS.exe

O4 - HKLM\..\Run: [cqifH] C:\docume~1\yen\locals~1\temp\cqifH.exe

O4 - HKLM\..\Run: [sysUpd] C:\WINDOWS\sysupd.exe

O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/11486288ceff44fd8a03/...ip/RdxIE601.cab

 

Reboot in SAFE MODE and Show Hidden Files/Folders and delete if found,

 

C:\WINDOWS\System32\pexvwsi.exe

C:\WINDOWS\sysupd.exe

C:\docume~1\yen\locals~1\temp\RwLS.exe

C:\docume~1\yen\locals~1\temp\cqifH.exe

C:\WINDOWS\System32\wnsintsv.exe

 

Then delete the whole temp folder. Now reboot in normal mode, run Spybot and check for updates. Then run a full scan with it. Reboot, run Ad-Aware and check for updates. Then run a complete scan.

 

Reboot in normal mode and post a fresh log

 

Regards


Finally I get the chance to use her laptop.

 

I deleted the entries u fixed after ending the sysupd task, but it keeps coming back! I renamed sysupd to "SpywareDelete" and another one just came back after renaming it. Btw, sysupd also keeps starting up when I go to "Msconfig" where I uncheck sysupd, ANOTHER one shows right up!

 

 

F8 is a bit hard for me, so is there another way to boot into safe mode? Like using "msconfig" and "Diagnostic Setup"? Or is F8 the only way?


Ah hell no.. now HijackThis detects TVMedia and some CleverIEHooker in Spybot, how does my sister keep getting this krap? Luckily my cousin will help me get into safe mode later on. OK, I'll post if I have any more problems or when I'm done doing what Subratam said to do. For nows, laterz


Hi TheChosenOne1123,

 

Are you still waiting for help? If you are, please reply, and I will get you some expert help. You have nasty things here to deal with.


Yeah, can you get an expert to see my problems?

 

The symptoms are getting worse.

 

When my sister tries to print from her laptop to my printer it prints out some of the words, but the others are messed up. Sometimes the words don't appear at all, or they are combined with other letters making a weird symbol, and there are weird symbols all around the place.

 

Recently she has more spyware, I suppose, and there's absolutely nothing I suppose I can do till I can get it in safe mode. My friggin sister doesn't want my cuzin to come and reboot to safe mode, she is very stubborn.

 

I'm afraid Twaintec.dll may be "Adware.Binet", which, in Symantec's database, is also known as "Download.Trojan" and something else. The symptoms are that it might install other trojans or files and is ...uhm...kinda hard for me to remove... Her computer right now is totally messed up, TOTALLY messed up, she even has TV Media now, I dunno how the heck that got in her computer, right now Popup blocker has blocked about 1300 popups in like 2 weeks (considering she NEVER used to get popups).

 

I'll post a fresh log around tomorrow, IF I can ever access her computer, which I think will probably get worse by then... please god, if you can help it would be appreciated


Alright, thx dude, I appreciate it, I dunno how much longer it can last... her homepage hasn't been hijacked for a while, thank god for that, and one problem which can be dealt with later is this thing I see when browsing C:\Windows, "n-CASE ads uninstaller", which is weird. Also, another thing, I keep seeing this thing called "dpusys.d" and some other dpusys stuff. I opened it in Notepad and it displays some weird message displaying the names of McAfee, Norton, and some other virus scanners.

 

Btw, can anyone tell exactly HOW many problems there are? If there are more than 20, then screw that, I'm gonna throw her friggin laptop off a building lol


Hello again,

 

Please post a fresh log. And we will go from there. Do NOT do anything of your own. We will see you through. :)

 

Regards

Edited by Subratam


Thanks Subratam and others, I appreciate your help. I'm pretty sure at least one of her spyware or trojan progs is installing another trojan, not sure lolz.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 8:03:23 AM, on 6/10/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DVDRAMSV.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe

C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\Winamp3\winampa.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE

C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE

C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\TFNF5.exe

C:\WINDOWS\System32\SxgTkBar.exe

C:\Program Files\QuickTime\qttask.exe

C:\toshiba\ivp\ism\pinger.exe

C:\WINDOWS\tavhdb.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\WINDOWS\System32\00THotkey.exe

C:\WINDOWS\sysupd.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Documents and Settings\Yen\My Documents\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll

O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\PDF1117.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"

O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon

O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client

O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service

O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [sxgTkBar] SxgTkBar.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [LSPFix] C:\Program Files\Common Files\eAcceleration\LSPfix\LSPmonitor.exe normal

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [honuhv] C:\WINDOWS\tavhdb.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [sysUpd] C:\WINDOWS\sysupd.exe

O4 - HKLM\..\Run: [safeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF1117.dll

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webi...ave/Install.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7646.6992824074

O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/angelx/So...eDownloader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak02.pictures.aol.com/ygp/aol/plug...ad.1.0.9.14.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

 

 

 

I can't quite restart in safe mode and can't delete sysupd; whenever I try to disable it from starting up using msconfig, another sysupd comes up and I can't disable the 2nd one... god this is getting annoying.. I MUST access safe mode soon!


Omfg woot woot I finally managed to delete sysupd (1090 dialer), without the use of safe mode! This is an unusual but working way:

1. I fixed the [Run] Sysupd entry in HijackThis.

2. While I fixed it, I had Windows Task Manager open and when it fixed, I automatically put "End process" on sysupd.exe.

3. I also had Windows Explorer at C:\WINDOWS open and ready to delete Sysupd (application). When I ended process sysupd.exe I automatically deleted Sysupd in C:\Windows and it went to the Recycle Bin.

4. I then emptied the Recycle Bin right away.

 

 

lol, it was easy to do, I was like OMFG IT'S FINALLY GONE!!! But I don't know yet, it might still be in the Registry or anywhere. After seemingly deleting this dialer, I used Spybot and it didn't detect TSCash anymore. So I'm guessing it's gone for now, never gonna come back, correct? Unless some program in my sis' computer installs it at every reboot... then I'm really screwed... lol

 

And oh, with those 4 techniques I think you have 5 seconds to do everything before sysupd loads again and shows that error deleting message.


Logfile of HijackThis v1.97.7

Scan saved at 8:22:39 AM, on 6/10/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DVDRAMSV.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe

C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\Winamp3\winampa.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE

C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE

C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\TFNF5.exe

C:\WINDOWS\System32\SxgTkBar.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\tavhdb.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\WINDOWS\System32\00THotkey.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\toshiba\ivp\ism\ivpsvmgr.exe

C:\Documents and Settings\Yen\My Documents\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll

O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\PDF1117.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"

O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon

O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client

O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service

O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [sxgTkBar] SxgTkBar.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [LSPFix] C:\Program Files\Common Files\eAcceleration\LSPfix\LSPmonitor.exe normal

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [honuhv] C:\WINDOWS\tavhdb.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [safeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF1117.dll

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webi...ave/Install.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7646.6992824074

O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/angelx/So...eDownloader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak02.pictures.aol.com/ygp/aol/plug...ad.1.0.9.14.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab


Hello ,

 

Press Ctrl, Alt and Del and end task

 

C:\WINDOWS\tavhdb.exe

 

Now fix the following entries in HijackThis,

 

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

O4 - HKLM\..\Run: [honuhv] C:\WINDOWS\tavhdb.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webi...ave/Install.cab

 

Reboot in SAFE MODE and Show Hidden Files/Folders and delete if found,

 

C:\WINDOWS\tavhdb.exe

C:\Program Files\webHancer

C:\Program Files\TV Media

 

Reboot in normal mode and post a fresh log

 

Regards
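The 8:03 and 8:22 logs above differ in only a few entries, and the fix list picks up the "(no file)" leftovers. As an added example (not part of any post in this thread and not HijackThis's own logic), this Python script parses HijackThis entry lines, diffs two scans and lists orphaned entries; the names `Entry`, `parse_log`, `compare` and `orphaned`, and the rule that an entry is identified by its CLSID or Run value name, are assumptions made for the example.

```python
import re
from typing import NamedTuple

# Subset of lines copied from the two 6/10/2004 logs in this thread.
LOG_0803 = r"""
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O4 - HKLM\..\Run: [honuhv] C:\WINDOWS\tavhdb.exe
O4 - HKLM\..\Run: [sysUpd] C:\WINDOWS\sysupd.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
"""
LOG_0822 = r"""
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O4 - HKLM\..\Run: [honuhv] C:\WINDOWS\tavhdb.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


class Entry(NamedTuple):
    code: str     # HijackThis section code, e.g. "O4"
    ident: tuple  # what the entry is: CLSID, or (hive, key, value name)
    target: str   # what it points at: file, command, URL or "(no file)"


def parse_log(text):
    """Return the entry lines of a HijackThis log; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m["code"], m["body"]
        run = RUN_RE.match(body)
        clsid = CLSID_RE.search(body)
        if run:
            ident, target = (run["hive"], run["key"], run["name"]), run["cmd"]
        elif clsid:
            ident, target = (clsid.group(0).upper(),), body.rsplit(" - ", 1)[-1]
        else:
            ident, target = (body,), body
        entries.append(Entry(code, ident, target))
    return entries


def compare(old_text, new_text):
    """Diff two scans: entries removed, added, or kept but pointing somewhere else."""
    old = {(e.code, e.ident): e for e in parse_log(old_text)}
    new = {(e.code, e.ident): e for e in parse_log(new_text)}
    return {
        "removed": [old[k] for k in old if k not in new],
        "added": [new[k] for k in new if k not in old],
        "changed": [(old[k], new[k]) for k in old
                    if k in new and old[k].target != new[k].target],
    }


def orphaned(text):
    """Entries whose registry data survives although the file is gone."""
    return [e for e in parse_log(text) if e.target == "(no file)"]


if __name__ == "__main__":
    diff = compare(LOG_0803, LOG_0822)
    for e in diff["removed"]:
        print("removed:", e.code, e.ident, e.target)
    for before, after in diff["changed"]:
        print("changed:", before.code, before.target, "->", after.target)
    for e in orphaned(LOG_0822):
        print("orphaned:", e.code, e.ident)
```

On these lines the diff reports the sysUpd Run value as removed and the URLSearchHook as now pointing at "(no file)", while the honuhv and TV Media Run values are still present in the later scan.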
