My Control Panel disappeared and I already did the Deckard's System Scanner
#1 cj490

I have been dealing with these viruses for over 3 months!! My computer is Windows XP Tablet PC Edition and I downloaded AVG and a bunch of other things but nothing worked. I am in need of help urgently. Please help before it just shuts down one day!!!

Here is the Notepad output from Deckard's System Scanner:

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-20 20:59:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
32: 2008-05-21 01:01:35 UTC - RP32 - Deckard's System Scanner Restore Point
31: 2008-05-20 01:45:08 UTC - RP31 - System Checkpoint
30: 2008-04-15 01:19:57 UTC - RP30 - Restore Operation
29: 2008-03-31 23:50:38 UTC - RP29 - Restore Operation
28: 2008-02-16 00:53:13 UTC - RP28 - System Checkpoint


-- First Restore Point --
1: 2007-11-29 21:12:23 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 94% (more than 75%).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-20 21:20:54
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\wisptis.exe
C:\WINDOWS\system32\tabbtnu.exe
C:\Documents and Settings\Administrator\hfpkmm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Toshiba\TME3\TMESRV31.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\tabtip.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\WINDOWS\agrsmmsg.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\Program Files\Toshiba\TapButton\TapButt.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Toshiba\TME3\TMERzCtl.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\TME3\TMETEMnu.exe
C:\Program Files\Toshiba\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Toshiba\Acceleration Utilities\Shaker\TSkrMain.exe
C:\Program Files\Toshiba\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\Toshiba\TouchED\TouchED.exe
C:\Symbol Commander\Sensiva.exe
C:\Program Files\Toshiba\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\tpa.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\wmedia32.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\service.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Toshiba\IVP\ISM\Ivpsvmgr.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F0 - win.ini: run=C:\WINDOWS\mmhren1.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Administrator\hfpkmm.exe \s
F3 - REG:win.ini: Run=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Administrator\hfpkmm.exe \s
O1 - Hosts: 10.18.250.4 ad.doubleclick.net
O1 - Hosts: 10.18.250.4 ad.fastclick.net
O1 - Hosts: 10.18.250.4 ads.fastclick.net
O1 - Hosts: 10.18.250.4 ar.atwola.com
O1 - Hosts: 10.18.250.4 atdmt.com
O1 - Hosts: 10.18.250.4 avp.ch
O1 - Hosts: 10.18.250.4 avp.com
O1 - Hosts: 10.18.250.4 avp.ru
O1 - Hosts: 10.18.250.4 awaps.net
O1 - Hosts: 10.18.250.4 banner.fastclick.net
O1 - Hosts: 10.18.250.4 banners.fastclick.net
O1 - Hosts: 10.18.250.4 ca.com
O1 - Hosts: 10.18.250.4 click.atdmt.com
O1 - Hosts: 10.18.250.4 clicks.atdmt.com
O1 - Hosts: 10.18.250.4 customer.symantec.com
O1 - Hosts: 10.18.250.4 dispatch.mcafee.com
O1 - Hosts: 10.18.250.4 download.mcafee.com
O1 - Hosts: 10.18.250.4 download.microsoft.com
O1 - Hosts: 10.18.250.4 downloads-us1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads-us2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads-us3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads.microsoft.com
O1 - Hosts: 10.18.250.4 downloads1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads4.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 engine.awaps.net
O1 - Hosts: 10.18.250.4 f-secure.com
O1 - Hosts: 10.18.250.4 fastclick.net
O1 - Hosts: 10.18.250.4 ftp.avp.ch
O1 - Hosts: 10.18.250.4 ftp.downloads1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.downloads2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.downloads3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.f-secure.com
O1 - Hosts: 10.18.250.4 ftp.kasperskylab.ru
O1 - Hosts: 10.18.250.4 ftp.sophos.com
O1 - Hosts: 10.18.250.4 go.microsoft.com
O1 - Hosts: 10.18.250.4 ids.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 kaspersky-labs.com
O1 - Hosts: 10.18.250.4 kaspersky.com
O1 - Hosts: 10.18.250.4 liveupdate.symantec.com
O1 - Hosts: 10.18.250.4 liveupdate.symantecliveupdate.com
O1 - Hosts: 10.18.250.4 mast.mcafee.com
O1 - Hosts: 10.18.250.4 mcafee.com
O1 - Hosts: 10.18.250.4 media.fastclick.net
O1 - Hosts: 10.18.250.4 microsoft.com
O1 - Hosts: 10.18.250.4 msdn.microsoft.com
O1 - Hosts: 10.18.250.4 my-etrust.com
O1 - Hosts: 10.18.250.4 nai.com
O1 - Hosts: 10.18.250.4 networkassociates.com
O1 - Hosts: 10.18.250.4 norton.com
O1 - Hosts: 10.18.250.4 office.microsoft.com
O1 - Hosts: 10.18.250.4 pandasoftware.com
O1 - Hosts: 10.18.250.4 phx.corporate-ir.net
O1 - Hosts: 10.18.250.4 rads.mcafee.com
O1 - Hosts: 10.18.250.4 secure.nai.com
O1 - Hosts: 10.18.250.4 securityresponse.symantec.com
O1 - Hosts: 10.18.250.4 service1.symantec.com
O1 - Hosts: 10.18.250.4 sophos.com
O1 - Hosts: 10.18.250.4 spd.atdmt.com
O1 - Hosts: 10.18.250.4 support.microsoft.com
O1 - Hosts: 10.18.250.4 symantec.com
O1 - Hosts: 10.18.250.4 trendmicro.com
O1 - Hosts: 10.18.250.4 update.symantec.com
O1 - Hosts: 10.18.250.4 updates.symantec.com
O1 - Hosts: 10.18.250.4 updates1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates4.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates5.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 us.mcafee.com
O1 - Hosts: 10.18.250.4 vil.nai.com
O1 - Hosts: 10.18.250.4 viruslist.com
O1 - Hosts: 10.18.250.4 viruslist.ru
O1 - Hosts: 10.18.250.4 virusscan.jotti.org
O1 - Hosts: 10.18.250.4 virustotal.com
O1 - Hosts: 10.18.250.4 windowsupdate.microsoft.com
O1 - Hosts: 10.18.250.4 www.avp.ch
O1 - Hosts: 10.18.250.4 www.avp.com
O1 - Hosts: 10.18.250.4 www.avp.ru
O1 - Hosts: 10.18.250.4 www.awaps.net
O1 - Hosts: 10.18.250.4 www.ca.com
O1 - Hosts: 10.18.250.4 www.f-secure.com
O1 - Hosts: 10.18.250.4 www.fastclick.net
O1 - Hosts: 10.18.250.4 www.grisoft.com
O1 - Hosts: 10.18.250.4 www.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 www.kaspersky.com
O1 - Hosts: 10.18.250.4 www.kaspersky.ru
O1 - Hosts: 10.18.250.4 www.mcafee.com
O1 - Hosts: 10.18.250.4 www.microsoft.com
O1 - Hosts: 10.18.250.4 www.my-etrust.com
O1 - Hosts: 10.18.250.4 www.nai.com
O1 - Hosts: 10.18.250.4 www.networkassociates.com
O1 - Hosts: 10.18.250.4 www.pandasoftware.com
O1 - Hosts: 10.18.250.4 www.sophos.com
O1 - Hosts: 10.18.250.4 www.symantec.com
O1 - Hosts: 10.18.250.4 www.trendmicro.com
O1 - Hosts: 10.18.250.4 www.viruslist.com
O1 - Hosts: 10.18.250.4 www.viruslist.ru
O1 - Hosts: 10.18.250.4 www.virustotal.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Module - {1B05A5AC-CBE0-4133-945A-3A28C053446F} - wsots32.dll (file missing)
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: C:\WINDOWS\System32\J8dj3jg.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\System32\J8dj3jg.dll (file missing)
O2 - BHO: C:\WINDOWS\System32\Hfkr4g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\System32\Hfkr4g.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect /keeploaded
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
O4 - HKLM\..\Run: [TapButt] C:\Program Files\Toshiba\TapButton\TapButt.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TAcelMgr] C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
O4 - HKLM\..\Run: [TSkrMain] C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
O4 - HKLM\..\Run: [TosRotation] "C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe"
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Sensiva] "C:\Symbol Commander\Sensiva.exe"
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WMedia32] wmedia32.exe
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=http://avsystemcare.com ad=http://avsystemcare.com sd=http://ykeeper.avsystemcare.com
O4 - HKLM\..\Run: [ptask] C:\Program Files\AVSystemCare\ptask.exe
O4 - HKLM\..\Run: [service.exe] C:\WINDOWS\System32\service.exe
O4 - HKLM\..\Run: [Microsoft hren1] C:\WINDOWS\mmhren1.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinMed] winmed.exe
O4 - HKLM\..\Run: [jwpp] C:\WINDOWS\System32\jwpp.exe \u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [AntiVirusProMFC] C:\Program Files\Antivirus Pro\AntiVirus Pro.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZDLM.exe /hide
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Service Pack 1] C:\WINDOWS\TEMP\jweudjtu.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Service Pack 1] C:\WINDOWS\TEMP\jweudjtu.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O9 - Extra 'Tools' menuitem: @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/...h2.1.0.0.68.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/...O1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/...tg.1.0.0.37.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {C487F60B-59B9-47D9-BFDF-AB26786F8823} () - http://zone.msn.com/...oo.cab62201.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/...sh.1.0.0.98.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: ibuntu - C:\WINDOWS\System32\ibuntu.dll (file missing)
O20 - Winlogon Notify: LogCrypt - C:\WINDOWS\System32\LogCrypt.dll (file missing)
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\System32\WLCtrl32.dll (file missing)
O21 - SSODL: ylyXWSPPdZuJIY - {E4D0B51E-4E7A-1FB4-0232-CE9CBBFE5D61} - C:\WINDOWS\System32\wwp.dll (file missing)
O21 - SSODL: CDKernel - {2d538402-ba69-45bb-baf3-9ec86602c3ee} - C:\WINDOWS\Installer\{2d538402-ba69-45bb-baf3-9ec86602c3ee}\CDKernel.dll (file missing)
O21 - SSODL: SysBoot - {166cc5b9-efcd-4c8f-87d9-98274d97cee5} - C:\WINDOWS\Installer\{166cc5b9-efcd-4c8f-87d9-98274d97cee5}\SysBoot.dll (file missing)
O21 - SSODL: DriveSys - {35b9ff6a-32fb-44ef-8838-dd5c572139f6} - C:\WINDOWS\Installer\{35b9ff6a-32fb-44ef-8838-dd5c572139f6}\DriveSys.dll (file missing)
O21 - SSODL: SysChk - {c4cd3e04-0306-4d64-a2b2-4f21a5b8ee4e} - C:\WINDOWS\Installer\{c4cd3e04-0306-4d64-a2b2-4f21a5b8ee4e}\SysChk.dll (file missing)
O21 - SSODL: zip - {8201f1df-7cc2-4b3c-81d3-7a99a8406206} - C:\WINDOWS\Installer\{8201f1df-7cc2-4b3c-81d3-7a99a8406206}\zip.dll (file missing)
O21 - SSODL: KernelKernel - {cb11f2b8-7df3-4b6f-9746-4ecb8626f566} - C:\WINDOWS\Installer\{cb11f2b8-7df3-4b6f-9746-4ecb8626f566}\KernelKernel.dll (file missing)
O21 - SSODL: PrxRunOnce - {370876e6-ce85-4861-abe2-924702fccb2a} - C:\WINDOWS\Installer\{370876e6-ce85-4861-abe2-924702fccb2a}\PrxRunOnce.dll (file missing)
O21 - SSODL: RomSys - {95699ecf-bcf6-4e2d-9a7f-b4309576108a} - C:\WINDOWS\Installer\{95699ecf-bcf6-4e2d-9a7f-b4309576108a}\RomSys.dll (file missing)
O21 - SSODL: ComponentUnknown - {c6bf150f-6a7c-439d-9550-3f6ea26f44b5} - C:\WINDOWS\Installer\{c6bf150f-6a7c-439d-9550-3f6ea26f44b5}\ComponentUnknown.dll (file missing)
O21 - SSODL: MonDrive - {5b224e86-8a8c-43a3-be81-65ca5b428d1b} - C:\WINDOWS\Installer\{5b224e86-8a8c-43a3-be81-65ca5b428d1b}\MonDrive.dll (file missing)
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\System32\J8dj3jg.dll (file missing)
O22 - SharedTaskScheduler: JGhsdk393ktrfggh9dtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\System32\Hfkr4g.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Microsoft PS Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe -A
O23 - Service: Distributed Transaction Coordinator MSDTCstisvc (MSDTCstisvc) - Unknown owner - C:\WINDOWS\System32\00THotkeyh.exe srv
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Office Source Engine oseSamSs (oseSamSs) - Unknown owner - C:\WINDOWS\system32\actxprxyx.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - C:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\Toshiba\TME3\TMESRV31.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\MSN
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--
End of file - 22364 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Jnr61 - c:\windows\system32\drivers\jnr61.sys
R0 TVALZ (TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Driver) - c:\windows\system32\drivers\tvalz.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Common Modules>
R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R1 TMEI3E - c:\windows\system32\drivers\tmei3e.sys <Not Verified; Toshiba Corporation; Toshiba Mobile Extension>
R1 Tosrfcom (Bluetooth RFCOMM from TOSHIBA) - c:\windows\system32\drivers\tosrfcom.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFCOMM Driver>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.2.1.0) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.2>
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 tossmbnt - c:\windows\system32\drivers\tossmbnt.sys
R3 Passthru (Service) - c:\windows\system32\drivers\ndisio.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R3 tosporte (Bluetooth Port Driver from Toshiba) - c:\windows\system32\drivers\tosporte.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth Port Emulation Driver>
R3 tosrfec (Bluetooth ACPI from TOSHIBA) - c:\windows\system32\drivers\tosrfec.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth EC Driver>
R3 tsdhd (TOSHIBA SD Card Host Controller Driver) - c:\windows\system32\drivers\tsdhd.sys <Not Verified; TOSHIBA Corporation; SD Card Driver Set>

S1 krnllds (Kernel CryptoModule) - c:\windows\system32\krnllds.sys (file missing)
S3 Dim15 - c:\windows\system32\drivers\dim15.sys
S3 Glp72 - c:\windows\system32\drivers\glp72.sys
S3 Otx26 - c:\windows\system32\drivers\otx26.sys
S3 Puy48 - c:\windows\system32\drivers\puy48.sys
S3 Secdrv - c:\windows\system32\drivers\secdrv.sys (file missing)
S3 service.sys - c:\windows\system32\service.sys
S3 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys
S3 tcpsr - c:\windows\system32\drivers\tcpsr.sys
S3 Tosrfbd (Bluetooth RFBUS from TOSHIBA) - c:\windows\system32\drivers\tosrfbd.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth BUS Driver(WindowsXP,Windows2000)>
S3 Tosrfbnp (Bluetooth RFBNEP from TOSHIBA) - c:\windows\system32\drivers\tosrfbnp.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFBNEP Driver from TOSHIBA>
S3 Tosrfhid (Bluetooth RFHID from TOSHIBA) - c:\windows\system32\drivers\tosrfhid.sys <Not Verified; TOSHIBA Corporation.; Bluetooth HID Driver from TOSHIBA>
S3 tosrfnds (Bluetooth Personal Area Network from TOSHIBA) - c:\windows\system32\drivers\tosrfnds.sys <Not Verified; TOSHIBA Corporation.; Bluetooth BNEP Driver from TOSHIBA>
S3 Tosrfusb (Bluetooth USB Controller) - c:\windows\system32\drivers\tosrfusb.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth USB Miniport Driver(Windows2000,WindowsXP)>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree™>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 RegSrvc - c:\windows\system32\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 Swupdtmr - c:\toshiba\ivp\swupdate\swupdtmr.exe
R2 Tmesrv (Tmesrv3) - "c:\program files\toshiba\tme3\tmesrv31.exe" /service <Not Verified; TOSHIBA; TOSHIBA MobileExtension Service>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 AppMgmtAvg7UpdSvc (Application Management AppMgmtAvg7UpdSvc) - c:\windows\system32\agilix capture portr.exe srv <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S2 Microsoft PS Service - c:\windows\system32\_svchost.exe -a (file missing)
S2 MSDTCstisvc (Distributed Transaction Coordinator MSDTCstisvc) - c:\windows\system32\00thotkeyh.exe srv (file missing)
S2 oseHidServ (Office Source Engine oseHidServ) - c:\windows\system32\acluif.exe srv <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S2 oseSamSs (Office Source Engine oseSamSs) - c:\windows\system32\actxprxyx.exe srv
S2 wuauservAppMgmt (Automatic Updates wuauservAppMgmt) - c:\windows\system32\adsnwy.exe srv <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-20 and 2008-05-20 -----------------------------

2008-05-20 18:34:04 18368 --a------ C:\WINDOWS\System32\service.sys
2008-05-13 20:33:58 58368 --a------ C:\Documents and Settings\Administrator\xvumaeo.exe
2008-05-12 21:57:26 58368 --a------ C:\Documents and Settings\Administrator\lpfa.exe
2008-05-12 21:44:13 6784 --a------ C:\WINDOWS\System32\drivers\tcpsr.sys
2008-05-11 18:13:23 58368 --a------ C:\Documents and Settings\Administrator\nmfcmax.exe
2008-05-10 22:10:00 58368 --a------ C:\Documents and Settings\Administrator\yjr.exe
2008-05-09 17:10:30 58368 --a------ C:\Documents and Settings\Administrator\sflen.exe
2008-05-08 20:23:05 58368 --a------ C:\Documents and Settings\Administrator\smqdm.exe
2008-05-07 17:35:13 58368 --a------ C:\Documents and Settings\Administrator\qbi.exe
2008-05-06 16:12:38 58368 --a------ C:\Documents and Settings\Administrator\cxbw.exe
2008-05-06 16:03:26 58368 --a------ C:\Documents and Settings\Administrator\nbxomc.exe
2008-05-02 20:14:36 58368 --a------ C:\Documents and Settings\Administrator\bevf.exe
2008-05-02 20:11:51 169248 --a------ C:\WINDOWS\System32\drivers\ndisio.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
2008-04-22 15:48:19 6400 --a------ C:\WINDOWS\System32\drivers\Glp72.sys
2008-04-21 17:37:28 6400 --a------ C:\WINDOWS\System32\drivers\Puy48.sys
2008-04-20 19:05:10 112 --a-s---- C:\WINDOWS\System32\3188191268.dat


-- Find3M Report ---------------------------------------------------------------

2008-05-20 18:35:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-13 20:52:08 22016 --ahs---- C:\WINDOWS\System32\1031r.dll
2008-04-13 20:50:30 41984 -r-hs---- C:\WINDOWS\System32\actxprxyx.exe
2008-04-12 17:17:57 22016 --ahs---- C:\WINDOWS\System32\69771i.dll
2008-04-08 18:27:40 57344 --a------ C:\WINDOWS\System32\jwpp.exe
2008-04-08 18:16:00 57344 --a------ C:\WINDOWS\System32\447736.exe
2008-04-08 18:05:30 57344 --a------ C:\WINDOWS\System32\808643.exe
2008-04-08 17:44:49 57344 --a------ C:\WINDOWS\System32\311236.exe
2008-04-08 17:34:10 57344 --a------ C:\WINDOWS\System32\626047.exe
2008-04-08 17:23:43 57344 --a------ C:\WINDOWS\System32\237374.exe
2008-04-08 17:17:30 22016 --ahs---- C:\WINDOWS\System32\a3dw.dll
2008-04-08 17:13:09 57344 --a------ C:\WINDOWS\System32\69771.exe
2008-03-19 15:01:22 22016 --ahs---- C:\WINDOWS\System32\0_exceptionb.dll
2008-03-13 20:26:30 22016 --ahs---- C:\WINDOWS\System32\acleditz.dll
2008-03-11 22:29:08 25712 --a------ C:\WINDOWS\System32\winmed.exe
2008-03-11 22:18:58 25712 --a------ C:\WINDOWS\System32\48380.exe
2008-03-11 22:10:46 22016 --ahs---- C:\WINDOWS\System32\1037h.dll
2008-03-05 19:23:37 38400 -r-hs---- C:\WINDOWS\System32\adsnwy.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-03 18:37:26 38400 -r-hs---- C:\WINDOWS\System32\Agilix Capture Portr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-02-28 19:52:43 15380 --a------ C:\WINDOWS\System32\279623.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1B05A5AC-CBE0-4133-945A-3A28C053446F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22}]
01/03/2008 12:27 PM 111968 --a------ C:\Program Files\AOL Search\AOLSearch.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AC49A2-94F2-42BD-F434-2604812C897D}]
C:\WINDOWS\System32\J8dj3jg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AF0562-94F3-42BD-F434-2604812C797D}]
C:\WINDOWS\System32\Hfkr4g.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [10/17/2003 09:02 PM]
"nwiz"="nwiz.exe" [10/17/2003 09:02 PM C:\WINDOWS\system32\nwiz.exe]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [01/02/2003 08:16 PM]
"AGRSMMSG"="AGRSMMSG.exe" [04/18/2003 03:20 PM C:\WINDOWS\agrsmmsg.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [07/17/2003 09:38 PM]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [10/17/2003 02:30 AM]
"CrossMenu"="C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe" [10/18/2003 07:17 PM]
"TapButt"="C:\Program Files\Toshiba\TapButton\TapButt.exe" [10/24/2003 05:03 AM]
"000StTHK"="000StTHK.exe" [06/24/2001 12:28 AM C:\WINDOWS\system32\000StTHK.exe]
"TPSMain"="TPSMain.exe" [10/24/2003 02:27 AM C:\WINDOWS\system32\TPSMain.exe]
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [12/10/2003 12:50 AM]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [10/06/2003 09:43 PM]
"TFNF5"="TFNF5.exe" [10/15/2003 08:03 PM C:\WINDOWS\system32\TFNF5.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [12/03/2003 04:26 PM]
"TAcelMgr"="C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe" [10/14/2003 06:55 PM]
"TSkrMain"="C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe" [10/20/2003 10:44 PM]
"TosRotation"="C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe" [01/29/2004 08:48 PM]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [01/21/2003 10:00 PM]
"Sensiva"="C:\Symbol Commander\Sensiva.exe" [10/01/2002 05:57 PM]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [09/09/2002 07:07 PM]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [10/20/2003 12:39 PM]
"TabletTip"="C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" [07/15/2003 01:52 PM]
"PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [12/10/2003 03:36 AM]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [08/20/2002 01:29 PM]
"Drag'n Drop CD+DVD"="C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe" [08/08/2003 07:54 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"WMedia32"="wmedia32.exe" [02/08/2008 09:22 PM C:\WINDOWS\system32\wmedia32.exe]
"bm"="C:\Program Files\Common Files\AVSystemCare\bm.exe" []
"ptask"="C:\Program Files\AVSystemCare\ptask.exe" []
"service.exe"="C:\WINDOWS\System32\service.exe" [02/09/2008 02:23 PM]
"Microsoft hren1"="C:\WINDOWS\mmhren1.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/17/2008 05:03 PM]
"WinMed"="winmed.exe" [03/11/2008 10:29 PM C:\WINDOWS\system32\winmed.exe]
"jwpp"="C:\WINDOWS\System32\jwpp.exe" [04/08/2008 06:27 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [03/31/2003 08:00 AM]
"NVIEW"="nview.dll,nViewLoadHook" []
"AntiVirusProMFC"="C:\Program Files\Antivirus Pro\AntiVirus Pro.exe" []
"Zinio DLM"="C:\Program Files\Zinio\ZDLM.exe" []
"Aim6"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"TabletWizard"=%windir%\help\wizard.hta
"Service Pack 1"=C:\WINDOWS\TEMP\jweudjtu.exe

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
.protected [2/10/2008 1:49:17 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
.protected [2/10/2008 1:49:18 AM]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [10/17/2003 3:31:40 AM]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [8/6/2003 5:23:32 PM]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2/3/2004 7:38:18 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoFolderOptions"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B5AC49A2-94F2-42BD-F434-2604812C897D}"= C:\WINDOWS\System32\J8dj3jg.dll [ ]
"{B5AF0562-94F3-42BD-F434-2604812C797D}"= C:\WINDOWS\System32\Hfkr4g.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ylyXWSPPdZuJIY"= {E4D0B51E-4E7A-1FB4-0232-CE9CBBFE5D61} - C:\WINDOWS\System32\wwp.dll [ ]
"CDKernel"= {2d538402-ba69-45bb-baf3-9ec86602c3ee} - C:\WINDOWS\Installer\{2d538402-ba69-45bb-baf3-9ec86602c3ee}\CDKernel.dll [ ]
"SysBoot"= {166cc5b9-efcd-4c8f-87d9-98274d97cee5} - C:\WINDOWS\Installer\{166cc5b9-efcd-4c8f-87d9-98274d97cee5}\SysBoot.dll [ ]
"DriveSys"= {35b9ff6a-32fb-44ef-8838-dd5c572139f6} - C:\WINDOWS\Installer\{35b9ff6a-32fb-44ef-8838-dd5c572139f6}\DriveSys.dll [ ]
"SysChk"= {c4cd3e04-0306-4d64-a2b2-4f21a5b8ee4e} - C:\WINDOWS\Installer\{c4cd3e04-0306-4d64-a2b2-4f21a5b8ee4e}\SysChk.dll [ ]
"zip"= {8201f1df-7cc2-4b3c-81d3-7a99a8406206} - C:\WINDOWS\Installer\{8201f1df-7cc2-4b3c-81d3-7a99a8406206}\zip.dll [ ]
"KernelKernel"= {cb11f2b8-7df3-4b6f-9746-4ecb8626f566} - C:\WINDOWS\Installer\{cb11f2b8-7df3-4b6f-9746-4ecb8626f566}\KernelKernel.dll [ ]
"PrxRunOnce"= {370876e6-ce85-4861-abe2-924702fccb2a} - C:\WINDOWS\Installer\{370876e6-ce85-4861-abe2-924702fccb2a}\PrxRunOnce.dll [ ]
"RomSys"= {95699ecf-bcf6-4e2d-9a7f-b4309576108a} - C:\WINDOWS\Installer\{95699ecf-bcf6-4e2d-9a7f-b4309576108a}\RomSys.dll [ ]
"ComponentUnknown"= {c6bf150f-6a7c-439d-9550-3f6ea26f44b5} - C:\WINDOWS\Installer\{c6bf150f-6a7c-439d-9550-3f6ea26f44b5}\ComponentUnknown.dll [ ]
"MonDrive"= {5b224e86-8a8c-43a3-be81-65ca5b428d1b} - C:\WINDOWS\Installer\{5b224e86-8a8c-43a3-be81-65ca5b428d1b}\MonDrive.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\shell.exe"
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Administrator\hfpkmm.exe \s"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ibuntu]
ibuntu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LogCrypt]
LogCrypt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
C:\WINDOWS\System32\loginkey.dll 07/15/2003 01:52 PM 61952 C:\WINDOWS\system32\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\partnershipreg]
C:\Documents and Settings\All Users\Documents\Settings\partnership.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 12/16/2003 09:32 AM 110592 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
TabBtnWL.dll 08/29/2002 07:41 AM 11776 C:\WINDOWS\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
tpgwlnot.dll 08/29/2002 07:41 AM 25600 C:\WINDOWS\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\wowfx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Jnr61.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"




-- Hosts -----------------------------------------------------------------------

10.18.250.4 ad.doubleclick.net
10.18.250.4 ad.fastclick.net
10.18.250.4 ads.fastclick.net
10.18.250.4 ar.atwola.com
10.18.250.4 atdmt.com
10.18.250.4 avp.ch
10.18.250.4 avp.com
10.18.250.4 avp.ru
10.18.250.4 awaps.net
10.18.250.4 banner.fastclick.net

90 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-20 21:33:24 ------------







Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1500MHz
Percentage of Memory in Use: 83%
Physical Memory (total/avail): 511.3 MiB / 82.59 MiB
Pagefile Memory (total/avail): 1250.17 MiB / 489.36 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.83 MiB

C: is Fixed (NTFS) - 37.26 GiB total, 30.8 GiB free.

\\.\PHYSICALDRIVE0 - TOSHIBA MK4026GAX - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
AUState says computer is ready and waiting.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JANELY-FERNANDE
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\JANELY-FERNANDE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Mozilla Firefox
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=JANELY-FERNANDE
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> MsiExec.exe /I{B5D8CCBF-08D8-46C0-8B04-3BC0CAEDA094}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AIM Toolbar 5.0 --> "C:\Program Files\AOL\AIM Toolbar 5.0\uninstall.exe"
Alias SketchBook Pro 1.01 --> MsiExec.exe /X{0698BDA1-ACF3-4A5F-8A9B-F655C9E49AFC}
Alps Pointing-device Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
AOL Search --> C:\Program Files\AOL Search\uninstaller.exe AOL Search
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Drag'n Drop CD+DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DDC146FA-73E0-4FA1-A353-841EA14BF600}\Setup.exe" -l0x9 deleteall
DVD-RAM Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\Setup.exe" DVD-RAM Driver
FranklinCovey TabletPlanner --> MsiExec.exe /I{20348F6A-38D0-45F6-A103-C6FB2CD5695B}
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet for Wireless --> MsiExec.exe /I{85376E80-1A9D-4b13-92FE-5B0797FFB7DA}
Internet Explorer Q828750 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q828750.inf
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Microsoft Office OneNote 2003 --> MsiExec.exe /I{91A10409-6000-11D3-8CFE-0150048383C9}
Microsoft Reader --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0510E9B6-C4C9-4C1D-8FE9-89EDDAA54958}\SETUP.EXE" -L0x9
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Toolbar --> C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\mtbs.exe c
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvts.inf
OTOY --> RunDll32 C:\WINDOWS\DOWNLO~1\OTOYAX.dll,[email protected]
Outlook Express Update Q330994 --> C:\WINDOWS\Q330994.exe C:\WINDOWS\INF\Q330994.inf
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
SurfHere by Toshiba --> MsiExec.exe /X{A962C8E1-4F0B-4BA9-806E-B8D9A3B31F82}
Symbol Commander --> C:\WINDOWS\svae_unst.exe
Tablet Input Panel - English -->
Tablet Input Panel - English (US) -->
TOSHIBA Accelerometer Utilities --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\Acceleration Utilities\Uninst.isu" -c"C:\Program Files\TOSHIBA\Acceleration Utilities\SETUPSUB.dll"
TOSHIBA ConfigFree --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe" -l0x9 UNINSTALL
TOSHIBA Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CF0858D-1AC5-4308-9DE7-AD15288A8BDC}\Setup.exe" -l0x9
TOSHIBA Display Devices Change Utility --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\TDspBtn.inf,DefaultUninstall,5
TOSHIBA Hotkey Utility for Display Devices --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\TFNF5Wxp.inf,DefaultUninstall,5
TOSHIBA M200 Demo Screen Saver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{596EB055-A16F-4125-80A5-6AD728F2907B}\Setup.exe"
TOSHIBA Mobile Extension3 for Windows XP V3.59.00.XP --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\TME3\Uninst.isu" -c"C:\Program Files\TOSHIBA\TME3\uninstx.dll"
TOSHIBA PC Diagnostic Tool --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\PCDiag\Uninst.isu"
TOSHIBA Power Saver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\Power Saver\Uninst.isu" -c"C:\WINDOWS\System32\TPSDel.dll"
Toshiba Registration --> MsiExec.exe /X{F6C405D2-C50D-4D10-B89E-73A233A14D74}
TOSHIBA Rotation Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{53554FA3-F658-40F4-A7C6-4CD6F776A8F0}\Setup.exe"
TOSHIBA SD Memory Boot Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F816A1EB-392D-459C-A5A2-8C8B9CD75446}\Setup.exe"
TOSHIBA SD Memory Card Format --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}\Setup.exe"
TOSHIBA Software Modem --> Tosmreg -U
TOSHIBA Software Upgrades --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F69B66A8-61C9-424C-AFA1-7EC6093AC5AD}\setup.exe"
TOSHIBA Tablet Access Code Logon Utility V1.00.00 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\TSigReco\Uninst.isu" -c"C:\Program Files\TOSHIBA\TSigReco\TSigInst.dll"
Toshiba Tbiosdrv Driver --> C:\PROGRA~1\Toshiba\TOSHIB~1\UNWISE.EXE C:\PROGRA~1\Toshiba\TOSHIB~1\INSTALL.LOG
TOSHIBA TouchPad On/Off Utility V2.05.00 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\TouchED\Uninst.isu" -c"C:\Program Files\TOSHIBA\TouchED\tpedinst.dll"
TOSHIBA Utilities --&
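
Added example, not part of cj490's post or of Deckard's System Scanner: a triage script in Python that reads the "Registry Dump" and "Hosts" sections in the layout above and flags what this log actually shows, namely extra programs appended to the Winlogon Shell and Userinit values, an AppInit_DLLs entry, a fifth name in SecurityProviders, the Explorer/System policy values that hide Control Panel and disable Task Manager and Regedit, Run entries whose file DSS could not find (the empty `[]` metadata), and hosts lines that send security-vendor names to a remote address. The sample input is a constructed excerpt built from the entries above (the `127.0.0.1 localhost` line is added as a benign control); the Windows XP default SecurityProviders list and the vendor-name hints are assumptions.

```python
"""Triage a Deckard's System Scanner / HijackThis-style registry dump.

Added example, not part of the post or of DSS. It reads the "Registry Dump"
and "Hosts" sections in the layout shown above and flags the persistence
and lockout mechanisms visible in this log.
"""
import re

# Constructed sample: a trimmed excerpt in the DSS layout, built from entries
# in the log above (the 127.0.0.1 localhost line is added as a benign control).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [10/17/2003 09:02 PM]
"bm"="C:\Program Files\Common Files\AVSystemCare\bm.exe" []
"Microsoft hren1"="C:\WINDOWS\mmhren1.exe" []
"jwpp"="C:\WINDOWS\System32\jwpp.exe" [04/08/2008 06:27 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoFolderOptions"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\shell.exe"
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Administrator\hfpkmm.exe \s"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\wowfx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

-- Hosts -----------------------------------------------------------------------

10.18.250.4 ad.doubleclick.net
10.18.250.4 avp.com
10.18.250.4 avp.ru
127.0.0.1 localhost
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
QUOTED_RE = re.compile(r'^"([^"]*)"\s*(.*)$')
HOST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")

# Assumption: the Windows XP default SecurityProviders list (no wowfx.dll).
XP_DEFAULT_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
LOCKOUT_VALUES = {"nocontrolpanel", "nofolderoptions", "disableregistrytools", "disabletaskmgr"}
# Assumed substrings that mark a hosts name as a security vendor / update site.
SECURITY_VENDOR_HINTS = ("avp.", "kaspersky", "grisoft", "avg", "symantec", "mcafee", "trendmicro", "sophos", "windowsupdate")
LOOPBACK = {"127.0.0.1", "0.0.0.0"}


def parse_dump(text):
    """Return (registry, providers, hosts): registry maps a lower-cased key path
    to {value name: raw value text}, providers is the SecurityProviders list,
    hosts is a list of (ip, lower-cased name) pairs."""
    registry, providers, hosts = {}, [], []
    key, in_hosts = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-- Hosts"):
            in_hosts, key = True, None
            continue
        if in_hosts:
            m = HOST_RE.match(line)
            if m:
                hosts.append((m.group(1), m.group(2).lower()))
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            registry.setdefault(key, {})
            continue
        if line.lower().startswith("securityproviders "):
            providers = [p.strip().lower() for p in line.split(None, 1)[1].split(",") if p.strip()]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            registry[key][m.group(1)] = m.group(2).strip()
    return registry, providers, hosts


def split_value(raw):
    """Split DSS value text into (data, trailing metadata); '[]' metadata means DSS found no file."""
    m = QUOTED_RE.match(raw)
    return (m.group(1), m.group(2)) if m else (raw, "")


def triage(text):
    """Return a list of (category, detail) findings for one dump."""
    registry, providers, hosts = parse_dump(text)
    findings = []
    for key, values in registry.items():
        for name, raw in values.items():
            data, meta = split_value(raw)
            lname = name.lower()
            if key.endswith("\\winlogon") and lname == "shell":
                extra = [p for p in data.split() if p.lower() != "explorer.exe"]
                if extra:
                    findings.append(("winlogon-shell", " ".join(extra)))
            elif key.endswith("\\winlogon") and lname == "userinit":
                parts = [p.strip() for p in data.split(",") if p.strip()]
                extra = [p for p in parts if not p.lower().endswith("userinit.exe")]
                if extra:
                    findings.append(("winlogon-userinit", ", ".join(extra)))
            elif lname == "appinit_dlls" and data:
                findings.append(("appinit-dll", data))
            elif "\\policies\\" in key and lname in LOCKOUT_VALUES and data.startswith("1"):
                findings.append(("policy-lockout", f"{name} in {key}"))
            elif key.endswith("\\run") and meta == "[]":
                findings.append(("orphan-run", f"{name} -> {data}"))
    for provider in providers:
        if provider not in XP_DEFAULT_PROVIDERS:
            findings.append(("security-provider", provider))
    for ip, host in hosts:
        if ip in LOOPBACK:
            continue  # loopback/blackhole mappings are the ad-block pattern, not a redirect
        vendor = any(hint in host for hint in SECURITY_VENDOR_HINTS)
        findings.append(("hosts-redirect-security-vendor" if vendor else "hosts-redirect", f"{host} -> {ip}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_DUMP):
        print(f"{category:32} {detail}")
```

Two things the script makes explicit that are easy to miss when reading the raw dump: a Run entry followed by `[]` is one where DSS found no file at the path, so the autorun is either already dead or pointing at something the scanner could not see; and the hosts section maps the vendor names to 10.18.250.4, a private address rather than 127.0.0.1, which is the pattern for blocking this PC from reaching those vendors rather than the usual ad-blocking list.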


#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello cj490

Welcome to G2Go. :)
=====================
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
=======================
Download the HostsXpert 4.2 - Hosts File Manager.
  • Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
  • Run HostsXpert 4.2 - Hosts File Manager from its new home
  • Click on "File Handling".
  • Click on "Restore MS Hosts File".
  • Click OK on the Confirmation box.
  • Click on "Make Read Only?"
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
============
Next::

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum
===================
Then::

Please visit this web page for instructions for downloading and running Combofix >ComboFix Instructions
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.
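
As an added example (not part of kahdah's instructions, HostsXpert, SDFix or ComboFix), here is the artifact side of the hosts-file step and of the Control Panel / Task Manager / Regedit lockouts that the DSS dump above shows, written in Python: it builds a minimal replacement hosts file, writes it read-only (the "Make Read Only?" step), and generates a `.reg` file that deletes the policy values with the `"name"=-` syntax and puts the Winlogon Shell and Userinit values back to their defaults. The Windows XP defaults for Shell and Userinit and the minimal hosts content are assumptions, not taken from the post; the lockout list is copied from the registry dump above. Apply the `.reg` only after the infection's own components are no longer running (Safe Mode, as the post says), otherwise a still-running component can simply set the values again.

```python
"""Build the hosts-file and policy-cleanup artifacts described above.

Added example, not part of the post or of HostsXpert/SDFix.
"""
import os
import stat
import tempfile

# Assumed Windows XP defaults (not taken from the post): Shell is plain
# Explorer.exe and Userinit is the system copy followed by a trailing comma.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
XP_SHELL = "Explorer.exe"
XP_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

# Lockout values present in the DSS registry dump above (key, value name).
LOCKOUTS_FROM_LOG = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoControlPanel"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions"),
    (r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoControlPanel"),
]


def default_hosts():
    """Minimal replacement hosts file: only the loopback name is mapped (assumed content)."""
    return "# Restored hosts file: only the loopback name is mapped.\r\n127.0.0.1       localhost\r\n"


def reg_escape(value):
    """Escape a REG_SZ value for .reg syntax: backslashes and quotes are backslash-escaped."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_undo_reg(lockouts, restore_winlogon=True):
    """Return .reg text that deletes each (key, value) pair using the "name"=-
    syntax and, optionally, resets Shell/Userinit under Winlogon."""
    by_key = {}
    for key, name in lockouts:
        by_key.setdefault(key, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
        lines.append("")
    if restore_winlogon:
        lines.append(f"[{WINLOGON_KEY}]")
        lines.append(f'"Shell"="{reg_escape(XP_SHELL)}"')
        lines.append(f'"Userinit"="{reg_escape(XP_USERINIT)}"')
        lines.append("")
    return "\r\n".join(lines)   # regedit expects CRLF line endings


def write_readonly(path, text):
    """Write text to path and clear the write bit (the read-only attribute on
    Windows). A file left read-only by an earlier run is made writable first,
    otherwise the open() would fail."""
    if os.path.exists(path):
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
    with open(path, "w", newline="") as fh:
        fh.write(text)
    os.chmod(path, stat.S_IREAD)
    return path


def file_is_readonly(path):
    """True when the owner write bit is clear (Windows maps the read-only attribute to this)."""
    return not os.stat(path).st_mode & stat.S_IWRITE


def sample_path():
    """Scratch location for a demonstration hosts file (not the live %SystemRoot% copy)."""
    return os.path.join(tempfile.gettempdir(), "hosts.sample.txt")


if __name__ == "__main__":
    print(build_undo_reg(LOCKOUTS_FROM_LOG))
    print(write_readonly(sample_path(), default_hosts()))
```

On the real machine the hosts file lives at `C:\WINDOWS\system32\drivers\etc\hosts`; the scratch path above is only so the script runs anywhere. Note that `DisableRegistryTools=1` (the value in the log) stops regedit from opening interactively but does not bind `reg.exe`, so `reg import undo.reg` from a command prompt is the easier way to apply the file while the policy is still set.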

#3 cj490 (New Member, Topic Starter, 7 posts)
Rebooting

Service krnllds - Deleted
Service NdisWon - Deleted
Service service.sys - Deleted
Service tcpsr - Deleted

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\drivers\tcpsr.sys - Deleted
C:\WINDOWS\system32\service.sys - Deleted
C:\WINDOWS\system32\wowfx.dll - Deleted



Folder C:\Documents and Settings\All Users\Application Data\SalesMon - Removed
Folder C:\Documents and Settings\All Users\Documents\Settings - Removed
Folder C:\Program Files\SystemDefender - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 19:14:50
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Xxth58]
"Type"=dword:00000001
"Tag"=dword:00000001
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Xxth58]
"Type"=dword:00000001
"Tag"=dword:00000001
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\tsdhd.sys 25888 bytes executable
C:\WINDOWS\system32\drivers\tunmp.sys 9856 bytes executable
C:\WINDOWS\system32\drivers\TVALZ.SYS 9216 bytes executable
C:\WINDOWS\system32\drivers\udfs.sys 64000 bytes executable
C:\WINDOWS\system32\drivers\update.sys 137088 bytes executable
C:\WINDOWS\system32\drivers\usb8023.sys 11136 bytes executable
C:\WINDOWS\system32\drivers\usbcamd.sys 23808 bytes executable
C:\WINDOWS\system32\drivers\usbcamd2.sys 23936 bytes executable
C:\WINDOWS\system32\drivers\usbd.sys 4736 bytes executable
C:\WINDOWS\system32\drivers\usbehci.sys 25216 bytes executable
C:\WINDOWS\system32\drivers\usbhub.sys 53120 bytes executable
C:\WINDOWS\system32\drivers\usbintel.sys 15232 bytes executable
C:\WINDOWS\system32\drivers\usbport.sys 138752 bytes executable
C:\WINDOWS\system32\drivers\usbprint.sys 24960 bytes executable
C:\WINDOWS\system32\drivers\USBSTOR.SYS 21760 bytes executable
C:\WINDOWS\system32\drivers\usbuhci.sys 19328 bytes executable
C:\WINDOWS\system32\drivers\vdmindvd.sys 58112 bytes executable
C:\WINDOWS\system32\drivers\vga.sys 19712 bytes executable
C:\WINDOWS\system32\drivers\videoprt.sys 70912 bytes executable
C:\WINDOWS\system32\drivers\volsnap.sys 49152 bytes executable
C:\WINDOWS\system32\drivers\w22n51.sys 1646720 bytes executable
C:\WINDOWS\system32\drivers\w70n51.sys 979840 bytes executable
C:\WINDOWS\system32\drivers\wacompen.sys 13056 bytes executable
C:\WINDOWS\system32\drivers\wanarp.sys 33280 bytes executable
C:\WINDOWS\system32\drivers\wdmaud.sys 77440 bytes executable
C:\WINDOWS\system32\drivers\wmilib.sys 4352 bytes executable
C:\WINDOWS\system32\drivers\ws2ifsl.sys 12032 bytes executable
C:\WINDOWS\system32\drivers\wstcodec.sys 18688 bytes executable
C:\WINDOWS\system32\drivers\Xxth58.sys 167936 bytes executable
C:\WINDOWS\system32\drivers\tsbvcap.sys 21376 bytes executable
C:\WINDOWS\system32\drivers\symavc32.sys 167936 bytes executable
C:\WINDOWS\system32\drivers\tostrans.sys 16320 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 32


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Documents and Settings\\LocalService\\Application Data\\printer.exe"="C:\\Documents and Settings\\LocalService\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"\\findfast.exe"="\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Documents and Settings\\LocalService\\Application Data\\printer.exe"="C:\\Documents and Settings\\LocalService\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"\\findfast.exe"="\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 8 Apr 2008 57,344 ...H. --- "C:\Documents and Settings\Administrator\hfpkmm.exe"
Wed 19 Mar 2008 22,016 A.SH. --- "C:\WINDOWS\system32\0_exceptionb.dll"
Sun 13 Apr 2008 22,016 A.SH. --- "C:\WINDOWS\system32\1031r.dll"
Tue 11 Mar 2008 22,016 A.SH. --- "C:\WINDOWS\system32\1037h.dll"
Sat 12 Apr 2008 22,016 A.SH. --- "C:\WINDOWS\system32\69771i.dll"
Tue 8 Apr 2008 22,016 A.SH. --- "C:\WINDOWS\system32\a3dw.dll"
Thu 13 Mar 2008 22,016 A.SH. --- "C:\WINDOWS\system32\acleditz.dll"
Fri 8 Feb 2008 38,400 ..SHR --- "C:\WINDOWS\system32\acluif.exe"
Sun 13 Apr 2008 41,984 ..SHR --- "C:\WINDOWS\system32\actxprxyx.exe"
Wed 5 Mar 2008 38,400 ..SHR --- "C:\WINDOWS\system32\adsnwy.exe"
Mon 3 Mar 2008 38,400 ..SHR --- "C:\WINDOWS\system32\Agilix Capture Portr.exe"

Finished!
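
Added example, not part of the SDFix log or of SDFix itself: the "Authorized Application Key Export" above is the Windows Firewall exception list, where each value has the form `path:scope:Enabled|Disabled:display name`. The Python audit below parses that export and flags the things a practitioner would check by eye in this list: programs living in a user profile or Startup folder, non-absolute paths (a bare `\findfast.exe` or an unexpanded `%windir%`), names one or two edits away from a Windows system binary (`spoolvs.exe` against `spoolsv.exe`), and display names borrowed from a resource DLL so that the firewall UI shows a Windows string instead of the program's own name. The sample is copied from the export above plus one constructed benign Firefox entry as a control; the list of imitated system binaries is an assumption.

```python
"""Audit Windows Firewall AuthorizedApplications exceptions from an SDFix export.

Added example, not part of the post or of SDFix.
"""
import os
import re

# Constructed sample copied from the SDFix export above, plus one benign
# Firefox entry (assumed, not from the log) as a control.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Documents and Settings\\LocalService\\Application Data\\printer.exe"="C:\\Documents and Settings\\LocalService\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"\\findfast.exe"="\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
'''

ENTRY_RE = re.compile(r'^"(.+?)"="(.+)"$')
ABSOLUTE_RE = re.compile(r"^[A-Za-z]:\\")
# Assumed list of system binaries whose names malware commonly imitates.
SYSTEM_BINARIES = ("svchost.exe", "spoolsv.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "explorer.exe")
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\start menu\\programs\\startup\\")


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_export(text):
    """Yield (path, scope, state, display_name) for each authorized application."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        data = m.group(2).replace("\\\\", "\\")   # the export doubles backslashes
        path, scope, state, name = data.rsplit(":", 3)   # rsplit: the path itself contains "C:"
        yield path, scope, state, name


def audit_entry(path, scope, state, name):
    """Return the list of flags for one exception."""
    flags = []
    low = path.lower()
    if any(marker in low for marker in PROFILE_MARKERS):
        flags.append("user-profile-path")
    if not ABSOLUTE_RE.match(path):
        flags.append("non-absolute-path")
    base = os.path.basename(path.replace("\\", "/")).lower()
    for system in SYSTEM_BINARIES:
        if base != system and levenshtein(base, system) <= 2:
            flags.append(f"lookalike-name:{system}")
    if name.startswith("@"):
        flags.append("resource-display-name")
    if state.lower() == "enabled" and scope == "*" and flags:
        flags.append("enabled-any-scope")   # already suspicious and reachable from any address
    return flags


def audit(text):
    """Map each program path to its flags (empty list = nothing noteworthy)."""
    return {path: audit_entry(path, scope, state, name) for path, scope, state, name in parse_export(text)}


if __name__ == "__main__":
    for path, flags in audit(SAMPLE_EXPORT).items():
        print(f"{path}\n    {', '.join(flags) or 'ok'}")
```

The point of the lookalike check is that `spoolvs.exe` sits in System32 next to the real `spoolsv.exe` and passes a quick glance; an edit-distance threshold of two catches transposed or substituted letters without needing a catalogue of every malware name. Entries that survive a cleanup should be removed from the list as well, since the exception outlives the executable.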

#4 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Okay, please go ahead and run Combofix.
Post that log and a new Hijackthis log.

#5 cj490 (New Member, Topic Starter, 7 posts)
OK, but I need serious help on that!! Since I have a tablet PC, I don't want to download normal Windows XP because the tablet won't work?? HELP!!!

#6 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Combofix will run on Tablet PC Edition.
Please go ahead and run combofix.
When you install the Recovery Console choose the XP Pro version for your edition.

#7 cj490 (New Member, Topic Starter, 7 posts)
I don't have the CDs. If I download Windows XP, then I will no longer have Tablet PC Edition! What do I do??

#8 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
You do not need any CDs.
Please reread the instructions.
You are not installing an operating system; it is only a small download that gives us a recovery option after removal of some malware.
It is not XP, it is only the Recovery Console.
When you download it drag and drop it into combofix.
Then when it asks you to scan for infected files choose No.
Post the rc.txt log it produces.

#9 cj490 (New Member, Topic Starter, 7 posts)
winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

#10 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Now double click on Combofix to run it then post the resulting log and a new Hijackthis log.

#11 cj490 (New Member, Topic Starter, 7 posts)
ComboFix 08-05-21.3 - Administrator 2008-05-22 21:52:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.91 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\.protected
C:\Documents and Settings\Administrator\Application Data\AVSystemCare
C:\Documents and Settings\Administrator\Application Data\AVSystemCare\Logs\threats.log
C:\Documents and Settings\Administrator\Application Data\AVSystemCare\Logs\update.log
C:\Documents and Settings\Administrator\ResErrors.log
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\.protected
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
C:\Program Files\SysCleaner
C:\Program Files\ucleaner_setup.exe
C:\WINDOWS\.protected
C:\WINDOWS\Installer\{166cc5b9-efcd-4c8f-87d9-98274d97cee5}\SysBoot.dll
C:\WINDOWS\Installer\{2d538402-ba69-45bb-baf3-9ec86602c3ee}\CDKernel.dll
C:\WINDOWS\Installer\{35b9ff6a-32fb-44ef-8838-dd5c572139f6}\DriveSys.dll
C:\WINDOWS\Installer\{370876e6-ce85-4861-abe2-924702fccb2a}\PrxRunOnce.dll
C:\WINDOWS\Installer\{5b224e86-8a8c-43a3-be81-65ca5b428d1b}\MonDrive.dll
C:\WINDOWS\Installer\{8201f1df-7cc2-4b3c-81d3-7a99a8406206}\zip.dll
C:\WINDOWS\Installer\{95699ecf-bcf6-4e2d-9a7f-b4309576108a}\RomSys.dll
C:\WINDOWS\Installer\{c4cd3e04-0306-4d64-a2b2-4f21a5b8ee4e}\SysChk.dll
C:\WINDOWS\Installer\{c6bf150f-6a7c-439d-9550-3f6ea26f44b5}\ComponentUnknown.dll
C:\WINDOWS\Installer\{cb11f2b8-7df3-4b6f-9746-4ecb8626f566}\KernelKernel.dll
C:\WINDOWS\system32\0_exception.nls
C:\WINDOWS\system32\237374.exe
C:\WINDOWS\system32\279623.exe
C:\WINDOWS\system32\311236.exe
C:\WINDOWS\system32\447736.exe
C:\WINDOWS\system32\48380.exe
C:\WINDOWS\system32\626047.exe
C:\WINDOWS\system32\69771.exe
C:\WINDOWS\system32\808643.exe
C:\WINDOWS\system32\alog.txt
C:\WINDOWS\system32\cmds.txt
C:\WINDOWS\system32\conf.dat
C:\WINDOWS\system32\drivers\etc\.protected
c:\windows\system32\Drivers\Jnr61.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\ps1.dat
C:\WINDOWS\system32\rc.dat
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\svchost.t__

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DHLP
-------\Legacy_JNR61
-------\Legacy_MICROSOFT_PS_SERVICE
-------\Legacy_NWSAPAGENT
-------\Legacy_RUNTIME
-------\Legacy_SERVICE.SYS
-------\Service_Jnr61
-------\Service_Microsoft PS Service
-------\Service_NwSapAgent


((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-22 21:16 . 2008-05-22 21:16 244 --ah----- C:\sqmnoopt05.sqm
2008-05-22 21:16 . 2008-05-22 21:16 232 --ah----- C:\sqmdata05.sqm
2008-05-22 19:46 . 2008-05-22 19:46 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-05-22 19:04 . 2008-05-22 19:05 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-22 18:54 . 2008-05-22 19:17 <DIR> d-------- C:\SDFix
2008-05-20 20:59 . 2008-05-20 20:59 <DIR> d-------- C:\Deckard
2008-05-13 20:33 . 2008-05-13 20:33 58,368 --a------ C:\Documents and Settings\Administrator\xvumaeo.exe
2008-05-12 21:57 . 2008-05-12 21:57 58,368 --a------ C:\Documents and Settings\Administrator\lpfa.exe
2008-05-11 18:13 . 2008-05-11 18:13 58,368 --a------ C:\Documents and Settings\Administrator\nmfcmax.exe
2008-05-10 22:10 . 2008-05-10 22:10 58,368 --a------ C:\Documents and Settings\Administrator\yjr.exe
2008-05-09 17:10 . 2008-05-09 17:10 58,368 --a------ C:\Documents and Settings\Administrator\sflen.exe
2008-05-08 20:23 . 2008-05-08 20:23 58,368 --a------ C:\Documents and Settings\Administrator\smqdm.exe
2008-05-07 17:35 . 2008-05-07 17:35 58,368 --a------ C:\Documents and Settings\Administrator\qbi.exe
2008-05-06 17:24 . 2008-05-06 17:24 268 --ah----- C:\sqmdata04.sqm
2008-05-06 17:24 . 2008-05-06 17:24 244 --ah----- C:\sqmnoopt04.sqm
2008-05-06 17:16 . 2008-05-06 17:16 268 --ah----- C:\sqmdata03.sqm
2008-05-06 17:16 . 2008-05-06 17:16 244 --ah----- C:\sqmnoopt03.sqm
2008-05-06 16:12 . 2008-05-06 16:12 58,368 --a------ C:\Documents and Settings\Administrator\cxbw.exe
2008-05-06 16:03 . 2008-05-06 16:03 58,368 --a------ C:\Documents and Settings\Administrator\nbxomc.exe
2008-05-02 20:14 . 2008-05-02 20:14 58,368 --a------ C:\Documents and Settings\Administrator\bevf.exe
2008-05-02 20:11 . 2008-05-13 20:33 169,248 --a------ C:\WINDOWS\system32\drivers\ndisio.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 19:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-08 22:27 57,344 ---h--w C:\Documents and Settings\Administrator\hfpkmm.exe
2008-02-09 01:19 38,400 --sh--r C:\WINDOWS\system32\acluif.exe
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22}]
2008-01-03 12:27 111968 --a------ C:\Program Files\AOL Search\AOLSearch.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 08:00 13312]
"NVIEW"="nview.dll" [2003-10-17 21:02 852039 C:\WINDOWS\system32\nview.dll]
"AntiVirusProMFC"="C:\Program Files\Antivirus Pro\AntiVirus Pro.exe" [ ]
"Zinio DLM"="C:\Program Files\Zinio\ZDLM.exe" [ ]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-17 21:02 4866048]
"nwiz"="nwiz.exe" [2003-10-17 21:02 323584 C:\WINDOWS\system32\nwiz.exe]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-01-02 20:16 172032]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 15:20 88363 C:\WINDOWS\agrsmmsg.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-07-17 21:38 159744]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2003-10-17 02:30 258048]
"CrossMenu"="C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe" [2003-10-18 19:17 798720]
"TapButt"="C:\Program Files\Toshiba\TapButton\TapButt.exe" [2003-10-24 05:03 163840]
"000StTHK"="000StTHK.exe" [2001-06-24 00:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"TPSMain"="TPSMain.exe" [2003-10-24 02:27 278528 C:\WINDOWS\system32\TPSMain.exe]
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [2003-12-10 00:50 126976]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [2003-10-06 21:43 77824]
"TFNF5"="TFNF5.exe" [2003-10-15 20:03 73728 C:\WINDOWS\system32\TFNF5.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2003-12-03 16:26 131072]
"TAcelMgr"="C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe" [2003-10-14 18:55 86016]
"TSkrMain"="C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe" [2003-10-20 22:44 45056]
"TosRotation"="C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe" [2004-01-29 20:48 266240]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 22:00 126976]
"Sensiva"="C:\Symbol Commander\Sensiva.exe" [2002-10-01 17:57 2052096]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 19:07 49152]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 12:39 159744]
"TabletTip"="C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" [2003-07-15 13:52 197120]
"PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 03:36 86016]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"Drag'n Drop CD+DVD"="C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe" [2003-08-08 19:54 1175552]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 17:03 579584]
"jwpp"="C:\WINDOWS\System32\jwpp.exe" [2008-04-08 18:27 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="%windir%\help\wizard.hta" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-12 19:33 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2003-10-17 03:31:40 372736]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 17:23:32 51776]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-02-03 19:38:18 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ylyXWSPPdZuJIY"= {E4D0B51E-4E7A-1FB4-0232-CE9CBBFE5D61} - C:\WINDOWS\System32\wwp.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
C:\WINDOWS\System32\loginkey.dll 2003-07-15 13:52 61952 C:\WINDOWS\system32\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2003-12-16 09:32 110592 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
TabBtnWL.dll 2002-08-29 07:41 11776 C:\WINDOWS\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
tpgwlnot.dll 2002-08-29 07:41 25600 C:\WINDOWS\system32\tpgwlnot.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"\\findfast.exe"=

R1 TMEI3E;TMEI3E;C:\WINDOWS\System32\Drivers\TMEI3E.SYS [2002-09-26 17:15]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;C:\WINDOWS\System32\DRIVERS\TBtnKey.sys [2002-09-13 02:48]
R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\System32\DRIVERS\tosrfec.sys [2003-02-04 16:12]
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\System32\DRIVERS\tsdhd.sys [2003-05-14 21:38]
R3 WacomPen;Wacom Serial Pen HID Driver;C:\WINDOWS\System32\DRIVERS\wacompen.sys [2002-08-28 21:28]
S2 AppMgmtAvg7UpdSvc;Application Management AppMgmtAvg7UpdSvc;C:\WINDOWS\System32\Agilix Capture Portr.exe [2008-03-03 18:37]
S2 MSDTCstisvc;Distributed Transaction Coordinator MSDTCstisvc;C:\WINDOWS\System32\00THotkeyh.exe []
S2 oseHidServ;Office Source Engine oseHidServ;C:\WINDOWS\System32\acluif.exe [2008-02-08 21:19]
S2 oseSamSs;Office Source Engine oseSamSs;C:\WINDOWS\System32\actxprxyx.exe [2008-04-13 20:50]
S2 wuauservAppMgmt;Automatic Updates wuauservAppMgmt;C:\WINDOWS\System32\adsnwy.exe [2008-03-05 19:23]
S3 Dim15;Dim15;C:\WINDOWS\System32\drivers\Dim15.sys []
S3 Glp72;Glp72;C:\WINDOWS\System32\drivers\Glp72.sys []
S3 Otx26;Otx26;C:\WINDOWS\System32\drivers\Otx26.sys []
S3 pciSd;pciSd;C:\WINDOWS\System32\DRIVERS\tossdpci.sys [2003-02-12 13:03]
S3 Puy48;Puy48;C:\WINDOWS\System32\drivers\Puy48.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 21:59:44
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\tunmp.sys 9856 bytes executable
C:\WINDOWS\system32\drivers\TVALZ.SYS 9216 bytes executable
C:\WINDOWS\system32\drivers\udfs.sys 64000 bytes executable
C:\WINDOWS\system32\drivers\update.sys 137088 bytes executable
C:\WINDOWS\system32\drivers\usb8023.sys 11136 bytes executable
C:\WINDOWS\system32\drivers\usbcamd.sys 23808 bytes executable
C:\WINDOWS\system32\drivers\usbcamd2.sys 23936 bytes executable
C:\WINDOWS\system32\drivers\usbd.sys 4736 bytes executable
C:\WINDOWS\system32\drivers\usbehci.sys 25216 bytes executable
C:\WINDOWS\system32\drivers\usbhub.sys 53120 bytes executable
C:\WINDOWS\system32\drivers\usbintel.sys 15232 bytes executable
C:\WINDOWS\system32\drivers\usbport.sys 138752 bytes executable
C:\WINDOWS\system32\drivers\usbprint.sys 24960 bytes executable
C:\WINDOWS\system32\drivers\USBSTOR.SYS 21760 bytes executable
C:\WINDOWS\system32\drivers\usbuhci.sys 19328 bytes executable
C:\WINDOWS\system32\drivers\vdmindvd.sys 58112 bytes executable
C:\WINDOWS\system32\drivers\vga.sys 19712 bytes executable
C:\WINDOWS\system32\drivers\videoprt.sys 70912 bytes executable
C:\WINDOWS\system32\drivers\volsnap.sys 49152 bytes executable
C:\WINDOWS\system32\drivers\w22n51.sys 1646720 bytes executable
C:\WINDOWS\system32\drivers\w70n51.sys 979840 bytes executable
C:\WINDOWS\system32\drivers\wacompen.sys 13056 bytes executable
C:\WINDOWS\system32\drivers\wanarp.sys 33280 bytes executable
C:\WINDOWS\system32\drivers\wdmaud.sys 77440 bytes executable
C:\WINDOWS\system32\drivers\wmilib.sys 4352 bytes executable
C:\WINDOWS\system32\drivers\ws2ifsl.sys 12032 bytes executable
C:\WINDOWS\system32\drivers\wstcodec.sys 18688 bytes executable
C:\WINDOWS\system32\drivers\Xxth58.sys 167936 bytes executable

scan completed successfully
hidden files: 28

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Xxth58]

.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\wisptis.exe
C:\WINDOWS\system32\tabbtnu.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\tpa.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Toshiba\TME3\TMETEMnu.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\WINDOWS\system32\1XConfig.exe
.
**************************************************************************
.
Completion time: 2008-05-22 22:02:27 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-05-23 02:02:22

Pre-Run: 32,776,355,840 bytes free
Post-Run: 32,885,374,976 bytes free

238
  • 0

#12
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

Driver::
Viewpoint Manager Service
Dim15
Glp72
Otx26
Puy48
Xxth58

File::
C:\WINDOWS\system32\drivers\Xxth58.sys 
C:\WINDOWS\System32\drivers\Dim15.sys 
C:\WINDOWS\System32\drivers\Glp72.sys 
C:\WINDOWS\System32\drivers\Otx26.sys 
C:\WINDOWS\System32\drivers\Puy48.sys
C:\Documents and Settings\Administrator\xvumaeo.exe
C:\Documents and Settings\Administrator\lpfa.exe
C:\Documents and Settings\Administrator\nmfcmax.exe
C:\Documents and Settings\Administrator\yjr.exe
C:\Documents and Settings\Administrator\sflen.exe
C:\Documents and Settings\Administrator\smqdm.exe
C:\Documents and Settings\Administrator\qbi.exe
C:\Documents and Settings\Administrator\cxbw.exe
C:\Documents and Settings\Administrator\nbxomc.exe
C:\Documents and Settings\Administrator\bevf.exe
C:\Documents and Settings\Administrator\hfpkmm.exe
C:\WINDOWS\system32\acluif.exe
C:\WINDOWS\System32\jwpp.exe
C:\WINDOWS\System32\wwp.dll 
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Xxth58]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntiVirusProMFC"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jwpp"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ylyXWSPPdZuJIY"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"\\findfast.exe"=-
Folder::
C:\Program Files\Antivirus Pro
C:\Program Files\Viewpoint


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Edited by kahdah, 23 May 2008 - 11:22 AM.

  • 0
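The ComboFix log in the reply above and the CFScript that follows it show what the helper looked for: Run-key entries with no file details, services whose display names borrow a real Windows service name while pointing at an unfamiliar executable in System32, drivers with random-looking names and no file details, and a run of same-size executables created in the user profile on consecutive days. The script below is an added example written for this thread; it is not ComboFix's code and not the helper's script. It re-reads lines copied from the posted log and applies those heuristics, which are the editor's own. It only surfaces candidates for review, in the way a helper reads such a log, and the list of real service display names it uses (Application Management, Distributed Transaction Coordinator, Office Source Engine, Automatic Updates) is an assumption about Windows XP defaults rather than anything ComboFix outputs.

```python
"""Heuristic triage of ComboFix log sections (added example, not ComboFix
or the thread's own code).  SAMPLE_LOG lines are copied from the posted log;
the heuristics are the editor's own and flag review candidates only."""
import re
from collections import defaultdict

# Assumption: real Windows XP service display names and their short names.
KNOWN_SERVICES = {
    "Application Management": "AppMgmt",
    "Distributed Transaction Coordinator": "MSDTC",
    "Office Source Engine": "ose",
    "Automatic Updates": "wuauserv",
}

# "name"="path" [file details]          (Run-key entries)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
# R2 short;display;path [file details]  (service / driver entries)
SVC_RE = re.compile(r'^(?P<state>[RS]\d)\s+(?P<short>[^;]+);(?P<display>[^;]*);'
                    r'(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$')
# created . modified size attrs path    (Files Created entries; <DIR> rows skip)
FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+'
                     r'(?P<size>[\d,]+)\s+(?P<attr>\S+)\s+(?P<path>.+)$')
RANDOM_DRIVER_RE = re.compile(r'^[A-Z][a-z]{2}\d{2}$')   # e.g. Dim15, Glp72
EXECUTABLE_EXT = ('.exe', '.sys', '.dll')


def flag_run_entries(lines):
    """Run-key entries for which ComboFix printed no file details ('[ ]')."""
    return [m.group('name') for m in map(RUN_RE.match, lines)
            if m and not m.group('meta').strip()]


def flag_services(lines):
    """Services/drivers with a borrowed display name, no file details,
    or a random-looking short name.  Returns {short_name: [reasons]}."""
    flagged = {}
    for m in filter(None, map(SVC_RE.match, lines)):
        short, display, meta = m.group('short'), m.group('display'), m.group('meta')
        reasons = []
        for known_display, known_short in KNOWN_SERVICES.items():
            if (display.lower().startswith(known_display.lower())
                    and short.lower() != known_short.lower()):
                reasons.append(f"display name mimics '{known_display}' ({known_short})")
        if not meta.strip():
            reasons.append("no file details recorded")
        if RANDOM_DRIVER_RE.match(short):
            reasons.append("random-looking name")
        if reasons:
            flagged[short] = reasons
    return flagged


def cluster_created_files(lines, min_members=3):
    """Group newly created executables by identical size; several same-size
    files with unrelated names dropped on different days is worth a look."""
    by_size = defaultdict(list)
    for m in filter(None, map(FILE_RE.match, lines)):
        if m.group('path').lower().endswith(EXECUTABLE_EXT):
            by_size[m.group('size')].append(m.group('path'))
    return {s: p for s, p in by_size.items() if len(p) >= min_members}


def triage(log_text):
    lines = log_text.splitlines()
    return {'run_entries_without_details': flag_run_entries(lines),
            'suspicious_services': flag_services(lines),
            'same_size_clusters': cluster_created_files(lines)}


# Lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 08:00 13312]
"NVIEW"="nview.dll" [2003-10-17 21:02 852039 C:\WINDOWS\system32\nview.dll]
"AntiVirusProMFC"="C:\Program Files\Antivirus Pro\AntiVirus Pro.exe" [ ]
"Zinio DLM"="C:\Program Files\Zinio\ZDLM.exe" [ ]
"Aim6"="" []
R1 TMEI3E;TMEI3E;C:\WINDOWS\System32\Drivers\TMEI3E.SYS [2002-09-26 17:15]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S2 AppMgmtAvg7UpdSvc;Application Management AppMgmtAvg7UpdSvc;C:\WINDOWS\System32\Agilix Capture Portr.exe [2008-03-03 18:37]
S2 MSDTCstisvc;Distributed Transaction Coordinator MSDTCstisvc;C:\WINDOWS\System32\00THotkeyh.exe []
S2 oseHidServ;Office Source Engine oseHidServ;C:\WINDOWS\System32\acluif.exe [2008-02-08 21:19]
S2 oseSamSs;Office Source Engine oseSamSs;C:\WINDOWS\System32\actxprxyx.exe [2008-04-13 20:50]
S2 wuauservAppMgmt;Automatic Updates wuauservAppMgmt;C:\WINDOWS\System32\adsnwy.exe [2008-03-05 19:23]
S3 Dim15;Dim15;C:\WINDOWS\System32\drivers\Dim15.sys []
S3 Glp72;Glp72;C:\WINDOWS\System32\drivers\Glp72.sys []
S3 pciSd;pciSd;C:\WINDOWS\System32\DRIVERS\tossdpci.sys [2003-02-12 13:03]
2008-05-22 19:46 . 2008-05-22 19:46 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-05-13 20:33 . 2008-05-13 20:33 58,368 --a------ C:\Documents and Settings\Administrator\xvumaeo.exe
2008-05-12 21:57 . 2008-05-12 21:57 58,368 --a------ C:\Documents and Settings\Administrator\lpfa.exe
2008-05-11 18:13 . 2008-05-11 18:13 58,368 --a------ C:\Documents and Settings\Administrator\nmfcmax.exe
2008-05-10 22:10 . 2008-05-10 22:10 58,368 --a------ C:\Documents and Settings\Administrator\yjr.exe
2008-05-06 17:24 . 2008-05-06 17:24 268 --ah----- C:\sqmdata04.sqm
2008-05-02 20:11 . 2008-05-13 20:33 169,248 --a------ C:\WINDOWS\system32\drivers\ndisio.sys
"""

if __name__ == '__main__':
    for section, result in triage(SAMPLE_LOG).items():
        print(section, '->', result)
```

Every service the helper listed under Driver:: and every executable listed under File:: in the script above comes out flagged, while the Toshiba and Microsoft entries with proper file details do not. The name-mimicry check is the one most worth keeping in a real triage toolkit: the service short name is appended verbatim to a legitimate display name, which is what a human scanning "Office Source Engine oseHidServ" notices, and it does not depend on file hashes or signatures.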

#13
cj490

cj490

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I did it and nothing happened!! Do I try again??
  • 0

#14
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Delete your version of ComboFix and then download it again.
Then recreate the CFScript the same way and drag and drop it onto ComboFix.
Post that log and a new HijackThis log.
  • 0