Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

a better internet & aurora infestation [RESOLVED]


  • This topic is locked This topic is locked

#31
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
I am stumped right about now so it is time for some outside analysis. First I am going to ask you to submit a file for testing. The process takes less than 5 minutes. Depending on the results, we will proceed from there.

There is a file in your log of which I am unsure and of which there exists very little informatiion. For that reason, I need you to submit it to Jotti's for analysis.

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

C:\WINDOWS\dsr.dll

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.

Regards,

Trevuren

  • 0

Advertisements


#32
markswmsj

markswmsj

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Service load: 0% 100%

File: dsr.dll
Status: INFECTED/MALWARE
MD5 38ee1bd59165fdd85deef431bf0b0eab
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found not a virus Adware.DrSearch
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.Adroar.1 (probable variant)
  • 0

#33
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Strange that only 2 small outfits pick it up but identify it totally differently and as a possible variant.

How is your system working?

Trevuren
  • 0

#34
markswmsj

markswmsj

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
So for it has been much bitter. No recent pop ups.
I will keep you posted.
Thank you for your help.
  • 0

#35
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Just for your information, those two files are popping up all over the net now. A new baddie on the block that is spreading. It is difficult to keep up with them but we do our best


Trevuren
  • 0

#36
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
I need you to run a small script that will pick all instances of two files in your registry. The program is to be run twice, once for each item and I would like you to post the results in seperate posts for clarity reasons. Thanks. Hopefully, some of my people can come up with a solution to fix the problem.

1. Download "Registry Search Tool" (RegSrch.vbs) from here
http://www.billsway.com/vbspage/

2. Start it and paste in dsr.dll , wait for it to complete the search, click ok at the prompt.

3. Then when wordpad opens, copy the content back into this thread please.


Once the report has been posted, please repeat the procedure with the following file: dinst.exe and post those results also.


Trevuren
  • 0

#37
markswmsj

markswmsj

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "dsr.dll" 07/28/2005 12:26:30 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00F1D395-4744-40f0-A611-980F61AE2C59}\InprocServer32]
@="C:\\WINDOWS\\dsr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8B51FC2F-C687-40a3-B54A-BB9EBF8D407F}\InprocServer32]
@="C:\\WINDOWS\\dsr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CE27D4DF-714B-4427-95EB-923FE53ADF8E}\InprocServer32]
@="C:\\WINDOWS\\dsr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2D2FE40-5674-4b77-802B-EC86B6C2C41D}\InprocServer32]
@="C:\\WINDOWS\\dsr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E311D3A5-4A3B-4e49-9E0A-B40FAE1F0B28}\InprocServer32]
@="C:\\WINDOWS\\dsr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8F73AC0F-5769-4282-8762-B396A3BFF377}\1.0\0\win32]
@="C:\\WINDOWS\\dsr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\msaddsr.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\msaddsr.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\msaddsr.dll]

[HKEY_USERS\S-1-5-21-2415692910-1118669034-1301502347-1006\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="dsr.dll"

[HKEY_USERS\S-1-5-21-2415692910-1118669034-1301502347-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"i"="C:\\WINDOWS\\dsr.dll"

[HKEY_USERS\S-1-5-21-2415692910-1118669034-1301502347-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll]
"a"="C:\\WINDOWS\\dsr.dll"
  • 0

#38
markswmsj

markswmsj

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "dinst.exe" 07/28/2005 12:28:11 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dinst"="C:\\WINDOWS\\dinst.exe"

[HKEY_USERS\S-1-5-21-2415692910-1118669034-1301502347-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\dinst.exe"="dinst"
  • 0

#39
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Nice work Mark, You have got the place astir. Some people will be doing overtime for the next day or two. I'll get back to you as soon as they can digest all these additions.

Thanks again for your cooperation,


Trevuren
  • 0

#40
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
We are nearly there already. We need you to do 1 more thing before the fix is completed.


1. Pleae click Start>>Run

2. Copy/Paste the following text into the Run box and click OK

regedit.exe /e C:\drsearch.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8F73AC0F-5769-4282-8762-B396A3BFF377}"

3. If the key exists it will create the file C:\drsearch.txt
That file contains the export of the registry key.

4. Please copy the text into a Notepad text file and Paste it back into this thread.

5. If the text file in question is not there, please advise me of such.


Regards,

Trevuren

  • 0

Advertisements


#41
markswmsj

markswmsj

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8F73AC0F-5769-4282-8762-B396A3BFF377}]

Here you go!

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8F73AC0F-5769-4282-8762-B396A3BFF377}\1.0]
@="wbho 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8F73AC0F-5769-4282-8762-B396A3BFF377}\1.0\0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8F73AC0F-5769-4282-8762-B396A3BFF377}\1.0\0\win32]
@="C:\\WINDOWS\\dsr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8F73AC0F-5769-4282-8762-B396A3BFF377}\1.0\FLAGS]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8F73AC0F-5769-4282-8762-B396A3BFF377}\1.0\HELPDIR]
@="C:\\WINDOWS\\"
  • 0

#42
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Thanks for your reply. That was the missing part of the puzzle. I will be forwarding your reply to the registry expert and it will confirm his regfix. There have been quite a few more cases like yours turning up. Let's hope that this fix will help kill this bug.

Thanks again and I hope to get back to you soob with your fix. (That doesn't quite sound right) :tazz:


Trevuren
  • 0

#43
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Backup the registry by going to Start>Run> and type "regedit" without the quotes. Then on the file menu choose ‘export’ in XP. Export the file to your Desktop.

If a restore of the registry is required in case of emergency, just click on the exported regfile on your desktop, and answer YES to the question whether you want to merge this file with the registry. Wait until you get a message saying something like Merge Successfull.

2. Launch Notepad, and copy/paste the text in the codebox below into the new document. Save it to your desktop as drsearch.reg and as "AllFiles" as file type.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00F1D395-4744-40f0-A611-980F61AE2C59}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8B51FC2F-C687-40a3-B54A-BB9EBF8D407F}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CE27D4DF-714B-4427-95EB-923FE53ADF8E}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2D2FE40-5674-4b77-802B-EC86B6C2C41D}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E311D3A5-4A3B-4e49-9E0A-B40FAE1F0B28}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8F73AC0F-5769-4282-8762-B396A3BFF377}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dinst"=-


3. Locate drsearch.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

4. Reboot your computer into Safe Mode.

5. Using Windows Explorer, locate and DELETE the followig files:

C:\Windows\dsr.dll
C:\Windows\dinst.exe

6. Reboot into Normal Mode

7. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

  • 0

#44
markswmsj

markswmsj

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Ok. I did the above and deleted those 2 files.
Here is the new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 4:21:31 PM, on 07/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\Program Files\Toshiba\TapButton\TapButt.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\Toshiba\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\hp deskjet 450 printer\ToolBox\mpm.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\WINDOWS\system32\wtablet\TabUserW.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Documents and Settings\Mark\My Documents\My Downloads\Aurora Get rid of it\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
O4 - HKLM\..\Run: [TapButt] C:\Program Files\Toshiba\TapButton\TapButt.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TAcelMgr] C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
O4 - HKLM\..\Run: [TSkrMain] C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TosRotation] "C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe"
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\Toshiba\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [StartTabletService] tablet s
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: myPrintMileage.lnk = C:\Program Files\Hewlett-Packard\hp deskjet 450 printer\ToolBox\mpm.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: TabUserW.lnk = C:\WINDOWS\system32\wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Mark\My Documents\My Downloads\Aurora Get rid of it\CWShredder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: ImapiHelper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
  • 0

#45
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
  • Please RUN HijackThis.
    . Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)



  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP