Is it OK to let Malwarebytes - "Remove" c:\windows\system32\userinit.exe ?


Mel_3

- I'm reposting this here as instructed. Thanks for ANY help !!!

- I'm running XP-Pro and latest Malwarebytes with latest updates

- I read the instructions at "I'm infected. What do I do now?"

- Malwarebytes reported...

===== Start Report =====

Multiple threat dection

Infection list:

1

File name: c:\windows\system32\userinit.ece

Threat name: Trojan horse Downloader.Agent.ATHF

Detected on open

2

File name: c:\windows\system32\userinit.ece

Threat name: Trojan horse Downloader.Agent.ATHF

Detected on open

Details:

1 Process Name: C:\Malwarebyes' Anti-Malware\mbam.exe

Process ID: 4476

2 Process Name: C:\Malwarebyes' Anti-Malware\mbam.exe

Process ID: 2304

===== End Report =====

- I chose "Ignore" (because I had read somewhere else that "removing" userinit.exe would prevent you from logging on later)

- Then Malwarebytes reported the scan was complete and showed two registry errors

- (BUT no file errors... which seems to conflict with the report above)

- Should I have chosen "Remove threat as Power User", or was it correct to choose "Ignore"?

Here is the log:

===== Log start =====

Malwarebytes' Anti-Malware 1.33

Database version: 1687

Windows 5.1.2600 Service Pack 3

1/26/2009 10:11:44 AM

mbam-log-2009-01-26 (10-11-36).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 167717

Time elapsed: 47 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\userinit.exe -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

===== Log end =====

- Should I choose "Remove Selected" for the two registry keys shown above?

- How can I get this Trojan off this machine? I read fixing the file userinit.exe is difficult and risky. Some say run sfc.exe /scannow with the original XP-Pro CD in the machine... but this Toshiba laptop only comes with an "image" and Toshiba told me it will only restore the entire system... so I lose data and have to reinstall all apps.

- End of my original post

- Finally... Moderator / Forum Deity replied to my original post (that was in the wrong forum... sorry)

"MBAM should not remove it, but don't tell it to just in case. We'll use Combofix to try and repair it."

- I don't know what Combofix is... so thanks again for any help !!!

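The two flagged entries above are the Winlogon\Userinit value, which is the standard logon launch point rather than a malware-added key, so the question is whether the value still launches only the stock userinit.exe and whether that file itself is intact. As an added example (not from this thread, Malwarebytes or ComboFix), the Python script below parses the "Registry Data Items Infected" lines of an MBAM log in the format shown above, classifies the Userinit value against the Windows XP defaults (assumed here: Userinit = "C:\WINDOWS\system32\userinit.exe," and Shell = "Explorer.exe"), and hashes the live file against a known-good backup copy such as the $NtServicePackUninstall$ copy that the ComboFix log later in the thread restores from; the files it compares are constructed stand-ins, not real binaries.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample in the same format as the Malwarebytes log in the post above.
MBAM_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)
"""

# One MBAM registry-data line: <key>\<value> (<threat>) -> Data: <data> -> <action>
ENTRY_RE = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\.+)\\(?P<value>[^\\]+) \((?P<threat>[^)]+)\)"
    r" -> Data: (?P<data>.+?) -> (?P<action>.+)$"
)

# Winlogon values that launch a program at logon, with their assumed Windows XP
# defaults: Userinit = "C:\WINDOWS\system32\userinit.exe,"  Shell = "Explorer.exe"
WINLOGON_DEFAULTS = {"userinit": ["userinit.exe"], "shell": ["explorer.exe"]}


def parse_registry_data_items(log_text):
    """Return the entries listed under 'Registry Data Items Infected:' as dicts."""
    entries, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):  # section header, not a summary count line
            in_section = line.startswith("Registry Data Items")
            continue
        if in_section and line and not line.startswith("("):
            match = ENTRY_RE.match(line)
            if match:
                entries.append(match.groupdict())
    return entries


def winlogon_programs(data):
    """Split Userinit/Shell data (a comma-separated program list) into normalised names.
    A program in system32 (bare name, relative or full path) is reduced to its file
    name; a program living anywhere else keeps its full path so it cannot pass as stock."""
    programs = []
    for item in data.split(","):
        item = item.strip().strip('"').lower().replace("/", "\\")
        if not item:
            continue
        folder, _, name = item.rpartition("\\")
        in_system32 = folder == "" or folder.endswith("system32")
        programs.append(name if in_system32 else item)
    return programs


def assess_entry(entry):
    """'default': the value launches only the stock program, so deleting it would break
    logon and the file it points to is what needs verifying instead.
    'non-default': an extra program was appended or the program lives elsewhere.
    'unexpected': not a Winlogon launch value this check knows about."""
    value = entry["value"].lower()
    if not entry["key"].lower().endswith("\\winlogon") or value not in WINLOGON_DEFAULTS:
        return "unexpected"
    if winlogon_programs(entry["data"]) == WINLOGON_DEFAULTS[value]:
        return "default"
    return "non-default"


def file_matches_backup(live_path, backup_path):
    """True when the live file is byte-for-byte identical to a known-good backup copy
    (on XP: the $NtServicePackUninstall$ or dllcache copy of the same file)."""
    live_hash = hashlib.sha256(Path(live_path).read_bytes()).hexdigest()
    backup_hash = hashlib.sha256(Path(backup_path).read_bytes()).hexdigest()
    return live_hash == backup_hash


def demo_file_check():
    """Constructed stand-ins for system32\\userinit.exe and its backup; not real PE files."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "userinit.exe.backup"
        live = Path(tmp) / "userinit.exe"
        backup.write_bytes(b"MZ stock userinit bytes")
        live.write_bytes(b"MZ stock userinit bytes" + b" plus patched-in code")  # infected copy
        return file_matches_backup(live, backup)


if __name__ == "__main__":
    for entry in parse_registry_data_items(MBAM_LOG):
        print(f"{entry['value']} = {entry['data']!r}: {assess_entry(entry)}")
    print("live userinit.exe matches backup:", demo_file_check())
```

Both flagged lines classify as "default", which is why removing the value would only break logon, while the hash comparison on the constructed files reports a mismatch, the situation a patched userinit.exe produces.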

Hi. :)

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick Combofix's window while it's running. That may cause it to stall.


===== Start of reply to Tigger93 =====

Tigger93, Thanks for the help. I followed your instructions. The two logs follow. First the Combofix log... then the HijackThis Log.

- I see in the Combofix log that it replaced the flagged (infected) file c:\windows\system32\userinit.

- I do not see where the two associated registry entries flagged originally by Malwarebytes were fixed... if they really need fixing... (and it may have fixed them and I missed it.)

- I look forward to your follow-up advice. (Should I run Malwarebytes again? Should I do what?)

I can't thank you enough for your kind assistance. You guys really supply a service here !!! Thanks again.

===== Combofix Log Starts =====

ComboFix 09-01-21.04 - Will 2009-01-27 6:37:51.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1304 [GMT -5:00]

Running from: c:\documents and settings\Will\My Documents\Downloads\HiJack This\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

FW: ZoneAlarm Firewall *enabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\biologon.dll

c:\windows\system32\test.ttt

c:\windows\system32\win32hlp.cnf

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_seneka

((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))

.

2009-01-26 18:36 . 2009-01-26 18:36 <DIR> d-------- c:\program files\Trend Micro

2009-01-26 11:28 . 2009-01-26 11:28 <DIR> d-------- c:\program files\Belarc

2009-01-26 11:28 . 2008-02-27 12:49 3,840 --a------ c:\windows\system32\drivers\BANTExt.sys

2009-01-23 09:34 . 2009-01-23 09:35 <DIR> d-------- c:\program files\Inspiration 7.5

2009-01-23 09:34 . 2009-01-23 09:34 <DIR> d-------- c:\documents and settings\Will\Application Data\Inspiration Software

2009-01-23 09:34 . 1999-12-17 11:13 86,016 --a------ c:\windows\unvise32.exe

2009-01-23 09:30 . 2009-01-23 09:30 <DIR> d-------- c:\windows\speech

2009-01-14 19:34 . 2009-01-14 19:34 <DIR> d-------- c:\documents and settings\Will\Application Data\Malwarebytes

2009-01-14 19:30 . 2009-01-14 19:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-14 19:30 . 2009-01-14 19:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-14 19:30 . 2009-01-14 19:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-01-14 19:30 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-14 19:30 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-09 08:38 . 2009-01-09 08:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Musicnotes

2009-01-08 07:45 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll

2009-01-07 19:51 . 2009-01-07 20:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-01-07 19:51 . 2009-01-07 19:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-02 22:38 . 2009-01-02 22:38 <DIR> d-------- c:\documents and settings\Will\Application Data\Apple Computer

2009-01-02 22:37 . 2009-01-02 22:38 <DIR> d-------- c:\program files\iTunes

2009-01-02 22:37 . 2009-01-02 22:37 <DIR> d-------- c:\program files\iPod

2009-01-02 22:37 . 2009-01-02 22:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2009-01-02 22:36 . 2009-01-02 22:36 <DIR> d-------- c:\program files\Apple Software Update

2009-01-02 22:36 . 2009-01-02 22:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer

2009-01-02 22:35 . 2009-01-02 22:37 <DIR> d-------- c:\program files\Common Files\Apple

2009-01-02 22:35 . 2009-01-02 22:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-11 15:48 --------- d-----w c:\program files\NoteTab Light

2009-01-05 04:34 --------- d-----w c:\documents and settings\All Users\Application Data\avg8

2009-01-03 03:37 --------- d-----w c:\program files\Bonjour

2009-01-03 03:36 --------- d-----w c:\program files\QuickTime

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-11 08:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2008-11-28 00:10 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-28 00:10 --------- d-----w c:\program files\Xara

2008-11-27 23:58 --------- d-----w c:\documents and settings\Will\Application Data\MAGIX

2008-11-27 23:58 --------- d-----w c:\documents and settings\All Users\Application Data\MAGIX

2008-11-27 23:55 --------- d-----w c:\program files\WMV9_VCM

2008-11-27 23:55 --------- d-----w c:\program files\Magix

2008-11-27 23:54 --------- d-----w c:\program files\Common Files\xara

2008-11-27 23:41 --------- d-----w c:\documents and settings\All Users\Application Data\Xara

2008-01-10 20:33 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat

2008-08-27 16:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082720080828\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ThpSrv"="c:\windows\system32\thpsrv" [X]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008]

"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-05 30208]

"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]

"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-09 344144]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]

"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 15:14 258048]

"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-13 311296]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-10 1862144]

"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-26 90112]

"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]

"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-09 159744]

"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-25 136816]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-29 1261336]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]

"RTHDCPL"="RTHDCPL.EXE" [2007-03-12 c:\windows\RTHDCPL.exe]

"TFNF5"="TFNF5.exe" [2006-04-10 c:\windows\system32\TFNF5.exe]

"000StTHK"="000StTHK.exe" [2001-06-23 07:28 24576 c:\windows\system32\000StTHK.exe]

"NDSTray.exe"="NDSTray.exe" [bU]

"TFncKy"="TFncKy.exe" [bU]

"TOSDCR"="TOSDCR.EXE" [2005-12-13 c:\windows\system32\TOSDCR.exe]

"TPSODDCtl"="TPSODDCtl.exe" [2007-02-02 c:\windows\system32\TPSODDCtl.exe]

"TPSMain"="TPSMain.exe" [2006-07-26 c:\windows\system32\TPSMain.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-10-20 171448]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2006-05-05 19:48 40448 c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2007-04-27 21120]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-03-09 6528]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-11 97928]

R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2008-01-10 5888]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-01-10 36608]

R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2008-06-03 435072]

R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-11 231704]

R4 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2006-05-05 13568]

R4 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2006-05-05 33024]

R4 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [2006-05-05 3456]

R4 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-03-26 105856]

R4 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [2008-01-10 126976]

R4 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-02-19 134016]

.

Contents of the 'Scheduled Tasks' folder

2009-01-19 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-msiexec.exe - msiconf.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.netpv.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: networksolutions.com\www

DPF: {51A1CDAB-573D-45A4-B69F-B44791DFF60A} - hxxp://www.brevardpropertyappraiser.com/picto/include/PictImageCtrl30.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-27 06:41:55

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(964)

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\infra.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\program files\Protector Suite QL\homepass.dll

c:\program files\Protector Suite QL\bio.dll

c:\program files\Protector Suite QL\remote.dll

c:\program files\Protector Suite QL\mysafe.dll

c:\program files\Protector Suite QL\crypto.dll

- - - - - - - > 'lsass.exe'(1020)

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\infra.dll

c:\program files\Protector Suite QL\homefus2.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\windows\system32\ZoneLabs\vsmon.exe

c:\windows\system32\scardsvr.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Toshiba\ConfigFree\CFSvcs.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\AVG\AVG8\avgrsx.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\system32\igfxext.exe

c:\toshiba\IVP\swupdate\swupdtmr.exe

c:\windows\system32\ThpSrv.exe

c:\program files\Protector Suite QL\psqltray.exe

c:\windows\system32\TODDSrv.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Toshiba\ConfigFree\NDSTray.exe

c:\program files\Toshiba\TOSHIBA Direct Disc Writer\DDWMon.exe

c:\windows\system32\ThpSrv.exe

c:\program files\Toshiba\TME3\TMEEJME.exe

c:\program files\Apoint2K\ApntEx.exe

c:\windows\system32\TPSBattM.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

.

**************************************************************************

.

Completion time: 2009-01-27 6:44:46 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-27 11:44:43

Pre-Run: 131,859,759,104 bytes free

Post-Run: 132,176,936,960 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

231 --- E O F --- 2009-01-15 02:23:06

===== Combofix Log end =====

===== HijackThis Log start =====

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:47:24 AM, on 1/27/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\agrsmsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\TFNF5.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\TOSHIBA\IVP\ISM\pinger.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\igfxext.exe

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\WINDOWS\system32\ThpSrv.exe

C:\Program Files\Protector Suite QL\psqltray.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\system32\00THotkey.exe

C:\WINDOWS\system32\TODDSrv.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\system32\thpsrv.exe

C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE

C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE

C:\WINDOWS\system32\TPSMain.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netpv.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe /run

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [ThpSrv] C:\WINDOWS\system32\thpsrv /logon

O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service

O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon

O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE

O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {51A1CDAB-573D-45A4-B69F-B44791DFF60A} (Pictometry Viewer Control) - http://www.brevardpropertyappraiser.com/pi...ImageCtrl30.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe

O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 11610 bytes

===== HijackThis Log End =====


1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\unvise32.exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: CFScript.gif, dragging CFScript.txt onto ComboFix.exe]

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.