rosebud Posted March 30, 2009 ID:68783 Share Posted March 30, 2009 A few weeks ago, I had to wipe and reload my OP because my computer filled up with viruses. Long story, and I will tell it if I need to.So I reloaded the xp, downloaded all of the updates, installed Avast AV and Advanced System Care 3.2, and have been fine until last week when my flash drive crashed, and a boot time scan revealed a Trojan in it and 2-3 Trojans or 2-3 files infected by 1 Trojan on my main computer. The files were deleted, but I had not turned off the system restore. I ran several scans that turned up nothing until I ran the mbam scan this morning. So I turned off the system restore and hit the remove option.I was then directed by someone on another forum that there have been some false positives with the same extentions as some of the files that my scan marked as infected, and this person suggested that I restore these files. Should I restore them or does the presence of other infected files mean that these are infected? Here is the scan log after the removal:Malwarebytes' Anti-Malware 1.35Database version: 1919Windows 5.1.2600 Service Pack 33/30/2009 1:56:16 PMmbam-log-2009-03-30 (13-56-16).txtScan type: Full Scan (C:\|D:\|)Objects scanned: 145264Time elapsed: 30 minute(s), 53 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 4Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP13\A0005728.sys (Rootkit.Agent.V) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP13\A0006134.sys (Rootkit.Agent.V) -> Quarantined and deleted successfully.C:\WINDOWS\system32\drivers\wadv07nt.sys (Rootkit.Agent.V) -> Quarantined and deleted successfully.C:\WINDOWS\ServicePackFiles\i386\wadv07nt.sys (Rootkit.Agent.V) -> Quarantined and deleted successfully.Hijack this scan log after removal and rebootLogfile of Trend Micro HijackThis v2.0.2Scan saved at 2:12:55 PM, on 3/30/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exeC:\WINDOWS\system32\DVDRAMSV.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\McAfee\Common Framework\FrameworkService.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\Program Files\Google\Update\GoogleUpdate.exec:\TOSHIBA\IVP\swupdate\swupdtmr.exeC:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\WINDOWS\system32\dllhost.exeC:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exeC:\WINDOWS\system32\TDispVol.exeC:\WINDOWS\system32\igfxtray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\ehome\ehtray.exeC:\WINDOWS\eHome\ehmsas.exeC:\Program Files\Toshiba\Toshiba Applet\thotkey.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\ltmoh\Ltmoh.exeC:\WINDOWS\AGRSMMSG.exeC:\Program Files\Synaptics\SynTP\Toshiba.exeC:\Program Files\TOSHIBA\ConfigFree\NDSTray.exeC:\Program Files\Toshiba\Tvs\TvsTray.exeC:\WINDOWS\system32\TPSMain.exeC:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exeC:\WINDOWS\system32\dla\DLACTRLW.exeC:\toshiba\ivp\ism\pinger.exeC:\Program Files\Intel\Wireless\bin\ZCfgSvc.exeC:\WINDOWS\system32\TPSBattM.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\Program Files\McAfee\Common Framework\UdaterUI.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\McAfee\Common Framework\McTray.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\Program Files\Microsoft Office\Office12\GrooveMonitor.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exeC:\Program Files\IObit\Advanced SystemCare 3\AWC.exeC:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exeC:\WINDOWS\system32\RAMASST.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.comR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstartR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstartR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.comR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstartO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dllO2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLLO2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [TFncKy] TFncKy.exeO4 - HKLM\..\Run: [TDispVol] TDispVol.exeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exeO4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exeO4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exeO4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exeO4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exeO4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exeO4 - HKLM\..\Run: [TPSMain] TPSMain.exeO4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exeO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exeO4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /runO4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/WirelessO4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKeyO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exeO4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startupO4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exeO8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.htmlO8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.htmlO8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.htmlO8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.htmlO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstartO16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cabO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1236611405656O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dllO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exeO23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exeO23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exeO23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exeO23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exeO23 - Service: Google Update Service (gupdate1c9a04d23ccaf34) (gupdate1c9a04d23ccaf34) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exeO23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exeO23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exeO23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exeO23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe--End of file - 10839 bytesThere are only two of the four files visible in the mbam quarantine folder. Here they are:C:\WINDOWS\system32\drivers\wadv07nt.sys C:\WINDOWS\ServicePackFiles\i386\wadv07nt.sys Should I do as suggested and restore these two files? Link to post Share on other sites More sharing options...
Staff miekiemoes Posted March 31, 2009 Staff ID:68914 Share Posted March 31, 2009 Hi,Yes, please, restore these files again from quarantine.This issue has been fixed yesterday already.Then update your mbam database (mbam > update tab > check for updates) and rescan again.Let me know if this solved your issue.There's nothing suspicious in your log Link to post Share on other sites More sharing options...
rosebud Posted March 31, 2009 Author ID:68943 Share Posted March 31, 2009 I can restore the two Windows files, but the two system restore files were completely gone after I rebooted. Are they critical files? If so, what do I need to do? Link to post Share on other sites More sharing options...
Staff miekiemoes Posted March 31, 2009 Staff ID:68950 Share Posted March 31, 2009 You have to restore them from quarantine, so open mbam > quarantine tab, select the files and choose restore below.But, normally the file should be restored already automatically from dllcache though, so don't worry. Link to post Share on other sites More sharing options...
rosebud Posted March 31, 2009 Author ID:68953 Share Posted March 31, 2009 Okay, thanks!Then I will update mbam ad run the scan as you suggested. ;-) Link to post Share on other sites More sharing options...
Staff miekiemoes Posted March 31, 2009 Staff ID:68955 Share Posted March 31, 2009 OK! Link to post Share on other sites More sharing options...
rosebud Posted March 31, 2009 Author ID:69023 Share Posted March 31, 2009 This is a followup to my last post found herehttp://www.malwarebytes.org/forums/index.php?showtopic=13378Yesterday, as the MBAM and hijack this logs indicate, the following files were flagged:C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP13\A0005728.sys (Rootkit.Agent.V) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP13\A0006134.sys (Rootkit.Agent.V) -> Quarantined and deleted successfully.C:\WINDOWS\system32\drivers\wadv07nt.sys (Rootkit.Agent.V) -> Quarantined and deleted successfully.C:\WINDOWS\ServicePackFiles\i386\wadv07nt.sys (Rootkit.Agent.V) -> Quarantined and deleted successfully.As per a member on another forum, I selected remove, and rebooted the system. When the system came back up, only 2 of the 4 files were in the quarantine folder. The two files remaining were these:C:\WINDOWS\system32\drivers\wadv07nt.sys C:\WINDOWS\ServicePackFiles\i386\wadv07nt.sys As per a member on this forum, I restored these two files, and then did a boot time scan using Avast! The scan came up clean for the most part except for one corrupt file. Here is the fileC: WINDOWS\Software Distribution\downloada07814ceodafb6ed4a7ba54103b1f1f5\BIT77.tmp\wmsdmoe2.dll Error 42127 {cab archive is corruptedSo I updated MBAM and ran another MBAM scan, and it came up clean. Here is the logMalwarebytes' Anti-Malware 1.35Database version: 1924Windows 5.1.2600 Service Pack 33/31/2009 10:42:23 AMmbam-log-2009-03-31 (10-42-23).txtScan type: Full Scan (C:\|D:\|)Objects scanned: 129761Time elapsed: 20 minute(s), 26 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Here is the log for the Hijackthis scan that I just ran as wellLogfile of Trend Micro HijackThis v2.0.2Scan saved at 11:19:00 AM, on 3/31/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exeC:\WINDOWS\system32\DVDRAMSV.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exeC:\WINDOWS\system32\TDispVol.exeC:\WINDOWS\system32\igfxtray.exeC:\WINDOWS\system32\hkcmd.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\ehome\ehtray.exeC:\Program Files\Toshiba\Toshiba Applet\thotkey.exeC:\Program Files\Google\Update\GoogleUpdate.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\ltmoh\Ltmoh.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\WINDOWS\AGRSMMSG.exeC:\Program Files\TOSHIBA\ConfigFree\NDSTray.exeC:\Program Files\Toshiba\Tvs\TvsTray.exeC:\WINDOWS\system32\TPSMain.exeC:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exeC:\WINDOWS\system32\dla\DLACTRLW.exeC:\toshiba\ivp\ism\pinger.exeC:\Program Files\Synaptics\SynTP\Toshiba.exec:\TOSHIBA\IVP\swupdate\swupdtmr.exeC:\Program Files\Intel\Wireless\bin\ZCfgSvc.exeC:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\Program Files\Microsoft Office\Office12\GrooveMonitor.exeC:\WINDOWS\system32\TPSBattM.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exeC:\Program Files\IObit\Advanced SystemCare 3\AWC.exeC:\WINDOWS\system32\RAMASST.exeC:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\eHome\ehmsas.exeC:\Program Files\Alwil Software\Avast4\ashSimpl.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.comR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstartR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstartR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.comR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstartO2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dllO2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dllO2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLLO2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dllO4 - HKLM\..\Run: [TFncKy] TFncKy.exeO4 - HKLM\..\Run: [TDispVol] TDispVol.exeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exeO4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exeO4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exeO4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exeO4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exeO4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exeO4 - HKLM\..\Run: [TPSMain] TPSMain.exeO4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exeO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exeO4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /runO4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/WirelessO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttrayO4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silentO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exeO4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startupO4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exeO8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.htmlO8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.htmlO8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.htmlO8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.htmlO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstartO16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cabO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1236611405656O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dllO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exeO23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exeO23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exeO23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exeO23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exeO23 - Service: Google Update Service (gupdate1c9a04d23ccaf34) (gupdate1c9a04d23ccaf34) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeO23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exeO23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exeO23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exeO23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe--End of file - 11395 bytesSo, is that corrupt file critical? If so, what do I do??? Am I FINALLY clean? Link to post Share on other sites More sharing options...
Staff miekiemoes Posted March 31, 2009 Staff ID:69095 Share Posted March 31, 2009 Threads merged.You weren't even infected in the first place. What mbam flagged previously was a false positive which was resolved within 2 hours. That's also why I asked to update malwarebytes As per a member on this forum, I restored these two files, and then did a boot time scan using Avast! The scan came up clean for the most part except for one corrupt file. Here is the fileC: WINDOWS\Software Distribution\downloada07814ceodafb6ed4a7ba54103b1f1f5\BIT77.tmp\wmsdmoe2.dll Error 42127 {cab archive is corruptedThats nothing to worry about. It doesn't mean because your Avast lists this file as corrupted that it is malicious. It's just a part of a previous Windows update.Your HijackThislog looks clean, however, I suggest you uninstall the Ask Toolbar since it's not recommended. Link to post Share on other sites More sharing options...
rosebud Posted March 31, 2009 Author ID:69139 Share Posted March 31, 2009 That is great news! I did have a Trojan last week that the Avast found and deleted, so I was afraid, between that scan and yesterday, I deleted a necessary file.I will remove the ask tool bar. I hate it anyway! I also bought MBAM, so I feel my pc is clean and protected for the first time in months! Thanks so much! ;-) Link to post Share on other sites More sharing options...
Staff miekiemoes Posted March 31, 2009 Staff ID:69146 Share Posted March 31, 2009 Glad I could help. Please read my Prevention page with lots of info and tips how to prevent this in the future.And if you want to improve speed/system performance after malware removal, take a look here.Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.Happy Surfing again! Link to post Share on other sites More sharing options...
rosebud Posted April 1, 2009 Author ID:69164 Share Posted April 1, 2009 Thanks! I can't say how I got into the terrible trouble a few months ago that caused me to have to wipe and reload the hard drive, but I think I found the source for last week's Trojan! I teach paperless courses, so all my students have to submit their work electronically. I have a student who hasn't updated his AV program for a year! I made him and all of my students come here for the free scan before they send me another doc or power point! LOL!I will definitely check out those links, and I am working on all of my updates. After I reloaded my OS a few weeks ago, I downloaded all of the critical MS updates, and I have the Avast and MBAM on auto update. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 1, 2009 Staff ID:69173 Share Posted April 1, 2009 Hi,It may be a good idea to share the prevention link in your class. Link to post Share on other sites More sharing options...
rosebud Posted April 1, 2009 Author ID:69179 Share Posted April 1, 2009 I will! I didn't have it yet this afternoon! I have already run a few of the programs in your blog. My computer was wiped and reloaded, and I couldn't believe how fast it got afterward, so I must have had A LOT of "baggage"! LOL! I will use these tips to try to keep it less bogged down from now on, and more secure. ;-) Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 1, 2009 Staff ID:69191 Share Posted April 1, 2009 Good to hear Link to post Share on other sites More sharing options...
rosebud Posted April 1, 2009 Author ID:69200 Share Posted April 1, 2009 I have one more question, if you don't mind. I was told by someone on the Avast forum that it would be best to uninstall the Windows Advanced System Care 3.2 as it has the automatic registry repair feature. I don't like the constant prompts to buy the upgrade anyway, so I uninstalled it, but components were left on and I got a message saying that I could remove those components manually. Is there a System care removal tool or some general removal tool that will remove it entirely? Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 1, 2009 Staff ID:69205 Share Posted April 1, 2009 Hi,It's most probably the related folder in C:\Program Files which is still present.Program Files\IObit\Advanced SystemCareYou can delete that Advanced SystemCare folder manually. But I wouldn't worry about it though. If you leave it or not, it won't change a thing Link to post Share on other sites More sharing options...
rosebud Posted April 1, 2009 Author ID:69207 Share Posted April 1, 2009 Dang, I have ONE more! I have the Avast running real time and I have the MBAM running real time. Is this wise? In your blog, you warn that running two security programs in the back ground like that might big down my computer. I don't notice a problem, but should I turn off the MBAM and just run on demand scans or are these two programs okay together? Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 1, 2009 Staff ID:69210 Share Posted April 1, 2009 The advantage of MBAM is, it is compatible with other Antivirus, so don't worry about that Link to post Share on other sites More sharing options...
rosebud Posted April 1, 2009 Author ID:69214 Share Posted April 1, 2009 Thank you so much for all of your help! Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 1, 2009 Staff ID:69229 Share Posted April 1, 2009 You're most welcome Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 6, 2009 Staff ID:70884 Share Posted April 6, 2009 Since this issue appears resolved ... this Topic is closed.If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.Everyone else please begin a New Topic. Link to post Share on other sites More sharing options...
Recommended Posts