
Help with FakeAV trojan



Hello,

I was wondering if someone could help me remove the FakeAV trojan that is on my system. It has hijacked my IE browser and changed settings in most of my antivirus programs. I previously had just Ad-Aware and Norton 360 loaded, but the trojan got on anyway. I now have Norton 360, Ad-Aware, Avira, and Malwarebytes. I also have trouble getting websites to recognize my security certificates, and I am unable to access Windows Updates.

I've run Malwarebytes and Avira several times, and they say that they found the trojan and removed it, but I am still getting IE redirects and lots of my settings are still messed up.

Thanks

Here are the required logs:

MalwareBytes Log

Scan type: Full scan (C:\|D:\|E:\|)

Objects scanned: 207527

Time elapsed: 53 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP201\A0024293.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP201\A0024294.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Me at 21:19:02.95 on Tue 08/17/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3063.2141 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}

FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\ActivIdentity\ActivClient\accoca.exe

C:\WINDOWS\system32\agrsmsvc.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHDLDCS.EXE

C:\TOSHIBA\IVP\ISM\pinger.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\WINDOWS\system32\ThpSrv.exe

C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

C:\WINDOWS\system32\TODDSrv.exe

C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe

C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\Program Files\ActivIdentity\ActivClient\acevents.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE

C:\WINDOWS\system32\thpsrv.exe

C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\WINDOWS\system32\00THotkey.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\Program Files\Protector Suite QL\psqltray.exe

C:\WINDOWS\system32\TFNF5.exe

C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe

C:\WINDOWS\system32\igfxext.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Me\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyServer = http=127.0.0.1:6522

mSearchAssistant = hxxp://www.google.com/ie

mWinlogon: Userinit=c:\windows\system32\userinit.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: {9030d464-4c02-4abf-8ecc-5164760863c6} - Windows Live Sign-in Helper

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll

TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe

uRunOnce: [shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; Creative ZENcast v2.00.13)" -"https://erau.blackboard.com/courses/1/09_W2_WEAX_201_04D4/content/_5912088_1/dir_activity_micro_MX.zip/activity_micro_MX.html"

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [NoteBurner] c:\program files\noteburner\VTBurnerGUI.exe /silence

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [masqform.exe] c:\program files\pureedge\viewer 6.5\masqform.exe -RunOnce

mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R

mRun: [CTCheck] c:\program files\creative\creative zen\zen media explorer\CTCheck.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"

mRun: [<NO NAME>]

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [DpUtil] c:\program files\toshiba\dualpointutility\TEDTray.exe

mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver\LVCOMS.EXE

mRun: [TouchED] c:\program files\toshiba\touched\TouchED.exe

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [CFSServ.exe] CFSServ.exe -NoClient

mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [smoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe

mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"

mRun: [TPSMain] TPSMain.exe

mRun: [TPSODDCtl] TPSODDCtl.exe

mRun: [TOSDCR] TOSDCR.EXE

mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon

mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service

mRun: [ThpSrv] c:\windows\system32\thpsrv /logon

mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe

mRun: [TFncKy] TFncKy.exe

mRun: [NDSTray.exe] NDSTray.exe

mRun: [000StTHK] 000StTHK.exe

mRun: [00THotkey] c:\windows\system32\00THotkey.exe

mRun: [Apoint] c:\program files\apoint2k\Apoint.exe

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [TAudEffect] c:\program files\toshiba\taudeffect\TAudEff.exe /run

mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe

mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup

mRun: [TFNF5] TFNF5.exe

mRun: [Alcmtr] ALCMTR.EXE

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\activc~1.lnk - c:\program files\actividentity\activclient\acsagent.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.celartem.com/en/download/data/djvu_autoinstall/DjVuControl_en_US.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} - hxxp://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267230894953

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll

Notify: ackpbsc - c:\windows\system32\ackpbsc.dll

Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll

Notify: igfxcui - igfxdev.dll

Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

Notify: psfus - psqlpwd.dll

Notify: TosBtNP - TosBtNP.dll

AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli psqlpwd

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-27 64288]

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys [2009-1-19 13440]

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2007-4-27 21120]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-3-9 6528]

R0 vburner;vburner;c:\windows\system32\drivers\vburner.sys [2009-1-18 17408]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-17 11608]

R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2008-1-10 5888]

R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-11-27 185896]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-8-17 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-8-17 267432]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-8-17 60936]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-1-10 108648]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-1-10 108648]

R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-5-5 13568]

R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-5-5 33024]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-15 304464]

R2 OKI OPHD DCS Loader;OKI OPHD DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHDLDCS.EXE [2005-10-1 24576]

R2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2006-5-5 3456]

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]

R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2008-1-10 126976]

R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-1-10 36608]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-15 20952]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100817.008\NAVENG.SYS [2010-8-17 85424]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100817.008\NAVEX15.SYS [2010-8-17 1362608]

R3 notecable;NoteCable Driver (WDM);c:\windows\system32\drivers\notcable.sys [2009-1-19 30464]

R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2008-8-24 435072]

S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]

S3 GTwinUSB;GTwinUSB;c:\windows\system32\drivers\GTwinUSB.sys [2010-7-22 61840]

S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-1-10 1251720]

S3 WmaCAudio;WmaCAudio;c:\windows\system32\drivers\WmaCAudio.sys [2009-1-18 23096]

S3 WmaCVideo;WmaCVideo;c:\windows\system32\drivers\WmaCVideo.sys [2009-1-18 3768]

=============== Created Last 30 ================

2010-08-18 01:07:51 0 ----a-w- c:\documents and settings\me\defogger_reenable

2010-08-18 00:30:36 0 d-----w- c:\program files\ESET

2010-08-17 15:07:36 0 d-----w- c:\docume~1\me\applic~1\Avira

2010-08-17 14:59:54 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-08-17 14:59:50 0 d-----w- c:\program files\Avira

2010-08-17 14:59:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-08-16 02:30:18 0 d-----w- c:\docume~1\me\applic~1\Malwarebytes

2010-08-16 02:30:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-16 02:30:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-16 02:30:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-16 02:30:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-08-15 22:26:57 2838 ----a-w- c:\windows\ovefuwej.dll

2010-08-15 20:52:01 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-15 18:13:52 120 ----a-w- c:\windows\Dkuboza.dat

2010-08-15 18:13:52 0 ----a-w- c:\windows\Fwehamicu.bin

2010-07-23 18:32:42 0 d-----w- c:\docume~1\me\applic~1\DBsign

2010-07-22 05:03:31 0 d-----w- c:\program files\Gradkell Systems, Inc

2010-07-22 04:50:21 0 d-----w- c:\program files\common files\ActivIdentity

2010-07-22 04:50:21 0 d-----w- c:\program files\ActivIdentity

2010-07-22 04:47:08 41238 ----a-w- c:\windows\ac60AirForceImage.bmp

2010-07-22 04:43:30 61840 ----a-w- c:\windows\system32\drivers\GTwinUSB.sys

2010-07-22 04:43:29 0 d-----w- c:\program files\Gemplus

==================== Find3M ====================

2008-01-10 20:33:45 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

2008-08-24 19:29:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082420080825\index.dat

============= FINISH: 21:20:37.93 ===============

Attach.zip

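One way to triage a DDS log like the one in the post above for the usual FakeAV indicators, as an added example that is not part of the post or of the DDS tool: it flags a proxy that points at the local machine (the `http=127.0.0.1:6522` entry routes all of IE's traffic through something listening on the laptop itself, which is consistent with the redirects and certificate errors described), BHO entries whose DLL is missing (`No File`), and files dropped directly into the Windows directory (`ovefuwej.dll`, `Dkuboza.dat`, `Fwehamicu.bin`). The sample lines are copied from the log above; the three heuristics, the severity labels and the function names are my own and are not from any tool.

```python
"""Triage a DDS 'Pseudo HJT Report' log for FakeAV-style hijack indicators.

Added example, not part of the DDS tool or the forum post.  The three
heuristics below and their severity labels are assumptions of this example.
"""
import ipaddress
import re

# Constructed sample: a handful of lines copied from the DDS log in the post.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6522
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
2010-08-15 22:26:57 2838 ----a-w- c:\windows\ovefuwej.dll
2010-08-15 18:13:52 120 ----a-w- c:\windows\Dkuboza.dat
2010-08-15 18:13:52 0 ----a-w- c:\windows\Fwehamicu.bin
2010-08-16 02:30:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

# "ProxyServer = http=127.0.0.1:6522": optional "scheme=" prefix, then host[:port].
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?([^\s;:]+)(?::(\d+))?", re.I)
# A browser helper object whose DLL no longer exists on disk.
BHO_NOFILE_RE = re.compile(r"^BHO:.*-\s*No File\s*$", re.I)
# A file created directly in c:\windows (not in a subfolder) with a payload-like
# extension; legitimate installers rarely drop loose files there.
WINROOT_FILE_RE = re.compile(r"\s(c:\\windows\\[^\\\s]+\.(?:dll|dat|bin|exe))\s*$", re.I)


def loopback_proxy(line):
    """Return (host, port) if the line configures a proxy on the local machine, else None."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    host, port = m.group(1), m.group(2)
    try:
        is_local = ipaddress.ip_address(host).is_loopback
    except ValueError:          # a hostname rather than an address
        is_local = host.lower() == "localhost"
    if not is_local:
        return None
    return host, (int(port) if port else None)


def scan_dds(text):
    """Return (severity, description, line) findings for each suspicious log line."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        proxy = loopback_proxy(line)
        if proxy:
            findings.append(("high",
                             "browser traffic routed through local proxy %s:%s" % proxy,
                             line))
            continue
        if BHO_NOFILE_RE.match(line):
            findings.append(("low", "orphaned BHO entry (No File) left to clean up", line))
            continue
        m = WINROOT_FILE_RE.search(line)
        if m:
            findings.append(("medium", "loose file created in Windows root: " + m.group(1), line))
    return findings


if __name__ == "__main__":
    for severity, why, line in scan_dds(SAMPLE_DDS):
        print("[%-6s] %s\n         %s" % (severity.upper(), why, line))
```

The loopback check uses the `ipaddress` module so that `127.0.0.1`, any other `127.x.x.x` address and `localhost` are all caught; a proxy on a real corporate address is left alone, since that is a normal configuration. The Windows-root heuristic is deliberately narrow (direct children of `c:\windows` only), so driver files under `system32\drivers` such as `mbam.sys` are not flagged.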

Hi,

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    [screenshot: TDSSKillerMain.png]
  • If an infected file is detected, the default action will be Cure, click on Continue.
    [screenshot: TDSSKillerMal-1.png]
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
    [screenshot: TDSSKillerSuspicious.png]
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    [screenshot: TDSSKillerCompleted.png]
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: whatnext.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


Hi,

Thank you so much for your help. ;) I downloaded and ran both programs.

Here is the TDSS Rootkiller log:

2010/08/22 21:38:23.0109 TDSS rootkit removing tool 2.4.1.2 Aug 16 2010 09:46:23

2010/08/22 21:38:23.0109 ================================================================================

2010/08/22 21:38:23.0109 SystemInfo:

2010/08/22 21:38:23.0109

2010/08/22 21:38:23.0109 OS Version: 5.1.2600 ServicePack: 2.0

2010/08/22 21:38:23.0109 Product type: Workstation

2010/08/22 21:38:23.0109 ComputerName: LAPTOP

2010/08/22 21:38:23.0109 UserName: Me

2010/08/22 21:38:23.0109 Windows directory: C:\WINDOWS

2010/08/22 21:38:23.0109 System windows directory: C:\WINDOWS

2010/08/22 21:38:23.0109 Processor architecture: Intel x86

2010/08/22 21:38:23.0109 Number of processors: 2

2010/08/22 21:38:23.0125 Page size: 0x1000

2010/08/22 21:38:23.0125 Boot type: Normal boot

2010/08/22 21:38:23.0125 ================================================================================

2010/08/22 21:38:23.0968 Initialize success

And here is the ComboFix log:

ComboFix 10-08-22.05 - Me 08/22/2010 21:53:15.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3063.2114 [GMT -4:00]

Running from: c:\documents and settings\Me\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}

FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Me\Favorites\. AROWS-R - Login ..url

c:\documents and settings\Me\Local Settings\Application Data\{5C3D0B8F-70FE-460A-ACAA-404964CF7F22}

c:\documents and settings\Me\Local Settings\Application Data\{5C3D0B8F-70FE-460A-ACAA-404964CF7F22}\chrome.manifest

c:\documents and settings\Me\Local Settings\Application Data\{5C3D0B8F-70FE-460A-ACAA-404964CF7F22}\chrome\content\_cfg.js

c:\documents and settings\Me\Local Settings\Application Data\{5C3D0B8F-70FE-460A-ACAA-404964CF7F22}\chrome\content\overlay.xul

c:\documents and settings\Me\Local Settings\Application Data\{5C3D0B8F-70FE-460A-ACAA-404964CF7F22}\install.rdf

c:\windows\Downloaded Program Files\popcaploader.dll

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\ovefuwej.dll

d:\\RegistryBackup_8152010.reg

.

((((((((((((((((((((((((( Files Created from 2010-07-23 to 2010-08-23 )))))))))))))))))))))))))))))))

.

2010-08-20 00:52 . 2010-08-20 00:52 -------- d-----w- c:\program files\Common Files\Java

2010-08-20 00:52 . 2010-08-20 00:52 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-08-18 00:30 . 2010-08-18 00:30 -------- d-----w- c:\program files\ESET

2010-08-17 15:07 . 2010-08-17 15:07 -------- d-----w- c:\documents and settings\Me\Application Data\Avira

2010-08-17 14:59 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-08-17 14:59 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-08-17 14:59 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-08-17 14:59 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-08-17 14:59 . 2010-08-17 14:59 -------- d-----w- c:\program files\Avira

2010-08-17 14:59 . 2010-08-17 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-08-16 02:30 . 2010-08-16 02:30 -------- d-----w- c:\documents and settings\Me\Application Data\Malwarebytes

2010-08-16 02:30 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-16 02:30 . 2010-08-16 02:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-16 02:30 . 2010-08-16 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-08-16 02:30 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-15 20:52 . 2010-08-19 18:15 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-15 18:13 . 2010-08-15 18:13 120 ----a-w- c:\windows\Dkuboza.dat

2010-08-15 18:13 . 2010-08-15 18:13 0 ----a-w- c:\windows\Fwehamicu.bin

2010-08-15 18:11 . 2010-08-16 02:54 -------- d-----w- c:\documents and settings\Me\Local Settings\Application Data\awpvjbqbr

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-23 01:30 . 2004-08-03 23:00 41856 ----a-w- c:\windows\system32\drivers\imapi.sys

2010-08-20 00:52 . 2010-08-20 00:52 503808 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2ff84b7d-n\msvcp71.dll

2010-08-20 00:52 . 2010-08-20 00:52 12800 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-29fc8a76-n\decora-d3d.dll

2010-08-20 00:52 . 2010-08-20 00:52 61440 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-29fc8a76-n\decora-sse.dll

2010-08-20 00:52 . 2010-08-20 00:52 499712 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2ff84b7d-n\jmc.dll

2010-08-20 00:52 . 2010-08-20 00:52 348160 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2ff84b7d-n\msvcr71.dll

2010-08-20 00:52 . 2008-01-10 19:56 -------- d-----w- c:\program files\Java

2010-08-17 15:59 . 2009-01-19 21:38 -------- d-----w- c:\program files\NoteBurner

2010-08-17 15:37 . 2008-01-10 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-08-16 02:59 . 2008-01-10 20:35 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-07-28 03:16 . 2009-01-18 18:12 -------- d-----w- c:\program files\Microsoft Silverlight

2010-07-23 18:32 . 2010-07-23 18:32 -------- d-----w- c:\documents and settings\Me\Application Data\DBsign

2010-07-22 05:03 . 2010-07-22 05:03 -------- d-----w- c:\program files\Gradkell Systems, Inc

2010-07-22 04:51 . 2010-07-22 04:50 -------- d-----w- c:\program files\Common Files\ActivIdentity

2010-07-22 04:50 . 2010-07-22 04:50 -------- d-----w- c:\program files\ActivIdentity

2010-07-22 04:43 . 2010-07-22 04:43 -------- d-----w- c:\program files\Gemplus

2010-07-08 22:07 . 2010-07-08 22:07 -------- d-----w- c:\program files\SystemRequirementsLab

2010-06-06 02:32 . 2010-02-28 03:32 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-05-29 18:39 . 2010-05-29 17:34 21 ----a-w- c:\windows\popcinfot.dat

2010-05-29 17:34 . 2010-05-29 17:34 0 ----a-w- c:\windows\popcreg.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CFSServ.exe"="CFSServ.exe -NoClient" [X]

"ThpSrv"="c:\windows\system32\thpsrv" [X]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]

"NoteBurner"="c:\program files\NoteBurner\VTBurnerGUI.exe" [2008-12-02 5668864]

"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-11-27 298536]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008]

"DpUtil"="c:\program files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-06-29 155648]

"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 98304]

"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.exe" [2005-06-29 126976]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]

"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-26 136816]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]

"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]

"TPSMain"="TPSMain.exe" [2006-07-27 315392]

"TPSODDCtl"="TPSODDCtl.exe" [2007-02-02 110592]

"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]

"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]

"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-27 90112]

"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]

"TFncKy"="TFncKy.exe" [bU]

"NDSTray.exe"="NDSTray.exe" [bU]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]

"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144]

"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]

"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-06 30208]

"TFNF5"="TFNF5.exe" [2006-04-11 622592]

"RTHDCPL"="RTHDCPL.EXE" [2007-03-13 16125440]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2007-11-27 128552]

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-5-22 2756608]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-9-21 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]

2007-11-27 22:11 109568 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]

2007-11-27 22:11 286720 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2006-05-06 00:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]

2006-07-22 03:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Amazon Unbox.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk

backup=c:\windows\pss\Amazon Unbox.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]

2001-06-23 08:28 24576 ----a-w- c:\windows\system32\000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]

2006-07-05 16:14 258048 ----a-w- c:\windows\system32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTCheck]

2007-11-06 15:08 397312 ------w- c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-03 21:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]

2007-07-17 15:03 868352 ------w- c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]

2008-10-07 20:25 95744 ----a-w- c:\program files\eFax Messenger 4.4\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

2008-01-10 20:12 1862144 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

2003-12-22 13:38 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2006-01-14 00:20 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\masqform.exe]

2005-07-04 14:50 643072 ----a-w- c:\program files\PureEdge\Viewer 6.5\masqform.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-01-09 22:22 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/27/2010 11:32 PM 64288]

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys [1/19/2009 5:38 PM 13440]

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [4/27/2007 2:19 PM 21120]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 7:23 PM 6528]

R0 vburner;vburner;c:\windows\system32\drivers\vburner.sys [1/18/2009 11:49 PM 17408]

R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [1/10/2008 4:16 PM 5888]

R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [11/27/2007 6:11 PM 185896]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/17/2010 10:59 AM 135336]

R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/5/2006 9:00 PM 13568]

R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/5/2006 8:59 PM 33024]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/15/2010 10:30 PM 304464]

R2 OKI OPHD DCS Loader;OKI OPHD DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHDLDCS.EXE [10/1/2005 12:35 AM 24576]

R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/5/2006 8:33 PM 3456]

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 4:22 PM 105856]

R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [1/10/2008 4:16 PM 126976]

R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 4:15 PM 134016]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/28/2010 1:05 AM 102448]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/10/2008 6:11 PM 36608]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/15/2010 10:30 PM 20952]

R3 notecable;NoteCable Driver (WDM);c:\windows\system32\drivers\notcable.sys [1/19/2009 5:47 PM 30464]

R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [8/24/2008 3:20 PM 435072]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]

S3 GTwinUSB;GTwinUSB;c:\windows\system32\drivers\GTwinUSB.sys [7/22/2010 12:43 AM 61840]

S3 WmaCAudio;WmaCAudio;c:\windows\system32\drivers\WmaCAudio.sys [1/18/2009 11:59 PM 23096]

S3 WmaCVideo;WmaCVideo;c:\windows\system32\drivers\WmaCVideo.sys [1/18/2009 11:59 PM 3768]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-08-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 02:33]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyServer = http=127.0.0.1:6522

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

AddRemove-Hammer Heads Deluxe 1.1 - c:\program files\PopCap Games\Hammer Heads Deluxe\PopUninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-22 22:07

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)

c:\windows\system32\ackpbsc.dll

c:\windows\system32\aclog.dll

c:\windows\system32\accrypto.dll

c:\windows\system32\ACLIBEAY.dll

c:\windows\system32\acevtsub.dll

c:\windows\system32\asphat32.dll

c:\windows\system32\acerrmes.dll

c:\windows\system32\aspcom.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\infra.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\windows\system32\biologon.dll

c:\program files\Protector Suite QL\homepass.dll

c:\program files\Protector Suite QL\bio.dll

c:\program files\Protector Suite QL\remote.dll

c:\windows\system32\MSVCP71.dll

c:\program files\ActivIdentity\ActivClient\acunlock.dll

c:\windows\system32\aipingui.dll

c:\windows\system32\aicext.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll

c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll

c:\program files\Protector Suite QL\mysafe.dll

c:\program files\Protector Suite QL\crypto.dll

- - - - - - - > 'lsass.exe'(1016)

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\infra.dll

c:\program files\Protector Suite QL\homefus2.dll

- - - - - - - > 'explorer.exe'(5332)

c:\windows\system32\WININET.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\system32\ieframe.dll

c:\program files\TOSHIBA\TME3\TMEEJMD.DLL

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Protector Suite QL\mysafe.dll

c:\program files\Protector Suite QL\infra.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\TPwrCfg.DLL

c:\windows\system32\TPwrReg.dll

c:\windows\system32\TPSTrace.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\ActivIdentity\ActivClient\acevents.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\windows\System32\SCardSvr.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\windows\system32\CTsvcCDA.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\toshiba\IVP\swupdate\swupdtmr.exe

c:\windows\system32\ThpSrv.exe

c:\windows\system32\TODDSrv.exe

c:\program files\TOSHIBA\TME3\TMEEJME.EXE

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\ActivIdentity\ActivClient\acevents.exe

c:\windows\system32\thpsrv.exe

c:\windows\system32\TPSBattM.exe

c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\TOSHIBA\ConfigFree\NDSTray.exe

c:\windows\system32\TFNF5.exe

c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

c:\program files\Apoint2K\Apntex.exe

c:\windows\RTHDCPL.EXE

c:\program files\Protector Suite QL\psqltray.exe

c:\windows\system32\igfxext.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

.

**************************************************************************

.

Completion time: 2010-08-22 22:16:09 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-23 02:15

Pre-Run: 34,127,724,544 bytes free

Post-Run: 34,168,221,696 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 5322F485D855FCCE3E5D5EE28147BC3E


Hi,

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\Dkuboza.dat
c:\windows\Fwehamicu.bin

Folder::
c:\documents and settings\Me\Local Settings\Application Data\awpvjbqbr

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6522

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You're using multiple anti-virus programs. Using multiple AVs REDUCES your security and can cause a lot of other problems as well, so please uninstall Avira or Norton.

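The indicators the helper acted on in the script above (a browser proxy pointed at 127.0.0.1, plus the Security Center and firewall values visible in the same log) can be pulled out of a ComboFix/DDS log mechanically. The following triage pass is an added example for this thread, not ComboFix's code or the helper's CFScript; the log excerpt is constructed from lines shown in the thread, and the parsing rules and severity labels are my own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low" (assumed scale)
    line: str       # the log line that triggered the finding
    reason: str


# Constructed excerpt in the shape of the ComboFix output posted in this thread.
SAMPLE_LOG = """\
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6522
REGEDIT4
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"avgnt"="c:\\program files\\Avira\\AntiVir Desktop\\avgnt.exe" [2010-03-02 282792]
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# A proxy on 127.0.0.1 (or localhost) means some process on this machine is
# relaying the browser's traffic; the helper cleared exactly this value.
_PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?"
    r"(?P<host>127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost):(?P<port>\d+)",
    re.IGNORECASE,
)
_SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')


def triage(log_text: str) -> list[Finding]:
    """Walk the log once, remembering the registry key each value sits under."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = _SECTION_RE.match(line)
        if sec:
            section = sec.group("key").lower()
            continue
        proxy = _PROXY_RE.search(line)
        if proxy:
            findings.append(Finding("high", line,
                "browser proxy points at the loopback interface "
                f"({proxy.group('host')}:{proxy.group('port')}); a local "
                "process sits between the browser and the network"))
            continue
        val = _VALUE_RE.match(line)
        if not val:
            continue
        name, data = val.group("name").lower(), val.group("data").strip()
        if name == "disablemonitoring" and data.lower() == "dword:00000001":
            if section.endswith("\\security center\\monitoring"):
                findings.append(Finding("medium", line,
                    "Security Center monitoring disabled at the top-level key"))
            else:
                product = section.rsplit("\\", 1)[-1]
                findings.append(Finding("low", line,
                    f"Security Center monitoring disabled for {product}; "
                    "expected when that product registers itself, review otherwise"))
        elif (name == "enablefirewall" and data.split(" ")[0] == "0"
              and "firewallpolicy" in section):
            findings.append(Finding("medium", line,
                "Windows Firewall disabled for this profile"))
        elif "currentversion\\run" in section and data.endswith("[X]"):
            findings.append(Finding("low", line,
                "autorun entry whose target file was not found; stale or already removed"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

The `[X]` entries are the ComboFix marker for a Run value whose file is missing, so they are reported only as low-severity cleanup candidates, not as infections.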

Gammo,

Just ran ComboFix with your code, and I also took off Norton 360. I don't seem to be getting any IE redirects anymore, but Avira pops up once in a while saying it found a virus file or is fixing a problem. I included the Avira logs as well.

Here is the new log.

ComboFix 10-08-22.07 - Me 08/23/2010 11:12:02.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3063.2128 [GMT -4:00]

Running from: c:\documents and settings\Me\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Me\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::

"c:\windows\Dkuboza.dat"

"c:\windows\Fwehamicu.bin"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Me\Local Settings\Application Data\awpvjbqbr

c:\windows\Dkuboza.dat

c:\windows\Fwehamicu.bin

.

((((((((((((((((((((((((( Files Created from 2010-07-23 to 2010-08-23 )))))))))))))))))))))))))))))))

.

2010-08-20 00:52 . 2010-08-20 00:52 -------- d-----w- c:\program files\Common Files\Java

2010-08-20 00:52 . 2010-08-20 00:52 503808 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2ff84b7d-n\msvcp71.dll

2010-08-20 00:52 . 2010-08-20 00:52 12800 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-29fc8a76-n\decora-d3d.dll

2010-08-20 00:52 . 2010-08-20 00:52 61440 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-29fc8a76-n\decora-sse.dll

2010-08-20 00:52 . 2010-08-20 00:52 499712 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2ff84b7d-n\jmc.dll

2010-08-20 00:52 . 2010-08-20 00:52 348160 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2ff84b7d-n\msvcr71.dll

2010-08-20 00:52 . 2010-08-20 00:52 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-08-18 00:30 . 2010-08-18 00:30 -------- d-----w- c:\program files\ESET

2010-08-17 15:07 . 2010-08-17 15:07 -------- d-----w- c:\documents and settings\Me\Application Data\Avira

2010-08-17 14:59 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-08-17 14:59 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-08-17 14:59 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-08-17 14:59 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-08-17 14:59 . 2010-08-17 14:59 -------- d-----w- c:\program files\Avira

2010-08-17 14:59 . 2010-08-17 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-08-16 02:30 . 2010-08-16 02:30 -------- d-----w- c:\documents and settings\Me\Application Data\Malwarebytes

2010-08-16 02:30 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-16 02:30 . 2010-08-16 02:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-16 02:30 . 2010-08-16 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-08-16 02:30 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-15 20:52 . 2010-08-19 18:15 1324 ----a-w- c:\windows\system32\d3d9caps.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-23 15:01 . 2008-01-10 20:35 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-08-23 15:01 . 2008-01-10 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-08-23 14:59 . 2008-01-10 20:35 -------- d-----w- c:\program files\Norton 360

2010-08-23 14:59 . 2008-01-10 20:35 -------- d-----w- c:\program files\Symantec

2010-08-23 01:30 . 2004-08-03 23:00 41856 ----a-w- c:\windows\system32\drivers\imapi.sys

2010-08-20 00:52 . 2008-01-10 19:56 -------- d-----w- c:\program files\Java

2010-08-17 15:59 . 2009-01-19 21:38 -------- d-----w- c:\program files\NoteBurner

2010-07-28 03:16 . 2009-01-18 18:12 -------- d-----w- c:\program files\Microsoft Silverlight

2010-07-23 18:32 . 2010-07-23 18:32 -------- d-----w- c:\documents and settings\Me\Application Data\DBsign

2010-07-22 05:03 . 2010-07-22 05:03 -------- d-----w- c:\program files\Gradkell Systems, Inc

2010-07-22 04:51 . 2010-07-22 04:50 -------- d-----w- c:\program files\Common Files\ActivIdentity

2010-07-22 04:50 . 2010-07-22 04:50 -------- d-----w- c:\program files\ActivIdentity

2010-07-22 04:43 . 2010-07-22 04:43 -------- d-----w- c:\program files\Gemplus

2010-07-08 22:07 . 2010-07-08 22:07 -------- d-----w- c:\program files\SystemRequirementsLab

2010-06-06 02:32 . 2010-02-28 03:32 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-05-29 18:39 . 2010-05-29 17:34 21 ----a-w- c:\windows\popcinfot.dat

2010-05-29 17:34 . 2010-05-29 17:34 0 ----a-w- c:\windows\popcreg.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CFSServ.exe"="CFSServ.exe -NoClient" [X]

"ThpSrv"="c:\windows\system32\thpsrv" [X]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]

"NoteBurner"="c:\program files\NoteBurner\VTBurnerGUI.exe" [2008-12-02 5668864]

"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-11-27 298536]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008]

"DpUtil"="c:\program files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-06-29 155648]

"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 98304]

"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.exe" [2005-06-29 126976]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]

"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-26 136816]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]

"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]

"TPSMain"="TPSMain.exe" [2006-07-27 315392]

"TPSODDCtl"="TPSODDCtl.exe" [2007-02-02 110592]

"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]

"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]

"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-27 90112]

"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]

"TFncKy"="TFncKy.exe" [bU]

"NDSTray.exe"="NDSTray.exe" [bU]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]

"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144]

"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]

"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-06 30208]

"TFNF5"="TFNF5.exe" [2006-04-11 622592]

"RTHDCPL"="RTHDCPL.EXE" [2007-03-13 16125440]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2007-11-27 128552]

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-5-22 2756608]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-9-21 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]

2007-11-27 22:11 109568 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]

2007-11-27 22:11 286720 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2006-05-06 00:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]

2006-07-22 03:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Amazon Unbox.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk

backup=c:\windows\pss\Amazon Unbox.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]

2001-06-23 08:28 24576 ----a-w- c:\windows\system32\000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]

2006-07-05 16:14 258048 ----a-w- c:\windows\system32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTCheck]

2007-11-06 15:08 397312 ------w- c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-03 21:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]

2007-07-17 15:03 868352 ------w- c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]

2008-10-07 20:25 95744 ----a-w- c:\program files\eFax Messenger 4.4\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

2008-01-10 20:12 1862144 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

2003-12-22 13:38 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2006-01-14 00:20 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\masqform.exe]

2005-07-04 14:50 643072 ----a-w- c:\program files\PureEdge\Viewer 6.5\masqform.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-01-09 22:22 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/27/2010 11:32 PM 64288]

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys [1/19/2009 5:38 PM 13440]

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [4/27/2007 2:19 PM 21120]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 7:23 PM 6528]

R0 vburner;vburner;c:\windows\system32\drivers\vburner.sys [1/18/2009 11:49 PM 17408]

R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [1/10/2008 4:16 PM 5888]

R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [11/27/2007 6:11 PM 185896]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/17/2010 10:59 AM 135336]

R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/5/2006 9:00 PM 13568]

R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/5/2006 8:59 PM 33024]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/15/2010 10:30 PM 304464]

R2 OKI OPHD DCS Loader;OKI OPHD DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHDLDCS.EXE [10/1/2005 12:35 AM 24576]

R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/5/2006 8:33 PM 3456]

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 4:22 PM 105856]

R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [1/10/2008 4:16 PM 126976]

R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 4:15 PM 134016]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/10/2008 6:11 PM 36608]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/15/2010 10:30 PM 20952]

R3 notecable;NoteCable Driver (WDM);c:\windows\system32\drivers\notcable.sys [1/19/2009 5:47 PM 30464]

R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [8/24/2008 3:20 PM 435072]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]

S3 GTwinUSB;GTwinUSB;c:\windows\system32\drivers\GTwinUSB.sys [7/22/2010 12:43 AM 61840]

S3 WmaCAudio;WmaCAudio;c:\windows\system32\drivers\WmaCAudio.sys [1/18/2009 11:59 PM 23096]

S3 WmaCVideo;WmaCVideo;c:\windows\system32\drivers\WmaCVideo.sys [1/18/2009 11:59 PM 3768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-08-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 02:33]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-23 11:17

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)

c:\windows\system32\ackpbsc.dll

c:\windows\system32\aclog.dll

c:\windows\system32\accrypto.dll

c:\windows\system32\ACLIBEAY.dll

c:\windows\system32\acevtsub.dll

c:\windows\system32\asphat32.dll

c:\windows\system32\acerrmes.dll

c:\windows\system32\aspcom.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\infra.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\windows\system32\biologon.dll

c:\program files\Protector Suite QL\homepass.dll

c:\program files\Protector Suite QL\bio.dll

c:\program files\Protector Suite QL\remote.dll

c:\windows\system32\MSVCP71.dll

c:\program files\ActivIdentity\ActivClient\acunlock.dll

c:\windows\system32\aipingui.dll

c:\windows\system32\aicext.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll

c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll

c:\program files\Protector Suite QL\mysafe.dll

c:\program files\Protector Suite QL\crypto.dll

- - - - - - - > 'lsass.exe'(1008)

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\infra.dll

c:\program files\Protector Suite QL\homefus2.dll

.

Completion time: 2010-08-23 11:19:33

ComboFix-quarantined-files.txt 2010-08-23 15:19

ComboFix2.txt 2010-08-23 02:16

Pre-Run: 34,804,850,688 bytes free

Post-Run: 34,799,214,592 bytes free

- - End Of File - - DD7AF411DA783D9A52044F7C101D59CF

Avira Logs:

Avira AntiVir Personal

Report file date: Monday, August 23, 2010 00:05

Scanning for 2735687 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 2) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : LAPTOP

Version information:

BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00

AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 17:37:38

AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 17:57:04

LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 23:33:04

LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36

VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 00:27:49

VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 22:37:42

VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 21:37:42

VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 16:29:03

VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 15:02:40

VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 15:02:50

VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 15:03:32

VBASE008.VDF : 7.10.9.166 2048 Bytes 7/23/2010 15:03:32

VBASE009.VDF : 7.10.9.167 2048 Bytes 7/23/2010 15:03:32

VBASE010.VDF : 7.10.9.168 2048 Bytes 7/23/2010 15:03:32

VBASE011.VDF : 7.10.9.169 2048 Bytes 7/23/2010 15:03:33

VBASE012.VDF : 7.10.9.170 2048 Bytes 7/23/2010 15:03:33

VBASE013.VDF : 7.10.9.198 157696 Bytes 7/26/2010 15:03:35

VBASE014.VDF : 7.10.9.255 997888 Bytes 7/29/2010 15:03:40

VBASE015.VDF : 7.10.10.28 139264 Bytes 8/2/2010 15:03:41

VBASE016.VDF : 7.10.10.52 127488 Bytes 8/3/2010 15:03:41

VBASE017.VDF : 7.10.10.84 137728 Bytes 8/6/2010 15:03:44

VBASE018.VDF : 7.10.10.107 176640 Bytes 8/9/2010 15:03:46

VBASE019.VDF : 7.10.10.130 132608 Bytes 8/10/2010 15:03:48

VBASE020.VDF : 7.10.10.158 131072 Bytes 8/12/2010 15:03:50

VBASE021.VDF : 7.10.10.190 136704 Bytes 8/16/2010 15:03:52

VBASE022.VDF : 7.10.10.217 118272 Bytes 8/19/2010 18:08:02

VBASE023.VDF : 7.10.10.218 2048 Bytes 8/19/2010 18:08:02

VBASE024.VDF : 7.10.10.219 2048 Bytes 8/19/2010 18:08:03

VBASE025.VDF : 7.10.10.220 2048 Bytes 8/19/2010 18:08:03

VBASE026.VDF : 7.10.10.221 2048 Bytes 8/19/2010 18:08:03

VBASE027.VDF : 7.10.10.222 2048 Bytes 8/19/2010 18:08:03

VBASE028.VDF : 7.10.10.223 2048 Bytes 8/19/2010 18:08:03

VBASE029.VDF : 7.10.10.224 2048 Bytes 8/19/2010 18:08:03

VBASE030.VDF : 7.10.10.225 2048 Bytes 8/19/2010 18:08:05

VBASE031.VDF : 7.10.10.241 99840 Bytes 8/22/2010 01:20:28

Engineversion : 8.2.4.38

AEVDF.DLL : 8.1.2.1 106868 Bytes 8/17/2010 15:04:38

AESCRIPT.DLL : 8.1.3.42 1364347 Bytes 8/17/2010 15:04:38

AESCN.DLL : 8.1.6.1 127347 Bytes 8/17/2010 15:04:36

AESBX.DLL : 8.1.3.1 254324 Bytes 8/17/2010 15:04:39

AERDL.DLL : 8.1.8.2 614772 Bytes 8/17/2010 15:04:35

AEPACK.DLL : 8.2.3.5 471412 Bytes 8/17/2010 15:04:33

AEOFFICE.DLL : 8.1.1.8 201081 Bytes 8/17/2010 15:04:25

AEHEUR.DLL : 8.1.2.15 2859382 Bytes 8/19/2010 18:08:17

AEHELP.DLL : 8.1.13.2 242039 Bytes 8/17/2010 15:04:09

AEGEN.DLL : 8.1.3.19 393587 Bytes 8/17/2010 15:04:07

AEEMU.DLL : 8.1.2.0 393588 Bytes 8/17/2010 15:04:05

AECORE.DLL : 8.1.16.2 192887 Bytes 8/17/2010 15:04:04

AEBB.DLL : 8.1.1.0 53618 Bytes 8/17/2010 15:04:03

AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 17:03:38

AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 17:03:35

AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 21:47:40

AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 17:35:46

AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 17:39:51

AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 17:22:13

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 14:53:30

SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 17:57:58

AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 20:38:56

NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 19:41:00

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 18:10:20

RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 19:14:29

Configuration settings for the scan:

Jobname.............................: avguard_async_scan

Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_4caecf5e\guard_slideup.avp

Logging.............................: low

Primary action......................: repair

Secondary action....................: quarantine

Scan master boot sector.............: on

Scan boot sector....................: off

Process scan........................: on

Scan registry.......................: off

Search for rootkits.................: off

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: high

Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Monday, August 23, 2010 00:05

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'mbam.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'AAWTray.exe' - '1' Module(s) have been scanned

Scan process 'TosBtHsp.exe' - '1' Module(s) have been scanned

Scan process 'TosBtHid.exe' - '1' Module(s) have been scanned

Scan process 'KHALMNPR.EXE' - '1' Module(s) have been scanned

Scan process 'TosA2dp.exe' - '1' Module(s) have been scanned

Scan process 'SetPoint.exe' - '1' Module(s) have been scanned

Scan process 'TosBtMng.exe' - '1' Module(s) have been scanned

Scan process 'toscdspd.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'mbamgui.exe' - '1' Module(s) have been scanned

Scan process 'igfxext.exe' - '1' Module(s) have been scanned

Scan process 'psqltray.exe' - '1' Module(s) have been scanned

Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned

Scan process 'Apntex.exe' - '1' Module(s) have been scanned

Scan process 'Dot1XCfg.exe' - '1' Module(s) have been scanned

Scan process 'TFNF5.exe' - '1' Module(s) have been scanned

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'Ltmoh.exe' - '1' Module(s) have been scanned

Scan process 'TAudEff.exe' - '1' Module(s) have been scanned

Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned

Scan process 'ifrmewrk.exe' - '1' Module(s) have been scanned

Scan process 'Apoint.exe' - '1' Module(s) have been scanned

Scan process 'NDSTray.exe' - '1' Module(s) have been scanned

Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'unsecapp.exe' - '1' Module(s) have been scanned

Scan process 'ddwmon.exe' - '1' Module(s) have been scanned

Scan process 'TPSBattM.exe' - '1' Module(s) have been scanned

Scan process 'thpsrv.exe' - '1' Module(s) have been scanned

Scan process 'TMERzCtl.EXE' - '1' Module(s) have been scanned

Scan process 'TosHKCW.exe' - '1' Module(s) have been scanned

Scan process 'SmoothView.exe' - '1' Module(s) have been scanned

Scan process 'ccApp.exe' - '1' Module(s) have been scanned

Scan process 'acevents.exe' - '1' Module(s) have been scanned

Scan process 'LVCOMS.EXE' - '1' Module(s) have been scanned

Scan process 'TEDTray.exe' - '1' Module(s) have been scanned

Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned

Scan process 'hkcmd.exe' - '1' Module(s) have been scanned

Scan process 'igfxpers.exe' - '1' Module(s) have been scanned

Scan process 'accrdsub.exe' - '1' Module(s) have been scanned

Scan process 'ADVWindowsClientService.exe' - '1' Module(s) have been scanned

Scan process 'TosBtSrv.exe' - '1' Module(s) have been scanned

Scan process 'TMEEJME.EXE' - '1' Module(s) have been scanned

Scan process 'TODDSrv.exe' - '1' Module(s) have been scanned

Scan process 'Tmesrv31.exe' - '1' Module(s) have been scanned

Scan process 'ThpSrv.exe' - '1' Module(s) have been scanned

Scan process 'swupdtmr.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned

Scan process 'pinger.exe' - '1' Module(s) have been scanned

Scan process 'OPHDLDCS.EXE' - '1' Module(s) have been scanned

Scan process 'mdm.exe' - '1' Module(s) have been scanned

Scan process 'mbamservice.exe' - '1' Module(s) have been scanned

Scan process 'jqs.exe' - '1' Module(s) have been scanned

Scan process 'EvtEng.exe' - '1' Module(s) have been scanned

Scan process 'CTsvcCDA.exe' - '1' Module(s) have been scanned

Scan process 'CFSvcs.exe' - '1' Module(s) have been scanned

Scan process 'agrsmsvc.exe' - '1' Module(s) have been scanned

Scan process 'accoca.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'SCardSvr.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'AAWService.exe' - '1' Module(s) have been scanned

Scan process 'ccSvcHst.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'acevents.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'avshadow.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting the file scan:

Begin scan in 'C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP202\A0024310.dll'

C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP202\A0024310.dll

[DETECTION] This file has been compressed using unusual runtime compression (PCK/Armadillo). Please verify the origin of this file.

[NOTE] The file was moved to the quarantine directory under the name '4edb52d2.qua'.

End of the scan: Monday, August 23, 2010 00:05

Used time: 00:15 Minute(s)

The scan has been done completely.

0 Scanned directories

86 Files were scanned

1 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

1 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

85 Files not concerned

0 Archives were scanned

0 Warnings

1 Notes

The scan results will be transferred to the Guard.

Avira AntiVir Personal

Report file date: Monday, August 23, 2010 00:01

Scanning for 2735687 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 2) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : LAPTOP

Version information:

BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00

AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 17:37:38

AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 17:57:04

LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 23:33:04

LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36

VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 00:27:49

VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 22:37:42

VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 21:37:42

VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 16:29:03

VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 15:02:40

VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 15:02:50

VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 15:03:32

VBASE008.VDF : 7.10.9.166 2048 Bytes 7/23/2010 15:03:32

VBASE009.VDF : 7.10.9.167 2048 Bytes 7/23/2010 15:03:32

VBASE010.VDF : 7.10.9.168 2048 Bytes 7/23/2010 15:03:32

VBASE011.VDF : 7.10.9.169 2048 Bytes 7/23/2010 15:03:33

VBASE012.VDF : 7.10.9.170 2048 Bytes 7/23/2010 15:03:33

VBASE013.VDF : 7.10.9.198 157696 Bytes 7/26/2010 15:03:35

VBASE014.VDF : 7.10.9.255 997888 Bytes 7/29/2010 15:03:40

VBASE015.VDF : 7.10.10.28 139264 Bytes 8/2/2010 15:03:41

VBASE016.VDF : 7.10.10.52 127488 Bytes 8/3/2010 15:03:41

VBASE017.VDF : 7.10.10.84 137728 Bytes 8/6/2010 15:03:44

VBASE018.VDF : 7.10.10.107 176640 Bytes 8/9/2010 15:03:46

VBASE019.VDF : 7.10.10.130 132608 Bytes 8/10/2010 15:03:48

VBASE020.VDF : 7.10.10.158 131072 Bytes 8/12/2010 15:03:50

VBASE021.VDF : 7.10.10.190 136704 Bytes 8/16/2010 15:03:52

VBASE022.VDF : 7.10.10.217 118272 Bytes 8/19/2010 18:08:02

VBASE023.VDF : 7.10.10.218 2048 Bytes 8/19/2010 18:08:02

VBASE024.VDF : 7.10.10.219 2048 Bytes 8/19/2010 18:08:03

VBASE025.VDF : 7.10.10.220 2048 Bytes 8/19/2010 18:08:03

VBASE026.VDF : 7.10.10.221 2048 Bytes 8/19/2010 18:08:03

VBASE027.VDF : 7.10.10.222 2048 Bytes 8/19/2010 18:08:03

VBASE028.VDF : 7.10.10.223 2048 Bytes 8/19/2010 18:08:03

VBASE029.VDF : 7.10.10.224 2048 Bytes 8/19/2010 18:08:03

VBASE030.VDF : 7.10.10.225 2048 Bytes 8/19/2010 18:08:05

VBASE031.VDF : 7.10.10.241 99840 Bytes 8/22/2010 01:20:28

Engineversion : 8.2.4.38

AEVDF.DLL : 8.1.2.1 106868 Bytes 8/17/2010 15:04:38

AESCRIPT.DLL : 8.1.3.42 1364347 Bytes 8/17/2010 15:04:38

AESCN.DLL : 8.1.6.1 127347 Bytes 8/17/2010 15:04:36

AESBX.DLL : 8.1.3.1 254324 Bytes 8/17/2010 15:04:39

AERDL.DLL : 8.1.8.2 614772 Bytes 8/17/2010 15:04:35

AEPACK.DLL : 8.2.3.5 471412 Bytes 8/17/2010 15:04:33

AEOFFICE.DLL : 8.1.1.8 201081 Bytes 8/17/2010 15:04:25

AEHEUR.DLL : 8.1.2.15 2859382 Bytes 8/19/2010 18:08:17

AEHELP.DLL : 8.1.13.2 242039 Bytes 8/17/2010 15:04:09

AEGEN.DLL : 8.1.3.19 393587 Bytes 8/17/2010 15:04:07

AEEMU.DLL : 8.1.2.0 393588 Bytes 8/17/2010 15:04:05

AECORE.DLL : 8.1.16.2 192887 Bytes 8/17/2010 15:04:04

AEBB.DLL : 8.1.1.0 53618 Bytes 8/17/2010 15:04:03

AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 17:03:38

AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 17:03:35

AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 21:47:40

AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 17:35:46

AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 17:39:51

AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 17:22:13

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 14:53:30

SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 17:57:58

AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 20:38:56

NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 19:41:00

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 18:10:20

RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 19:14:29

Configuration settings for the scan:

Jobname.............................: avguard_async_scan

Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_4caecf5e\guard_slideup.avp

Logging.............................: low

Primary action......................: repair

Secondary action....................: quarantine

Scan master boot sector.............: on

Scan boot sector....................: off

Process scan........................: on

Scan registry.......................: off

Search for rootkits.................: off

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: high

Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Monday, August 23, 2010 00:01

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'mbam.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'AAWTray.exe' - '1' Module(s) have been scanned

Scan process 'TosBtHsp.exe' - '1' Module(s) have been scanned

Scan process 'TosBtHid.exe' - '1' Module(s) have been scanned

Scan process 'KHALMNPR.EXE' - '1' Module(s) have been scanned

Scan process 'TosA2dp.exe' - '1' Module(s) have been scanned

Scan process 'SetPoint.exe' - '1' Module(s) have been scanned

Scan process 'TosBtMng.exe' - '1' Module(s) have been scanned

Scan process 'toscdspd.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'mbamgui.exe' - '1' Module(s) have been scanned

Scan process 'igfxext.exe' - '1' Module(s) have been scanned

Scan process 'psqltray.exe' - '1' Module(s) have been scanned

Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned

Scan process 'Apntex.exe' - '1' Module(s) have been scanned

Scan process 'Dot1XCfg.exe' - '1' Module(s) have been scanned

Scan process 'TFNF5.exe' - '1' Module(s) have been scanned

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'Ltmoh.exe' - '1' Module(s) have been scanned

Scan process 'TAudEff.exe' - '1' Module(s) have been scanned

Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned

Scan process 'ifrmewrk.exe' - '1' Module(s) have been scanned

Scan process 'Apoint.exe' - '1' Module(s) have been scanned

Scan process 'NDSTray.exe' - '1' Module(s) have been scanned

Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'unsecapp.exe' - '1' Module(s) have been scanned

Scan process 'ddwmon.exe' - '1' Module(s) have been scanned

Scan process 'TPSBattM.exe' - '1' Module(s) have been scanned

Scan process 'thpsrv.exe' - '1' Module(s) have been scanned

Scan process 'TMERzCtl.EXE' - '1' Module(s) have been scanned

Scan process 'TosHKCW.exe' - '1' Module(s) have been scanned

Scan process 'SmoothView.exe' - '1' Module(s) have been scanned

Scan process 'ccApp.exe' - '1' Module(s) have been scanned

Scan process 'acevents.exe' - '1' Module(s) have been scanned

Scan process 'LVCOMS.EXE' - '1' Module(s) have been scanned

Scan process 'TEDTray.exe' - '1' Module(s) have been scanned

Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned

Scan process 'hkcmd.exe' - '1' Module(s) have been scanned

Scan process 'igfxpers.exe' - '1' Module(s) have been scanned

Scan process 'accrdsub.exe' - '1' Module(s) have been scanned

Scan process 'ADVWindowsClientService.exe' - '1' Module(s) have been scanned

Scan process 'TosBtSrv.exe' - '1' Module(s) have been scanned

Scan process 'TMEEJME.EXE' - '1' Module(s) have been scanned

Scan process 'TODDSrv.exe' - '1' Module(s) have been scanned

Scan process 'Tmesrv31.exe' - '1' Module(s) have been scanned

Scan process 'ThpSrv.exe' - '1' Module(s) have been scanned

Scan process 'swupdtmr.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned

Scan process 'pinger.exe' - '1' Module(s) have been scanned

Scan process 'OPHDLDCS.EXE' - '1' Module(s) have been scanned

Scan process 'mdm.exe' - '1' Module(s) have been scanned

Scan process 'mbamservice.exe' - '1' Module(s) have been scanned

Scan process 'jqs.exe' - '1' Module(s) have been scanned

Scan process 'EvtEng.exe' - '1' Module(s) have been scanned

Scan process 'CTsvcCDA.exe' - '1' Module(s) have been scanned

Scan process 'CFSvcs.exe' - '1' Module(s) have been scanned

Scan process 'agrsmsvc.exe' - '1' Module(s) have been scanned

Scan process 'accoca.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'SCardSvr.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'AAWService.exe' - '1' Module(s) have been scanned

Scan process 'ccSvcHst.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'acevents.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'avshadow.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting the file scan:

Begin scan in 'C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP201\A0024295.exe'

C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP201\A0024295.exe

[DETECTION] Is the TR/Fake.SecSuite.X Trojan

[NOTE] The file was moved to the quarantine directory under the name '4edb53b6.qua'.

End of the scan: Monday, August 23, 2010 00:01

Used time: 00:16 Minute(s)

The scan has been done completely.

0 Scanned directories

86 Files were scanned

1 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

1 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

85 Files not concerned

0 Archives were scanned

0 Warnings

1 Notes

The scan results will be transferred to the Guard.


Hi,

The infections that Avira found are located in a system restore point. They're harmless as long as you don't use system restore. We'll deal with them later.

Download TFC to your desktop

  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once the program has loaded, click the "Update" tab and click the "Check For updates" button.
  • Once the updates have been downloaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    11. Push the esetBack.png button.
    12. Push esetFinish.png

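As an added example (not part of this thread, and not code from Malwarebytes, Avira or ComboFix), here is a small Python triage script that reads detection lines in the two formats pasted above and classifies each hit by whether its path lies inside a System Restore snapshot (`System Volume Information\_restore{...}\RPnnn`), which is exactly the distinction Gammo draws: hits inside a restore point are inert until System Restore is used, while hits on a live path need attention. The sample log is constructed from the detection lines in this thread plus one made-up live-path hit (the Temp path and its detection name are placeholders) so the two classes can be contrasted; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the detection lines from the MBAM and Avira logs pasted in
# this thread, plus one made-up hit on a live path (the Temp one) so the classification
# has something to contrast. The Temp path and its detection name are placeholders.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP201\A0024293.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP201\A0024294.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
Begin scan in 'C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP202\A0024310.dll'
C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP202\A0024310.dll
[DETECTION] This file has been compressed using unusual runtime compression (PCK/Armadillo). Please verify the origin of this file.
[NOTE] The file was moved to the quarantine directory under the name '4edb52d2.qua'.
C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP201\A0024295.exe
[DETECTION] Is the TR/Fake.SecSuite.X Trojan
C:\Documents and Settings\Me\Local Settings\Temp\constructed_sample.exe
[DETECTION] Is the TR/Constructed.Example Trojan
"""

# A path inside a System Restore snapshot looks like
#   <drive>:\System Volume Information\_restore{<guid>}\RP<n>\A00xxxxx.<ext>
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.IGNORECASE
)
# MBAM format: "<path> (<detection name>) -> <action taken>"
MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
# Avira format: a bare path line followed by a "[DETECTION] ..." line
PATH_RE = re.compile(r"^[A-Za-z]:\\")
AVIRA_DET_RE = re.compile(r"^\[DETECTION\] (?P<text>.+)$")


@dataclass
class Detection:
    path: str
    name: str
    restore_point: Optional[str]  # e.g. "RP201" when the file sits in a restore snapshot

    @property
    def in_restore_point(self) -> bool:
        return self.restore_point is not None


def classify_path(path: str) -> Optional[str]:
    """Return the restore-point id (e.g. 'RP201') if the path is inside one, else None."""
    m = RESTORE_RE.search(path)
    return m.group(1) if m else None


def parse_detections(text: str) -> List[Detection]:
    """Extract detections from pasted MBAM and Avira report text (both formats)."""
    found: List[Detection] = []
    pending_path: Optional[str] = None  # Avira path line waiting for its [DETECTION] line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MBAM_RE.match(line)
        if m:
            found.append(Detection(m["path"], m["name"].strip(), classify_path(m["path"])))
            pending_path = None
            continue
        m = AVIRA_DET_RE.match(line)
        if m and pending_path:
            found.append(Detection(pending_path, m["text"], classify_path(pending_path)))
            pending_path = None
            continue
        if PATH_RE.match(line):  # "Begin scan in '...'" lines do not start with a drive letter
            pending_path = line
    return found


def summarize(dets: List[Detection]) -> dict:
    """Split hits into restore-point hits (inert unless System Restore is used) and live hits."""
    return {
        "total": len(dets),
        "restore_point": sum(d.in_restore_point for d in dets),
        "restore_points": sorted({d.restore_point for d in dets if d.in_restore_point}),
        "live": [d.path for d in dets if not d.in_restore_point],
    }


if __name__ == "__main__":
    summary = summarize(parse_detections(SAMPLE_LOG))
    print(f"{summary['restore_point']} of {summary['total']} hits are inside restore points "
          f"{summary['restore_points']}; these are inert unless System Restore is used.")
    for path in summary["live"]:
        print(f"LIVE PATH, needs attention: {path}")
```

Run it as-is to see the split on the constructed sample; to triage a real thread, paste the MBAM "Files Infected" section and the Avira file-scan section into `SAMPLE_LOG` (or read them from a file) and look only at the `live` list, since the restore-point hits are what the helper says can be dealt with later by clearing old restore points.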

Hi Gammo,

Sorry for the delay in responding. For some reason I was unable to run the TFC program. I tried half a dozen times and it never got past the first step.

Here is the MBAM log. I'm working on the ESET scan right now and I will post it as soon as it is finished. Do you have another program that will do what the TFC program does? Or another version that I might have better luck with?

Thanks

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4468

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

8/23/2010 9:21:17 PM

mbam-log-2010-08-23 (21-21-17).txt

Scan type: Quick scan

Objects scanned: 145548

Time elapsed: 5 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Hi,

TFC = Temp File Cleaner. It removes unneeded temporary files from your system, makes the automated scans that follow run faster, and saves you time. Many infections also load from a temporary file location. Running TFC wasn't essential, so don't worry.

Your logs appear to be clean now. There is only a bit of cleanup that we will deal with in this post, as well as prevention from future infections. :)

Remove Combofix now that we're done with it.

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download JavaRa to your desktop and unzip it to its own folder

  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keep a backup of your important files

Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Make proper use of your anti-virus and firewall

You should keep your anti-virus and firewall guard enabled at all times, don't shut them off unless there's a specific reason to do so.

Also, regularly performing a full system scan with your anti-virus program is a good idea to make sure nothing has slipped through your protection. Once every two weeks works well for many people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Keep in mind that anti-virus programs are far from perfect. They don't protect you against every piece of malware that's out there, so don't trust them blindly. If an anti-virus reports a file as 'clean', that doesn't necessarily mean it is.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keep all your software updated

It is important to keep up on system updates from Microsoft by regularly checking their website at: http://windowsupdate.microsoft.com/, as these patch critical security vulnerabilities and help to keep you safe.

It's also important to keep programs up to date so that malware doesn't exploit any old security flaws. FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Java and Adobe Reader are two of the main security vulnerabilities. You can find the latest version of Java here, you will want the Java SE Runtime Environment (JRE) one. You can find the latest version of Adobe Reader here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a couple of good free alternatives: Firefox and Opera. Both are excellent, faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here which will help you to make IE much safer.

If you decide to use the Firefox browser, the McAfee SiteAdvisor add-on will nicely help to enhance your security. This add-on tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Some other security programs

It is wise these days to have a few security programs installed and running on your machine apart from just an anti-virus and a firewall. I will list some of them.

  • A good anti-spyware program installed on your pc is very important to help remove any spyware that may have gotten on your computer. I highly recommend Malwarebytes' Anti-Malware.
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites in the future.
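The HOSTS-file blocking mechanism described above, as an added example that is not part of the forum post: a small Python audit that parses HOSTS-file content, separates blocklist entries (domains mapped to 0.0.0.0 or 127.0.0.1, as the MVPS file does) from entries that redirect a domain to some other address, and flags redirects of sensitive domains. The sample HOSTS content and the sensitive-domain list are constructed placeholders.

```python
"""Added example (not from the forum post): audit a Windows HOSTS file.
A blocklist file such as the MVPS one maps unwanted domains to a dead-end
address (0.0.0.0 or 127.0.0.1); malware can abuse the same file to
redirect legitimate sites, so this separates the two kinds of entry."""
import ipaddress

# Addresses that only block: connections to them go nowhere useful.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
# Placeholder list of domains where a redirect would be alarming; tune to
# the vendor domains of the security tools you actually use.
SENSITIVE_SUFFIXES = ("windowsupdate.com", "malwarebytes.org")

def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline/full comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address; ignore the line
        for host in parts[1:]:
            yield parts[0], host.lower()

def audit_hosts(text):
    """Classify entries as sinkholed (blocked) or redirected, and flag
    redirects that hit a sensitive domain."""
    result = {"sinkholed": [], "redirected": [], "suspicious": []}
    for ip, host in parse_hosts(text):
        if ip in SINKHOLE_ADDRESSES:
            if host != "localhost":  # the stock localhost line is normal
                result["sinkholed"].append(host)
        else:
            result["redirected"].append((host, ip))
            if host.endswith(SENSITIVE_SUFFIXES):
                result["suspicious"].append((host, ip))
    return result

# Constructed sample: stock localhost line, two blocklist entries, and a
# redirect of an update domain to 198.51.100.7 (a documentation address).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 ads.example.net  tracker.example.org  # blocked ad/tracker hosts
198.51.100.7 www.windowsupdate.com  # not a sinkhole address: suspicious
"""

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
```

On a real Windows XP system the file to read is %SystemRoot%\system32\drivers\etc\hosts; any entry in the "suspicious" list deserves a closer look before the MVPS file replaces it.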

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Be careful

Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to exercise common sense. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully to make sure that you know what you're getting.

Using peer-to-peer programs (eg: LimeWire, BitTorrent, uTorrent, Kazaa) or downloading cracks and keygens is something else to avoid. These are the most common way to get infected. Malware writers use these programs to spread infections as it is the easiest way for them. The majority of infections we see in the Malware Removal forum are due to people using p2p programs to download cracks/keygens/warez. These are not only illegal, but will always contain some form of malware. You have no way of verifying that the things you download are legitimate or that they don't contain malware. Even with an up to date anti-virus and firewall, some of these things will still infect you. It is highly recommended that you uninstall all peer-to-peer programs. It just isn't worth it.

Other common ways of getting infected are disreputable sites forcing you to download and install a codec, or viruses using Instant Messaging programs (Windows Live Messenger, MSN Messenger, AIM) to send a file claiming to be "photos" from a friend, only for it to turn out to be a virus.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Slow computer?

If your computer begins to slow down in the future for no particular reason, your first step should not be to come to the malware forum. As your computer ages and is used, its parts wear, files and programs accumulate, and its performance can decrease. To restore your computer's performance to its best possible level, follow the steps in this page written by malware expert Miekiemoes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

Cheers,

Gammo B)

