
Browser HiJack = gtracktool.com


  • This topic is locked
10 replies to this topic

#1 plethora330

plethora330

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:31 PM

Posted 03 April 2009 - 04:08 PM

Please help!!!!

I have acquired some sort of a browser hijack that is only affecting my search engine. When I search a link in either Firefox or IE, then click on the link (say searching for bleepingcomputer.com), it tries to load:


gtracktool.com

then on some websites

findo.com


This either results in sending me to the wrong webpage or "connection timed out".


THANK YOU!!!! :thumbup2:

Here is my Hijackthis log:

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Autorun Eater\oldmcdonald.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Autorun Eater\billy.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{0642EFCB-8E53-40C6-82BB-3788A1190ACD}: NameServer = 85.255.112.165,85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CD858D1-829A-41BE-8BE7-4A36EE94CC1F}: NameServer = 85.255.112.165,85.255.112.216
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.165,85.255.112.216
O17 - HKLM\System\CS1\Services\Tcpip\..\{0642EFCB-8E53-40C6-82BB-3788A1190ACD}: NameServer = 85.255.112.165,85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.165,85.255.112.216
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

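The symptom described in this post (clicks on search results redirected to another host, some sites timing out) fits the one group of non-default entries in the HijackThis log above: every O17 line points every adapter and both control sets at the same two public addresses instead of the router's or the ISP's resolver. The Python below is an added example, not part of this thread or of HijackThis itself. It parses lines in the HijackThis format, compares each O17 NameServer address against an allowlist of resolvers the owner expects, and also lists O2 BHO entries whose DLL is gone ("(no file)"), a weaker leftover indicator. The allowlist is hypothetical (private ranges plus a constructed documentation range); the sample lines are copied from the log posted above.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: a few lines copied from the HijackThis log in this post.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0642EFCB-8E53-40C6-82BB-3788A1190ACD}: NameServer = 85.255.112.165,85.255.112.216
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.165,85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.165,85.255.112.216
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
"""

# Hypothetical allowlist for this machine: the RFC 1918 ranges a home router
# lives in, plus a constructed ISP resolver range (203.0.113.0/24 is
# documentation address space, not a real provider).
EXPECTED_RESOLVERS = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("203.0.113.0/24"),
)

# O17 lines: "O17 - <registry key>: NameServer = a.b.c.d[,e.f.g.h]"
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>[0-9.,]+)$")
# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")


def parse_nameservers(log_text):
    """Return [(registry key, [resolver, ...]), ...] for every O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            entries.append((m.group("key"), m.group("servers").split(",")))
    return entries


def unexpected_resolvers(log_text, allowed=EXPECTED_RESOLVERS):
    """Resolver addresses from O17 lines that fall outside every allowed network."""
    flagged = set()
    for _key, servers in parse_nameservers(log_text):
        for server in servers:
            addr = ip_address(server)
            if not any(addr in net for net in allowed):
                flagged.add(server)
    return flagged


def orphan_bhos(log_text):
    """CLSIDs of O2 BHO entries whose DLL no longer exists on disk."""
    clsids = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m and m.group("path") == "(no file)":
            clsids.append(m.group("clsid"))
    return clsids


def triage(log_text):
    """Summarise the DNS and BHO indicators a helper would look at first."""
    return {
        "rogue_dns": sorted(unexpected_resolvers(log_text)),
        "o17_entries": len(parse_nameservers(log_text)),
        "orphan_bhos": orphan_bhos(log_text),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_HJT_LOG).items():
        print(f"{name}: {value}")
```

Run against the sample, the two 85.255.112.x addresses come back as unexpected from all three O17 keys, and the single nameless BHO is listed as orphaned. The allowlist is the part that has to be adapted per machine: a resolver that is merely unfamiliar is a lead to confirm with the ISP or router configuration, not a verdict on its own.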
#2 plethora330

plethora330
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:31 PM

Posted 08 April 2009 - 12:39 PM

I also want to add that after reading some other posts, I TRIED downloading and running spydoctor, and Malwarebytes Anti-Malware. The install is fine, but when I try to run both programs, they freeze up, and don't open.


It's getting worse, HELP!!! :thumbup2:

#3 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:04:31 AM

Posted 08 April 2009 - 12:52 PM

Hello, plethora330

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.



Let's try a more aggressive tool.

ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#4 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:04:31 AM

Posted 12 April 2009 - 05:31 AM

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please send me a message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#5 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:04:31 AM

Posted 13 April 2009 - 11:02 AM

Reopened at user request.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#6 plethora330

plethora330
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:31 PM

Posted 13 April 2009 - 12:17 PM

Here is my combofix log file:

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\windows\system32\drivers\gaopdxlpxvqbvvtxatgqifsqnrdvykcxsebjey.sys
c:\windows\system32\gaopdxxedcigtqidreercswqpobstpitwdtcnc.dll
d:\recycler\S-8-4-61-100021364-100004264-100003590-3449.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-08 17:07 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-08 17:07 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-08 17:07 . 2009-04-08 17:07 -------- d-----w c:\users\All Users\Malwarebytes
2009-04-08 17:07 . 2009-04-08 17:07 -------- d-----w c:\programdata\Malwarebytes
2009-04-06 21:53 . 2009-04-06 21:53 2560 ----a-w c:\windows\system32\drivers\mchInjDrv.sys
2009-04-04 17:18 . 2009-04-10 16:51 -------- d---a-w c:\users\All Users\TEMP
2009-04-04 17:18 . 2009-04-10 16:51 -------- d---a-w c:\programdata\TEMP
2009-04-04 17:18 . 2004-08-04 12:00 506368 ----a-w c:\windows\system32\msxml.dll
2009-03-14 17:30 . 2009-03-14 17:30 -------- d-----w c:\users\Pete\AppData\Local\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 15:15 . 2009-04-13 15:15 2048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
2009-04-13 15:15 . 2009-04-13 15:15 2048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2009-04-13 15:06 . 2008-12-06 06:49 49152 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2009-04-13 15:06 . 2008-12-06 06:49 32768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2009-04-13 15:06 . 2008-12-06 06:49 16384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2009-04-10 23:07 . 2009-02-21 22:03 -------- d-----w c:\users\Pete\AppData\Roaming\Digidesign
2009-04-10 15:44 . 2008-12-06 16:41 -------- d-----w c:\program files\Norton 360
2009-04-08 17:08 . 2009-04-08 17:07 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-03 20:32 . 2009-04-03 20:32 -------- d-----w c:\program files\Trend Micro
2009-04-03 20:23 . 2009-04-03 20:22 -------- d-----w c:\program files\Autorun Eater
2009-03-22 01:32 . 2008-12-22 23:17 680 ----a-w c:\users\Pete\AppData\Local\d3d9caps.dat
2009-03-11 07:07 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-03-03 19:34 . 2009-03-03 19:34 -------- d-----w c:\program files\MSECache
2009-03-03 19:32 . 2008-12-10 19:18 -------- d-----w c:\program files\Common Files\AVSMedia
2009-03-03 05:47 . 2009-03-03 05:47 -------- d-----w c:\users\Pete\AppData\Roaming\ImTOO Software Studio
2009-03-01 23:59 . 2008-12-12 20:13 182 ----a-w c:\users\Pete\AppData\Roaming\wklnhst.dat
2009-03-01 23:58 . 2008-12-06 06:53 90176 ----a-w c:\users\Pete\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-01 19:51 . 2008-12-06 08:23 -------- d-----w c:\programdata\Microsoft Help
2009-03-01 18:35 . 2009-03-01 18:35 -------- d-----w c:\program files\Microsoft ActiveSync
2009-02-27 23:11 . 2009-02-27 23:11 -------- d-----w c:\users\Pete\AppData\Roaming\Template
2009-02-27 03:57 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstor.dat
2009-02-27 03:57 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat
2009-02-27 03:57 . 2006-11-02 10:25 143360 ----a-w c:\windows\Inf\infstrng.dat
2009-02-27 03:57 . 2008-12-06 16:35 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-22 18:10 . 2009-02-22 18:10 -------- d-----w c:\users\Pete\AppData\Roaming\Trillium Lane
2009-02-22 18:09 . 2009-02-22 18:09 -------- d-----w c:\users\Pete\AppData\Roaming\M-Audio
2009-02-22 18:04 . 2009-02-21 22:02 -------- d-----w c:\users\Pete\AppData\Roaming\PACE Anti-Piracy
2009-02-22 18:04 . 2009-02-21 22:02 -------- d-----w c:\programdata\PACE Anti-Piracy
2009-02-22 17:51 . 2009-02-22 17:51 -------- d-----w c:\users\Pete\AppData\Roaming\Structure
2009-02-22 17:51 . 2009-02-21 21:13 -------- d-----w c:\program files\Common Files\Digidesign
2009-02-22 17:44 . 2009-02-22 17:35 -------- d-----w c:\program files\Digidesign
2009-02-22 17:43 . 2007-08-22 19:39 -------- d--h--w c:\program files\InstallShield Installation Information
2009-02-22 04:56 . 2009-02-22 04:56 -------- d-----w c:\program files\M-Audio
2009-02-22 00:18 . 2009-02-22 00:18 -------- d-----w c:\users\Pete\AppData\Roaming\TOSHIBA
2009-02-21 22:02 . 2009-02-21 22:02 -------- d-----w c:\program files\Common Files\PACE Anti-Piracy
2009-02-21 21:52 . 2009-02-21 21:52 -------- d-----w c:\program files\Ableton
2009-02-21 21:12 . 2009-02-21 21:12 -------- d-----w c:\users\Pete\AppData\Roaming\InstallShield
2009-02-19 16:31 . 2009-02-19 16:31 9844 ----a-w c:\windows\system32\drivers\SymRedir.cat
2009-02-19 16:31 . 2009-02-19 16:31 24112 ----a-w c:\windows\system32\drivers\SymIMV.sys
2009-02-19 16:31 . 2009-02-19 16:31 1611 ----a-w c:\windows\system32\drivers\SymRedir.inf
2009-02-19 16:31 . 2009-02-19 16:31 41008 ----a-w c:\windows\system32\drivers\symndisv.sys
2009-02-19 16:31 . 2009-02-19 16:31 96560 ----a-w c:\windows\system32\drivers\symfw.sys
2009-02-19 16:31 . 2009-02-19 16:31 38576 ----a-w c:\windows\system32\drivers\symids.sys
2009-02-19 16:31 . 2009-02-19 16:31 22320 ----a-w c:\windows\system32\drivers\symredrv.sys
2009-02-19 16:31 . 2009-02-19 16:31 184496 ----a-w c:\windows\system32\drivers\symtdi.sys
2009-02-19 16:31 . 2009-02-19 16:31 13616 ----a-w c:\windows\system32\drivers\symdns.sys
2009-02-15 15:34 . 2008-12-19 23:36 -------- d-----w c:\program files\Guitar Pro 5
2009-02-15 04:06 . 2009-02-15 04:05 -------- d-----w c:\program files\jZip
2009-02-15 04:04 . 2008-12-13 04:25 -------- d-----w c:\programdata\WinZip
2009-02-09 03:10 . 2009-03-10 23:55 2033152 ----a-w c:\windows\System32\win32k.sys
2009-01-15 06:11 . 2009-02-11 00:17 827392 ----a-w c:\windows\System32\wininet.dll
2008-12-20 18:05 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2009-04-01 02:2009-04-03 18:47 47:26 . c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-05-18 430080]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"Pando"="c:\program files\Pando Networks\Pando\Pando.exe" [2009-01-13 3699016]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"RegistryMechanic"="c:\program files\Registry Mechanic\RMTray.exe" [2008-07-03 812952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-05-22 413696]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2008-12-04 77824]
"Autorun Eater"="c:\program files\Autorun Eater\oldmcdonald.exe" [2008-11-27 501768]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 c:\windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"Skytel"="Skytel.exe" [2007-08-03 c:\windows\SkyTel.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"wave2"= Digi32.dll
"MIDI2"= diomidi.dll
"midi1"= mbx2midu.dll
"midi3"= mbx2midu.dll
"midi4"= mbx2midu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{69D7D2CC-B14B-4A37-A155-BF617BD3B368}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{D9C4B492-0F91-47C3-A78A-5EE4A6D62895}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{1923AEDA-0439-4C48-990C-4D395E8F7149}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{E3AAEBAA-5897-4340-BA3B-4F72D7AC43B8}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{AB830DD5-12E6-4AB8-9AB8-E3AD73FF1322}"= UDP:c:\program files\Pando Networks\Pando\pando.exe:Pando Application
"{85758FA4-997B-4384-8CFC-99535BC3193A}"= TCP:c:\program files\Pando Networks\Pando\pando.exe:Pando Application
"{CF424753-9750-4D26-937A-98471D22B956}"= UDP:56801:Pando P2P TCP Listening Port
"{D30C5792-1FB0-42D9-85E2-DDEE3FA82472}"= TCP:56801:Pando P2P UDP Listening Port

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R3 dalwdmservice;dal service;c:\windows\system32\drivers\dalwdm.sys [2008-12-04 97808]
R3 MBX2DFU;MBX2DFU;c:\windows\system32\DRIVERS\MBX2DFU.sys [2008-12-04 21648]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [2008-12-04 21904]
R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\DRIVERS\winbondcir.sys [2007-03-28 43008]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090406.001\IDSvix86.sys [2009-02-09 272432]
S2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\DRIVERS\diginet.sys [2008-12-04 16400]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-26 101936]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9aee15e4-c650-11dd-bcb1-00a0d189c996}]
\shell\AutoRun\command - F:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Pete\AppData\Roaming\Mozilla\Firefox\Profiles\gvypuvtu.default\
FF - prefs.js: browser.startup.homepage - www.firefox.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 11:22
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????w?<? h??? [???[?@?[?X?[?p?

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2009-04-13 11:25
ComboFix-quarantined-files.txt 2009-04-13 15:24

Pre-Run: 125,170,733,056 bytes free
Post-Run: 128,912,801,792 bytes free

191 --- E O F --- 2009-03-30 20:12


Thanks!!!

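Beyond the deletions ComboFix reports, the "Reg Loading Points" dump in this log carries three kinds of entries a helper reads for state rather than for infection: Security Center monitoring switched off under several keys, the Windows Firewall disabled in all three profiles, and a mountpoints2 AutoRun command for a removable drive. The Python below is an added example, not from this thread or from ComboFix; it parses the REGEDIT4-style sections ComboFix prints and lists those conditions as triage findings. The sample text is copied from the log above. The caveat is visible in the same log: a third-party suite such as the Norton 360 shown in the AV/FW header legitimately sets the monitoring and firewall values, so these are leads to reconcile with the installed security software, not verdicts.

```python
import re

# Constructed sample: sections copied from the ComboFix "Reg Loading Points"
# dump in this post.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9aee15e4-c650-11dd-bcb1-00a0d189c996}]
\shell\AutoRun\command - F:\LaunchU3.exe -a
"""

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
# "Name"=value  (REGEDIT4 style, as ComboFix prints it)
NAMED_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
# \sub\key\path - value  (ComboFix's form for mountpoints2 entries)
SUBKEY_VALUE_RE = re.compile(r"^(?P<name>\\\S+)\s+-\s+(?P<value>.+)$")


def parse_value(raw):
    """Turn ComboFix's value renderings into Python values.

    "dword:00000001" -> 1, "0 (0x0)" -> 0, anything else -> the string.
    """
    raw = raw.strip()
    m = re.match(r"^dword:([0-9A-Fa-f]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9A-Fa-f]+\)$", raw)
    if m:
        return int(m.group(1))
    return raw.strip('"')


def parse_reg_dump(text):
    """Map each lower-cased section key to a dict of its values."""
    sections = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        m = NAMED_VALUE_RE.match(line) or SUBKEY_VALUE_RE.match(line)
        if m:
            sections[current][m.group("name")] = parse_value(m.group("value"))
    return sections


def triage_reg_dump(text):
    """List the defensive-posture and autorun conditions present in the dump."""
    findings = []
    for key, values in parse_reg_dump(text).items():
        leaf = key.rsplit("\\", 1)[-1]
        if "security center\\monitoring" in key and values.get("DisableMonitoring") == 1:
            findings.append(f"security-center monitoring disabled: {key}")
        if "firewallpolicy" in key and values.get("EnableFirewall") == 0:
            findings.append(f"windows firewall off: {leaf}")
        if "mountpoints2" in key:
            for name, value in values.items():
                if "autorun" in name.lower():
                    findings.append(f"removable-drive autorun command for {leaf}: {value}")
    return findings


if __name__ == "__main__":
    for finding in triage_reg_dump(SAMPLE_COMBOFIX):
        print(finding)
```

On the sample this yields five findings: two monitoring keys, two firewall profiles, and the F:\ autorun command. The policies\system section is parsed but produces nothing, which is the point of keeping the parser and the rules separate: new rules can be added against the parsed dictionary without touching the format handling.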
#7 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:04:31 AM

Posted 13 April 2009 - 01:07 PM

Hello, how is your pc now?

ESET Online Scan

Please go to the ESET website to perform an online scan. Please use Internet Explorer as it uses ActiveX.
  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Uncheck (untick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#8 plethora330

plethora330
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:31 PM

Posted 13 April 2009 - 04:43 PM

Incredible!!! It runs so much faster now, everything works great. I wanted to add that Combofix located and deleted 3 major files which seemed to be the virus:


c:\windows\system32\drivers\gaopdxlpxvqbvvtxatgqifsqnrdvykcxsebjey.sys
c:\windows\system32\gaopdxxedcigtqidreercswqpobstpitwdtcnc.dll
d:\recycler\S-8-4-61-100021364-100004264-100003590-3449.com


I was running Norton 360, but after reading several reviews on this site and others, I changed my security software to Avast and am using the Windows Firewall. (seems to work perfectly!)

I will scan my computer with Eset online, and post it in the next reply, but it seems to be fixed now.

Edited by plethora330, 13 April 2009 - 05:05 PM.


#9 plethora330

plethora330
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:31 PM

Posted 13 April 2009 - 08:14 PM

It seems Eset has found something. I noticed that the corrupted file is located in the quarantine section of combofix. Here is my log:


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4004 (20090413)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=5668fdf8c182744e817314611d09eddb
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-04-13 10:52:17
# local_time=2009-04-13 06:52:17 (-0500, Eastern Daylight Time)
# country="United States"
# osver=6.0.6001 NT Service Pack 1
# scanned=269275
# found=1
# scan_time=2793
C:\Qoobox\Quarantine\D\RECYCLER\S-8-4-61-100021364-100004264-100003590-3449.com.vir Win32/AutoRun.Agent.MH worm 66D0859FD0B5549F6DC9E93DA35E553C

Edited by plethora330, 13 April 2009 - 08:18 PM.
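The ESET Online Scanner log above has a simple shape: `# key=value` header lines followed by one line per detection holding the file path, the signature name, ESET's classification word and the file's MD5. The Python below is an added example written for this page, not ESET's or BleepingComputer's code. It parses that layout and flags hits whose path sits inside ComboFix's Qoobox quarantine folder, which is exactly the situation here: a quarantined copy of the worm is not an active infection. The sample log is constructed from the values in this post (truncated to the header keys the code uses); the handling of ESET's "a variant of" / "probably a variant of" prefix and the second sample line are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

# ComboFix stores quarantined files under C:\Qoobox\Quarantine, as the log in this
# post shows. A hit inside that folder is a copy already removed from its original place.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\",)

# Constructed sample, built from the log posted above (header trimmed to what we use).
SAMPLE_LOG = r"""
# version=4
# OnlineScanner.ocx=1.0.0.635
# vers_standard_module=4004 (20090413)
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-04-13 10:52:17
# osver=6.0.6001 NT Service Pack 1
# scanned=269275
# found=1
# scan_time=2793
C:\Qoobox\Quarantine\D\RECYCLER\S-8-4-61-100021364-100004264-100003590-3449.com.vir Win32/AutoRun.Agent.MH worm 66D0859FD0B5549F6DC9E93DA35E553C
"""


@dataclass
class Detection:
    path: str    # file the scanner flagged; may contain spaces
    threat: str  # ESET signature name, e.g. Win32/AutoRun.Agent.MH
    kind: str    # ESET classification word, e.g. worm, trojan, application
    md5: str     # MD5 reported by the scanner, normalised to upper case

    @property
    def quarantined(self) -> bool:
        """True when the hit lives in a known quarantine folder rather than a live location."""
        return any(m in self.path.lower() for m in QUARANTINE_MARKERS)


@dataclass
class ScanReport:
    header: Dict[str, str] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


def parse_detection(line: str) -> Optional[Detection]:
    """Split a detection line into path / threat / kind / md5.

    The path may contain spaces, so the threat name is located instead: ESET names
    are 'OS/Family.Variant' and a Windows path never contains a forward slash.
    """
    tokens = line.split()
    if len(tokens) < 4 or not MD5_RE.match(tokens[-1]):
        return None
    start = next((i for i, t in enumerate(tokens) if "/" in t), None)
    if start is None:
        return None
    # Assumption: heuristic hits are prefixed "a variant of" or "probably a variant of".
    if start >= 3 and tokens[start - 3:start] == ["a", "variant", "of"]:
        start -= 3
        if start >= 1 and tokens[start - 1] == "probably":
            start -= 1
    if start < 1 or start > len(tokens) - 3:  # need path, threat, kind and md5
        return None
    return Detection(
        path=" ".join(tokens[:start]),
        threat=" ".join(tokens[start:-2]),
        kind=tokens[-2],
        md5=tokens[-1].upper(),
    )


def parse_log(text: str) -> ScanReport:
    """Parse the whole log: '# key=value' lines go to header, the rest to detections."""
    report = ScanReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line.lstrip("# ").partition("=")
            if sep:
                report.header[key.strip()] = value.strip()
            continue
        det = parse_detection(line)
        if det is not None:
            report.detections.append(det)
    return report


def summarize(report: ScanReport) -> Dict[str, int]:
    """Counts a helper would want at a glance: live hits versus already-quarantined ones."""
    active = [d for d in report.detections if not d.quarantined]
    return {
        "scanned": int(report.header.get("scanned", 0)),
        "found": int(report.header.get("found", 0)),
        "active": len(active),
        "quarantined": len(report.detections) - len(active),
    }


if __name__ == "__main__":
    rep = parse_log(SAMPLE_LOG)
    print(summarize(rep))
    for d in rep.detections:
        print(("quarantined" if d.quarantined else "ACTIVE"), d.threat, d.kind, d.path)
```

Running it on the sample prints one detection marked quarantined and zero active hits. The quarantine check is only a hint about where the file sits; the authoritative answer is still the tool that quarantined it, which is what the next reply confirms.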


#10 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:04:31 AM

Posted 14 April 2009 - 03:17 AM

Hello,

The file was quarantined by ComboFix.

Congratulations, you are now clean! :thumbup2:

We should tidy up our mess though.

Uninstall ComboFix
  • Go to Start, then click Run
  • In the box, type: Combofix /u
  • Press Enter or click ok, and ComboFix will uninstall. Refer to the picture below if unsure.
Posted Image

Other Deletions

Locate where you saved DDS.exe, right click the file and select Delete.



Take a read of this excellent tutorial:

Simple and easy ways to keep your computer safe and secure on the Internet


Disable and Enable System Restore.

You should disable and re-enable system restore to make sure there are no infected files found in a restore point. You should now create a new restore point, since your system is clean.

You can find instructions on how to disable and re-enable system restore here:

Windows XP System Restore Guide

Visit Microsoft's Windows Update Site Frequently
  • It is important that you visit http://www.windowsupdate.com regularly.
  • This will ensure your computer always has the latest available security updates installed.
  • If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
System still slow?

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

Use a Firewall

Next, I would recommend the download and installation of some (I would say two is enough) of the following programs:

Spybot© - Search and Destroy
  • This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
  • You should also scan your computer with the program on a regular basis just as you would an anti virus software.
SUPERAntiSpyware
  • You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
  • Each antispyware product has different detection rates for different infections; using different products therefore increases your chances of finding and killing most malware.
MalwareBytes' Anti-Malware
  • Malwarebytes' Anti-Malware can detect and remove malware that even the most well known anti-virus and anti-malware applications fail to detect.
  • Ability to perform full scans for all drives.
  • The "Quick Scan" option lets the user scan the computer quickly checking for the most damaging threats and completing in usually under 10 minutes.
Javacools© SpywareBlaster
  • SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs.
Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

Glad I could Help :)
- Jat90 -


#11 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:04:31 AM

Posted 15 April 2009 - 05:08 AM

Since the problem appears to be resolved, this topic is now Closed. Glad I could help.
If you need this topic reopened, please send me a message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic.
- Jat90 -




