
Browser redirects


  • This topic is locked
17 replies to this topic

#1 auriel

auriel

  • Members
  • 10 posts

Posted 01 July 2010 - 07:58 PM

I have a problem with Internet Explorer which redirects my search choices to unwanted sites, for example to other search engines. Also Internet Explorer has become unstable and often shuts down after about 15 minutes. This trouble seemed to start after Antimalware Doctor installed itself on my computer. I managed to uninstall it, but when Internet Explorer is in use my computer becomes unstable. I get the Microsoft message box: D30dyL37.exe has stopped working.
I get the box: Host process for Windows Services stopped working and was closed.
Sometimes the computer shuts itself down. Anyway, when Internet Explorer 8 stops working the only way I can get it to restart is to restart my computer.

I installed Malwarebytes Anti-Malware and did a scan which identified over 300 items which it dealt with, notably a load of stuff from My Web Search.
I scanned the registry with Auslogics Registry Cleaner, which found a lot of items to change.
I installed Ad-Aware in the belief that it might spot something that Malwarebytes did not and did a scan, but it only picked up one item of malware.
I have just installed HijackThis and done a scan, which I produce below. Can anyone show me which items I need to get HijackThis to remove please, as I don’t fully understand the results of the scan?

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:29:28, on 01-Jul-2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\FileBX\FileBX.exe
C:\Program Files\Quicknote\Quicknote.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WordWeb\wweb32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ClipMagic\clipmagic.exe
C:\Program Files\Quicknote\Quicknote .exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent .exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi .exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\tinySpell\tinyspell .exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\System32\mobsync.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIOb0.dll
R3 - URLSearchHook: Free TV Bar c3 Toolbar - {3ee8d0be-f450-4ef2-97b9-ac2222d14db3} - C:\Program Files\Free_TV_Bar_c3\tbFree.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIOb0.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Free TV Bar c3 Toolbar - {3ee8d0be-f450-4ef2-97b9-ac2222d14db3} - C:\Program Files\Free_TV_Bar_c3\tbFree.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIOb0.dll
O3 - Toolbar: Free TV Bar c3 Toolbar - {3ee8d0be-f450-4ef2-97b9-ac2222d14db3} - C:\Program Files\Free_TV_Bar_c3\tbFree.dll
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKCU\..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [tinySpell] C:\Program Files\tinySpell\tinyspell .exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
O4 - HKCU\..\Run: [Quicknote] C:\Program Files\Quicknote\Quicknote.exe
O4 - HKCU\..\Run: [{74810991-7B09-927C-2089-C748ED1C1E62}] C:\Users\Andrew\AppData\Roaming\Icvate\zypai.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-4079556211-3401006346-1508829032-1001\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Andrew 2')
O4 - HKUS\S-1-5-21-4079556211-3401006346-1508829032-1002\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Rebecca')
O4 - HKUS\S-1-5-21-4079556211-3401006346-1508829032-1003\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Original')
O4 - HKUS\S-1-5-21-4079556211-3401006346-1508829032-1010\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Test 6')
O4 - HKUS\S-1-5-18\..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe (User 'Default user')
O4 - S-1-5-21-4079556211-3401006346-1508829032-1001 Startup: wooci.exe (User 'Andrew 2')
O4 - S-1-5-21-4079556211-3401006346-1508829032-1001 User Startup: wooci.exe (User 'Andrew 2')
O4 - S-1-5-21-4079556211-3401006346-1508829032-1002 Startup: ryus.exe (User 'Rebecca')
O4 - S-1-5-21-4079556211-3401006346-1508829032-1002 User Startup: ryus.exe (User 'Rebecca')
O4 - S-1-5-21-4079556211-3401006346-1508829032-1003 Startup: eveza.exe (User 'Original')
O4 - S-1-5-21-4079556211-3401006346-1508829032-1003 User Startup: eveza.exe (User 'Original')
O4 - S-1-5-21-4079556211-3401006346-1508829032-1010 Startup: vozie.exe (User 'Test 6')
O4 - S-1-5-21-4079556211-3401006346-1508829032-1010 User Startup: vozie.exe (User 'Test 6')
O4 - .DEFAULT User Startup: ifzaf.exe (User 'Default user')
O4 - Startup: BatteryMonitoring.exe
O4 - Startup: ClipMagic.lnk = C:\Program Files\ClipMagic\clipmagic.exe
O4 - Startup: PCChrono.exe
O4 - Global Startup: FileBox eXtender.lnk = C:\Program Files\FileBX\FileBX.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - (no file)
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/boardid/BoardID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{656828F2-BBB1-4E85-863C-CE657405882C}: NameServer = 212.139.132.27 212.139.132.26
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FsUsbExService - Teruten - C:\Windows\system32\FsUsbExService.Exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson/ST330/service/st330service.exe
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe
O23 - Service: StumbleUponUpdateService - stumbleupon.com - C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe
O23 - Service: Notebook Performance Tuning Service (TEMPRO) (TemproMonitoringService) - Toshiba Europe GmbH - C:\Program Files\Toshiba TEMPRO\TemproSvc.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 12808 bytes

Edited by Budapest, 01 July 2010 - 08:02 PM.
Moved from Web Browsing/Email and Other Internet Applications ~BP
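The question in this post is which lines of a HijackThis log deserve attention. As an added example (my own code, not from this thread, from HijackThis or from the helpers who answer here), the script below parses log lines in the HijackThis v2 format and attaches review reasons to O4 autorun entries, O17 DNS entries and O23 services. The sample log is constructed from the entry shapes in the thread; the second O17 line rewrites the resolver addresses reported later in the DDS log into O17 form. The heuristics, the `EXPECTED_DNS` allowlist and the function names are assumptions of mine, and a flag means "look at this", not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v2 log format. The lines copy the shape of the
# entry types in the thread (R/O sections); the second O17 line is built from the
# resolver addresses reported in the DDS log, rewritten in HijackThis O17 form.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [{74810991-7B09-927C-2089-C748ED1C1E62}] C:\Users\Andrew\AppData\Roaming\Icvate\zypai.exe
O4 - S-1-5-21-4079556211-3401006346-1508829032-1001 Startup: wooci.exe (User 'Andrew 2')
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{656828F2-BBB1-4E85-863C-CE657405882C}: NameServer = 212.139.132.27 212.139.132.26
O17 - HKLM\System\CCS\Services\Tcpip\..\{5291AF49-A5C9-4154-90AC-597BAF10F533}: NameServer = 93.188.162.229,93.188.166.209
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

# Assumption: the resolvers this machine is expected to use (e.g. the ISP's).
# An analyst fills this in; here it is set to the pair from the first O17 line.
EXPECTED_DNS = {"212.139.132.27", "212.139.132.26"}

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.*)$")
GUID_NAME_RE = re.compile(r"\[\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\]")
USER_APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
BARE_STARTUP_EXE_RE = re.compile(r"Startup: [^\\\s]+\.exe\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


@dataclass
class Entry:
    kind: str                                   # section code, e.g. "O4", "O17"
    body: str                                   # everything after "Oxx - "
    flags: list = field(default_factory=list)   # review reasons added by triage()


def parse_hjt(text):
    """Turn HijackThis log text into Entry records; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def triage(entries, expected_dns):
    """Attach review reasons to entries and return only those that got one.
    The rules are review heuristics (an assumption of this example), not verdicts."""
    for e in entries:
        if e.kind == "O4":
            if GUID_NAME_RE.search(e.body):
                e.flags.append("Run value named with a bare GUID")
            if USER_APPDATA_RE.search(e.body):
                e.flags.append("autorun target lives under a user's AppData")
            if BARE_STARTUP_EXE_RE.search(e.body):
                e.flags.append("executable placed directly in a Startup folder")
        elif e.kind == "O17":
            unexpected = [ip for ip in IPV4_RE.findall(e.body) if ip not in expected_dns]
            if unexpected:
                e.flags.append("NameServer not in expected set: " + ", ".join(unexpected))
        elif e.kind == "O23" and "(file missing)" in e.body:
            e.flags.append("service registered for a file that no longer exists")
    return [e for e in entries if e.flags]


def run_sample():
    """Parse and triage the constructed sample; returns the flagged entries."""
    return triage(parse_hjt(SAMPLE_LOG), EXPECTED_DNS)


if __name__ == "__main__":
    for e in run_sample():
        print(f"{e.kind}: {e.body}")
        for reason in e.flags:
            print(f"    -> {reason}")
```

Run against the sample, four of the nine entries come back: the GUID-named Run value pointing into AppData, the bare executable in a per-user Startup folder, the O17 entry whose resolvers are outside the allowlist, and the service whose binary is missing. The Sidebar, WordWeb and Adobe entries pass untouched, which is the point of keeping the rules narrow: the output is a short list for a human to check against known-good software, not a removal list.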



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 05 July 2010 - 11:30 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
  1. Do not run any other tool until instructed to do so!
  2. Please do not attach logs or put them in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having, as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note** If you are having problems posting the complete logs into this thread, upload them here http://www.rapidshare.com/ and post the links in this thread.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double-click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine; if it does, click OK
    Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** You may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Information and logs:
    In your next post I need the following:
      1. Logs from DDS
      2. RKUnHooker
      3. Let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 July 2010 - 05:27 PM

DDS (Ver_10-03-17.01) - NTFSx86
Run by Andrew at 18:56:18.40 on 07-Jul-2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.955 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Thomson\ST330\service\st330service.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\CISVC.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\FsUsbExService.Exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe
C:\Program Files\Toshiba TEMPRO\TemproSvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Windows\Explorer.EXE
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\FileBX\FileBX.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WordWeb\wweb32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ClipMagic\clipmagic.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Quicknote\quicknote .exe
C:\Program Files\tinySpell\tinyspell .exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\mshta.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\mshta.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Andrew\Downloads\dds_Link 2.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
uSearch Bar = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
mStart Page = hxxp://uk.yahoo.com
mDefault_Page_URL = hxxp://uk.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: IObitCom Toolbar: {31c7d459-9cc3-44f2-9dca-fc11795309b4} - c:\program files\iobitcom\tbIOb0.dll
uURLSearchHooks: Free TV Bar c3 Toolbar: {3ee8d0be-f450-4ef2-97b9-ac2222d14db3} - c:\program files\free_tv_bar_c3\tbFree.dll
mURLSearchHooks: IObitCom Toolbar: {31c7d459-9cc3-44f2-9dca-fc11795309b4} - c:\program files\iobitcom\tbIOb0.dll
mURLSearchHooks: Free TV Bar c3 Toolbar: {3ee8d0be-f450-4ef2-97b9-ac2222d14db3} - c:\program files\free_tv_bar_c3\tbFree.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: eBay Toolbar Helper: {22d8e815-4a5e-4dfb-845e-aab64207f5bd} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: IObitCom Toolbar: {31c7d459-9cc3-44f2-9dca-fc11795309b4} - c:\program files\iobitcom\tbIOb0.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Free TV Bar c3 Toolbar: {3ee8d0be-f450-4ef2-97b9-ac2222d14db3} - c:\program files\free_tv_bar_c3\tbFree.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: CAB Class: {c6a91056-83e0-4c6e-8dcc-43fc0dfe7a0a} - c:\windows\system32\uKVlJHuy.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: eBay Toolbar: {92085ad4-f48a-450d-bd93-b28cc7df67ce} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: IObitCom Toolbar: {31c7d459-9cc3-44f2-9dca-fc11795309b4} - c:\program files\iobitcom\tbIOb0.dll
TB: Free TV Bar c3 Toolbar: {3ee8d0be-f450-4ef2-97b9-ac2222d14db3} - c:\program files\free_tv_bar_c3\tbFree.dll
uRun: [TOSHIBA Online Product Information] c:\program files\toshiba\toshiba online product information\topi.exe
uRun: [TOSCDSPD] TOSCDSPD.EXE
uRun: [tinySpell] c:\program files\tinyspell\tinyspell .exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [{74810991-7B09-927C-2089-C748ED1C1E62}] c:\users\andrew\appdata\roaming\icvate\zypai.exe
uRun: [EWABQAF7KL] c:\users\andrew\appdata\local\temp\Sjl .exe
uRun: [Xrowezorijego] rundll32.exe "c:\users\andrew\appdata\local\icpneri.dll",Startup
uRun: [Quicknote] c:\program files\quicknote\quicknote.exe
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [Ejuvuzuhovehula] rundll32.exe "c:\users\andrew\appdata\local\ofepupiyecif.dll",Startup
dRun: [TOSHIBA Online Product Information] c:\program files\toshiba\toshiba online product information\topi.exe
StartupFolder: c:\users\andrew\appdata\roaming\microsoft\windows\start menu\programs\startup\BatteryMonitoring.exe
StartupFolder: c:\users\andrew\appdata\roaming\micros~1\windows\startm~1\programs\startup\clipma~1.lnk - c:\program files\clipmagic\clipmagic.exe
StartupFolder: c:\users\andrew\appdata\roaming\microsoft\windows\start menu\programs\startup\PCChrono.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\filebo~1.lnk - c:\program files\filebx\FileBX.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {C08CAF1D-C0A3-40D5-9970-06D067EAC017}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://www.intel.com/design/motherbd/boardid/BoardID.cab
TCP: NameServer = 93.188.162.229,93.188.166.209
TCP: {5291AF49-A5C9-4154-90AC-597BAF10F533} = 93.188.162.229,93.188.166.209
TCP: {82DAD503-6470-4629-871F-027915755E67} = 93.188.162.229,93.188.166.209
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-1 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-8 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-8 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-8 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-10-8 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-10-8 297752]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-3-24 233472]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-3-24 36608]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2006-12-15 7168]
R3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2007-5-14 30464]
R3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2007-5-14 12672]
R3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\drivers\stppp.sys [2007-5-14 35328]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-7-26 21504]
S3 INIDVD;Initio USB DVD Filter Driver;c:\windows\system32\drivers\inidvd.sys [2010-6-16 15896]

============== File Associations ===============

.scr=DWGTrueViewScriptFile

=============== Created Last 30 ================

2010-07-07 11:27:08 0 ----a-w- c:\users\andrew\defogger_reenable
2010-07-05 21:37:37 0 ----a-w- c:\windows\system32\.exe
2010-07-04 20:22:01 7 ----a-w- c:\windows\Winset.drv
2010-07-04 20:22:01 0 ----a-w- c:\windows\winkey.drv
2010-07-04 19:43:12 45568 ----a-w- c:\windows\system32\ernel32.dll
2010-07-04 19:43:08 45568 ----a-w- c:\users\andrew\appdata\roaming\25563820.exe
2010-07-04 19:42:49 174080 ----a-w- c:\windows\Sbamia.exe
2010-07-04 12:28:48 122880 ----a-w- c:\windows\system32\uKVlJHuy.dll
2010-07-01 18:16:16 0 d-----w- c:\program files\Trend Micro
2010-07-01 16:05:07 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-01 13:09:33 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-01 13:09:28 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-01 12:58:13 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-07-01 12:57:28 0 d-----w- c:\programdata\Lavasoft
2010-07-01 12:57:28 0 d-----w- c:\program files\Lavasoft
2010-07-01 12:27:52 36360 ----a-w- c:\users\andrew\5TAHs.com
2010-07-01 12:22:48 36360 ----a-w- c:\programdata\5TAHs.exe
2010-07-01 11:25:36 36360 ----a-w- c:\windows\system32\5TAHs.com
2010-06-29 23:44:46 71682 ----a-w- c:\programdata\D30dyL37.exe
2010-06-29 23:44:46 112 ----a-w- c:\programdata\6kxU56nA.dat
2010-06-29 22:30:13 0 d-----w- c:\users\andrew\appdata\roaming\Malwarebytes
2010-06-29 22:29:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-29 22:29:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-29 22:29:58 0 d-----w- c:\programdata\Malwarebytes
2010-06-29 22:29:58 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-29 15:28:54 0 d-----w- c:\programdata\AntiSpyInfo
2010-06-27 18:30:42 0 d-----w- c:\users\andrew\appdata\roaming\23FBEA850BA169526657E207FB64A461
2010-06-25 14:18:40 0 d-----w- c:\programdata\TOSHIBA Tempro
2010-06-16 12:13:00 15896 ----a-w- c:\windows\system32\drivers\inidvd.sys
2010-06-16 12:12:59 0 d-----w- c:\program files\LG USB Booster
2010-06-16 12:12:53 336 ----a-w- c:\windows\lgfwup.ini
2010-06-16 12:12:43 59904 ----a-w- c:\windows\system32\wbemdisp.tlb
2010-06-16 12:12:43 16384 ----a-w- c:\windows\system32\lgfwunis.exe
2010-06-16 12:12:43 102912 ----a-w- c:\windows\system32\Vb6stkit.dll
2010-06-16 12:12:43 102160 ----a-w- c:\windows\system32\VB6KO.DLL
2010-06-16 12:12:42 0 d-----w- c:\program files\lg_fwupdate
2010-06-16 12:02:30 0 d-----w- c:\program files\common files\CyberLink
2010-06-16 12:01:38 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-06-16 11:30:56 0 d-----w- c:\programdata\CyberLink
2010-06-14 21:04:31 0 d-----w- c:\program files\Free_TV_Bar_c3
2010-06-13 15:16:13 124688 ----a-w- c:\windows\system32\MSWINSCK.OCX
2010-06-13 15:16:13 0 d-----w- c:\program files\Quicknote

==================== Find3M ====================

2010-06-30 07:13:53 36360 ----a-w- c:\windows\fonts\5TAHs.com
2010-06-23 21:47:14 134480 ----a-w- c:\users\andrew\appdata\roaming\GDIPFONTCACHEV1.DAT
2010-05-21 13:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-17 20:22:54 153 ----a-w- C:\cats.dat
2010-05-06 23:45:24 86016 ----a-w- c:\windows\inf\infpub.dat
2010-05-06 23:45:24 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-06 23:45:23 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-06 23:45:23 143360 ----a-w- c:\windows\inf\infstor.dat
2010-04-23 14:13:55 2048 ----a-w- c:\windows\system32\tzres.dll
2009-03-29 19:18:38 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-07-22 20:46:49 2048 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\lastalive0.dat
2008-07-22 20:46:49 2048 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\lastalive1.dat
2009-11-23 22:12:48 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\low\history.ie5\index.dat
2009-11-23 22:12:48 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\index.dat
2009-11-23 22:12:48 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\cookies\low\index.dat

============= FINISH: 18:59:30.78 ===============


Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.
    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt
"information and logs"
    In your next post I need the following:
    1. Log from ComboFix
    2. Let me know of any problems you may have had
    3. How is the computer doing now?
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 auriel

auriel
  • Topic Starter

  • Members
  • 10 posts

Posted 09 July 2010 - 06:02 AM

Hi Gringo,

I have run ComboFix OK (it detected some rootkit activity and had to restart the computer; also I got a box saying C:\Windows\System32\exe is not a valid Win32 application). Outlook Express is running well now; the computer even starts more quickly now. ComboFix removed Tinyspell, a word checker, and Quicknote, a desktop notemaking prog. I have not considered these to be in any way malicious. Is it best not to reinstall these progs, do you think?

At computer startup I get boxes: Error loading C:\...\Local\icpneri.dll, and also Error loading C:\...\Local\ofepupiyecif.dll.
I presume this is because DeFogger now needs to be reset to its normal setting.

What software do you recommend to stop such attacks as I have received in the future?

Many thanks.

Attached Files



#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 09 July 2010 - 07:19 AM

Greetings

The ComboFix log will not open. Please resend me the log, but this time just post it here, please.

Extra ComboFix report

I need to see one of the extra reports ComboFix makes:
  • Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • Please copy and paste the following into the box
CODE
C:\ComboFix.txt
  • Click OK
  • Copy and paste the report into this topic for me to review

Gringo

#6 auriel

auriel
  • Topic Starter

  • Members
  • 10 posts

Posted 10 July 2010 - 06:32 AM

I notice now that Tinyspell and Quicknote are still on the computer; ComboFix just seems to have removed some files associated with them. Are they OK to keep on my computer?
File as requested:

ComboFix 10-07-07.02 - Andrew 8-Jul-2010 15:45:43.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1251 [GMT 1:00]
Running from: c:\users\Andrew\Documents\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\a.txt
c:\program files\Quicknote\quicknote.exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\program files\tinySpell\tinyspell .exe
c:\programdata\5TAHs.exe
c:\programdata\D30dyL37.exe
c:\users\Andrew\5TAHs.com
c:\users\Andrew\AppData\Local\5TAHs.exe
c:\users\Andrew\AppData\Local\icpneri.dll
c:\users\Andrew\AppData\Local\ofepupiyecif.dll
c:\users\Andrew\AppData\Roaming\23FBEA850BA169526657E207FB64A461
c:\users\Andrew\AppData\Roaming\23FBEA850BA169526657E207FB64A461\enemies-names.txt
c:\users\Andrew\AppData\Roaming\25563820.exe
c:\users\Andrew\AppData\Roaming\Icvate\zypai.exe
c:\windows\Fonts\5TAHs.com
c:\windows\Sbamia.exe
c:\windows\system32\.exe
c:\windows\system32\config\systemprofile\5TAHs.com
c:\windows\system32\ernel32.dll
c:\windows\system32\spool\prtprocs\w32x86\17u3mY.dll
c:\windows\system32\spool\prtprocs\w32x86\17uOC7.dll
c:\windows\system32\spool\prtprocs\w32x86\1s931u.dll
c:\windows\system32\spool\prtprocs\w32x86\3179o17m.dll
c:\windows\system32\spool\prtprocs\w32x86\317o31m9.dll
c:\windows\system32\spool\prtprocs\w32x86\5555y.dll
c:\windows\system32\spool\prtprocs\w32x86\79o179i.dll
c:\windows\system32\spool\prtprocs\w32x86\79q17c3.dll
c:\windows\system32\spool\prtprocs\w32x86\79sK79g.dll
c:\windows\system32\spool\prtprocs\w32x86\7aA17e3.dll
c:\windows\system32\spool\prtprocs\w32x86\7q31c9s.dll
c:\windows\system32\spool\prtprocs\w32x86\93uO93m79.dll
c:\windows\system32\spool\prtprocs\w32x86\9y1cE3aA9.dll
c:\windows\system32\spool\prtprocs\w32x86\C317yWSKU.dll
c:\windows\system32\spool\prtprocs\w32x86\c55u5.dll
c:\windows\system32\spool\prtprocs\w32x86\cE7aA179.dll
c:\windows\system32\spool\prtprocs\w32x86\CEI9qGM9.dll
c:\windows\system32\spool\prtprocs\w32x86\eI17qG1i9.dll
c:\windows\system32\spool\prtprocs\w32x86\i17q3w7u.dll
c:\windows\system32\spool\prtprocs\w32x86\iQ7w3uOC.dll
c:\windows\system32\spool\prtprocs\w32x86\M5g5i.dll
c:\windows\system32\spool\prtprocs\w32x86\O3179a17e.dll
c:\windows\system32\spool\prtprocs\w32x86\oC9sK7.dll
c:\windows\system32\spool\prtprocs\w32x86\s9e17k3.dll
c:\windows\system32\spool\prtprocs\w32x86\uOCE5.dll
c:\windows\system32\spool\prtprocs\w32x86\W17yWS79.dll
c:\windows\system32\spool\prtprocs\w32x86\wS317uO.dll
c:\windows\system32\spool\prtprocs\w32x86\y7cEIQ.dll
c:\windows\system32\spool\prtprocs\w32x86\Y9cE7aA.dll
c:\windows\system32\spool\prtprocs\w32x86\yW3uOCE.dll
c:\windows\system32\uKVLjhuy.dll
c:\windows\system32\VB6KO.DLL
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\At1.job

CODE
c:\program files\Quicknote\Quicknote  .exe --->c:\program files\Quicknote\Quicknote.exe
c:\program files\Quicknote\quicknote .exe --->c:\program files\Quicknote\quicknote.exe
c:\program files\tinySpell\tinyspell                                                    .exe --->c:\program files\tinySpell\tinyspell.exe

.
Infected copy of c:\windows\system32\drivers\pcmcia.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-08 to 2010-07-08 )))))))))))))))))))))))))))))))
.

2010-07-08 15:00 . 2010-07-08 15:01 -------- d-----w- c:\users\Andrew\AppData\Local\temp
2010-07-08 15:00 . 2010-07-08 15:00 -------- d-----w- c:\users\Test 6\AppData\Local\temp
2010-07-08 15:00 . 2010-07-08 15:00 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2010-07-08 15:00 . 2010-07-08 15:00 -------- d-----w- c:\users\Rebecca\AppData\Local\temp
2010-07-08 15:00 . 2010-07-08 15:00 -------- d-----w- c:\users\Original\AppData\Local\temp
2010-07-08 15:00 . 2010-07-08 15:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-08 15:00 . 2010-07-08 15:00 -------- d-----w- c:\users\Andrew 2\AppData\Local\temp
2010-07-07 11:37 . 2009-09-02 10:58 1107200 ----a-w- c:\programdata\AVG Security Toolbar\IEToolbar.dll
2010-07-04 20:22 . 2010-07-04 20:22 7 ----a-w- c:\windows\Winset.drv
2010-07-04 20:22 . 2010-07-04 20:22 0 ----a-w- c:\windows\winkey.drv
2010-07-04 19:45 . 2010-07-08 09:54 0 ----a-w- c:\users\Andrew\AppData\Local\Aromigipamepo.bin
2010-07-04 19:45 . 2010-07-07 18:38 120 ----a-w- c:\users\Andrew\AppData\Local\Rjazijokilomini.dat
2010-07-04 19:45 . 2010-07-04 19:45 -------- d-----w- c:\users\Andrew\AppData\Local\{B43B4B15-DD46-4F5E-8CD4-3D2D3E0B96EA}
2010-07-01 18:16 . 2010-07-01 18:16 388096 ----a-r- c:\users\Andrew\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-01 18:16 . 2010-07-01 18:16 -------- d-----w- c:\program files\Trend Micro
2010-07-01 13:09 . 2010-07-01 13:09 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-01 12:57 . 2010-07-08 12:51 -------- d-----w- c:\programdata\Lavasoft
2010-07-01 11:25 . 2010-06-30 07:13 36360 ----a-w- c:\windows\system32\5TAHs.com
2010-06-29 22:30 . 2010-06-29 22:30 -------- d-----w- c:\users\Andrew\AppData\Roaming\Malwarebytes
2010-06-29 22:29 . 2010-07-08 13:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-29 22:29 . 2010-06-29 22:29 -------- d-----w- c:\programdata\Malwarebytes
2010-06-29 15:28 . 2010-06-30 10:25 -------- d-----w- c:\programdata\AntiSpyInfo
2010-06-29 15:12 . 2010-06-29 15:12 156209 ----a-w- c:\users\Test 6\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vozie.exe
2010-06-29 15:12 . 2010-06-29 15:12 156209 ----a-w- c:\users\Rebecca\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryus.exe
2010-06-29 15:12 . 2010-06-29 15:12 156209 ----a-w- c:\users\Original\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eveza.exe
2010-06-29 15:12 . 2010-06-29 15:12 156209 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ifzaf.exe
2010-06-29 15:12 . 2010-06-29 15:12 156209 ----a-w- c:\users\Andrew 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wooci.exe
2010-06-25 14:18 . 2010-06-25 14:18 -------- d-----w- c:\programdata\TOSHIBA Tempro
2010-06-16 13:06 . 2010-06-16 13:06 -------- d-----w- c:\users\Public\CyberLink
2010-06-16 12:27 . 2010-06-16 12:27 -------- d-----w- c:\users\Documents
2010-06-16 12:26 . 2010-06-16 12:26 -------- d-----w- c:\users\Andrew\AppData\Local\Power2Go
2010-06-16 12:13 . 2010-06-16 12:13 53319 ----a-w- c:\programdata\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
2010-06-16 12:13 . 2009-08-05 09:25 15896 ----a-w- c:\windows\system32\drivers\inidvd.sys
2010-06-16 12:12 . 2010-06-16 12:13 -------- d-----w- c:\program files\LG USB Booster
2010-06-16 12:12 . 2010-06-16 12:14 16384 ----a-w- c:\windows\system32\lgfwunis.exe
2010-06-16 12:12 . 1998-07-21 23:00 102912 ----a-w- c:\windows\system32\Vb6stkit.dll
2010-06-16 12:12 . 2010-06-30 07:15 -------- d-----w- c:\program files\lg_fwupdate
2010-06-16 12:03 . 2010-06-16 12:03 36864 ----a-w- c:\programdata\TEMP\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\PostBuild.exe
2010-06-16 12:02 . 2010-06-16 12:02 -------- d-----w- c:\program files\Common Files\CyberLink
2010-06-16 12:01 . 2010-06-16 12:01 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-06-16 12:01 . 2010-06-16 12:01 53319 ----a-w- c:\programdata\TEMP\{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}\PostBuild.exe
2010-06-16 12:01 . 2010-06-16 13:47 -------- d-----w- c:\users\Andrew\AppData\Roaming\CyberLink
2010-06-16 12:00 . 2009-01-08 10:20 34088 ----a-w- c:\programdata\CyberLink\Power2Go\P2GoGadget.dll
2010-06-16 11:58 . 2010-06-16 11:58 36864 ----a-w- c:\programdata\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe
2010-06-16 11:58 . 2010-06-16 12:14 -------- d-----w- c:\program files\CyberLink
2010-06-16 11:30 . 2010-06-16 13:45 -------- d-----w- c:\programdata\CyberLink
2010-06-16 11:23 . 2010-06-16 11:22 53319 ----a-w- c:\programdata\TEMP\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe
2010-06-14 21:04 . 2010-06-14 21:04 -------- d-----w- c:\program files\Free_TV_Bar_c3
2010-06-13 15:16 . 2010-07-08 15:01 -------- d-----w- c:\program files\Quicknote

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 15:01 . 2009-09-20 21:44 -------- d-----w- c:\program files\tinySpell
2010-07-08 14:33 . 2010-01-16 17:40 -------- d-----w- c:\users\Andrew\AppData\Roaming\ClipMagic
2010-07-08 14:07 . 2008-04-30 20:56 -------- d-----w- c:\programdata\WholeSecurity
2010-07-07 18:48 . 2010-06-29 23:44 112 ----a-w- c:\programdata\6kxU56nA.dat
2010-07-07 11:37 . 2009-10-08 13:40 -------- d-----w- c:\programdata\AVG Security Toolbar
2010-07-03 19:20 . 2009-08-21 19:48 -------- d-----w- c:\users\Andrew\AppData\Roaming\WebStripper
2010-06-30 10:25 . 2008-05-23 02:36 -------- d-----w- c:\users\Andrew\AppData\Roaming\Ykuf
2010-06-30 07:15 . 2009-02-05 21:23 -------- d-----w- c:\program files\Toshiba TEMPRO
2010-06-30 07:13 . 2009-05-10 20:22 -------- d-----w- c:\users\Andrew\AppData\Roaming\Icvate
2010-06-29 16:04 . 2009-03-22 13:48 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-25 14:18 . 2009-02-05 21:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-24 11:29 . 2009-05-24 14:37 -------- d-----w- c:\users\Andrew\AppData\Roaming\ZoomBrowser EX
2010-06-24 11:23 . 2009-09-13 19:04 -------- d-----w- c:\users\Andrew\AppData\Roaming\CameraWindowDC
2010-06-16 12:28 . 2007-04-23 21:42 134416 ----a-w- c:\users\Andrew\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-16 12:14 . 2006-12-15 11:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-14 22:52 . 2006-12-15 10:35 -------- d-----w- c:\program files\TOSHIBA
2010-06-07 11:46 . 2010-06-07 11:46 -------- d-----w- c:\program files\Intel Corporation
2010-05-26 11:35 . 2007-10-15 21:00 -------- d-----w- c:\program files\MSECache
2010-05-26 11:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-23 10:48 . 2010-05-23 10:48 -------- d-----w- c:\programdata\Apple Computer
2010-05-23 10:48 . 2008-09-14 22:31 -------- d-----w- c:\program files\QuickTime
2010-05-23 10:48 . 2010-05-23 10:48 -------- d-----w- c:\program files\Common Files\Apple
2010-05-21 13:14 . 2009-10-05 10:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-17 20:22 . 2010-03-20 23:17 153 ----a-w- C:\cats.dat
2010-05-13 21:39 . 2009-06-20 21:42 -------- d-----w- c:\users\Andrew\AppData\Roaming\Spotify
2010-05-13 19:24 . 2010-05-13 19:24 282624 ----a-w- c:\users\Andrew\AppData\Roaming\Spotify\Gracenote\gnsdk_musicid_file.dll
2010-05-13 19:24 . 2010-05-13 19:24 655360 ----a-w- c:\users\Andrew\AppData\Roaming\Spotify\Gracenote\gnsdk_sdkmanager.dll
2010-05-13 19:24 . 2010-05-13 19:24 208896 ----a-w- c:\users\Andrew\AppData\Roaming\Spotify\Gracenote\gnsdk_dsp.dll
2010-05-06 23:45 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-23 14:13 . 2010-05-26 10:46 2048 ----a-w- c:\windows\system32\tzres.dll
2008-07-22 20:46 . 2008-07-22 19:41 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2008-07-22 20:46 . 2008-07-22 19:41 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
.
CODE
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu .exe
c:\program files\CyberLink\Power2Go\CLMLSvc .exe
c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu .exe
c:\program files\CyberLink\PowerDVD8\PDVD8Serv .exe
c:\program files\CyberLink\PowerDVD8\Language\Language .exe
c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu .exe
c:\program files\lg_fwupdate\fwupdate .exe
c:\program files\Malwarebytes' Anti-Malware\mbam  .exe
c:\program files\Samsung\Samsung New PC Studio\NPSAgent .exe
c:\program files\TOSHIBA\Toshiba Online Product Information\topi .exe
c:\program files\Toshiba TEMPRO\TemproTray .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
"{31c7d459-9cc3-44f2-9dca-fc11795309b4}"= "c:\program files\IObitCom\tbIOb0.dll" [2009-10-01 2166296]
"{3ee8d0be-f450-4ef2-97b9-ac2222d14db3}"= "c:\program files\Free_TV_Bar_c3\tbFree.dll" [2010-06-03 2736736]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

[HKEY_CLASSES_ROOT\clsid\{3ee8d0be-f450-4ef2-97b9-ac2222d14db3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]
2009-10-01 17:29 2166296 ----a-w- c:\program files\IObitCom\tbIOb0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3ee8d0be-f450-4ef2-97b9-ac2222d14db3}]
2010-06-03 17:24 2736736 ----a-w- c:\program files\Free_TV_Bar_c3\tbFree.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 10:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
"{31c7d459-9cc3-44f2-9dca-fc11795309b4}"= "c:\program files\IObitCom\tbIOb0.dll" [2009-10-01 2166296]
"{3ee8d0be-f450-4ef2-97b9-ac2222d14db3}"= "c:\program files\Free_TV_Bar_c3\tbFree.dll" [2010-06-03 2736736]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

[HKEY_CLASSES_ROOT\clsid\{3ee8d0be-f450-4ef2-97b9-ac2222d14db3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
"{31C7D459-9CC3-44F2-9DCA-FC11795309B4}"= "c:\program files\IObitCom\tbIOb0.dll" [2009-10-01 2166296]
"{3EE8D0BE-F450-4EF2-97B9-AC2222D14DB3}"= "c:\program files\Free_TV_Bar_c3\tbFree.dll" [2010-06-03 2736736]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

[HKEY_CLASSES_ROOT\clsid\{3ee8d0be-f450-4ef2-97b9-ac2222d14db3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSHIBA Online Product Information"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [N/A]
"TOSCDSPD"="TOSCDSPD.EXE" [N/A]
"tinySpell"="c:\program files\tinySpell\tinyspell .exe" [N/A]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-10 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [N/A]
"{74810991-7B09-927C-2089-C748ED1C1E62}"="c:\users\Andrew\AppData\Roaming\Icvate\zypai.exe" [N/A]
"Xrowezorijego"="c:\users\Andrew\AppData\Local\icpneri.dll" [N/A]
"Quicknote"="c:\program files\Quicknote\quicknote.exe" [2010-02-23 1253376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [N/A]
"Ejuvuzuhovehula"="c:\users\Andrew\AppData\Local\ofepupiyecif.dll" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TOSHIBA Online Product Information"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [N/A]

c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BatteryMonitoring.exe [2006-1-3 301056]
ClipMagic.lnk - c:\program files\ClipMagic\clipmagic.exe [2005-12-13 925592]
PCChrono.exe [2006-5-6 1289728]

c:\users\Andrew 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
wooci.exe [2010-6-29 156209]

c:\users\Rebecca\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ryus.exe [2010-6-29 156209]

c:\users\Original\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
eveza.exe [2010-6-29 156209]

c:\users\Test 6\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
vozie.exe [2010-6-29 156209]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
FileBox eXtender.lnk - c:\program files\FileBX\FileBX.exe [2009-5-27 432640]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-8-1 111376]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-1 51984]
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2007-7-1 44384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:69,15,63,6c,14,48,ca,01

R3 INIDVD;Initio USB DVD Filter Driver;c:\windows\system32\DRIVERS\inidvd.sys [2009-08-05 15896]
R3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [2009-09-28 120232]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-10-08 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-10-08 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-10-08 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2010-03-13 297752]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-04-07 233472]
S2 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files\Toshiba TEMPRO\TemproSvc.exe [2010-05-12 124368]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-04-07 36608]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-19 7168]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2007-05-14 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2007-05-14 12672]
S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\DRIVERS\stppp.sys [2007-05-14 35328]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-07-03 c:\windows\Tasks\At121.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-02 c:\windows\Tasks\At122.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-01 c:\windows\Tasks\At123.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-01 c:\windows\Tasks\At124.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-01 c:\windows\Tasks\At125.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-01 c:\windows\Tasks\At126.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-01 c:\windows\Tasks\At127.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-01 c:\windows\Tasks\At128.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-01 c:\windows\Tasks\At129.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-02 c:\windows\Tasks\At130.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-02 c:\windows\Tasks\At131.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-08 c:\windows\Tasks\At132.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-08 c:\windows\Tasks\At133.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-08 c:\windows\Tasks\At134.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-08 c:\windows\Tasks\At135.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-07 c:\windows\Tasks\At136.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-03 c:\windows\Tasks\At137.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-07 c:\windows\Tasks\At138.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-07 c:\windows\Tasks\At139.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-07 c:\windows\Tasks\At140.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-07 c:\windows\Tasks\At141.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-07 c:\windows\Tasks\At142.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-07 c:\windows\Tasks\At143.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-06 c:\windows\Tasks\At144.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-03 c:\windows\Tasks\At169.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-02 c:\windows\Tasks\At170.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-01 c:\windows\Tasks\At171.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-01 c:\windows\Tasks\At172.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-01 c:\windows\Tasks\At173.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-01 c:\windows\Tasks\At174.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-01 c:\windows\Tasks\At175.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-01 c:\windows\Tasks\At176.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-01 c:\windows\Tasks\At177.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-02 c:\windows\Tasks\At178.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-02 c:\windows\Tasks\At179.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-08 c:\windows\Tasks\At180.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-08 c:\windows\Tasks\At181.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-08 c:\windows\Tasks\At182.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-08 c:\windows\Tasks\At183.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-07 c:\windows\Tasks\At184.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-03 c:\windows\Tasks\At185.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-07 c:\windows\Tasks\At186.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-07 c:\windows\Tasks\At187.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-07 c:\windows\Tasks\At188.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-07 c:\windows\Tasks\At189.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-07 c:\windows\Tasks\At190.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-07 c:\windows\Tasks\At191.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-06 c:\windows\Tasks\At192.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-08 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

2010-06-13 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-10-19 13:48]

2010-07-08 c:\windows\Tasks\User_Feed_Synchronization-{D9B30BB4-63C0-47D4-A444-A174F9308500}.job
- c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://uk.yahoo.com
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {{C08CAF1D-C0A3-40D5-9970-06D067EAC017}
DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://www.intel.com/design/motherbd/boardid/BoardID.cab
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-08 16:01
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\st330service]
"ImagePath"="C:\Program Files/Thomson/ST330/service/st330service.exe -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,ae,82,30,04,0a,d3,4a,b3,d8,b1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,ae,82,30,04,0a,d3,4a,b3,d8,b1,\

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b4
.
Completion time: 2010-07-08 16:11:48
ComboFix-quarantined-files.txt 2010-07-08 15:11

Pre-Run: 15,543,832,576 bytes free
Post-Run: 16,239,546,368 bytes free

- - End Of File - - 6D6C213EEF19B583F8CD283B7D711C93


#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:38 PM

Posted 10 July 2010 - 06:54 AM

Greetings

I notice now that Tinyspell and Quicknote are still on the computer- ComboFix just seems to have removed some files associated with them. Are they ok to keep on my computer?
Yes, they are OK to keep on the computer. The infection had infected some files, but we are cleaning them up.

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
File::
c:\users\Andrew\AppData\Local\Aromigipamepo.bin
c:\users\Andrew\AppData\Local\Rjazijokilomini.dat
c:\users\Test 6\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vozie.exe
c:\users\Rebecca\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryus.exe
c:\users\Original\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eveza.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ifzaf.exe
c:\users\Andrew 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wooci.exe
c:\users\Andrew\AppData\Local\icpneri.dll
c:\users\Andrew\AppData\Local\ofepupiyecif.dll
c:\windows\system32\5TAHs.com
c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe

Folder::
c:\users\Andrew\AppData\Roaming\Icvate

RenV::
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu .exe
c:\program files\CyberLink\Power2Go\CLMLSvc .exe
c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu .exe
c:\program files\CyberLink\PowerDVD8\PDVD8Serv .exe
c:\program files\CyberLink\PowerDVD8\Language\Language .exe
c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu .exe
c:\program files\lg_fwupdate\fwupdate .exe
c:\program files\Malwarebytes' Anti-Malware\mbam  .exe
c:\program files\Samsung\Samsung New PC Studio\NPSAgent .exe
c:\program files\TOSHIBA\Toshiba Online Product Information\topi .exe
c:\program files\Toshiba TEMPRO\TemproTray .exe

AtJob::


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 auriel

auriel
  • Topic Starter

  • Members
  • 10 posts
  • Local time:06:38 PM

Posted 10 July 2010 - 09:37 AM

ComboFix seemed to run ok as per your instructions, but it wanted to update and was unable to because I was unable to connect to the internet.

Computer seems to be running well. Log as requested-

ComboFix 10-07-07.02 - Andrew 0-Jul-2010 14:43:00.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1272 [GMT 1:00]
Running from: c:\users\Andrew\Documents\Desktop\ComboFix.exe
Command switches used :: c:\users\Andrew\Documents\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\users\Andrew 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wooci.exe"
"c:\users\Andrew\AppData\Local\Aromigipamepo.bin"
"c:\users\Andrew\AppData\Local\icpneri.dll"
"c:\users\Andrew\AppData\Local\ofepupiyecif.dll"
"c:\users\Andrew\AppData\Local\Rjazijokilomini.dat"
"c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ifzaf.exe"
"c:\users\Original\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eveza.exe"
"c:\users\Rebecca\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryus.exe"
"c:\users\Test 6\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vozie.exe"
"c:\windows\system32\5TAHs.com"
"c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\CyberLink\PowerDVD8\Language\Language.exe
c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe
c:\users\Andrew 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wooci.exe
c:\users\Andrew\AppData\Local\{B43B4B15-DD46-4F5E-8CD4-3D2D3E0B96EA}
c:\users\Andrew\AppData\Local\{B43B4B15-DD46-4F5E-8CD4-3D2D3E0B96EA}\chrome.manifest
c:\users\Andrew\AppData\Local\{B43B4B15-DD46-4F5E-8CD4-3D2D3E0B96EA}\chrome\content\_cfg.js
c:\users\Andrew\AppData\Local\{B43B4B15-DD46-4F5E-8CD4-3D2D3E0B96EA}\chrome\content\overlay.xul
c:\users\Andrew\AppData\Local\{B43B4B15-DD46-4F5E-8CD4-3D2D3E0B96EA}\install.rdf
c:\users\Andrew\AppData\Local\Aromigipamepo.bin
c:\users\Andrew\AppData\Local\Rjazijokilomini.dat
c:\users\Andrew\AppData\Roaming\Icvate
c:\users\Andrew\AppData\Roaming\Icvate\zypai .exe
c:\users\Andrew\AppData\Roaming\Icvate\zypai.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ifzaf.exe
c:\users\Original\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eveza.exe
c:\users\Rebecca\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryus.exe
c:\users\Test 6\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vozie.exe
c:\windows\Fonts\5TAHs.com
c:\windows\system32\5TAHs.com
c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At121.job
c:\windows\Tasks\At122.job
c:\windows\Tasks\At123.job
c:\windows\Tasks\At124.job
c:\windows\Tasks\At125.job
c:\windows\Tasks\At126.job
c:\windows\Tasks\At127.job
c:\windows\Tasks\At128.job
c:\windows\Tasks\At129.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At130.job
c:\windows\Tasks\At131.job
c:\windows\Tasks\At132.job
c:\windows\Tasks\At133.job
c:\windows\Tasks\At134.job
c:\windows\Tasks\At135.job
c:\windows\Tasks\At136.job
c:\windows\Tasks\At137.job
c:\windows\Tasks\At138.job
c:\windows\Tasks\At139.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At140.job
c:\windows\Tasks\At141.job
c:\windows\Tasks\At142.job
c:\windows\Tasks\At143.job
c:\windows\Tasks\At144.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At169.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At170.job
c:\windows\Tasks\At171.job
c:\windows\Tasks\At172.job
c:\windows\Tasks\At173.job
c:\windows\Tasks\At174.job
c:\windows\Tasks\At175.job
c:\windows\Tasks\At176.job
c:\windows\Tasks\At177.job
c:\windows\Tasks\At178.job
c:\windows\Tasks\At179.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At180.job
c:\windows\Tasks\At181.job
c:\windows\Tasks\At182.job
c:\windows\Tasks\At183.job
c:\windows\Tasks\At184.job
c:\windows\Tasks\At185.job
c:\windows\Tasks\At186.job
c:\windows\Tasks\At187.job
c:\windows\Tasks\At188.job
c:\windows\Tasks\At189.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At190.job
c:\windows\Tasks\At191.job
c:\windows\Tasks\At192.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

CODE
c:\program files\CyberLink\PowerDVD8\Language\Language .exe --->c:\program files\CyberLink\PowerDVD8\Language\Language.exe
c:\program files\TOSHIBA\Toshiba Online Product Information\topi .exe --->c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe

.
.
((((((((((((((((((((((((( Files Created from 2010-06-10 to 2010-07-10 )))))))))))))))))))))))))))))))
.

2010-07-10 13:52 . 2010-07-10 13:52 -------- d-----w- c:\users\Test 6\AppData\Local\temp
2010-07-10 13:52 . 2010-07-10 13:52 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2010-07-10 13:52 . 2010-07-10 13:52 -------- d-----w- c:\users\Rebecca\AppData\Local\temp
2010-07-10 13:52 . 2010-07-10 13:52 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-10 13:52 . 2010-07-10 13:52 -------- d-----w- c:\users\Original\AppData\Local\temp
2010-07-10 13:52 . 2010-07-10 13:52 -------- d-----w- c:\users\Documents\AppData\Local\temp
2010-07-10 13:52 . 2010-07-10 13:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-10 13:52 . 2010-07-10 13:52 -------- d-----w- c:\users\Andrew 2\AppData\Local\temp
2010-07-08 15:11 . 2010-07-10 13:52 -------- d-----w- c:\users\Andrew\AppData\Local\temp
2010-07-07 11:37 . 2009-09-02 10:58 1107200 ----a-w- c:\programdata\AVG Security Toolbar\IEToolbar.dll
2010-07-04 20:22 . 2010-07-04 20:22 7 ----a-w- c:\windows\Winset.drv
2010-07-04 20:22 . 2010-07-04 20:22 0 ----a-w- c:\windows\winkey.drv
2010-07-01 18:16 . 2010-07-01 18:16 388096 ----a-r- c:\users\Andrew\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-01 18:16 . 2010-07-01 18:16 -------- d-----w- c:\program files\Trend Micro
2010-07-01 13:09 . 2010-07-01 13:09 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-01 12:57 . 2010-07-08 12:51 -------- d-----w- c:\programdata\Lavasoft
2010-06-29 22:30 . 2010-06-29 22:30 -------- d-----w- c:\users\Andrew\AppData\Roaming\Malwarebytes
2010-06-29 22:29 . 2010-07-10 13:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-29 22:29 . 2010-06-29 22:29 -------- d-----w- c:\programdata\Malwarebytes
2010-06-29 15:28 . 2010-06-30 10:25 -------- d-----w- c:\programdata\AntiSpyInfo
2010-06-25 14:18 . 2010-06-25 14:18 -------- d-----w- c:\programdata\TOSHIBA Tempro
2010-06-16 13:06 . 2010-06-16 13:06 -------- d-----w- c:\users\Public\CyberLink
2010-06-16 12:27 . 2010-07-08 15:11 -------- d-----w- c:\users\Documents
2010-06-16 12:26 . 2010-06-16 12:26 -------- d-----w- c:\users\Andrew\AppData\Local\Power2Go
2010-06-16 12:13 . 2010-06-16 12:13 53319 ----a-w- c:\programdata\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
2010-06-16 12:13 . 2009-08-05 09:25 15896 ----a-w- c:\windows\system32\drivers\inidvd.sys
2010-06-16 12:12 . 2010-06-16 12:13 -------- d-----w- c:\program files\LG USB Booster
2010-06-16 12:12 . 2010-06-16 12:14 16384 ----a-w- c:\windows\system32\lgfwunis.exe
2010-06-16 12:12 . 1998-07-21 23:00 102912 ----a-w- c:\windows\system32\Vb6stkit.dll
2010-06-16 12:12 . 2010-07-10 13:42 -------- d-----w- c:\program files\lg_fwupdate
2010-06-16 12:03 . 2010-06-16 12:03 36864 ----a-w- c:\programdata\TEMP\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\PostBuild.exe
2010-06-16 12:02 . 2010-06-16 12:02 -------- d-----w- c:\program files\Common Files\CyberLink
2010-06-16 12:01 . 2010-06-16 12:01 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-06-16 12:01 . 2010-06-16 12:01 53319 ----a-w- c:\programdata\TEMP\{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}\PostBuild.exe
2010-06-16 12:01 . 2010-06-16 13:47 -------- d-----w- c:\users\Andrew\AppData\Roaming\CyberLink
2010-06-16 12:00 . 2009-01-08 10:20 34088 ----a-w- c:\programdata\CyberLink\Power2Go\P2GoGadget.dll
2010-06-16 11:58 . 2010-06-16 11:58 36864 ----a-w- c:\programdata\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe
2010-06-16 11:58 . 2010-06-16 12:14 -------- d-----w- c:\program files\CyberLink
2010-06-16 11:30 . 2010-06-16 13:45 -------- d-----w- c:\programdata\CyberLink
2010-06-16 11:23 . 2010-06-16 11:22 53319 ----a-w- c:\programdata\TEMP\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe
2010-06-14 21:04 . 2010-06-14 21:04 -------- d-----w- c:\program files\Free_TV_Bar_c3
2010-06-13 15:16 . 2010-07-08 15:01 -------- d-----w- c:\program files\Quicknote

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-10 13:42 . 2009-02-05 21:23 -------- d-----w- c:\program files\Toshiba TEMPRO
2010-07-10 10:53 . 2010-01-16 17:40 -------- d-----w- c:\users\Andrew\AppData\Roaming\ClipMagic
2010-07-08 22:17 . 2009-06-20 21:42 -------- d-----w- c:\users\Andrew\AppData\Roaming\Spotify
2010-07-08 15:01 . 2009-09-20 21:44 -------- d-----w- c:\program files\tinySpell
2010-07-08 14:07 . 2008-04-30 20:56 -------- d-----w- c:\programdata\WholeSecurity
2010-07-07 18:48 . 2010-06-29 23:44 112 ----a-w- c:\programdata\6kxU56nA.dat
2010-07-07 11:37 . 2009-10-08 13:40 -------- d-----w- c:\programdata\AVG Security Toolbar
2010-07-03 19:20 . 2009-08-21 19:48 -------- d-----w- c:\users\Andrew\AppData\Roaming\WebStripper
2010-06-30 10:25 . 2008-05-23 02:36 -------- d-----w- c:\users\Andrew\AppData\Roaming\Ykuf
2010-06-29 16:04 . 2009-03-22 13:48 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-25 14:18 . 2009-02-05 21:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-24 11:29 . 2009-05-24 14:37 -------- d-----w- c:\users\Andrew\AppData\Roaming\ZoomBrowser EX
2010-06-24 11:23 . 2009-09-13 19:04 -------- d-----w- c:\users\Andrew\AppData\Roaming\CameraWindowDC
2010-06-16 12:28 . 2007-04-23 21:42 134416 ----a-w- c:\users\Andrew\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-16 12:14 . 2006-12-15 11:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-14 22:52 . 2006-12-15 10:35 -------- d-----w- c:\program files\TOSHIBA
2010-06-07 11:46 . 2010-06-07 11:46 -------- d-----w- c:\program files\Intel Corporation
2010-05-26 11:35 . 2007-10-15 21:00 -------- d-----w- c:\program files\MSECache
2010-05-26 11:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-23 10:48 . 2010-05-23 10:48 -------- d-----w- c:\programdata\Apple Computer
2010-05-23 10:48 . 2008-09-14 22:31 -------- d-----w- c:\program files\QuickTime
2010-05-23 10:48 . 2010-05-23 10:48 -------- d-----w- c:\program files\Common Files\Apple
2010-05-21 13:14 . 2009-10-05 10:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-17 20:22 . 2010-03-20 23:17 153 ----a-w- C:\cats.dat
2010-05-13 19:24 . 2010-05-13 19:24 282624 ----a-w- c:\users\Andrew\AppData\Roaming\Spotify\Gracenote\gnsdk_musicid_file.dll
2010-05-13 19:24 . 2010-05-13 19:24 655360 ----a-w- c:\users\Andrew\AppData\Roaming\Spotify\Gracenote\gnsdk_sdkmanager.dll
2010-05-13 19:24 . 2010-05-13 19:24 208896 ----a-w- c:\users\Andrew\AppData\Roaming\Spotify\Gracenote\gnsdk_dsp.dll
2010-05-06 23:45 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-23 14:13 . 2010-05-26 10:46 2048 ----a-w- c:\windows\system32\tzres.dll
2008-07-22 20:46 . 2008-07-22 19:41 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2008-07-22 20:46 . 2008-07-22 19:41 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
"{31c7d459-9cc3-44f2-9dca-fc11795309b4}"= "c:\program files\IObitCom\tbIOb0.dll" [2009-10-01 2166296]
"{3ee8d0be-f450-4ef2-97b9-ac2222d14db3}"= "c:\program files\Free_TV_Bar_c3\tbFree.dll" [2010-06-03 2736736]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

[HKEY_CLASSES_ROOT\clsid\{3ee8d0be-f450-4ef2-97b9-ac2222d14db3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]
2009-10-01 17:29 2166296 ----a-w- c:\program files\IObitCom\tbIOb0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3ee8d0be-f450-4ef2-97b9-ac2222d14db3}]
2010-06-03 17:24 2736736 ----a-w- c:\program files\Free_TV_Bar_c3\tbFree.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 10:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
"{31c7d459-9cc3-44f2-9dca-fc11795309b4}"= "c:\program files\IObitCom\tbIOb0.dll" [2009-10-01 2166296]
"{3ee8d0be-f450-4ef2-97b9-ac2222d14db3}"= "c:\program files\Free_TV_Bar_c3\tbFree.dll" [2010-06-03 2736736]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

[HKEY_CLASSES_ROOT\clsid\{3ee8d0be-f450-4ef2-97b9-ac2222d14db3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
"{31C7D459-9CC3-44F2-9DCA-FC11795309B4}"= "c:\program files\IObitCom\tbIOb0.dll" [2009-10-01 2166296]
"{3EE8D0BE-F450-4EF2-97B9-AC2222D14DB3}"= "c:\program files\Free_TV_Bar_c3\tbFree.dll" [2010-06-03 2736736]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

[HKEY_CLASSES_ROOT\clsid\{3ee8d0be-f450-4ef2-97b9-ac2222d14db3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSHIBA Online Product Information"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2009-03-16 6158240]
"tinySpell"="c:\program files\tinySpell\tinyspell.exe" [2009-09-12 217088]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-10 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2010-03-24 102400]
"Quicknote"="c:\program files\Quicknote\quicknote.exe" [2010-02-23 1253376]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-18 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-15 50472]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TOSHIBA Online Product Information"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2009-03-16 6158240]

c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BatteryMonitoring.exe [2006-1-3 301056]
ClipMagic.lnk - c:\program files\ClipMagic\clipmagic.exe [2005-12-13 925592]
PCChrono.exe [2006-5-6 1289728]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
FileBox eXtender.lnk - c:\program files\FileBX\FileBX.exe [2009-5-27 432640]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-8-1 111376]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-1 51984]
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2007-7-1 44384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):69,15,63,6c,14,48,ca,01

R3 INIDVD;Initio USB DVD Filter Driver;c:\windows\system32\DRIVERS\inidvd.sys [2009-08-05 15896]
R3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [2009-09-28 120232]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-10-08 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-10-08 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-10-08 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2010-03-13 297752]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-04-07 233472]
S2 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files\Toshiba TEMPRO\TemproSvc.exe [2010-05-12 124368]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-04-07 36608]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-19 7168]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2007-05-14 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2007-05-14 12672]
S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\DRIVERS\stppp.sys [2007-05-14 35328]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - FSUSBEXDISK

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-07-10 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

2010-07-10 c:\windows\Tasks\User_Feed_Synchronization-{D9B30BB4-63C0-47D4-A444-A174F9308500}.job
- c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://uk.yahoo.com
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {{C08CAF1D-C0A3-40D5-9970-06D067EAC017}
DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://www.intel.com/design/motherbd/boardid/BoardID.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
HKCU-Run-{74810991-7B09-927C-2089-C748ED1C1E62} - c:\users\Andrew\AppData\Roaming\Icvate\zypai.exe
HKCU-Run-Xrowezorijego - c:\users\Andrew\AppData\Local\icpneri.dll
HKLM-Run-Ejuvuzuhovehula - c:\users\Andrew\AppData\Local\ofepupiyecif.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-10 14:52
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\st330service]
"ImagePath"="C:\Program Files/Thomson/ST330/service/st330service.exe -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,ae,82,30,04,0a,d3,4a,b3,d8,b1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,ae,82,30,04,0a,d3,4a,b3,d8,b1,\

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b4
.
Completion time: 2010-07-10 14:55:57
ComboFix-quarantined-files.txt 2010-07-10 13:55
ComboFix2.txt 2010-07-08 15:11

Pre-Run: 17,309,941,760 bytes free
Post-Run: 17,379,475,456 bytes free

- - End Of File - - A6726BBE5F0A9A0C39521058504E3737
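The two ComboFix logs above show the pattern that made this infection obvious at a glance: dozens of At*.job scheduled tasks (the ones ComboFix lists under "Contents of the 'Scheduled Tasks' folder" and later deletes) all launching the same 5TAHs binary, one copy in system32 and one under the SYSTEM profile's AppData. Below is a small Python triage script, added here as an example and not code from this thread or from ComboFix, that parses that section of a log and flags the targets worth a closer look. The sample lines are constructed from entries in this thread; the three-job threshold and the list of user-writable directory markers are my own assumptions, not anything the thread or ComboFix defines.

```python
"""Triage the "Scheduled Tasks" section of a ComboFix log.

Added example for this thread; not ComboFix code. It groups the listed
.job files by the executable they launch and flags the two patterns seen
in the logs above: many At*.job tasks pointing at one binary, and task
targets living in user-writable profile directories.
"""
import re

# Constructed sample, modelled on entries from the logs in this thread.
# Format: "<date> <job path>" followed by "- <target> [<target timestamp>]".
SAMPLE_TASKS = r"""
2010-07-01 c:\windows\Tasks\At129.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-02 c:\windows\Tasks\At130.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-02 c:\windows\Tasks\At131.job
- c:\windows\system32\5TAHs.com [2010-07-01 07:13]

2010-07-03 c:\windows\Tasks\At169.job
- c:\windows\system32\config\systemprofile\AppData\Local\5TAHs.exe [2010-07-01 07:13]

2010-07-08 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

2010-06-13 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-10-19 13:48]
"""

JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<stamp>[^\]]+)\]$")
AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.IGNORECASE)

# Assumed heuristics (not from ComboFix); tune to taste.
AT_JOB_THRESHOLD = 3  # this many At*.job tasks on one binary is suspicious
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\")


def parse_tasks(text):
    """Return (job_path, target_path, target_timestamp) tuples from the log section."""
    tasks = []
    pending_job = None
    for raw in text.splitlines():
        line = raw.strip()
        job_match = JOB_RE.match(line)
        if job_match:
            pending_job = job_match.group("job")
            continue
        target_match = TARGET_RE.match(line)
        if target_match and pending_job is not None:
            tasks.append((pending_job, target_match.group("target"), target_match.group("stamp")))
            pending_job = None
    return tasks


def triage_tasks(text, at_threshold=AT_JOB_THRESHOLD):
    """Group jobs by the binary they launch and return the targets that trip a heuristic."""
    by_target = {}  # lower-cased target -> (target as written, [job paths])
    for job, target, _stamp in parse_tasks(text):
        by_target.setdefault(target.lower(), (target, []))[1].append(job)

    findings = []
    for key, (target, jobs) in sorted(by_target.items()):
        reasons = []
        at_jobs = [j for j in jobs if AT_JOB_RE.search(j)]
        if len(at_jobs) >= at_threshold:
            reasons.append(f"{len(at_jobs)} At*.job tasks point at the same binary")
        if any(marker in key for marker in USER_WRITABLE_MARKERS):
            reasons.append("target lives in a user-writable profile directory")
        if reasons:
            findings.append({"target": target, "jobs": sorted(jobs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_tasks(SAMPLE_TASKS):
        print(finding["target"])
        for reason in finding["reasons"]:
            print("  -", reason)
        for job in finding["jobs"]:
            print("   ", job)
```

Run against the sample, it reports the two 5TAHs targets and leaves the Windows Live Toolbar and SmartDefrag jobs alone. To use it on a real log, paste the "Scheduled Tasks" section into `SAMPLE_TASKS` or pass the file's text to `triage_tasks`; a hit is a prompt to inspect the binary, not proof on its own, which is why the helper prints the reasons beside each target.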


#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:38 PM

Posted 10 July 2010 - 10:33 AM

Greetings

Can you connect to the internet now?

I would like to get an extra report from combofix.

extra combofix report

I need to see one of the extra reports combofix makes
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
CODE
C:\Qoobox\Add-Remove Programs.txt
  • click ok
  • copy and paste the report into this topic for me to review

: Malwarebytes' Anti-Malware :
    Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


"information and logs"
    In your next post I need the following
    1. extra report from combofix
    2. report From MBAM
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo



#10 auriel

auriel
  • Topic Starter
  • Members
  • 10 posts

Posted 10 July 2010 - 12:14 PM

The computer seems to be running ok now.

1Time ver 2.2
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player 11
Apple Software Update
Atheros Driver Installation Program
Auslogics Registry Cleaner
AVG Free 8.5
Bejeweled Twist
Belarc Advisor 7.2
BiblePro
Bluetooth Stack for Windows by Toshiba
Booster 1.05A02
Canon G.726 WMP-Decoder
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon MP Navigator EX 1.0
Canon MP520 series
Canon MP520 series User Registration
Canon My Printer
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Easy-PhotoPrint EX
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities Solution Menu
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CD/DVD Drive Acoustic Silencer
CDDRV_Installer
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
ClipMagic 3.2.5
Compatibility Pack for the 2007 Office system
Duplicate Cleaner 1.4.3
DVD MovieFactory for TOSHIBA
DWG TrueView 2008
eBay Toolbar
FileBox eXtender
Fractal Snowflake Generator 1.4
Free PDF to Word Doc Converter v1.1
Free TV Bar c3 Toolbar
FxVisor
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
IncrediMail Xe
Intel® Graphics Media Accelerator Driver
Intel® Processor ID Utility
IObitCom Toolbar
Java™ SE Runtime Environment 6
KhalInstallWrapper
Lernout & Hauspie TruVoice American English TTS Engine
LG CyberLink Power2Go
LG CyberLink PowerBackup
LG CyberLink PowerDVD
LG CyberLink PowerProducer
LG ODD Auto Firmware Update
LG Power Tools
Logitech SetPoint
Map Button (Windows Live Toolbar)
Microsoft .NET Framework 3.5 SP1
Microsoft AutoRoute 2002
Microsoft Easy Assist v2
Microsoft Encarta Encyclopedia Standard - WE 2002
Microsoft Office 97, Professional Edition
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Microsoft XML Parser
MouseSwitcher 1.0
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Drivers
OneTouch Software
PageNest
PC Chrono 1.0
PC Connectivity Solution
PCLoupe 1.0.3
Quicknote 5.5
QuickTime
Rainbow Folders
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.0
Recuva (remove only)
SAMSUNG Mobile Composite Device Software
Samsung Mobile Modem Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung New PC Studio
Samsung New PC Studio USB Driver Installer
SAMSUNG USB Mobile Device Software
SamsungConnectivityCableDriver
ScanSoft OmniPage SE 4
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Encoder (KB954156)
Shockwave
Smart Defrag
Smart Menus (Windows Live Toolbar)
SpeedTouch 330
Spotify
StuffIt 11
StumbleUpon IE Toolbar
Suite
Synaptics Pointing Device Driver
System Requirements Lab
Texas Instruments PCIxx21/x515/xx12 drivers.
TimeLeft
tinySpell 1.9.01
TIPCI
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Hardware Setup
TOSHIBA Manuals
Toshiba Online Product Information
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA Supervisor Password
Toshiba TEMPRO
TOSHIBA Value Added Package
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Encoder 9 Series
WinDVD for TOSHIBA
WordWeb
Works Suite OS Pack
Works Synchronization
WOW
WOW Love
Yahoo! Install Manager
Yahoo! Software Update
Yahoo! Toolbar



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4300

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

10-Jul-2010 18:06:24
mbam-log-2010-07-10 (18-06-24).txt

Scan type: Quick scan
Objects scanned: 186647
Time elapsed: 13 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\EWABQAF7KL (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#11 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 July 2010 - 01:51 PM

Hello

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs
    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Adobe Reader 8.1.2
    Java™ SE Runtime Environment 6


    and click on remove

Update Adobe Reader
    Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
      If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader (3.5 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan

Go to the ESET web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

"information and logs"
    In your next post I need the following
    1. Log From ESET Online Scanner
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo



#12 auriel

auriel
  • Topic Starter
  • Members
  • 10 posts

Posted 12 July 2010 - 02:27 PM

I'll deal with things in chronological order:

I had just been working with some files and spending time on the internet, and I noticed that my computer was back to what I call starting slow again, that is, taking about 48 scrolls of the status bar before producing the logon screen.

I uninstalled Adobe Reader 8.1.2 ok.

I uninstalled Java Runtime Environment 6, and installed Version 6, update 20 ok.

I cleared the Java cache ok.

I downloaded Foxit 4.0.0.0619 to my desktop, but when I tried to run it I got the box: C:\Users\Andrew\Documents\Desktop\FoxitReader40_enu_Setup is not a valid Win 32 application.

I downloaded TFC to my desktop, but when I tried to run it I got the box: C:\Users\...\TFC.exe is not a valid Win 32 application.

I ran Eset online scanner ok and include the results.

(I am running AVG Free 8.5 with Windows Firewall, and of course Malwarebytes is installed also. I have Windows Defender turned off. What do you think of this setup?)

C:\Program Files\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\[4]-Submit_2010-07-10_14.42.24.zip multiple threats
C:\Qoobox\Quarantine\C\Program Files\CyberLink\PowerDVD8\Language\Language.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\Quicknote\quicknote.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\ProgramData\5TAHs.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Users\Andrew\5TAHs.com.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Local\5TAHs.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Local\icpneri.dll.vir a variant of Win32/Cimag.CU trojan
C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Local\ofepupiyecif.dll.vir a variant of Win32/Cimag.CK trojan
C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\25563820.exe.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\Icvate\zypai .exe.vir a variant of Win32/Kryptik.FFN trojan
C:\Qoobox\Quarantine\C\Windows\Sbamia.exe.vir Win32/TrojanDownloader.FakeAlert.AQI trojan
C:\Qoobox\Quarantine\C\Windows\Fonts\5TAHs.com.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Windows\system32\ernel32.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\config\systemprofile\5TAHs.com.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\pcmcia.sys.vir Win32/Olmarik.ZC trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\17u3mY.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\17uOC7.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\1s931u.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\3179o17m.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\317o31m9.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\5555y.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\79o179i.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\79q17c3.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\79sK79g.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\7aA17e3.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\7q31c9s.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\93uO93m79.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\9y1cE3aA9.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\C317yWSKU.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\c55u5.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\cE7aA179.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\CEI9qGM9.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\eI17qG1i9.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\i17q3w7u.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\iQ7w3uOC.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\M5g5i.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\O3179a17e.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\oC9sK7.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\s9e17k3.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\uOCE5.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\W17yWS79.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\wS317uO.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\y7cEIQ.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\Y9cE7aA.dll.vir Win32/Olmarik.YR trojan
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\yW3uOCE.dll.vir Win32/Olmarik.YR trojan





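Most of the 95 detections in the ESET log above sit under C:\Qoobox\Quarantine, which is where ComboFix stores the files it already removed (renamed with a .vir suffix), so they are neutralised copies rather than active infections; the one live finding is the MyWebSearch toolbar DLL under Windows Live Messenger. The script below is an added example, not code from the thread or from ESET, that makes that triage mechanical: it parses the "path, then detection name" line format, splits quarantined from live paths, and counts detections per malware family. The sample log lines are a constructed subset modelled on the post above, and the list of ESET platform prefixes in `PLATFORMS` is an assumption that can be extended.

```python
"""Triage of an ESET Online Scanner log (added example, not from the thread).

Each ESET log line is a file path followed by the detection text. ComboFix
keeps the files it removed under C:\\Qoobox\\Quarantine with a .vir suffix, so
detections there are already-neutralised copies; only paths outside the
quarantine still need action. This script separates the two and tallies
malware families.
"""
import re
from collections import Counter

# ESET platform prefixes accepted in front of the "/" (assumption: only the
# commonly seen ones are listed; extend as needed).
PLATFORMS = r"(?:Win32|Win64|MSIL|JS|HTML|VBS|PDF|Java|Android)"

# Path (may contain spaces, even an odd "tinyspell .exe.vir"), then whitespace
# (space or tab), then the detection text up to end of line.  The non-greedy
# path lets the regex back off until the detection pattern actually matches.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?"
    r"(?:" + PLATFORMS + r"/\S+.*|multiple threats))$"
)

QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"

# Constructed sample modelled on the ESET lines in the post above.
SAMPLE_LOG = r"""
C:\Program Files\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\[4]-Submit_2010-07-10_14.42.24.zip multiple threats
C:\Qoobox\Quarantine\C\Program Files\Quicknote\quicknote.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\tinySpell\tinyspell .exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\pcmcia.sys.vir Win32/Olmarik.ZC trojan
C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Local\icpneri.dll.vir a variant of Win32/Cimag.CU trojan
C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\Icvate\zypai .exe.vir a variant of Win32/Kryptik.FFN trojan
"""


def family(detection: str) -> str:
    """Reduce 'a variant of Win32/Olmarik.YR trojan' to 'Win32/Olmarik'."""
    name = detection
    for prefix in ("probably ", "a variant of "):
        if name.startswith(prefix):
            name = name[len(prefix):]
    if "/" not in name:            # e.g. "multiple threats" on an archive
        return name
    name = name.split()[0]         # drop the category word (trojan, application, ...)
    head, _, tail = name.rpartition(".")
    # ESET appends an upper-case variant block (.BN, .YR, .FFN); strip it.
    return head if head and tail.isupper() else name


def triage(log_text: str, quarantine_prefix: str = QUARANTINE_PREFIX) -> dict:
    """Split log lines into live vs quarantined findings and count families."""
    live, quarantined, unparsed = [], [], []
    families = Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)  # never silently drop a line from a scan log
            continue
        path, detection = m.group("path"), m.group("detection")
        families[family(detection)] += 1
        lowered = path.lower()
        if lowered.startswith(quarantine_prefix) or lowered.endswith(".vir"):
            quarantined.append((path, detection))
        else:
            live.append((path, detection))
    return {"live": live, "quarantined": quarantined,
            "families": families, "unparsed": unparsed}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{len(result['quarantined'])} detections already in quarantine")
    for path, detection in result["live"]:
        print(f"LIVE  {path}  ->  {detection}")
    for fam, n in result["families"].most_common():
        print(f"{n:3d}  {fam}")
```

Lines that do not match the expected format are returned under `unparsed` rather than dropped, so a log in an unexpected layout fails loudly instead of hiding a finding.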
#13 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 12 July 2010 - 03:52 PM

Greetings

Let me see if I can help with this any.




Download HijackThis
  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


Gringo
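The log that the steps above produce is a flat list of entries, each prefixed with a section code (R0/R1 for IE start and search pages, O2 for BHOs, O4 for autoruns, O17 for DNS servers, O20 for AppInit_DLLs, O23 for services). The reason the helper asks for the log rather than letting the tool "fix" things is that each entry has to be judged by where it points. The script below is an added example, not the thread's or HijackThis's own code, that encodes a few of those judgements as checks: an autorun launched from a user-writable folder, DNS servers that are not the expected ones, any AppInit_DLLs entry, and a service whose binary is missing or whose owner is unknown. The sample lines are taken from the log auriel posts later in this thread, plus one constructed HKCU Run entry (`example.exe`) to exercise the AppData check; the `trusted_dns` allowlist is an assumption the reader fills in from their own ISP or router settings.

```python
"""Review of a HijackThis log (added example, not the thread's own code).

HijackThis prints one entry per line: a section code, " - ", then the entry
body.  The checks below encode questions a helper asks when reading the log;
they flag entries for a human to look at, they do not remove anything.
"""
import re

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# A drive-letter path ending in an executable extension, stopping at a quote.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|com|scr|bat|cmd|vbs|js)\b', re.I)
# Folders an unprivileged user can write to; legitimate autoruns rarely live here.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample: lines from the HijackThis log posted later in this thread,
# plus one made-up HKCU Run entry (example.exe) living under AppData.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Quicknote] C:\Program Files\Quicknote\quicknote.exe
O4 - HKCU\..\Run: [example] C:\Users\Andrew\AppData\Local\example.exe
O4 - Startup: PCChrono.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{656828F2-BBB1-4E85-863C-CE657405882C}: NameServer = 212.139.132.27 212.139.132.26
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
"""


def parse(log_text):
    """Yield (section, body) for every HijackThis entry line; skip headers."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def review(log_text, trusted_dns=frozenset()):
    """Return a list of (section, reason, entry) for entries needing a look."""
    findings = []
    for section, body in parse(log_text):
        if section == "O4":
            m = PATH_RE.search(body)
            if m is None:
                findings.append((section, "autorun without a full path; locate the file before judging it", body))
            elif any(tag in m.group(0).lower() for tag in USER_WRITABLE):
                findings.append((section, "autorun launched from a user-writable location", body))
        elif section == "O17":
            servers = set(IPV4_RE.findall(body))
            unexpected = sorted(servers - set(trusted_dns))
            if unexpected:
                findings.append((section, "DNS servers not in the trusted list: " + ", ".join(unexpected), body))
        elif section == "O20":
            # AppInit_DLLs is loaded into every process that links user32.dll,
            # so even a vendor DLL here deserves a second look.
            findings.append((section, "AppInit_DLLs entry; verify the vendor and file", body))
        elif section == "O23":
            if "(file missing)" in body or "Unknown owner" in body:
                findings.append((section, "service with missing binary or unknown owner", body))
    return findings


if __name__ == "__main__":
    for section, reason, entry in review(SAMPLE_HJT):
        print(f"[{section}] {reason}\n      {entry}")
```

Running it with `trusted_dns={"212.139.132.27", "212.139.132.26"}` (the resolvers already in the log, assumed here to be the ISP's) silences the O17 finding; the AppData autorun, the path-less Startup entry, the AppInit_DLLs entry and the Symantec service with its missing binary remain for review.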

#14 auriel

auriel
  • Topic Starter
  • Members
  • 10 posts

Posted 13 July 2010 - 05:49 AM
Posted 13 July 2010 - 05:49 AM

Hi Gringo,

I have managed to install Foxit Reader by clicking Run instead of saving it to my desktop.

I have managed to run TFC ok by saving it to a folder on my desktop, rather than directly to the desktop. So it seems the problem is that new programs cannot be run directly from my desktop.

The other problems are that the computer is starting slowly (55 scrolls of the status bar last time I rebooted) and when I did a scan with the ESET online scanner 95 items showed up.

I include the HijackThis scan as requested.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:38:52, on 13-Jul-2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe
C:\Program Files\tinySpell\tinyspell.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\Quicknote\quicknote.exe
C:\Program Files\FileBX\FileBX.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WordWeb\wweb32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ClipMagic\clipmagic.exe
C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PCChrono.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIOb0.dll
R3 - URLSearchHook: Free TV Bar c3 Toolbar - {3ee8d0be-f450-4ef2-97b9-ac2222d14db3} - C:\Program Files\Free_TV_Bar_c3\tbFree.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIOb0.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Free TV Bar c3 Toolbar - {3ee8d0be-f450-4ef2-97b9-ac2222d14db3} - C:\Program Files\Free_TV_Bar_c3\tbFree.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIOb0.dll
O3 - Toolbar: Free TV Bar c3 Toolbar - {3ee8d0be-f450-4ef2-97b9-ac2222d14db3} - C:\Program Files\Free_TV_Bar_c3\tbFree.dll
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe
O4 - HKCU\..\Run: [tinySpell] C:\Program Files\tinySpell\tinyspell.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
O4 - HKCU\..\Run: [Quicknote] C:\Program Files\Quicknote\quicknote.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKUS\S-1-5-21-4079556211-3401006346-1508829032-1001\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Andrew 2')
O4 - HKUS\S-1-5-21-4079556211-3401006346-1508829032-1001\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'Andrew 2')
O4 - HKUS\S-1-5-21-4079556211-3401006346-1508829032-1001\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (User 'Andrew 2')
O4 - HKUS\S-1-5-21-4079556211-3401006346-1508829032-1002\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Rebecca')
O4 - HKUS\S-1-5-21-4079556211-3401006346-1508829032-1003\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Original')
O4 - HKUS\S-1-5-21-4079556211-3401006346-1508829032-1010\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Test 6')
O4 - HKUS\S-1-5-18\..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe (User 'Default user')
O4 - Startup: BatteryMonitoring.exe
O4 - Startup: ClipMagic.lnk = C:\Program Files\ClipMagic\clipmagic.exe
O4 - Startup: PCChrono.exe
O4 - Global Startup: FileBox eXtender.lnk = C:\Program Files\FileBX\FileBX.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - (no file)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/boardid/BoardID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{656828F2-BBB1-4E85-863C-CE657405882C}: NameServer = 212.139.132.27 212.139.132.26
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FsUsbExService - Teruten - C:\Windows\system32\FsUsbExService.Exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson/ST330/service/st330service.exe
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe
O23 - Service: StumbleUponUpdateService - stumbleupon.com - C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe
O23 - Service: Notebook Performance Tuning Service (TEMPRO) (TemproMonitoringService) - Toshiba Europe GmbH - C:\Program Files\Toshiba TEMPRO\TemproSvc.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 11041 bytes


#15 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Location: Puerto Rico)

Posted 13 July 2010 - 06:09 AM

Remove unneeded startup entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can start any of them from their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):
      O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe
      O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
      O4 - HKCU\..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
      O4 - HKCU\..\Run: [Quicknote] C:\Program Files\Quicknote\quicknote.exe
      O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
      O4 - HKUS\S-1-5-21-4079556211-3401006346-1508829032-1001\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Andrew 2')
      O4 - HKUS\S-1-5-21-4079556211-3401006346-1508829032-1001\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'Andrew 2')
      O4 - HKUS\S-1-5-21-4079556211-3401006346-1508829032-1001\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (User 'Andrew 2')
      O4 - HKUS\S-1-5-21-4079556211-3401006346-1508829032-1002\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Rebecca')
      O4 - HKUS\S-1-5-21-4079556211-3401006346-1508829032-1003\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Original')
      O4 - HKUS\S-1-5-21-4079556211-3401006346-1508829032-1010\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Test 6')
      O4 - HKUS\S-1-5-18\..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe (User 'Default user')
      O4 - Startup: ClipMagic.lnk = C:\Program Files\ClipMagic\clipmagic.exe
      O4 - Startup: PCChrono.exe
      O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
      O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
      O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    You can research each of those lines >here< and see whether you want to keep them or not:
    just copy the name between the brackets and paste it into the search field, for example

    O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"


Reboot the computer and let me have a new HijackThis scan.


Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
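The O4 lines gringo_pr lists above are HijackThis shorthand: `HKLM\..\Run` stands for `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run`, `HKUS\<SID>\..\Run` is the same key under another user's profile hive, and `Startup` / `Global Startup` are the per-user and All Users Startup folders. The following is an added example (not HijackThis code and not part of the thread) that parses lines of those shapes back into their real locations, flags the ones a reviewer would look at twice (target reported missing, a `rundll32.exe` host, a relative path, or a program living outside `Program Files`/`Windows`), and prints the manual `reg delete` equivalent of fixing each entry. The sample log is constructed from line shapes in the post; the last O4 line, `[constructed] C:\Users\Public\Temp\sample.exe`, is invented purely to exercise the location check, and the trusted-prefix list is an assumption of this example rather than HijackThis logic.

```python
"""Map HijackThis O4 lines to the autostart locations they describe and triage them.
Added example; the sample log is constructed, not copied from a real scan."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample. The "[constructed]" line is invented to exercise the location check;
# the O23 line shows that non-O4 sections are skipped by the parser.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-21-4079556211-3401006346-1508829032-1002\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Rebecca')
O4 - HKUS\.DEFAULT\..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe (User 'Default user')
O4 - HKUS\S-1-5-21-4079556211-3401006346-1508829032-1001\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'Andrew 2')
O4 - Startup: PCChrono.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - HKCU\..\Run: [constructed] C:\Users\Public\Temp\sample.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
"""

# HijackThis abbreviates Software\Microsoft\Windows\CurrentVersion as "..".
CURRENT_VERSION = r"Software\Microsoft\Windows\CurrentVersion"
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
SHORT_HIVE = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}
ORPHAN_MARKERS = ("(file missing)", "(no file)")
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")   # assumption of this example

RUN_KEY_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\(?P<sid>[^\\]+))\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<command>.*?)(?: \(User '(?P<user>[^']+)'\))?$"
)
STARTUP_RE = re.compile(r"^O4 - (?P<scope>Global Startup|Startup): (?P<name>.+?)(?: = (?P<command>.+))?$")


@dataclass
class AutostartEntry:
    location: str          # full registry key, or which Startup folder
    name: str              # registry value name, or shortcut/file name in the folder
    command: str           # command line as logged
    exe_path: str          # host program extracted from the command line
    user: Optional[str]    # profile the HKUS entry belongs to, when HijackThis said
    orphaned: bool         # HijackThis reported the target as missing


def _exe_path(command: str) -> str:
    """Return the program part of a command line, dropping quotes and arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|lnk|dll))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_o4(line: str) -> Optional[AutostartEntry]:
    """Parse one O4 line; return None for blank lines and other HijackThis sections."""
    core = line.strip()
    orphaned = any(mark in core for mark in ORPHAN_MARKERS)
    for mark in ORPHAN_MARKERS:
        core = core.replace(mark, "").rstrip()
    m = RUN_KEY_RE.match(core)
    if m:
        root = HIVES.get(m["hive"]) or "HKEY_USERS\\" + m["sid"]
        cmd = m["command"].strip()
        return AutostartEntry(f"{root}\\{CURRENT_VERSION}\\{m['key']}", m["name"], cmd,
                              _exe_path(cmd), m["user"], orphaned)
    m = STARTUP_RE.match(core)
    if m:
        folder = "Startup folder (all users)" if m["scope"] == "Global Startup" else "Startup folder (current user)"
        cmd = (m["command"] or m["name"]).strip()
        return AutostartEntry(folder, m["name"], cmd, _exe_path(cmd), None, orphaned)
    return None


def review_reasons(e: AutostartEntry) -> List[str]:
    """Heuristic flags for the reviewer; an empty list means a plain optional startup item."""
    reasons = []
    if e.orphaned:
        reasons.append("orphaned")            # value points at nothing; removing it is clean-up
    p = e.exe_path.lower()
    if p.endswith("rundll32.exe"):
        reasons.append("rundll32-host")       # the code that actually runs is the DLL in the arguments
    if e.location.startswith("HKEY") and not re.match(r"^[a-z]:\\", p):
        reasons.append("relative-path")       # resolved via the search path; confirm which file runs
    elif re.match(r"^[a-z]:\\", p) and not p.startswith(TRUSTED_PREFIXES):
        reasons.append("untrusted-location")  # user-writable area, typical of self-installed junk
    return reasons


def removal_command(e: AutostartEntry) -> str:
    """Manual equivalent of fixing the entry: delete the Run value, or the file in the folder.
    Note that HKU\\<SID> is only present while that user's profile hive is loaded."""
    if e.location.startswith("HKEY"):
        root, _, sub = e.location.partition("\\")
        return f'reg delete "{SHORT_HIVE[root]}\\{sub}" /v "{e.name}" /f'
    return f'delete "{e.name}" from the {e.location}'


def triage(log: str):
    """Parse every O4 line in a log and pair it with its review flags."""
    entries = [e for e in (parse_o4(l) for l in log.splitlines()) if e]
    return [(e, review_reasons(e)) for e in entries]


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"[{', '.join(reasons) or 'optional'}] {entry.name} -> {entry.location}")
        print(f"    {removal_command(entry)}")
```

Run as a script it prints one block per entry; the items gringo_pr lists all come out as `optional`, while the invented `[constructed]` entry is flagged both `orphaned` and `untrusted-location`, which is the pattern that would justify looking at a Run value rather than just trimming boot time.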



