Windows BBS The Place for Microsoft Windows Support! Windows, Support, Help Site

Go Back   Windows BBS > Security > Malware and Virus Removal

Old 5th February 2008   #1 - Ranger SVO (Senior Member, Abilene Texas)

It's Got Problems (trojans)

My son's computer is not working properly. In fact it's pretty bad. He is blaming the 2 gig of RAM I installed in December.

I know better.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:30 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 6841 bytes

Can you help?

Old 5th February 2008   #2 - Ranger SVO (Senior Member, Abilene Texas)

Here is a DSS log:

Deckard's System Scanner v20071014.68
Run by Mark ****** on 2008-02-04 18:50:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
130: 2008-02-05 00:51:50 UTC - RP379 - Deckard's System Scanner Restore Point
129: 2008-02-03 21:04:42 UTC - RP378 - System Checkpoint
128: 2008-02-02 20:58:28 UTC - RP377 - System Checkpoint
127: 2008-02-01 20:47:39 UTC - RP376 - Install AnyDVD
126: 2008-02-01 04:21:02 UTC - RP375 - System Checkpoint


-- First Restore Point --
1: 2007-12-29 14:11:34 UTC - RP250 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Mark Farrar.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:54 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\TEMP\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mark Farrar.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-1.dll (file missing)
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll
O2 - BHO: BndDrive2 BHO Class - {8C6D5A56-791E-4fe8-9D64-81781FA15D68} - C:\Program Files\ISM\BndDrive6.dll
O2 - BHO: BndBlock4 BHO Class - {8F9E2BE3-766D-4831-BB0E-766D5B819995} - C:\Program Files\QdrDrive\QdrDrive9.dll
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {AC9130BC-4104-4C2E-8B69-4A9C2D359DE5} - C:\WINDOWS\system32\ssttt.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\gebbaaa.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - Winlogon Notify: gebbaaa - gebbaaa.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 8657 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.7.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.7.0>
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R2 tdudf (TOSHIBA UDF File System Driver) - c:\windows\system32\drivers\tdudf.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Direct Disc Writer>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 qkbfiltr (Quanta HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\qkbfiltr.sys <Not Verified; Quanta Computer, Inc.; Quanta HotKey Keyboard Filter Driver>
R3 qmofiltr (Quanta HotKey Mouse Filter Driver) - c:\windows\system32\drivers\qmofiltr.sys <Not Verified; Quanta Computer, Inc.; Quanta Mouse Filter Device Driver>
R3 tdcmdpst (TOSHIBA Writing Engine Filter Driver) - c:\windows\system32\drivers\tdcmdpst.sys <Not Verified; TOSHIBA Corporation.; >

S3 APLMp50 (APLMp50 NDIS Protocol Driver) - c:\windows\system32\drivers\aplmp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe
R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree(TM)>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 Swupdtmr - c:\toshiba\ivp\swupdate\swupdtmr.exe
R2 TODDSrv (TOSHIBA Optical Disc Drive Service) - c:\windows\system32\toddsrv.exe <Not Verified; TOSHIBA Corporation; TDCSrv Application>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-01-04 and 2008-02-04 -----------------------------

2008-02-04 17:56:51 0 dr-h----- C:\Documents and Settings\TEMP\Application Data\yahoo!
2008-02-04 17:56:11 0 d-------- C:\Documents and Settings\TEMP\Application Data\Google
2008-02-04 17:55:08 0 d-------- C:\Documents and Settings\TEMP\Application Data\Orbit
2008-02-04 14:41:04 0 dr------- C:\Documents and Settings\TEMP\Favorites
2008-02-04 14:41:04 0 d-------- C:\Documents and Settings\TEMP\Desktop
2008-02-04 14:41:04 0 d---s---- C:\Documents and Settings\TEMP\Cookies
2008-02-04 14:41:04 0 dr-h----- C:\Documents and Settings\TEMP\Application Data
2008-02-04 14:41:04 0 d-------- C:\Documents and Settings\TEMP\Application Data\You've Got Pictures Screensaver
2008-02-04 14:41:04 0 d-------- C:\Documents and Settings\TEMP\Application Data\toshiba
2008-02-04 14:41:04 0 d-------- C:\Documents and Settings\TEMP\Application Data\InterVideo
2008-02-04 14:41:04 0 d-------- C:\Documents and Settings\TEMP\Application Data\Identities
2008-02-04 14:41:04 0 d-------- C:\Documents and Settings\TEMP\Application Data\Help
2008-02-04 14:41:04 0 d-------- C:\Documents and Settings\TEMP\Application Data\AOL
2008-02-04 14:41:03 0 d-------- C:\Documents and Settings\TEMP\WINDOWS
2008-02-04 14:41:03 0 d--h----- C:\Documents and Settings\TEMP\Templates
2008-02-04 14:41:03 0 dr------- C:\Documents and Settings\TEMP\Start Menu
2008-02-04 14:41:03 0 dr-h----- C:\Documents and Settings\TEMP\SendTo
2008-02-04 14:41:03 0 dr-h----- C:\Documents and Settings\TEMP\Recent
2008-02-04 14:41:03 0 d--h----- C:\Documents and Settings\TEMP\PrintHood
2008-02-04 14:41:03 0 d--h----- C:\Documents and Settings\TEMP\NetHood
2008-02-04 14:41:03 0 dr------- C:\Documents and Settings\TEMP\My Documents
2008-02-04 14:41:03 0 d--h----- C:\Documents and Settings\TEMP\Local Settings
2008-02-04 14:41:01 1310720 --ah----- C:\Documents and Settings\TEMP\NTUSER.DAT
2008-01-25 15:53:59 0 d-------- C:\Program Files\Orbitdownloader


-- Find3M Report ---------------------------------------------------------------

2008-02-04 18:52:33 291079 --ahs---- C:\WINDOWS\system32\tttss.ini2
2008-02-04 18:46:15 0 d-------- C:\Program Files\QuickTime
2008-02-04 07:27:45 0 d-------- C:\Program Files\QdrPack
2008-02-04 07:27:44 0 d-------- C:\Program Files\QdrModule
2008-02-01 14:44:58 0 d-------- C:\Program Files\SlySoft
2008-01-24 19:49:30 0 d-------- C:\Program Files\Lx_cats
2008-01-01 17:15:59 0 d-------- C:\Program Files\Trend Micro
2007-12-30 16:39:23 3584 --a------ C:\WINDOWS\system32\ssttt.exe
2007-12-30 16:31:47 0 d-------- C:\Program Files\Yahoo!
2007-12-30 16:23:31 0 d-------- C:\Program Files\ltmoh
2007-12-30 16:23:19 0 d-------- C:\Program Files\Lexmark Fax Solutions
2007-12-30 16:23:18 0 d-------- C:\Program Files\Lexmark 2500 Series
2007-12-30 16:23:10 0 d-------- C:\Program Files\ISM
2007-12-30 15:15:05 0 d-------- C:\Program Files\Messenger
2007-12-30 15:01:05 90112 --a------ C:\WINDOWS\system32\service .exe <Not Verified; M i r a r; M i r a r ErrorDnsTest>
2007-12-30 15:00:55 155648 --a------ C:\WINDOWS\system32\NeroCheck .exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2007-12-30 14:37:32 0 d-------- C:\Program Files\Common Files\Real
2007-12-30 14:37:05 0 d-------- C:\Program Files\Common Files
2007-12-29 08:11:20 336384 --a------ C:\WINDOWS\system32\ssttt.dll
2007-12-29 08:06:10 0 d-------- C:\Program Files\QdrDrive
2007-12-25 11:34:48 0 d-------- C:\Program Files\Lexmark Toolbar
2007-12-25 11:24:25 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-12-25 07:53:23 0 d-------- C:\Program Files\SpywareBlaster
2007-12-02 21:52:09 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]
C:\Program Files\ContextTool\ContextTool-1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}]
08/31/2007 11:09 AM 196608 --a------ C:\Program Files\ISM\BndDrive3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C6D5A56-791E-4fe8-9D64-81781FA15D68}]
10/01/2007 03:12 AM 663552 --a------ C:\Program Files\ISM\BndDrive6.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F9E2BE3-766D-4831-BB0E-766D5B819995}]
12/14/2007 08:26 PM 192512 --a------ C:\Program Files\QdrDrive\QdrDrive9.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9815DA81-2E0C-478c-90E4-06E474E704D0}]
07/11/2007 02:02 PM 192512 --a------ C:\Program Files\ISM\BndDrive.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC9130BC-4104-4C2E-8B69-4A9C2D359DE5}]
12/29/2007 08:11 AM 336384 --a------ C:\WINDOWS\system32\ssttt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}]
C:\WINDOWS\system32\gebbaaa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDSTray.exe"="NDSTray.exe" []
"TPSMain"="TPSMain.exe" [05/31/2005 10:00 PM C:\WINDOWS\system32\TPSMain.exe]
"RTHDCPL"="RTHDCPL.EXE" [09/06/2006 12:44 PM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [05/16/2006 07:04 PM C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 07:43 PM C:\WINDOWS\Alcmtr.exe]
"AGRSMMSG"="AGRSMMSG.exe" [03/18/2006 09:22 AM C:\WINDOWS\agrsmmsg.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [02/04/2008 06:46 PM]
"CFSServ.exe"="CFSServ.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02/04/2008 06:46 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 03:00 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [9/4/1999 4:23:00 PM]
Orbit.lnk - C:\Program Files\Orbitdownloader\orbitdm.exe [1/25/2008 3:54:00 PM]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [8/21/2006 12:23:30 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell ExecuteHooks]
"{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}"= C:\WINDOWS\system32\gebbaaa.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbaaa]
gebbaaa.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssttt




-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 www.aaa-livedoor.net #[Trojan-PSW.Win32.Maran.ei]
127.0.0.1 www.abcsearcher.com #[Spamdexing][Microsoft.Strider]
127.0.0.1 abc-search.info
127.0.0.1 abloga.info #[Spamdexing]
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com

16424 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-02-04 18:53:43 ------------

Old 5th February 2008   #3 - Ranger SVO (Senior Member, Abilene Texas)

Will using the recovery CD fix everything?

http://www.windowsbbs.com/showthread...532#post383532



Old 6th February 2008   #4 - Geri (Staff, Washington State)

Hi Ranger SVO
There's no need to do that. Things are kind of busy, sorry for the wait.
Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Orbit or Orbitdownloader
ISM
Hyperlinks Rotator
ISMonitor
QdrDrive


Please note any other programs that you don't recognize in that list and post them in your next response.


Download ComboFix from Here to your Desktop.
It's best to disable realtime protection applications as they sometimes interfere with the tool. Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double click combofix.exe and follow the prompts.
  • Vista users right click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Please post the CF log.

Thanks
Geri

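As an added illustration (not part of the thread and not code from HijackThis, DSS or ComboFix), the Python script below performs the kind of triage Geri did by eye over HijackThis lines: it flags BHOs with no display name or a missing file, Winlogon Notify DLLs, executables with a space before the extension (such as "qttask .exe"), and entries belonging to the programs listed for removal. The sample lines are copied from the HijackThis section of the DSS log above; the heuristics and the ISM/QdrDrive/Orbit target list are this example's own assumptions, and a hit means "look closer", not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: O2/O4/O20/O23 lines copied from the HijackThis section
# of the DSS log in this thread, plus a few of its benign neighbours.
SAMPLE_LOG = r"""O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-1.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll
O2 - BHO: BndBlock4 BHO Class - {8F9E2BE3-766D-4831-BB0E-766D5B819995} - C:\Program Files\QdrDrive\QdrDrive9.dll
O2 - BHO: (no name) - {AC9130BC-4104-4C2E-8B69-4A9C2D359DE5} - C:\WINDOWS\system32\ssttt.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\gebbaaa.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O20 - Winlogon Notify: gebbaaa - gebbaaa.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Folder names of the programs Geri asked to have uninstalled in this thread
# (assumed target list for this example).
REMOVAL_TARGETS = ("orbit", "\\ism\\", "qdrdrive")

# A space right before the extension: "qttask .exe" is a different file from
# the legitimate "qttask.exe" and is easy to overlook in a process list.
SPACE_BEFORE_EXT = re.compile(r"\S \.(exe|dll|ocx|sys)\b", re.IGNORECASE)

# Leading HijackThis section code, e.g. "O2 - ", "R1 - ".
SECTION = re.compile(r"^(O\d+|R\d|F\d|N\d) - ")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    reason: str    # why the line deserves a closer look
    line: str      # the original log line


def triage_line(line: str) -> list:
    """Return the reasons a HijackThis line deserves attention (empty = nothing seen)."""
    m = SECTION.match(line)
    if not m:
        return []
    section, low, reasons = m.group(1), line.lower(), []
    if section == "O2" and "(no name)" in low:
        reasons.append("BHO registered without a display name")
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("registered component whose file is absent (orphan or hidden)")
    if section == "O20":
        reasons.append("Winlogon Notify DLL: loaded into winlogon.exe at every logon")
    if SPACE_BEFORE_EXT.search(line):
        reasons.append("space before the file extension: mimics a legitimate file name")
    if any(t in low for t in REMOVAL_TARGETS):
        reasons.append("belongs to a program flagged for removal (ISM/QdrDrive/Orbit)")
    return reasons


def triage_log(text: str) -> list:
    """Run triage_line over every line of a HijackThis log and collect findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        for reason in triage_line(line):
            findings.append(Finding(SECTION.match(line).group(1), reason, line))
    return findings


def flagged_lines(text: str) -> list:
    """Distinct flagged log lines, in log order."""
    out = []
    for f in triage_log(text):
        if f.line not in out:
            out.append(f.line)
    return out


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the full log, the script shortlists exactly the entries Geri's instructions target while leaving the AVG, Toshiba and Adobe lines alone.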
Old 7th February 2008   #5 - Ranger SVO (Senior Member, Abilene Texas)

No need to apologize to me at all, you're spending your free time helping me.

I only saw Orbit in the add and remove programs. And I removed it. I also removed something called Desktop Dialer and something called Internet Speed Monitor.

Here is the ComboFix log:

ComboFix 08-02.05.3 - Mark Farrar 2008-02-06 19:12:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1475 [GMT -6:00]
Running from: C:\Documents and Settings\TEMP\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ssttt.dll
C:\7.tmp
C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\tttss.ini2

.
((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.

2008-02-04 22:07 . 2008-02-04 22:07 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\MySpace
2008-02-04 18:49 . 2008-02-04 18:49 <DIR> d-------- C:\Deckard
2008-02-04 17:56 . 2008-02-04 17:56 <DIR> dr-h----- C:\Documents and Settings\TEMP\Application Data\yahoo!
2008-02-04 17:55 . 2008-02-06 18:54 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Orbit
2008-02-04 14:41 . 2006-08-21 12:57 <DIR> d-------- C:\Documents and Settings\TEMP\WINDOWS
2008-02-04 14:41 . 2006-08-21 13:09 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\You've Got Pictures Screensaver
2008-02-04 14:41 . 2006-08-21 12:48 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\toshiba
2008-02-04 14:41 . 2006-09-09 14:05 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\InterVideo
2008-02-04 14:41 . 2006-12-27 21:33 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\AOL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 01:12 --------- d-----w C:\Program Files\QuickTime
2008-02-07 01:01 --------- d-----w C:\Program Files\Google
2008-02-07 00:57 --------- d-----w C:\Program Files\Toshiba Games
2008-02-07 00:56 --------- d-----w C:\Program Files\WildTangent
2008-02-07 00:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2008-02-07 00:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-01 20:44 --------- d-----w C:\Program Files\SlySoft
2008-01-25 01:49 --------- d-----w C:\Program Files\Lx_cats
2008-01-01 23:15 812,344 ----a-w C:\Program Files\HJTInstall.exe
2008-01-01 23:15 --------- d-----w C:\Program Files\Trend Micro
2007-12-30 23:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-30 22:31 --------- d-----w C:\Program Files\Yahoo!
2007-12-30 22:23 --------- d-----w C:\Program Files\ltmoh
2007-12-30 22:23 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2007-12-30 22:23 --------- d-----w C:\Program Files\Lexmark 2500 Series
2007-12-30 21:11 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-30 21:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-30 20:37 --------- d-----w C:\Program Files\Common Files\Real
2007-12-30 20:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-12-25 17:34 --------- d-----w C:\Program Files\Lexmark Toolbar
2007-12-25 17:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\FaxCtr
2007-12-25 17:24 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-12-25 13:53 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-22 14:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2007-12-19 20:05 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-12-03 03:52 737,280 ----a-w C:\WINDOWS\iun6002.exe
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.
Code:
----a-w           344,064 2007-12-30 21:00:35  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w           185,896 2007-12-30 20:28:39  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            68,856 2007-12-30 21:01:26  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w            83,608 2007-12-30 21:00:59  C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe
----a-w            20,480 2007-12-30 21:01:13  C:\Program Files\Lexmark 2500 Series\lxddamon .exe
----a-w           291,760 2007-12-30 21:01:05  C:\Program Files\Lexmark 2500 Series\lxddmon .exe
----a-w           312,240 2007-12-30 21:01:13  C:\Program Files\Lexmark Fax Solutions\fm3032 .exe
----a-w           188,416 2007-12-30 21:00:52  C:\Program Files\ltmoh\Ltmoh .exe
----a-w         1,121,280 2007-12-30 21:01:04  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w         1,694,208 2007-12-30 21:01:42  C:\Program Files\Messenger\msmsgs .exe
----a-w         8,720,384 2007-12-30 21:01:53  C:\Program Files\MySpace\IM\MySpaceIM .exe
----a-w           448,512 2008-02-07 01:12:39  C:\Program Files\QuickTime\qttask   .exe
----a-w         1,649,600 2007-12-30 21:01:29  C:\Program Files\SlySoft\AnyDVD\AnyDVD .exe
----a-w           761,946 2007-12-30 21:00:37  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w            65,536 2007-12-30 21:01:15  C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe
----a-w           122,880 2007-12-30 21:00:46  C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
----a-w         1,077,322 2007-12-30 21:00:45  C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
----a-w         1,773,568 2007-12-30 21:00:44  C:\Program Files\TOSHIBA\Windows Utilities\Hotkey .exe
----a-w           151,552 2007-12-30 21:00:52  C:\TOSHIBA\IVP\ISM\pinger .exe
----a-w            15,360 2007-12-30 21:01:17  C:\WINDOWS\system32\ctfmon .exe
----a-w           155,648 2007-12-30 21:00:55  C:\WINDOWS\system32\NeroCheck .exe
----a-w            90,112 2007-12-30 21:01:05  C:\WINDOWS\system32\service .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]
C:\Program Files\ContextTool\ContextTool-1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}]
C:\Program Files\ISM\BndDrive3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C6D5A56-791E-4fe8-9D64-81781FA15D68}]
C:\Program Files\ISM\BndDrive6.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9815DA81-2E0C-478c-90E4-06E474E704D0}]
C:\Program Files\ISM\BndDrive.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-02-06 19:12 5037056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDSTray.exe"="NDSTray.exe" []
"TPSMain"="TPSMain.exe" [2005-05-31 22:00 282624 C:\WINDOWS\system32\TPSMain.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-06 12:44 16262656 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 19:04 2879488 C:\WINDOWS\SkyTel.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 09:22 89541 C:\WINDOWS\agrsmmsg.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2008-02-06 19:12 448512]
"CFSServ.exe"="CFSServ.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-06 19:12 1116672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-30 15:10 219136]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 19:47 8720384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-04 16:23:00 65588]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-08-21 12:23:30 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbaaa]
gebbaaa.dll

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-11 11:05]
R2 lxdd_device;lxdd_device;C:\WINDOWS\system32\lxddcoms.exe [2007-04-25 23:21]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;C:\WINDOWS\System32\s pool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-25 23:21]
R2 tdudf;TOSHIBA UDF File System Driver;C:\WINDOWS\system32\DRIVERS\tdudf.sys [2006-06-28 12:50]
R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys [2005-06-10 22:42]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2006-01-12 17:21]
R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2005-05-05 15:27]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys [2006-03-02 19:49]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 02:06]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 19:20:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\TPSBattM.exe
.
**************************************************************************
.
Completion time: 2008-02-06 19:22:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-07 01:21:57
.
2008-01-24 04:59:45 --- E O F ---

HijackThis log coming soon


Old 7th February 2008   #6
Ranger SVO
Senior Member
Profile:
Join Date: May 2006
Location: Abilene Texas
Posts: 268
Computer Experience: intermediate

I just wanna say, take your time, my son fixed the virus problem by buying a new computer. So for now this is just an extra computer. Again, thank you for taking the time to help.

Here is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:31 PM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-1.dll (file missing)
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8C6D5A56-791E-4fe8-9D64-81781FA15D68} - C:\Program Files\ISM\BndDrive6.dll (file missing)
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - Winlogon Notify: gebbaaa - gebbaaa.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 7110 bytes


Old 7th February 2008   #7
Geri
Staff
Profile:
Join Date: Mar 2003
Location: Washington State
Posts: 4,547
Computer Experience: Somedays it's like Taz

Hi Ranger SVO

Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Click here to see how to use CFScript.txt
ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

Code:
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C6D5A56-791E-4fe8-9D64-81781FA15D68}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9815DA81-2E0C-478c-90E4-06E474E704D0}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbaaa]

RenV::
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe 
C:\Program Files\Common Files\Real\Update_OB\realsched .exe 
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe 
C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe 
C:\Program Files\Lexmark 2500 Series\lxddamon .exe 
C:\Program Files\Lexmark 2500 Series\lxddmon .exe 
C:\Program Files\Lexmark Fax Solutions\fm3032 .exe 
C:\Program Files\ltmoh\Ltmoh .exe 
C:\Program Files\McAfee\SpamKiller\MSKDetct .exe 
C:\Program Files\Messenger\msmsgs .exe 
C:\Program Files\MySpace\IM\MySpaceIM .exe 
C:\Program Files\QuickTime\qttask .exe 
C:\Program Files\SlySoft\AnyDVD\AnyDVD .exe 
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe 
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe 
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe 
C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe 
C:\Program Files\TOSHIBA\Windows Utilities\Hotkey .exe 
C:\TOSHIBA\IVP\ISM\pinger .exe
C:\WINDOWS\system32\ctfmon .exe 
C:\WINDOWS\system32\NeroCheck .exe 
C:\WINDOWS\system32\service .exe

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please post the new CF log.

Thanks
Geri
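
Geri's CFScript above pairs two log observations with two fix sections: BHO (O2) and Winlogon Notify (O20) entries whose file is missing become Registry:: key deletions, and the executables ComboFix lists with a space before the extension become RenV:: lines. The Python below is an added example, not code from the thread, ComboFix or HijackThis; it automates that cross-check on constructed excerpts of the two logs and also flags Run entries that still point at a space-renamed file.

```python
"""Draft a ComboFix CFScript from HijackThis and ComboFix log evidence.

Added example for this thread; not code from ComboFix, HijackThis or the
forum post. O2 (BHO) and O20 (Winlogon Notify) entries marked "(file
missing)" become Registry:: key deletions; executables ComboFix lists with
a stray space before the extension ("qttask   .exe") become RenV:: lines.
All log excerpts are constructed from lines quoted in the thread.
"""
from __future__ import annotations

import re

# Constructed excerpt of the ComboFix "Code:" box: attributes, size, timestamp, path.
COMBOFIX_SPACED = r"""
----a-w           448,512 2008-02-07 01:12:39  C:\Program Files\QuickTime\qttask   .exe
----a-w            15,360 2007-12-30 21:01:17  C:\WINDOWS\system32\ctfmon .exe
----a-w            90,112 2007-12-30 21:01:05  C:\WINDOWS\system32\service .exe
"""

# Constructed HijackThis excerpt: a clean BHO, a missing BHO, two Run entries, a Notify entry.
HJT_LINES = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: gebbaaa - gebbaaa.dll (file missing)
"""

# Key prefixes written exactly as the thread's CFScript spells them.
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

_FILE_RE = re.compile(r"^(\S{7})\s+([\d,]+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.+?)\s*$")
_SPACED_EXT_RE = re.compile(r"\s+(\.[A-Za-z0-9]+)$")  # whitespace right before the extension
_O2_RE = re.compile(r"^O2 - BHO: .* - (\{[0-9A-Fa-f-]{36}\}) - .* \(file missing\)$")
_O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - \S+ \(file missing\)$")
_O4_RE = re.compile(r'^O4 - (.*?)\\Run: \[([^\]]+)\] (?:"([^"]+)"|(\S+))')


def _key(path: str) -> str:
    # The number of spaces in "qttask   .exe" is exactly what a forum or a copy/paste
    # tends to mangle, so compare with whitespace runs collapsed and case folded.
    return re.sub(r"\s+", " ", path).strip().lower()


def spaced_executables(block: str) -> list[str]:
    """Paths in a ComboFix file listing whose name carries a space before the extension."""
    found = []
    for line in block.splitlines():
        m = _FILE_RE.match(line)
        if m and _SPACED_EXT_RE.search(m.group(4)):
            found.append(m.group(4))
    return found


def collapse_extension(path: str) -> str:
    """'qttask   .exe' -> 'qttask.exe': the file name without the inserted space."""
    return _SPACED_EXT_RE.sub(r"\1", path)


def autoruns_pointing_at(hjt: str, spaced_paths: list[str]) -> list[tuple[str, str]]:
    """(entry name, target) for O4 Run entries whose target is one of the spaced files."""
    targets = {_key(p) for p in spaced_paths}
    hits = []
    for line in hjt.splitlines():
        m = _O4_RE.match(line)
        if m:
            target = m.group(3) or m.group(4)
            if _key(target) in targets:
                hits.append((m.group(2), target))
    return hits


def missing_file_keys(hjt: str) -> list[str]:
    """Registry keys for O2 / O20 entries whose file no longer exists on disk."""
    keys = []
    for line in hjt.splitlines():
        m = _O2_RE.match(line)
        if m:
            keys.append(f"{BHO_KEY}\\{m.group(1)}")
            continue
        m = _O20_RE.match(line)
        if m:
            keys.append(f"{NOTIFY_KEY}\\{m.group(1)}")
    return keys


def draft_cfscript(combofix_block: str, hjt: str) -> str:
    """Assemble Registry:: and RenV:: sections in the layout the thread's script uses."""
    out: list[str] = []
    keys = missing_file_keys(hjt)
    if keys:
        out.append("Registry::")
        out.extend(f"[-{k}]" for k in keys)
        out.append("")
    spaced = spaced_executables(combofix_block)
    if spaced:
        out.append("RenV::")
        out.extend(spaced)
    return "\n".join(out)


if __name__ == "__main__":
    print(draft_cfscript(COMBOFIX_SPACED, HJT_LINES))
    for name, target in autoruns_pointing_at(HJT_LINES, spaced_executables(COMBOFIX_SPACED)):
        print(f"Run entry [{name}] still points at the space-renamed file: {target}")
```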


Old 8th February 2008   #8
Ranger SVO
Senior Member
Profile:
Join Date: May 2006
Location: Abilene Texas
Posts: 268
Computer Experience: intermediate

Here is the ComboFix Log

I will download ATF Cleaner in a moment.

This thing is already running much better

ComboFix 08-02.05.3 - Mark ***** 2008-02-07 18:59:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1492 [GMT -6:00]
Running from: C:\Documents and Settings\TEMP\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\TEMP\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\service.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-06 21:13 . 2008-02-06 21:13 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\ArcSoft
2008-02-06 19:51 . 2008-02-06 19:51 <DIR> d---s---- C:\Documents and Settings\TEMP\UserData
2008-02-06 19:33 . 2008-02-06 19:33 <DIR> d-------- C:\Trend Micro
2008-02-04 22:07 . 2008-02-04 22:07 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\MySpace
2008-02-04 18:49 . 2008-02-04 18:49 <DIR> d-------- C:\Deckard
2008-02-04 17:56 . 2008-02-06 20:49 <DIR> dr-h----- C:\Documents and Settings\TEMP\Application Data\yahoo!
2008-02-04 17:55 . 2008-02-06 18:54 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Orbit
2008-02-04 14:41 . 2006-08-21 12:57 <DIR> d-------- C:\Documents and Settings\TEMP\WINDOWS
2008-02-04 14:41 . 2006-08-21 13:09 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\You've Got Pictures Screensaver
2008-02-04 14:41 . 2006-08-21 12:48 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\toshiba
2008-02-04 14:41 . 2006-09-09 14:05 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\InterVideo
2008-02-04 14:41 . 2006-12-27 21:33 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\AOL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 00:59 --------- d-----w C:\Program Files\ltmoh
2008-02-08 00:59 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2008-02-08 00:59 --------- d-----w C:\Program Files\Lexmark 2500 Series
2008-02-07 02:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-02-07 02:39 --------- d-----w C:\Program Files\Naevius GVI Converter
2008-02-07 02:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-07 01:12 --------- d-----w C:\Program Files\QuickTime
2008-02-07 01:01 --------- d-----w C:\Program Files\Google
2008-02-07 00:57 --------- d-----w C:\Program Files\Toshiba Games
2008-02-07 00:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2008-02-07 00:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-01 20:44 --------- d-----w C:\Program Files\SlySoft
2008-01-25 01:49 --------- d-----w C:\Program Files\Lx_cats
2008-01-01 23:15 812,344 ----a-w C:\Program Files\HJTInstall.exe
2008-01-01 23:15 --------- d-----w C:\Program Files\Trend Micro
2007-12-30 23:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-30 22:31 --------- d-----w C:\Program Files\Yahoo!
2007-12-30 21:11 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-30 21:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-30 20:37 --------- d-----w C:\Program Files\Common Files\Real
2007-12-30 20:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-12-25 17:34 --------- d-----w C:\Program Files\Lexmark Toolbar
2007-12-25 17:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\FaxCtr
2007-12-25 17:24 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-12-25 13:53 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-22 14:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2007-12-03 03:52 737,280 ----a-w C:\WINDOWS\iun6002.exe
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.
Code:
----a-w           448,512 2008-02-07 01:12:39  C:\Program Files\QuickTime\qttask   .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-30 15:01 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDSTray.exe"="NDSTray.exe" []
"TPSMain"="TPSMain.exe" [2005-05-31 22:00 282624 C:\WINDOWS\system32\TPSMain.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-06 12:44 16262656 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 19:04 2879488 C:\WINDOWS\SkyTel.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 09:22 89541 C:\WINDOWS\agrsmmsg.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2008-02-06 19:12 448512]
"CFSServ.exe"="CFSServ.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-06 19:12 1116672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-30 15:10 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-04 16:23:00 65588]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-08-21 12:23:30 155648]

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-11 11:05]
R2 lxdd_device;lxdd_device;C:\WINDOWS\system32\lxddcoms.exe [2007-04-25 23:21]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;C:\WINDOWS\System32\s pool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-25 23:21]
R2 tdudf;TOSHIBA UDF File System Driver;C:\WINDOWS\system32\DRIVERS\tdudf.sys [2006-06-28 12:50]
R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys [2005-06-10 22:42]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2006-01-12 17:21]
R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2005-05-05 15:27]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys [2006-03-02 19:49]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 02:06]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 19:02:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\TPSBattM.exe
.
**************************************************************************
.
Completion time: 2008-02-07 19:03:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-08 01:03:33
ComboFix2.txt 2008-02-07 01:22:00
.
2008-01-24 04:59:45 --- E O F ---


Old 8th February 2008   #9
Ranger SVO
Senior Member
Profile:
Join Date: May 2006
Location: Abilene Texas
Posts: 268
Computer Experience: intermediate

I just noticed something new on the desktop, it's a folder named %SystemDrive%

Any Idea as to what it is?


Old 8th February 2008   #10
Geri
Staff
Profile:
Join Date: Mar 2003
Location: Washington State
Posts: 4,547
Computer Experience: Somedays it's like Taz

Hi Ranger
Quote:
Any Idea as to what it is?
%SystemDrive% is the C drive for the machine. I have no idea why that would show up on your desktop.
I'll have to ask Dave about this one, please do nothing with it for now.

Please run ATF Cleaner; I want to see if it will clean those temp files that are showing in the ComboFix log.
Then we need to run a CFScript again.

Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Click here to see how to use CFScript.txt
ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

Code:
RenV::
C:\Program Files\QuickTime\qttask   .exe

Please post the new ComboFix log and I'll see what Dave says about that folder.

Thanks
Geri


Old 8th February 2008   #11
Ranger SVO
Senior Member
Profile:
Join Date: May 2006
Location: Abilene Texas
Posts: 268
Computer Experience: intermediate

I'll be more than happy to drag and drop it where it belongs. I don't know when it appeared on the desktop. It could have been there a while.

Here is the latest log. I ran ATF Cleaner before ComboFix.

ComboFix 08-02.05.3 - Mark ***** 2008-02-07 20:26:53.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1491 [GMT -6:00]
Running from: C:\Documents and Settings\TEMP\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\TEMP\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-07 20:24 . 2008-02-07 20:28 53,248 --a------ C:\WINDOWS\PSEXESVC.EXE
2008-02-07 19:25 . 2008-02-07 19:25 <DIR> d-------- C:\Program Files\7-Zip
2008-02-07 18:56 . 2004-08-03 15:00 388,608 --a------ C:\kmd.exe
2008-02-06 21:13 . 2008-02-06 21:13 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\ArcSoft
2008-02-06 19:51 . 2008-02-06 19:51 <DIR> d---s---- C:\Documents and Settings\TEMP\UserData
2008-02-06 19:33 . 2008-02-06 19:33 <DIR> d-------- C:\Trend Micro
2008-02-04 22:07 . 2008-02-04 22:07 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\MySpace
2008-02-04 18:49 . 2008-02-04 18:49 <DIR> d-------- C:\Deckard
2008-02-04 17:56 . 2008-02-06 20:49 <DIR> dr-h----- C:\Documents and Settings\TEMP\Application Data\yahoo!
2008-02-04 17:55 . 2008-02-06 18:54 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Orbit
2008-02-04 14:41 . 2006-08-21 12:57 <DIR> d-------- C:\Documents and Settings\TEMP\WINDOWS
2008-02-04 14:41 . 2006-08-21 13:09 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\You've Got Pictures Screensaver
2008-02-04 14:41 . 2006-08-21 12:48 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\toshiba
2008-02-04 14:41 . 2006-09-09 14:05 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\InterVideo
2008-02-04 14:41 . 2006-12-27 21:33 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\AOL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 02:26 --------- d-----w C:\Program Files\QuickTime
2008-02-08 01:43 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-08 00:59 --------- d-----w C:\Program Files\ltmoh
2008-02-08 00:59 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2008-02-08 00:59 --------- d-----w C:\Program Files\Lexmark 2500 Series
2008-02-07 02:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-02-07 02:39 --------- d-----w C:\Program Files\Naevius GVI Converter
2008-02-07 02:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-07 01:01 --------- d-----w C:\Program Files\Google
2008-02-07 00:57 --------- d-----w C:\Program Files\Toshiba Games
2008-02-07 00:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2008-02-07 00:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-01 20:44 --------- d-----w C:\Program Files\SlySoft
2008-01-25 01:49 --------- d-----w C:\Program Files\Lx_cats
2008-01-01 23:15 812,344 ----a-w C:\Program Files\HJTInstall.exe
2008-01-01 23:15 --------- d-----w C:\Program Files\Trend Micro
2007-12-30 23:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-30 22:39 3,584 ----a-w C:\WINDOWS\system32\ssttt.exe
2007-12-30 22:31 --------- d-----w C:\Program Files\Yahoo!
2007-12-30 21:11 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-30 21:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-30 21:00 155,648 ----a-w C:\WINDOWS\system32\NeroCheck.exe
2007-12-30 20:37 --------- d-----w C:\Program Files\Common Files\Real
2007-12-30 20:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-12-25 17:34 --------- d-----w C:\Program Files\Lexmark Toolbar
2007-12-25 17:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\FaxCtr
2007-12-25 17:24 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-12-22 14:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2007-12-03 03:52 737,280 ----a-w C:\WINDOWS\iun6002.exe
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-30 15:01 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDSTray.exe"="NDSTray.exe" []
"TPSMain"="TPSMain.exe" [2005-05-31 22:00 282624 C:\WINDOWS\system32\TPSMain.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-06 12:44 16262656 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 19:04 2879488 C:\WINDOWS\SkyTel.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 09:22 89541 C:\WINDOWS\agrsmmsg.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"CFSServ.exe"="CFSServ.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-06 19:12 1116672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-30 15:10 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-04 16:23:00 65588]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-08-21 12:23:30 155648]

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-11 11:05]
R2 lxdd_device;lxdd_device;C:\WINDOWS\system32\lxddcoms.exe [2007-04-25 23:21]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-25 23:21]
R2 tdudf;TOSHIBA UDF File System Driver;C:\WINDOWS\system32\DRIVERS\tdudf.sys [2006-06-28 12:50]
R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys [2005-06-10 22:42]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2006-01-12 17:21]
R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2005-05-05 15:27]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys [2006-03-02 19:49]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 02:06]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 20:28:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-07 20:28:33
ComboFix-quarantined-files.txt 2008-02-08 02:28:25
ComboFix2.txt 2008-02-08 01:03:41
ComboFix3.txt 2008-02-07 01:22:00
.
2008-01-24 04:59:45 --- E O F ---

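The two ComboFix listings in the log above (the "Files Created" section and the "Find3M Report") encode each entry's attributes as a flag string, and the file that later turns out to be hard to find, C:\WINDOWS\system32\AVSredirect.dll, is the only non-directory entry carrying the s (system) and h (hidden) bits. The parser below is an added example written for this page; it is not ComboFix code and is not part of the thread. The sample lines are copied from the posted log; the flag-letter decoding (d directory, r read-only, s system, h hidden, a archive) is the conventional DOS attribute lettering and is assumed here.

```python
"""Parse ComboFix "Files Created" and "Find3M" listing lines and flag
non-directory entries that carry the system or hidden attribute.

Added example, not ComboFix's own code.  SAMPLE_LOG is copied from the
log posted in this thread; the flag-letter meaning is assumed (DOS
attribute lettering).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "Files Created" lines:  created . modified  size|<DIR>  flags(9)  path
_CREATED = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<flags>[drshaw-]{9})\s+(?P<path>.+)$"
)
# "Find3M" lines:  modified  size|---------  flags(7)  path
_FIND3M = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>-{9}|[\d,]+)\s+(?P<flags>[drshaw-]{7})\s+(?P<path>.+)$"
)


@dataclass
class Entry:
    path: str
    modified: str
    size: Optional[int]          # None for directories
    is_dir: bool
    hidden: bool                 # 'h' present in the flag string
    system: bool                 # 's' present in the flag string
    created: Optional[str] = None  # only the "Files Created" section has it


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a listing line, or None for headers/blank lines."""
    text = line.strip()
    m = _CREATED.match(text) or _FIND3M.match(text)
    if not m:
        return None
    flags = m.group("flags")
    size_tok = m.group("size")
    is_dir = flags.startswith("d") or size_tok == "<DIR>"
    size = None
    if size_tok != "<DIR>" and not size_tok.startswith("-"):
        size = int(size_tok.replace(",", ""))
    return Entry(
        path=m.group("path").strip(),
        modified=m.group("modified"),
        size=size,
        is_dir=is_dir,
        hidden="h" in flags,
        system="s" in flags,
        created=m.groupdict().get("created"),
    )


def parse_log(text: str) -> List[Entry]:
    """Parse every recognisable listing line; everything else is skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def hidden_or_system_files(entries: List[Entry]) -> List[Entry]:
    """Files (not directories) carrying the hidden or system attribute.

    A hidden or system *directory* under Application Data is ordinary; a
    hidden or system *file* in system32 is exactly what Explorer's default
    view and a default search will not show, so it deserves a second look.
    """
    return [e for e in entries if not e.is_dir and (e.hidden or e.system)]


# Constructed sample: lines copied from the ComboFix log above.
SAMPLE_LOG = """\
2008-02-07 20:24 . 2008-02-07 20:28 53,248 --a------ C:\\WINDOWS\\PSEXESVC.EXE
2008-02-06 19:51 . 2008-02-06 19:51 <DIR> d---s---- C:\\Documents and Settings\\TEMP\\UserData
2008-02-04 17:56 . 2008-02-06 20:49 <DIR> dr-h----- C:\\Documents and Settings\\TEMP\\Application Data\\yahoo!
2008-02-07 02:37 --------- d--h--w C:\\Program Files\\InstallShield Installation Information
2007-12-30 22:39 3,584 ----a-w C:\\WINDOWS\\system32\\ssttt.exe
2007-12-03 03:52 737,280 ----a-w C:\\WINDOWS\\iun6002.exe
2005-07-14 19:31 27,648 --sha-w C:\\WINDOWS\\system32\\AVSredirect.dll
"""

if __name__ == "__main__":
    for e in hidden_or_system_files(parse_log(SAMPLE_LOG)):
        print(f"{e.modified}  {e.size:>8}  hidden={e.hidden} system={e.system}  {e.path}")
```

Run against the full log, the only hit is AVSredirect.dll; the hidden directories (InstallShield Installation Information, yahoo!, UserData) drop out because the rule looks at files only.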
Old 8th February 2008   #12
Staff
 
Profile:
Join Date: Mar 2003
Location: Washington State
Posts: 4,547
Computer Experience:
Somedays it's like Taz

Hi Ranger
OK, Dave said to make sure it's not a shortcut. If it is, it should have a small arrow in the corner of the icon. He said if it's a folder, open it and see what's in it.
Let me know.
You can also right click it and click properties and see what it says in there.

OK, let's scan a couple of files.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file paths into the "File to upload & scan" box at the top of the page, one at a time:
    • C:\WINDOWS\PSEXESVC.EXE
    • C:\WINDOWS\iun6002.exe
    • C:\WINDOWS\system32\AVSredirect.dll
  • Click on the submit button
  • Please post the results in your next reply.

Thanks
Geri

Old 9th February 2008   #13
Senior Member
 
Profile:
Join Date: May 2006
Location: Abilene Texas
Posts: 268
Computer Experience:
intermediate

No, it's not a shortcut. Can I send you a .zip copy of the folder?

This is a copy of the address bar:
C:\Documents and Settings\TEMP\Desktop\%SystemDrive%\Documents and Settings\TEMP\Application Data\Microsoft

Now there are two folders, SystemCertificates, it contains a number of folders that are all empty.

The other folder CrptnetUrlCache contains two folders, Content and MetaData which contain two system files each.
60E31627FDA0A46932B0E5948949F2A5
A8FABA189DB7D25FBA7CAC806625FD30

60E31627FDA0A46932B0E5948949F2A5
A8FABA189DB7D25FBA7CAC806625FD30

Hope this is helpful

Here are the jotti checks

File: PSEXESVC.EXE
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 34567437e1881533d582028e95456fbc
Packers detected: -
Bit9 reports: No threat detected (more info)

Scanner results
Scan taken on 09 Feb 2008 01:17:33 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found Application/Psexec.A
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing



File: iun6002.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 456462905091db042141487fe030e3c9
Packers detected: -
Bit9 reports: No threat detected (more info)

Scanner results
Scan taken on 09 Feb 2008 01:24:16 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


I could not find
C:\WINDOWS\system32\AVSredirect.dll

I will do a search for AVSredirect.dll here in a few minutes.

Old 9th February 2008   #14
Senior Member
 
Profile:
Join Date: May 2006
Location: Abilene Texas
Posts: 268
Computer Experience:
intermediate

I just completed a system search for AVSredirect and found nothing. I included all of C: and also included hidden system files and folders.
Old 9th February 2008   #15
Staff
 
Profile:
Join Date: Mar 2003
Location: Washington State
Posts: 4,547
Computer Experience:
Somedays it's like Taz

Hi Ranger

Quote:
Can I send you a .zip copy of the folder?
No, I don't have a virtual machine, so I can't do as Dave does.

But he PM'd me and said you could delete that; he said it's a copy of another directory.

Let's see if you can see that file if you have hidden files/folders enabled.

Enable the 'Show Hidden Files/Folders' option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Now see if you can see this.
C:\WINDOWS\system32\AVSredirect.dll

If not we'll try a different way.

All the entries like "2008-02-06 21:13 . 2008-02-06 21:13 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\ArcSoft" in the "Files Created from 2008-01-08 to 2008-02-08" section of the ComboFix log are OK.
TEMP is a user name, like mine says C:\Documents and Settings\OWNER.
Temp is not a good name for these; some programs look for the word "temp" and delete it. It could be a way to lose important files and folders.

Let me know if you can find that file and we'll go from there.

Thanks
Geri

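Geri's steps above change Explorer's view settings so that a system+hidden file becomes visible. The added example below does the same check from a script; it is not code from the thread or from any tool mentioned in it. It walks a directory tree without skipping hidden or system entries, matches the file name case-insensitively (as NTFS does), and reports the attribute bits plus MD5 and SHA-256 so the digest can be compared with what Jotti prints before uploading. It assumes only the Python standard library; the directory it builds is a constructed stand-in for C:\WINDOWS, and the hidden/system bits are populated only on Windows (from st_file_attributes) and read as False elsewhere.

```python
"""Locate a file by name regardless of its hidden/system attributes and
report size, attribute bits and hashes.

Added example, not from the thread or from ComboFix/Jotti/HijackThis.
Standard library only.  build_sample_tree() creates a constructed
stand-in for C:\\WINDOWS; on non-Windows hosts hidden/system are False.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List

# stat exposes these on Windows; the numeric fallbacks are the documented
# Win32 values and are assumed here for portability.
FILE_ATTRIBUTE_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x02)
FILE_ATTRIBUTE_SYSTEM = getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x04)


def describe(path: str) -> Dict[str, object]:
    """Size, hidden/system bits (ComboFix's 's' and 'h') and digests."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)  # Windows only
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {
        "path": path,
        "size": st.st_size,
        "hidden": bool(attrs & FILE_ATTRIBUTE_HIDDEN),
        "system": bool(attrs & FILE_ATTRIBUTE_SYSTEM),
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def find_files(root: str, name: str) -> List[Dict[str, object]]:
    """Exact (case-insensitive) file-name match under root.

    os.walk enumerates hidden and system entries like any other, which is
    the point: Explorer's default view and a default search do not.
    """
    wanted = name.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == wanted:
                hits.append(describe(os.path.join(dirpath, fn)))
    return hits


def build_sample_tree() -> str:
    """Constructed stand-in for C:\\WINDOWS: a system32 folder holding the
    target (lower-cased on purpose, content b'abc' for its well-known
    digests) and a decoy with a similar name.  Returns the temp root."""
    root = tempfile.mkdtemp(prefix="windir_")
    sys32 = os.path.join(root, "system32")
    os.makedirs(sys32)
    with open(os.path.join(sys32, "avsredirect.dll"), "wb") as fh:
        fh.write(b"abc")
    with open(os.path.join(root, "AVSredirect.dll.txt"), "wb") as fh:
        fh.write(b"decoy, must not match")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for hit in find_files(root, "AVSredirect.dll"):
        print(hit)
```

Against the real machine it would be called as find_files(r"C:\WINDOWS", "AVSredirect.dll"). The command-prompt equivalent on XP is dir /s /a C:\WINDOWS\AVSredirect.dll, where /a includes hidden and system files.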
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.3.2
Copyright © 2002 - 2009 WindowsBBS.com. All rights reserved.