
Solved Very slow start up/shutdown

Discussion in 'Malware and Virus Removal Archive' started by sean, 2008/02/12.

  1. 2008/02/12
    sean

    sean Well-Known Member Thread Starter

    Joined:
    2007/03/24
    Messages:
    166
    Likes Received:
    0
    [Resolved] Very slow start up/shutdown

    Hello to all.

    I had some great help here from Petec when I had problems, so here I am again :eek:

    This is my son's girlfriend's HJT log from her laptop; she has said it takes ages to load/shut down. I think she has some sort of hijacker:

    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

    Also a trojan:

    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

    I am 100% NO expert on these matters and that's why I need your help on her log; I don't want to ***** her laptop up.

    MANY THANKS,

    Sean.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:30:39, on 12/02/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16575)
    Boot mode: Normal

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Windows\system32\svchost.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
    C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe "
    O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
    O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
    O13 - Gopher Prefix:
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 11553 bytes
     
    sean,
    #1
  2. 2008/02/13
    sean

    sean Well-Known Member Thread Starter

    Just found out that Norton has run out (3-month trial) and she has NO AV on the laptop! The laptop is only one year old. Could you please let me have the Norton removal tool link so I can put AVG Free on in its place.

    MANY THANKS.

    Sean.
     
    sean,
    #2


  4. 2008/02/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi sean
    [Sidebar] C:\Program Files\Windows Sidebar is part of Vista and is OK.

    Please do this first before removing Norton.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

    Now
    Here is the norton removal site.

    Go here and run the Norton Removal Tool for the product version you have.

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

    Thanks
    Geri
     
    Geri,
    #3
  5. 2008/02/13
    sean

    sean Well-Known Member Thread Starter

    Thanks Geri.

    It's six am here and I'm off to work soon :eek:. Please stick with me as my son's girlfriend should be over this evening; I will ask her to bring the laptop with her so I can get on with your instructions.

    I did try to uninstall Norton through Add/Remove but it asked for the disc; it came with the new laptop and she has no disc. Thanks for the tool to get shut of this resource hog ;)

    MANY THANKS Geri,

    Cheers,

    sean.
     
    sean,
    #4
  6. 2008/02/14
    sean

    sean Well-Known Member Thread Starter

    Good evening Geri.

    I have downloaded SDFix to her desktop.

    I have tried to get into Safe Mode 5 times, pressing the F8 key before the Windows logo appeared, and all I seem to get is a bleep every time I press the F8 key. I also tried the F12 key and got the same bleeps.

    MANY THANKS to you for your time,
    Sean.
     
    sean,
    #5
  7. 2008/02/14
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi sean

    OK we'll run this.

    Download ComboFix from Here to your Desktop.
    It's best to disable realtime protection applications as they sometimes interfere with the tool. Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Please post the Combofix log.

    Thanks
    Geri
     
    Geri,
    #6
  8. 2008/02/14
    sean

    sean Well-Known Member Thread Starter

    Thanks Geri, here you go:

    ComboFix 08-02-15.1 - Ruth 2008-02-15 5:02:18.1 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.383 [GMT 0:00]
    Running from: C:\Users\Ruth\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
    .

    2008-02-14 18:33 . 2008-02-14 18:33 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2008-02-14 15:16 . 2008-02-13 13:22 <DIR> d-------- C:\SDFix
    2008-02-13 15:08 . 2008-02-13 15:08 194,560 --a------ C:\Windows\System32\WebClnt.dll
    2008-02-13 15:08 . 2008-02-13 15:08 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
    2008-02-13 15:05 . 2008-02-13 15:05 595,456 --a------ C:\Windows\System32\schedsvc.dll
    2008-02-13 15:05 . 2008-02-13 15:05 115,200 --a------ C:\Windows\System32\loadperf.dll
    2008-02-13 15:05 . 2008-02-13 15:05 39,424 --a------ C:\Windows\System32\lodctr.exe
    2008-02-13 15:05 . 2008-02-13 15:05 32,256 --a------ C:\Windows\System32\unlodctr.exe
    2008-02-13 15:05 . 2008-02-13 15:05 23,552 --a------ C:\Windows\System32\nshhttp.dll
    2008-02-13 15:05 . 2008-02-13 15:05 17,408 --a------ C:\Windows\System32\prflbmsg.dll
    2008-02-13 15:01 . 2008-02-13 15:01 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
    2008-02-13 15:01 . 2008-02-13 15:01 216,632 --a------ C:\Windows\System32\drivers\netio.sys
    2008-02-13 15:01 . 2008-02-13 15:01 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
    2008-02-13 15:01 . 2008-02-13 15:01 24,064 --a------ C:\Windows\System32\netcfg.exe
    2008-02-13 15:01 . 2008-02-13 15:01 22,016 --a------ C:\Windows\System32\netiougc.exe
    2008-02-13 14:53 . 2008-02-13 14:53 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
    2008-02-12 18:30 . 2008-02-12 18:30 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-06 21:24 . 2008-02-06 21:24 <DIR> d-------- C:\Users\Ruth\AppData\Roaming\Apple Computer
    2008-02-06 21:23 . 2008-02-06 21:23 <DIR> d-------- C:\Program Files\iTunes
    2008-02-06 21:23 . 2008-02-06 21:23 <DIR> d-------- C:\Program Files\iPod
    2008-02-06 21:21 . 2008-02-06 21:21 <DIR> d-------- C:\Program Files\Bonjour
    2008-02-06 21:19 . 2008-02-06 21:23 <DIR> d-------- C:\Users\All Users\Apple Computer
    2008-02-06 21:19 . 2008-02-06 21:23 <DIR> d-------- C:\ProgramData\Apple Computer
    2008-02-06 21:19 . 2008-02-06 21:20 <DIR> d-------- C:\Program Files\QuickTime
    2008-02-06 21:16 . 2008-02-06 21:16 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-02-06 21:14 . 2008-02-06 21:14 <DIR> d-------- C:\Users\All Users\Apple
    2008-02-06 21:14 . 2008-02-06 21:14 <DIR> d-------- C:\ProgramData\Apple
    2008-02-06 21:14 . 2008-02-06 21:14 <DIR> d-------- C:\Program Files\Common Files\Apple
    2008-01-15 02:39 . 2008-01-15 02:39 30,464 --a------ C:\Windows\System32\drivers\usbaapl.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-14 16:59 886 ----a-w C:\Users\Ruth\AppData\Roaming\wklnhst.dat
    2008-02-13 16:21 --------- d-----w C:\Program Files\Norton Internet Security
    2008-02-13 16:08 --------- d-----w C:\ProgramData\Symantec
    2008-02-13 16:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-02-13 15:06 943,800 ----a-w C:\Windows\System32\winload.exe
    2008-02-13 15:06 905,400 ----a-w C:\Windows\System32\winresume.exe
    2008-02-13 15:06 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
    2008-02-13 15:06 613,888 ----a-w C:\Windows\System32\wpd_ci.dll
    2008-02-13 15:06 6,656 ----a-w C:\Windows\System32\kbd106n.dll
    2008-02-13 15:06 558,080 ----a-w C:\Windows\System32\oleaut32.dll
    2008-02-13 15:06 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
    2008-02-13 15:06 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
    2008-02-13 15:06 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
    2008-02-13 15:06 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
    2008-02-13 15:06 35,328 ----a-w C:\Windows\System32\dispci.dll
    2008-02-13 15:06 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
    2008-02-13 15:06 260,096 ----a-w C:\Windows\System32\dpx.dll
    2008-02-13 15:06 224,824 ----a-w C:\Windows\System32\clfs.sys
    2008-02-13 15:06 221,696 ----a-w C:\Windows\System32\umpnpmgr.dll
    2008-02-13 15:06 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
    2008-02-13 15:06 19,456 ----a-w C:\Windows\System32\cfgmgr32.dll
    2008-02-13 15:06 15,872 ----a-w C:\Windows\system32\drivers\mouhid.sys
    2008-02-13 15:06 12,800 ----a-w C:\Windows\System32\batt.dll
    2008-02-13 15:06 101,888 ----a-w C:\Windows\System32\drvinst.exe
    2008-02-13 15:06 1,585,664 ----a-w C:\Windows\System32\setupapi.dll
    2008-02-13 14:52 824,832 ----a-w C:\Windows\System32\wininet.dll
    2008-02-13 14:52 56,320 ----a-w C:\Windows\System32\iesetup.dll
    2008-02-13 14:52 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
    2008-02-13 14:52 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
    2008-01-09 21:14 --------- d-----w C:\Program Files\Windows Sidebar
    2008-01-09 21:06 11,776 ----a-w C:\Windows\System32\sbunattend.exe
    2007-12-28 15:00 --------- d-----w C:\Program Files\Norton Security Scan
    2007-12-15 14:32 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
    2007-12-15 14:32 223,232 ----a-w C:\Windows\System32\WMASF.DLL
    2007-12-15 14:32 1,327,104 ----a-w C:\Windows\System32\quartz.dll
    2007-12-15 14:29 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
    2007-12-15 14:29 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
    2007-12-15 14:29 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
    2007-12-15 14:29 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
    2007-12-15 14:26 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
    2007-12-15 14:26 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
    2006-11-02 12:50 174 --sha-w C:\Program Files\desktop.ini
    2007-09-03 11:29 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    2007-09-03 11:29 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    2007-09-03 11:29 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 21:06 1232896]
    "TOSCDSPD "= "C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-13 09:06 413696]
    "WMPNSCFG "= "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 12:36 201728]
    "ehTray.exe "= "C:\Windows\ehome\ehTray.exe" [2006-11-02 12:35 125440]
    "msnmsgr "= "C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-02 12:34 1004136]
    "TPwrMain "= "C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-14 19:07 411768]
    "HSON "= "C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 16:49 55416]
    "SmoothView "= "C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2006-12-14 19:09 493688]
    "00TCrdMain "= "C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-11 17:27 530552]
    "NvSvc "= "C:\Windows\system32\nvsvc.dll" [2006-12-07 19:25 90191]
    "NvCplDaemon "= "C:\Windows\system32\NvCpl.dll" [2006-12-07 19:25 7766016]
    "NvMediaCenter "= "C:\Windows\system32\NvMcTray.dll" [2006-12-07 19:25 81920]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 12:50 815104]
    "RtHDVCpl "= "RtHDVCpl.exe" [2006-11-07 13:50 3772416 C:\Windows\RtHDVCpl.exe]
    "NDSTray.exe "= "NDSTray.exe" []
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
    "osCheck "= "C:\Program Files\Norton Internet Security\osCheck.exe" [2006-10-26 23:18 22696]
    "topi "= "C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2006-12-15 16:11 577536]
    "IgfxTray "= "C:\Windows\system32\igfxtray.exe" [2006-11-06 08:02 98304]
    "HotKeysCmds "= "C:\Windows\system32\hkcmd.exe" [2006-11-06 08:05 106496]
    "Persistence "= "C:\Windows\system32\igfxpers.exe" [2006-11-06 08:02 81920]
    "Toshiba Registration "= "C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe" [2006-12-13 14:42 554640]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]

    R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20070507.001\IDSvix86.sys [2007-01-16 11:01]
    R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2006-10-31 22:40]
    R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys [2006-11-19 22:11]
    R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-11-06 09:29]
    R3 NETw4v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-09-26 13:12]
    R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2006-10-24 12:40]
    R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 11:50]
    S3 NETw3v32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-10-30 08:42]
    S3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 16:32]
    S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2006-02-14 17:50]
    S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2006-02-14 17:41]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae2f5156-24aa-11dc-822f-00a0d165729c}]
    \shell\AutoRun\command - G:\LaunchU3.exe

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-28 15:57:56 C:\Windows\Tasks\Norton Security Scan.job "
    - C:\Program Files\Norton Security Scan\Nss.exe)/scan-full /scheduleignorenav /scheduled&C:\Program Files\Norton Security Scan
    "2008-02-15 05:00:08 C:\Windows\Tasks\User_Feed_Synchronization-{D9B30BB4-63C0-47D4-A444-A174F9308500}.job "
    - C:\Windows\system32\msfeedssync.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-15 05:04:17
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TOSCDSPD = C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????9?l?L?????? ???X?????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-15 5:04:55
    .
    2008-02-14 11:10:16 --- E O F ---


    Off to work now Geri (6.30AM). I hope that my son's girlfriend doesn't take the laptop home when she wakes up (they went out on the town last night) so I can crack on later with any new instructions you send me.

    MANY THANKS, Sean

    PS: can I uninstall SDFix, and what's the best way to go about it?
     
    Last edited: 2008/02/15
    sean,
    #7
  9. 2008/02/15
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi

    Not quite yet, we may still need to run it later.

    Please run Combofix again making sure you do this.

    Vista users right click Combofix.exe and select Run As Administrator.

    Thanks
    Geri
     
    Geri,
    #8
  10. 2008/02/16
    sean

    sean Well-Known Member Thread Starter

    Hello to you Geri.

    Here's the ComboFix log as requested. When we have got rid of this trojan, could you please tell me what's safe to stop loading at startup (O4's).

    I have also posted a new HJT log as I can see some changes.

    MANY THANKS,

    Sean.


    ComboFix 08-02-15.1 - Ruth 2008-02-16 11:51:21.2 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.387 [GMT 0:00]
    Running from: C:\Users\Ruth\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
    .

    2008-02-14 18:33 . 2008-02-14 18:33 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2008-02-14 15:16 . 2008-02-13 13:22 <DIR> d-------- C:\SDFix
    2008-02-13 15:08 . 2008-02-13 15:08 194,560 --a------ C:\Windows\System32\WebClnt.dll
    2008-02-13 15:08 . 2008-02-13 15:08 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
    2008-02-13 15:05 . 2008-02-13 15:05 595,456 --a------ C:\Windows\System32\schedsvc.dll
    2008-02-13 15:05 . 2008-02-13 15:05 115,200 --a------ C:\Windows\System32\loadperf.dll
    2008-02-13 15:05 . 2008-02-13 15:05 39,424 --a------ C:\Windows\System32\lodctr.exe
    2008-02-13 15:05 . 2008-02-13 15:05 32,256 --a------ C:\Windows\System32\unlodctr.exe
    2008-02-13 15:05 . 2008-02-13 15:05 23,552 --a------ C:\Windows\System32\nshhttp.dll
    2008-02-13 15:05 . 2008-02-13 15:05 17,408 --a------ C:\Windows\System32\prflbmsg.dll
    2008-02-13 15:01 . 2008-02-13 15:01 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
    2008-02-13 15:01 . 2008-02-13 15:01 216,632 --a------ C:\Windows\System32\drivers\netio.sys
    2008-02-13 15:01 . 2008-02-13 15:01 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
    2008-02-13 15:01 . 2008-02-13 15:01 24,064 --a------ C:\Windows\System32\netcfg.exe
    2008-02-13 15:01 . 2008-02-13 15:01 22,016 --a------ C:\Windows\System32\netiougc.exe
    2008-02-13 14:53 . 2008-02-13 14:53 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
    2008-02-12 18:30 . 2008-02-12 18:30 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-06 21:24 . 2008-02-06 21:24 <DIR> d-------- C:\Users\Ruth\AppData\Roaming\Apple Computer
    2008-02-06 21:23 . 2008-02-06 21:23 <DIR> d-------- C:\Program Files\iTunes
    2008-02-06 21:23 . 2008-02-06 21:23 <DIR> d-------- C:\Program Files\iPod
    2008-02-06 21:21 . 2008-02-06 21:21 <DIR> d-------- C:\Program Files\Bonjour
    2008-02-06 21:19 . 2008-02-06 21:23 <DIR> d-------- C:\Users\All Users\Apple Computer
    2008-02-06 21:19 . 2008-02-06 21:23 <DIR> d-------- C:\ProgramData\Apple Computer
    2008-02-06 21:19 . 2008-02-06 21:20 <DIR> d-------- C:\Program Files\QuickTime
    2008-02-06 21:16 . 2008-02-06 21:16 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-02-06 21:14 . 2008-02-06 21:14 <DIR> d-------- C:\Users\All Users\Apple
    2008-02-06 21:14 . 2008-02-06 21:14 <DIR> d-------- C:\ProgramData\Apple
    2008-02-06 21:14 . 2008-02-06 21:14 <DIR> d-------- C:\Program Files\Common Files\Apple

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-15 18:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-02-15 15:00 --------- d-----w C:\Program Files\Norton Security Scan
    2008-02-15 13:51 886 ----a-w C:\Users\Ruth\AppData\Roaming\wklnhst.dat
    2008-02-13 16:21 --------- d-----w C:\Program Files\Norton Internet Security
    2008-02-13 16:08 --------- d-----w C:\ProgramData\Symantec
    2008-02-13 15:06 943,800 ----a-w C:\Windows\System32\winload.exe
    2008-02-13 15:06 905,400 ----a-w C:\Windows\System32\winresume.exe
    2008-02-13 15:06 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
    2008-02-13 15:06 613,888 ----a-w C:\Windows\System32\wpd_ci.dll
    2008-02-13 15:06 6,656 ----a-w C:\Windows\System32\kbd106n.dll
    2008-02-13 15:06 558,080 ----a-w C:\Windows\System32\oleaut32.dll
    2008-02-13 15:06 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
    2008-02-13 15:06 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
    2008-02-13 15:06 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
    2008-02-13 15:06 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
    2008-02-13 15:06 35,328 ----a-w C:\Windows\System32\dispci.dll
    2008-02-13 15:06 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
    2008-02-13 15:06 260,096 ----a-w C:\Windows\System32\dpx.dll
    2008-02-13 15:06 224,824 ----a-w C:\Windows\System32\clfs.sys
    2008-02-13 15:06 221,696 ----a-w C:\Windows\System32\umpnpmgr.dll
    2008-02-13 15:06 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
    2008-02-13 15:06 19,456 ----a-w C:\Windows\System32\cfgmgr32.dll
    2008-02-13 15:06 15,872 ----a-w C:\Windows\system32\drivers\mouhid.sys
    2008-02-13 15:06 12,800 ----a-w C:\Windows\System32\batt.dll
    2008-02-13 15:06 101,888 ----a-w C:\Windows\System32\drvinst.exe
    2008-02-13 15:06 1,585,664 ----a-w C:\Windows\System32\setupapi.dll
    2008-02-13 14:52 824,832 ----a-w C:\Windows\System32\wininet.dll
    2008-02-13 14:52 56,320 ----a-w C:\Windows\System32\iesetup.dll
    2008-02-13 14:52 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
    2008-02-13 14:52 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
    2008-01-15 02:39 30,464 ----a-w C:\Windows\system32\drivers\usbaapl.sys
    2008-01-09 21:14 --------- d-----w C:\Program Files\Windows Sidebar
    2008-01-09 21:06 11,776 ----a-w C:\Windows\System32\sbunattend.exe
    2007-12-15 14:32 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
    2007-12-15 14:32 223,232 ----a-w C:\Windows\System32\WMASF.DLL
    2007-12-15 14:32 1,327,104 ----a-w C:\Windows\System32\quartz.dll
    2007-12-15 14:26 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
    2007-12-15 14:26 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
    2006-11-02 12:50 174 --sha-w C:\Program Files\desktop.ini
    2007-09-03 11:29 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    2007-09-03 11:29 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    2007-09-03 11:29 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 21:06 1232896]
    "TOSCDSPD "= "C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-13 09:06 413696]
    "WMPNSCFG "= "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 12:36 201728]
    "ehTray.exe "= "C:\Windows\ehome\ehTray.exe" [2006-11-02 12:35 125440]
    "msnmsgr "= "C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-02 12:34 1004136]
    "TPwrMain "= "C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-14 19:07 411768]
    "HSON "= "C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 16:49 55416]
    "SmoothView "= "C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2006-12-14 19:09 493688]
    "00TCrdMain "= "C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-11 17:27 530552]
    "NvSvc "= "C:\Windows\system32\nvsvc.dll" [2006-12-07 19:25 90191]
    "NvCplDaemon "= "C:\Windows\system32\NvCpl.dll" [2006-12-07 19:25 7766016]
    "NvMediaCenter "= "C:\Windows\system32\NvMcTray.dll" [2006-12-07 19:25 81920]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 12:50 815104]
    "RtHDVCpl "= "RtHDVCpl.exe" [2006-11-07 13:50 3772416 C:\Windows\RtHDVCpl.exe]
    "NDSTray.exe "= "NDSTray.exe" []
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
    "osCheck "= "C:\Program Files\Norton Internet Security\osCheck.exe" [2006-10-26 23:18 22696]
    "topi "= "C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2006-12-15 16:11 577536]
    "IgfxTray "= "C:\Windows\system32\igfxtray.exe" [2006-11-06 08:02 98304]
    "HotKeysCmds "= "C:\Windows\system32\hkcmd.exe" [2006-11-06 08:05 106496]
    "Persistence "= "C:\Windows\system32\igfxpers.exe" [2006-11-06 08:02 81920]
    "Toshiba Registration "= "C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe" [2006-12-13 14:42 554640]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]

    R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20070507.001\IDSvix86.sys [2007-01-16 11:01]
    R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2006-10-31 22:40]
    R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys [2006-11-19 22:11]
    R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-11-06 09:29]
    R3 NETw4v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-09-26 13:12]
    R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2006-10-24 12:40]
    R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 11:50]
    S3 NETw3v32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-10-30 08:42]
    S3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 16:32]
    S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2006-02-14 17:50]
    S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2006-02-14 17:41]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae2f5156-24aa-11dc-822f-00a0d165729c}]
    \shell\AutoRun\command - G:\LaunchU3.exe

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-15 15:24:31 C:\Windows\Tasks\Norton Security Scan.job "
    - C:\Program Files\Norton Security Scan\Nss.exe)/scan-full /scheduleignorenav /scheduled&C:\Program Files\Norton Security Scan
    "2008-02-15 15:17:32 C:\Windows\Tasks\User_Feed_Synchronization-{D9B30BB4-63C0-47D4-A444-A174F9308500}.job "
    - C:\Windows\system32\msfeedssync.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-16 11:52:36
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TOSCDSPD = C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????9?l?L?????? ???X?????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-16 11:53:09
    ComboFix2.txt 2008-02-15 05:04:56
    .
    2008-02-15 13:08:31 --- E O F ---


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:39:26, on 16/02/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16609)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
    C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\Explorer.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe "
    O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
    O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
    O13 - Gopher Prefix:
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 7891 bytes
     
    Last edited: 2008/02/16
    sean,
    #9
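    Sean asks above which of the O4 startup entries are safe to stop. Before anyone decides that, the usual first pass is to sort the entries by where they load from and mark the ones that need verifying by hand. The script below is an added example written for this thread; it is not code from HijackThis, ComboFix or the forum. It parses O2, O4 and O23 lines in the format of the log posted above, records which hive each Run entry lives in (HKLM is machine-wide, HKCU is the logged-on user, HKUS\S-1-5-19 and S-1-5-20 are the LOCAL SERVICE and NETWORK SERVICE accounts), follows rundll32 entries through to the DLL they load, and flags entries that point at a missing file, a bare filename resolved through the PATH search order, a user-writable directory, or an 8.3 short path. The sample lines are copied from the log in this post, plus one constructed HKCU entry (labelled CONSTRUCTED) to exercise the user-writable check. A flag means "verify this one", not "this is malware".

```python
"""Triage helper for HijackThis-style O2/O4/O23 lines (added example, not HJT code).

It parses each autorun, browser-helper and service line and attaches review
flags an analyst would follow up by hand; it does not decide what is malicious.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Well-known SIDs that appear as HKUS\S-1-5-xx hives in O4 lines.
WELL_KNOWN_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE",
                   "S-1-5-20": "NETWORK SERVICE"}
# Locations a standard user can write to; an autorun living there needs a second look.
USER_WRITABLE = re.compile(r"\\(users|documents and settings)\\|\\appdata\\|\\temp\\", re.I)

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# First executable or library on the command line, quoted or not, arguments or not.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|scr|com|cpl))"?(?=\s|,|$)', re.I)


@dataclass
class Entry:
    kind: str              # "O2", "O4" or "O23"
    hive: str              # "HKLM", "HKCU", "HKUS", or "" when not a Run key
    owner: str             # account the hive belongs to (O4) or vendor string (O23)
    name: str
    raw: str               # command or path exactly as logged (User suffix removed)
    target: str            # file actually loaded (the DLL for rundll32 entries)
    flags: List[str] = field(default_factory=list)


def classify_hive(hive: str) -> Tuple[str, str]:
    if hive.startswith("HKUS\\"):
        sid = hive.split("\\", 1)[1]
        return "HKUS", WELL_KNOWN_SIDS.get(sid, sid)
    return hive, {"HKLM": "all users (machine-wide)", "HKCU": "logged-on user"}.get(hive, "")


def inspect_command(cmd: str) -> Tuple[str, List[str]]:
    """Return (target file, review flags) for one command line or path."""
    flags: List[str] = []
    if "(no file)" in cmd or "(file missing)" in cmd:
        return cmd, ["missing-file"]          # orphaned entry: nothing left on disk to load
    m = EXE_RE.match(cmd)
    if not m:
        return cmd, ["unparsed"]
    target = m["exe"]
    if target.split("\\")[-1].lower() == "rundll32.exe":
        # rundll32 is only a host; the payload is the DLL named after it, up to the comma
        rest = cmd[m.end():].strip().strip('"')
        target = rest.split(",")[0].strip().strip('"')
        flags.append("rundll32-host")
    if "\\" not in target:
        flags.append("bare-name")             # located via the PATH search order at logon
    if USER_WRITABLE.search(target):
        flags.append("user-writable-path")
    if "~" in target:
        flags.append("8.3-short-path")        # short name hides the real directory name
    return target, flags


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        cmd = re.sub(r"\s*\(User '[^']*'\)$", "", m["cmd"]).strip()
        hive, owner = classify_hive(m["hive"])
        target, flags = inspect_command(cmd)
        return Entry("O4", hive, owner, m["name"], cmd, target, flags)
    m = O2_RE.match(line)
    if m:
        target, flags = inspect_command(m["path"].strip())
        return Entry("O2", "", "", m["name"], m["path"], target, flags)
    m = O23_RE.match(line)
    if m:
        target, flags = inspect_command(m["path"].strip())
        return Entry("O23", "", m["vendor"], m["name"], m["path"], target, flags)
    return None


def triage(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def review_queue(entries: List[Entry]):
    """Flagged entries in log order: what to verify by hand before changing anything."""
    return [(e.kind, e.hive, e.name, e.target, e.flags) for e in entries if e.flags]


def count_by_hive(entries: List[Entry]):
    counts = {}
    for e in entries:
        if e.kind == "O4":
            counts[e.hive] = counts.get(e.hive, 0) + 1
    return counts


# Sample input: lines copied from the HJT log in this post, plus one CONSTRUCTED entry.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKCU\..\Run: [CONSTRUCTED sample] C:\Users\EXAMPLE\AppData\Local\Temp\example.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("O4 entries per hive:", count_by_hive(found))
    for row in review_queue(found):
        print(row)
```

    On the sample above the script leaves the fully-pathed Program Files entries alone and queues seven items: the orphaned BHO, the two bare-name Run entries (RtHDVCpl.exe and NDSTray.exe, which the running-process list shows resolving to C:\Windows and the Toshiba ConfigFree folder), the two rundll32 hosts with the DLL each one loads, the constructed Temp-directory entry, and the 8.3-path LiveUpdate service. Each of those is then checked by locating the file and confirming its publisher, which is exactly the manual step the log alone cannot do.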
  11. 2008/02/16
    Geri
    Hi
    OK, ComboFix still didn't show the deletions? But the file I was looking for is gone from your HJT log.

    Let's see if SDFix will run now; follow the instructions above for it.
    Let me know and we'll go from there.

    Thanks
    Geri
     
  12. 2008/02/16
    sean
    Hi Geri.

    Do I run SDFix in normal mode, as I cannot get into safe mode?

    Cheers,

    Sean.
     
  13. 2008/02/16
    Geri
    Hi sean
    No, that's not a good idea.
    Let's see if DSS will show any restrictions on the system.

    Please download Deckard's System Scanner (dss.exe) and save it to your Desktop.
    Note: You must be logged onto an account with administrator privileges to complete the following.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt; please copy and then paste the contents of main.txt and extra.txt in your next reply.

    Please post the "main.txt" log only for now.

    Thanks
    Geri
     
  14. 2008/02/17
    sean
    Good morning Geri (8am)

    The girlfriend has taken the laptop home but will be here today, so I will get on with your instructions later if that's OK.

    After I ran ComboFix I got a blank screen with only the cursor showing and no desktop icons; I had to press Ctrl/Alt/Del to bring them up. Is this normal? I started to panic and thought I'd bust her laptop.

    Cheers,

    sean.
     
  15. 2008/02/17
    Geri
    Hi sean
    OK, whenever you get it back.


    Well, no, not really; did you make sure it finished all the way through?

    ComboFix is a very powerful tool and should never be used lightly; that was why I wanted you to use SDFix first, as it also targeted the infection.

    I'll be waiting for the dss log.

    Geri
     
  16. 2008/02/17
    sean
    Hi Geri.

    Yes, it was a couple of hours after I ran it; I had turned the laptop off and then tried to turn it back on after I had something to eat.

    Sorry about the delay.... boyfriend/girlfriend stuff ;) I couldn't get the laptop off them.

    Here's the DSS main.txt log:

    Deckard's System Scanner v20071014.68
    Run by Ruth on 2008-02-18 05:36:46
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- Last 2 Restore Point(s) --
    2: 2008-02-17 19:56:19 UTC - RP129 - Scheduled Checkpoint
    1: 2008-02-16 11:54:28 UTC - RP128 - Windows Update


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 1014 MiB (1024 MiB recommended).


    -- HijackThis (run as Ruth.exe) ------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 05:37:31, on 18/02/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16609)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
    C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Users\Ruth\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Ruth.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe "
    O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
    O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
    O13 - Gopher Prefix:
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 7873 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

    backup-20080214-174002-636 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    -- File Associations -----------------------------------------------------------

    .cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1 ",%*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    All drivers whitelisted.


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
    R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
    R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree(TM)>
    R2 TODDSrv (TOSHIBA Optical Disc Drive Service) - c:\windows\system32\toddsrv.exe <Not Verified; TOSHIBA Corporation; TDCSrv Application>
    R2 TOSHIBA Bluetooth Service - c:\program files\toshiba\bluetooth toshiba stack\tosbtsrv.exe <Not Verified; TOSHIBA CORPORATION; Bluetooth Stack for Windows by TOSHIBA>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2008-02-17 20:06:28 416 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{D9B30BB4-63C0-47D4-A444-A174F9308500}.job
    2008-02-15 15:24:31 444 --a------ C:\Windows\Tasks\Norton Security Scan.job


    -- Files created between 2008-01-18 and 2008-02-18 -----------------------------

    2008-02-15 05:01:34 68096 --a------ C:\Windows\system32\zip.exe
    2008-02-15 05:01:34 98816 --a------ C:\Windows\system32\sed.exe
    2008-02-15 05:01:34 80412 --a------ C:\Windows\system32\grep.exe
    2008-02-15 05:01:34 73728 --a------ C:\Windows\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-02-14 18:33:31 0 d-------- C:\Program Files\Common Files\Adobe
    2008-02-12 18:30:04 0 d-------- C:\Program Files\Trend Micro
    2008-02-06 21:23:14 0 d-------- C:\Program Files\iPod
    2008-02-06 21:23:01 0 d-------- C:\Program Files\iTunes
    2008-02-06 21:21:15 0 d-------- C:\Program Files\Bonjour
    2008-02-06 21:19:24 0 d-------- C:\Program Files\QuickTime
    2008-02-06 21:19:21 0 d-------- C:\Users\All Users\Apple Computer
    2008-02-06 21:16:47 0 d-------- C:\Program Files\Apple Software Update
    2008-02-06 21:14:39 0 d-------- C:\Program Files\Common Files\Apple
    2008-02-06 21:14:36 0 d-------- C:\Users\All Users\Apple


    -- Find3M Report ---------------------------------------------------------------

    2008-02-16 13:01:17 988 --a------ C:\Users\Ruth\AppData\Roaming\wklnhst.dat
    2008-02-15 18:19:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2008-02-15 15:00:01 0 d-------- C:\Program Files\Norton Security Scan
    2008-02-14 18:33:31 0 d-------- C:\Program Files\Common Files
    2008-02-13 16:21:39 0 d-------- C:\Program Files\Norton Internet Security
    2008-02-06 21:24:21 0 d-------- C:\Users\Ruth\AppData\Roaming\Apple Computer
    2008-01-09 21:14:12 0 d-------- C:\Program Files\Windows Sidebar


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [02/11/2006 12:34]
    "TPwrMain "= "C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [14/12/2006 19:07]
    "HSON "= "C:\Program Files\TOSHIBA\TBS\HSON.exe" [07/12/2006 16:49]
    "SmoothView "= "C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [14/12/2006 19:09]
    "00TCrdMain "= "C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [11/12/2006 17:27]
    "NvSvc "= "C:\Windows\system32\nvsvc.dll" [07/12/2006 19:25]
    "NvCplDaemon "= "C:\Windows\system32\NvCpl.dll" [07/12/2006 19:25]
    "NvMediaCenter "= "C:\Windows\system32\NvMcTray.dll" [07/12/2006 19:25]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [27/10/2006 12:50]
    "RtHDVCpl "= "RtHDVCpl.exe" [07/11/2006 13:50 C:\Windows\RtHDVCpl.exe]
    "NDSTray.exe "= "NDSTray.exe" []
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [09/01/2007 21:59]
    "osCheck "= "C:\Program Files\Norton Internet Security\osCheck.exe" [26/10/2006 23:18]
    "topi "= "C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe" [15/12/2006 16:11]
    "IgfxTray "= "C:\Windows\system32\igfxtray.exe" [06/11/2006 08:02]
    "HotKeysCmds "= "C:\Windows\system32\hkcmd.exe" [06/11/2006 08:05]
    "Persistence "= "C:\Windows\system32\igfxpers.exe" [06/11/2006 08:02]
    "Toshiba Registration "= "C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe" [13/12/2006 14:42]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [15/01/2008 03:22]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "C:\Program Files\Windows Sidebar\sidebar.exe" [09/01/2008 21:06]
    "TOSCDSPD "= "C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [13/11/2006 09:06]
    "WMPNSCFG "= "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [02/11/2006 12:36]
    "ehTray.exe "= "C:\Windows\ehome\ehTray.exe" [02/11/2006 12:35]
    "msnmsgr "= "C:\Program Files\MSN Messenger\msnmsgr.exe" [19/01/2007 12:54]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin "=2 (0x2)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
    @= "IEEE 1394 Bus host controllers "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
    @= "SBP2 IEEE 1394 Devices "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
    @= "SecurityDevices "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae2f5156-24aa-11dc-822f-00a0d165729c}]
    AutoRun\command- G:\LaunchU3.exe

    *Newly Created Service* - COMHOST

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    C:\Windows\system32\unregmp2.exe /ShowWMP

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



    -- End of Deckard's System Scanner: finished at 2008-02-18 05:39:51 ------------


    MANY THANKS,

    Sean.
     
  17. 2008/02/18
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi sean
    I see you downloaded System Repair Engineer (SREng).
    Did it help?

    Please do the following and we'll see if it helps.

    I see there is a broken file association. The following will fix it.

    ** dss.exe must be on the desktop for the following command to work. **

    Highlight and copy the bolded command below.

    "%userprofile%\desktop\dss.exe" /daft
    • Click Start>Run and paste the command in, then hit enter.
    • An interface of Deckard's file association fix will open.
    • Click Scan.
    • .cpl should come up in the list.
    • Check the box next to it, then click Fix.
    • Exit when complete.

    Then see if you can get into Safe mode.

    Let me know how things are running.

    Thanks
    Geri
     
  18. 2008/02/18
    sean

    sean Well-Known Member Thread Starter

    Joined:
    2007/03/24
    Messages:
    166
    Likes Received:
    0
    Hi geri.

    Sorry, I know nothing about it, and when I asked the girlfriend I got the same answer. The only thing I can think of is that someone in her family downloaded it a while ago.

    Just nipped home for some lunch, so I'll crack on later with your latest instructions.

    MANY THANKS,

    Sean.
     
  19. 2008/02/18
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, this was added on the 15th Feb. Was it something else from Smallfrogs Studio?

    2008-02-15 05:01:34 68096 --a------ C:\Windows\system32\zip.exe
    2008-02-15 05:01:34 98816 --a------ C:\Windows\system32\sed.exe
    2008-02-15 05:01:34 80412 --a------ C:\Windows\system32\grep.exe
    2008-02-15 05:01:34 73728 --a------ C:\Windows\system32\fdsv.exe <Not Verified; Smallfrogs Studio;

    I kind of need to know. Don't want some malware downloading things without your knowledge.

    Thanks
    Geri
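A small triage script, added here as an example and not part of this thread or of Deckard's System Scanner, that parses lines in the shape of the "Files created" section quoted above and flags executables dropped under the Windows directory without a verified signature, plus groups of files created in the same second (the pattern Geri is asking about). The sample lines are re-typed from the log above; the line format is the only assumption made about DSS output.

```python
import re
from collections import defaultdict

# Constructed sample: the five "Files created" lines quoted above, re-typed
# so the script runs offline (same shape as the real DSS output).
SAMPLE = r"""
2008-02-15 05:01:34 68096 --a------ C:\Windows\system32\zip.exe
2008-02-15 05:01:34 98816 --a------ C:\Windows\system32\sed.exe
2008-02-15 05:01:34 80412 --a------ C:\Windows\system32\grep.exe
2008-02-15 05:01:34 73728 --a------ C:\Windows\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-14 18:33:31 0 d-------- C:\Program Files\Common Files\Adobe
"""

# Line shape: date time size attributes path [<signature status; publisher; description>]
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<attrs>\S+) (?P<path>.*?)(?: <(?P<sig>[^>]*)>)?$"
)

def parse_entries(text):
    """Parse DSS-style file lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["is_dir"] = e["attrs"].startswith("d")
        sig = e.pop("sig")  # None when DSS printed no signature note at all
        # A file counts as verified only if a note is present and is not "Not Verified"
        e["verified"] = sig is not None and not sig.startswith("Not Verified")
        e["publisher"] = sig.split(";")[1].strip() if sig and ";" in sig else ""
        entries.append(e)
    return entries

def triage(entries, system_prefix="c:\\windows\\"):
    """Return ('unverified', path, publisher) for non-verified files under the Windows
    directory and ('batch', 'date time', [paths]) for 2+ such files created in one second."""
    findings, batches = [], defaultdict(list)
    for e in entries:
        if e["is_dir"] or not e["path"].lower().startswith(system_prefix):
            continue
        if not e["verified"]:
            findings.append(("unverified", e["path"], e["publisher"]))
        batches[e["date"] + " " + e["time"]].append(e["path"])
    for stamp, paths in batches.items():
        if len(paths) >= 2:
            findings.append(("batch", stamp, paths))
    return findings
```

Running `triage(parse_entries(SAMPLE))` reports all four system32 binaries as unverified (three carry no signature note, fdsv.exe is marked Not Verified) and one batch of four files at 2008-02-15 05:01:34.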
     
  20. 2008/02/18
    sean

    sean Well-Known Member Thread Starter

    Joined:
    2007/03/24
    Messages:
    166
    Likes Received:
    0
    Hello Geri.

    I have asked them both if they downloaded anything at all on Friday 15th Feb and they told me no.

    I have not tried your instructions from post number 16 until you give me the all clear to do so.

    MANY THANKS

    Sean.
     
  21. 2008/02/18
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi sean

    Yes go ahead with the instructions.

    Geri
     
