
Its Got Problems (trojans)

Discussion in 'Malware and Virus Removal Archive' started by Ranger SVO, 2008/02/04.

  1. 2008/02/04
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    Joined:
    2006/05/13
    Messages:
    297
    Likes Received:
    4
    My son's computer is not working properly. In fact it's pretty bad. He is blaming the 2 gig of RAM I installed in December.

    I know better.

    Here is the HijackThis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:41:30 PM, on 2/4/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
    C:\WINDOWS\system32\lxddcoms.exe
    C:\WINDOWS\system32\svchost.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\WINDOWS\system32\TODDSrv.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
    C:\Program Files\Orbitdownloader\orbitdm.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Orbitdownloader\orbitnet.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
    O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
    O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

    --
    End of file - 6841 bytes

    Can you help?
     
  2. 2008/02/04
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    Joined:
    2006/05/13
    Messages:
    297
    Likes Received:
    4
    Here is a DSS Log

    Deckard's System Scanner v20071014.68
    Run by Mark ****** on 2008-02-04 18:50:00
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    130: 2008-02-05 00:51:50 UTC - RP379 - Deckard's System Scanner Restore Point
    129: 2008-02-03 21:04:42 UTC - RP378 - System Checkpoint
    128: 2008-02-02 20:58:28 UTC - RP377 - System Checkpoint
    127: 2008-02-01 20:47:39 UTC - RP376 - Install AnyDVD
    126: 2008-02-01 04:21:02 UTC - RP375 - System Checkpoint


    -- First Restore Point --
    1: 2007-12-29 14:11:34 UTC - RP250 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Mark Farrar.exe) -----------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:52:54 PM, on 2/4/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
    C:\WINDOWS\system32\lxddcoms.exe
    C:\WINDOWS\system32\svchost.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\WINDOWS\system32\TODDSrv.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
    C:\Program Files\Orbitdownloader\orbitdm.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Orbitdownloader\orbitnet.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\TEMP\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Mark Farrar.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-1.dll (file missing)
    O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll
    O2 - BHO: BndDrive2 BHO Class - {8C6D5A56-791E-4fe8-9D64-81781FA15D68} - C:\Program Files\ISM\BndDrive6.dll
    O2 - BHO: BndBlock4 BHO Class - {8F9E2BE3-766D-4831-BB0E-766D5B819995} - C:\Program Files\QdrDrive\QdrDrive9.dll
    O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {AC9130BC-4104-4C2E-8B69-4A9C2D359DE5} - C:\WINDOWS\system32\ssttt.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\gebbaaa.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
    O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
    O20 - Winlogon Notify: gebbaaa - gebbaaa.dll (file missing)
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
    O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

    --
    End of file - 8657 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
    R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.7.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.7.0>
    R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
    R2 tdudf (TOSHIBA UDF File System Driver) - c:\windows\system32\drivers\tdudf.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Direct Disc Writer>
    R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
    R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
    R3 qkbfiltr (Quanta HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\qkbfiltr.sys <Not Verified; Quanta Computer, Inc.; Quanta HotKey Keyboard Filter Driver>
    R3 qmofiltr (Quanta HotKey Mouse Filter Driver) - c:\windows\system32\drivers\qmofiltr.sys <Not Verified; Quanta Computer, Inc.; Quanta Mouse Filter Device Driver>
    R3 tdcmdpst (TOSHIBA Writing Engine Filter Driver) - c:\windows\system32\drivers\tdcmdpst.sys <Not Verified; TOSHIBA Corporation.; >

    S3 APLMp50 (APLMp50 NDIS Protocol Driver) - c:\windows\system32\drivers\aplmp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe
    R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree(TM)>
    R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
    R2 Swupdtmr - c:\toshiba\ivp\swupdate\swupdtmr.exe
    R2 TODDSrv (TOSHIBA Optical Disc Drive Service) - c:\windows\system32\toddsrv.exe <Not Verified; TOSHIBA Corporation; TDCSrv Application>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Files created between 2008-01-04 and 2008-02-04 -----------------------------

    2008-02-04 17:56:51 0 dr-h----- C:\Documents and Settings\TEMP\Application Data\yahoo!
    2008-02-04 17:56:11 0 d-------- C:\Documents and Settings\TEMP\Application Data\Google
    2008-02-04 17:55:08 0 d-------- C:\Documents and Settings\TEMP\Application Data\Orbit
    2008-02-04 14:41:04 0 dr------- C:\Documents and Settings\TEMP\Favorites
    2008-02-04 14:41:04 0 d-------- C:\Documents and Settings\TEMP\Desktop
    2008-02-04 14:41:04 0 d---s---- C:\Documents and Settings\TEMP\Cookies
    2008-02-04 14:41:04 0 dr-h----- C:\Documents and Settings\TEMP\Application Data
    2008-02-04 14:41:04 0 d-------- C:\Documents and Settings\TEMP\Application Data\You've Got Pictures Screensaver
    2008-02-04 14:41:04 0 d-------- C:\Documents and Settings\TEMP\Application Data\toshiba
    2008-02-04 14:41:04 0 d-------- C:\Documents and Settings\TEMP\Application Data\InterVideo
    2008-02-04 14:41:04 0 d-------- C:\Documents and Settings\TEMP\Application Data\Identities
    2008-02-04 14:41:04 0 d-------- C:\Documents and Settings\TEMP\Application Data\Help
    2008-02-04 14:41:04 0 d-------- C:\Documents and Settings\TEMP\Application Data\AOL
    2008-02-04 14:41:03 0 d-------- C:\Documents and Settings\TEMP\WINDOWS
    2008-02-04 14:41:03 0 d--h----- C:\Documents and Settings\TEMP\Templates
    2008-02-04 14:41:03 0 dr------- C:\Documents and Settings\TEMP\Start Menu
    2008-02-04 14:41:03 0 dr-h----- C:\Documents and Settings\TEMP\SendTo
    2008-02-04 14:41:03 0 dr-h----- C:\Documents and Settings\TEMP\Recent
    2008-02-04 14:41:03 0 d--h----- C:\Documents and Settings\TEMP\PrintHood
    2008-02-04 14:41:03 0 d--h----- C:\Documents and Settings\TEMP\NetHood
    2008-02-04 14:41:03 0 dr------- C:\Documents and Settings\TEMP\My Documents
    2008-02-04 14:41:03 0 d--h----- C:\Documents and Settings\TEMP\Local Settings
    2008-02-04 14:41:01 1310720 --ah----- C:\Documents and Settings\TEMP\NTUSER.DAT
    2008-01-25 15:53:59 0 d-------- C:\Program Files\Orbitdownloader


    -- Find3M Report ---------------------------------------------------------------

    2008-02-04 18:52:33 291079 --ahs---- C:\WINDOWS\system32\tttss.ini2
    2008-02-04 18:46:15 0 d-------- C:\Program Files\QuickTime
    2008-02-04 07:27:45 0 d-------- C:\Program Files\QdrPack
    2008-02-04 07:27:44 0 d-------- C:\Program Files\QdrModule
    2008-02-01 14:44:58 0 d-------- C:\Program Files\SlySoft
    2008-01-24 19:49:30 0 d-------- C:\Program Files\Lx_cats
    2008-01-01 17:15:59 0 d-------- C:\Program Files\Trend Micro
    2007-12-30 16:39:23 3584 --a------ C:\WINDOWS\system32\ssttt.exe
    2007-12-30 16:31:47 0 d-------- C:\Program Files\Yahoo!
    2007-12-30 16:23:31 0 d-------- C:\Program Files\ltmoh
    2007-12-30 16:23:19 0 d-------- C:\Program Files\Lexmark Fax Solutions
    2007-12-30 16:23:18 0 d-------- C:\Program Files\Lexmark 2500 Series
    2007-12-30 16:23:10 0 d-------- C:\Program Files\ISM
    2007-12-30 15:15:05 0 d-------- C:\Program Files\Messenger
    2007-12-30 15:01:05 90112 --a------ C:\WINDOWS\system32\service .exe <Not Verified; M i r a r; M i r a r ErrorDnsTest>
    2007-12-30 15:00:55 155648 --a------ C:\WINDOWS\system32\NeroCheck .exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
    2007-12-30 14:37:32 0 d-------- C:\Program Files\Common Files\Real
    2007-12-30 14:37:05 0 d-------- C:\Program Files\Common Files
    2007-12-29 08:11:20 336384 --a------ C:\WINDOWS\system32\ssttt.dll
    2007-12-29 08:06:10 0 d-------- C:\Program Files\QdrDrive
    2007-12-25 11:34:48 0 d-------- C:\Program Files\Lexmark Toolbar
    2007-12-25 11:24:25 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
    2007-12-25 07:53:23 0 d-------- C:\Program Files\SpywareBlaster
    2007-12-02 21:52:09 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]
    C:\Program Files\ContextTool\ContextTool-1.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}]
    08/31/2007 11:09 AM 196608 --a------ C:\Program Files\ISM\BndDrive3.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C6D5A56-791E-4fe8-9D64-81781FA15D68}]
    10/01/2007 03:12 AM 663552 --a------ C:\Program Files\ISM\BndDrive6.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F9E2BE3-766D-4831-BB0E-766D5B819995}]
    12/14/2007 08:26 PM 192512 --a------ C:\Program Files\QdrDrive\QdrDrive9.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9815DA81-2E0C-478c-90E4-06E474E704D0}]
    07/11/2007 02:02 PM 192512 --a------ C:\Program Files\ISM\BndDrive.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC9130BC-4104-4C2E-8B69-4A9C2D359DE5}]
    12/29/2007 08:11 AM 336384 --a------ C:\WINDOWS\system32\ssttt.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}]
    C:\WINDOWS\system32\gebbaaa.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NDSTray.exe "= "NDSTray.exe" []
    "TPSMain "= "TPSMain.exe" [05/31/2005 10:00 PM C:\WINDOWS\system32\TPSMain.exe]
    "RTHDCPL "= "RTHDCPL.EXE" [09/06/2006 12:44 PM C:\WINDOWS\RTHDCPL.exe]
    "SkyTel "= "SkyTel.EXE" [05/16/2006 07:04 PM C:\WINDOWS\SkyTel.exe]
    "Alcmtr "= "ALCMTR.EXE" [05/03/2005 07:43 PM C:\WINDOWS\Alcmtr.exe]
    "AGRSMMSG "= "AGRSMMSG.exe" [03/18/2006 09:22 AM C:\WINDOWS\agrsmmsg.exe]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask .exe" [02/04/2008 06:46 PM]
    "CFSServ.exe "= "CFSServ.exe" []
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02/04/2008 06:46 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD "= "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" []
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 03:00 PM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "MySpaceIM "=C:\Program Files\MySpace\IM\MySpaceIM.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [9/4/1999 4:23:00 PM]
    Orbit.lnk - C:\Program Files\Orbitdownloader\orbitdm.exe [1/25/2008 3:54:00 PM]
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [8/21/2006 12:23:30 PM]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} "= C:\WINDOWS\system32\gebbaaa.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbaaa]
    gebbaaa.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\WINDOWS\system32\ssttt




    -- Hosts -----------------------------------------------------------------------

    127.0.0.1 ad.a8.net
    127.0.0.1 asy.a8ww.net
    127.0.0.1 www.aaa-livedoor.net #[Trojan-PSW.Win32.Maran.ei]
    127.0.0.1 www.abcsearcher.com #[Spamdexing][Microsoft.Strider]
    127.0.0.1 abc-search.info
    127.0.0.1 abloga.info #[Spamdexing]
    127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
    127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
    127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
    127.0.0.1 phpadsnew.abac.com

    16424 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2008-02-04 18:53:43 ------------
     


  4. 2008/02/05
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    Joined:
    2006/05/13
    Messages:
    297
    Likes Received:
    4
    Last edited: 2008/02/05
  5. 2008/02/05
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Ranger SVO
    There's no need to do that. Things are kind of busy, sorry for the wait.
    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    Orbit or Orbitdownloader
    ISM
    Hyperlinks Rotator
    ISMonitor
    QdrDrive


    Please note any other programs that you don't recognize in that list and post them in your next response.


    Download ComboFix from Here to your Desktop.
    It's best to disable realtime protection applications as they sometimes interfere with the tool. Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

    Please post the CF log.

    Thanks
    Geri
     
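    As an added example, not part of this thread and not code from HijackThis, Deckard's System Scanner or ComboFix, here is a small Python triage pass over the kind of HijackThis lines posted above. The rules it applies (entries that point at a missing file, O2/O3 browser helper objects registered with no name, O20 Winlogon Notify DLLs, O23 services with no vendor string, executable names carrying a space before the ".exe" extension, and O16 ActiveX controls fetched from a web URL) are heuristics chosen for this example; each flag means "look closer", not "malicious". The sample lines are copied from the log in this thread, with the benign ctfmon and Java SSVHelper lines kept as controls so the reader can see what is not flagged.

```python
import re
from typing import Dict, List, Optional

# Shape of a HijackThis entry: section code, " - ", then the body.
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d+)\s+-\s+(?P<body>.*)$")

# Sample input: lines copied from the HijackThis log posted in this thread
# (header line and two benign entries included as controls).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {AC9130BC-4104-4C2E-8B69-4A9C2D359DE5} - C:\WINDOWS\system32\ssttt.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\gebbaaa.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - Winlogon Notify: gebbaaa - gebbaaa.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one HijackThis line into section code and body; None for non-entries."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    return {"section": m.group("section"), "body": m.group("body")}


def review_reasons(entry: Dict[str, str]) -> List[str]:
    """Heuristic reasons (chosen for this example) why an entry deserves a closer look."""
    sec, body = entry["section"], entry["body"]
    reasons: List[str] = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("points at a file that no longer exists (orphaned or removed component)")
    if sec in ("O2", "O3") and "(no name)" in body:
        reasons.append("browser helper object/toolbar registered without a name")
    if sec == "O20":
        reasons.append("Winlogon Notify DLL, loaded by winlogon.exe at every logon")
    if sec == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no vendor/company string")
    # "qttask .exe": a legitimate program name with a space inserted before the extension.
    if re.search(r"\S \.exe\b", body, re.IGNORECASE):
        reasons.append("executable name contains a space before .exe")
    if sec == "O16" and re.search(r"https?://", body):
        reasons.append("ActiveX control (DPF) downloaded from a web URL; confirm the source is trusted")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return every entry with at least one review reason, in log order."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue  # header, blank line, or running-process listing
        reasons = review_reasons(entry)
        if reasons:
            findings.append({"section": entry["section"], "body": entry["body"], "reasons": reasons})
    return findings


def flagged_sections(log_text: str) -> List[str]:
    """Just the section codes of flagged entries, handy for a quick summary."""
    return [str(f["section"]) for f in triage(log_text)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['section']}: {finding['body']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

    Run against the sample, the pass flags the two unnamed O2 BHOs, the "qttask .exe" Run entry, the orphaned O9 button, the O16 download, the O20 Winlogon Notify entry and the ACS service, and leaves the SSVHelper and ctfmon lines alone. The rule set is deliberately small; a real triage also checks file signatures, creation times (the DSS "Find3M" section above gives those) and whether a path is where the vendor actually installs it.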
  6. 2008/02/06
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    Joined:
    2006/05/13
    Messages:
    297
    Likes Received:
    4
    No need to apologize to me at all, you're spending your free time helping me.

    I only saw Orbit in Add/Remove Programs, and I removed it. I also removed something called Desktop Dialer and something called Internet Speed Monitor.

    Here is the ComboFix log

    ComboFix 08-02.05.3 - Mark Farrar 2008-02-06 19:12:25.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1475 [GMT -6:00]
    Running from: C:\Documents and Settings\TEMP\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\ssttt.dll
    C:\7.tmp
    C:\WINDOWS\system32\ssttt.dll
    C:\WINDOWS\system32\tttss.ini
    C:\WINDOWS\system32\tttss.ini2

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
    .

    2008-02-04 22:07 . 2008-02-04 22:07 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\MySpace
    2008-02-04 18:49 . 2008-02-04 18:49 <DIR> d-------- C:\Deckard
    2008-02-04 17:56 . 2008-02-04 17:56 <DIR> dr-h----- C:\Documents and Settings\TEMP\Application Data\yahoo!
    2008-02-04 17:55 . 2008-02-06 18:54 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Orbit
    2008-02-04 14:41 . 2006-08-21 12:57 <DIR> d-------- C:\Documents and Settings\TEMP\WINDOWS
    2008-02-04 14:41 . 2006-08-21 13:09 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\You've Got Pictures Screensaver
    2008-02-04 14:41 . 2006-08-21 12:48 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\toshiba
    2008-02-04 14:41 . 2006-09-09 14:05 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\InterVideo
    2008-02-04 14:41 . 2006-12-27 21:33 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\AOL

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-07 01:12 --------- d-----w C:\Program Files\QuickTime
    2008-02-07 01:01 --------- d-----w C:\Program Files\Google
    2008-02-07 00:57 --------- d-----w C:\Program Files\Toshiba Games
    2008-02-07 00:56 --------- d-----w C:\Program Files\WildTangent
    2008-02-07 00:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
    2008-02-07 00:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-02-01 20:44 --------- d-----w C:\Program Files\SlySoft
    2008-01-25 01:49 --------- d-----w C:\Program Files\Lx_cats
    2008-01-01 23:15 812,344 ----a-w C:\Program Files\HJTInstall.exe
    2008-01-01 23:15 --------- d-----w C:\Program Files\Trend Micro
    2007-12-30 23:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2007-12-30 22:31 --------- d-----w C:\Program Files\Yahoo!
    2007-12-30 22:23 --------- d-----w C:\Program Files\ltmoh
    2007-12-30 22:23 --------- d-----w C:\Program Files\Lexmark Fax Solutions
    2007-12-30 22:23 --------- d-----w C:\Program Files\Lexmark 2500 Series
    2007-12-30 21:11 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-12-30 21:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-12-30 20:37 --------- d-----w C:\Program Files\Common Files\Real
    2007-12-30 20:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
    2007-12-25 17:34 --------- d-----w C:\Program Files\Lexmark Toolbar
    2007-12-25 17:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\FaxCtr
    2007-12-25 17:24 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
    2007-12-25 13:53 --------- d-----w C:\Program Files\SpywareBlaster
    2007-12-22 14:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
    2007-12-19 20:05 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
    2007-12-03 03:52 737,280 ----a-w C:\WINDOWS\iun6002.exe
    2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
    .
    Code:
    <pre>
    ----a-w           344,064 2007-12-30 21:00:35  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
    ----a-w           185,896 2007-12-30 20:28:39  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
    ----a-w            68,856 2007-12-30 21:01:26  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    ----a-w            83,608 2007-12-30 21:00:59  C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe
    ----a-w            20,480 2007-12-30 21:01:13  C:\Program Files\Lexmark 2500 Series\lxddamon .exe
    ----a-w           291,760 2007-12-30 21:01:05  C:\Program Files\Lexmark 2500 Series\lxddmon .exe
    ----a-w           312,240 2007-12-30 21:01:13  C:\Program Files\Lexmark Fax Solutions\fm3032 .exe
    ----a-w           188,416 2007-12-30 21:00:52  C:\Program Files\ltmoh\Ltmoh .exe
    ----a-w         1,121,280 2007-12-30 21:01:04  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
    ----a-w         1,694,208 2007-12-30 21:01:42  C:\Program Files\Messenger\msmsgs .exe
    ----a-w         8,720,384 2007-12-30 21:01:53  C:\Program Files\MySpace\IM\MySpaceIM .exe
    ----a-w           448,512 2008-02-07 01:12:39  C:\Program Files\QuickTime\qttask   .exe
    ----a-w         1,649,600 2007-12-30 21:01:29  C:\Program Files\SlySoft\AnyDVD\AnyDVD .exe
    ----a-w           761,946 2007-12-30 21:00:37  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
    ----a-w            65,536 2007-12-30 21:01:15  C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe
    ----a-w           122,880 2007-12-30 21:00:46  C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
    ----a-w         1,077,322 2007-12-30 21:00:45  C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
    ----a-w         1,773,568 2007-12-30 21:00:44  C:\Program Files\TOSHIBA\Windows Utilities\Hotkey .exe
    ----a-w           151,552 2007-12-30 21:00:52  C:\TOSHIBA\IVP\ISM\pinger .exe
    ----a-w            15,360 2007-12-30 21:01:17  C:\WINDOWS\system32\ctfmon .exe
    ----a-w           155,648 2007-12-30 21:00:55  C:\WINDOWS\system32\NeroCheck .exe
    ----a-w            90,112 2007-12-30 21:01:05  C:\WINDOWS\system32\service .exe
    </pre>

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]
    C:\Program Files\ContextTool\ContextTool-1.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}]
    C:\Program Files\ISM\BndDrive3.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C6D5A56-791E-4fe8-9D64-81781FA15D68}]
    C:\Program Files\ISM\BndDrive6.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9815DA81-2E0C-478c-90E4-06E474E704D0}]
    C:\Program Files\ISM\BndDrive.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD "= "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [ ]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15:00 15360]
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-02-06 19:12 5037056]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NDSTray.exe "= "NDSTray.exe" []
    "TPSMain "= "TPSMain.exe" [2005-05-31 22:00 282624 C:\WINDOWS\system32\TPSMain.exe]
    "RTHDCPL "= "RTHDCPL.EXE" [2006-09-06 12:44 16262656 C:\WINDOWS\RTHDCPL.exe]
    "SkyTel "= "SkyTel.EXE" [2006-05-16 19:04 2879488 C:\WINDOWS\SkyTel.exe]
    "AGRSMMSG "= "AGRSMMSG.exe" [2006-03-18 09:22 89541 C:\WINDOWS\agrsmmsg.exe]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask .exe" [2008-02-06 19:12 448512]
    "CFSServ.exe "= "CFSServ.exe" []
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-06 19:12 1116672]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-30 15:10 219136]
    "MySpaceIM "= "C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 19:47 8720384]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-04 16:23:00 65588]
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-08-21 12:23:30 155648]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbaaa]
    gebbaaa.dll

    R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-11 11:05]
    R2 lxdd_device;lxdd_device;C:\WINDOWS\system32\lxddcoms.exe [2007-04-25 23:21]
    R2 lxddCATSCustConnectService;lxddCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-25 23:21]
    R2 tdudf;TOSHIBA UDF File System Driver;C:\WINDOWS\system32\DRIVERS\tdudf.sys [2006-06-28 12:50]
    R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys [2005-06-10 22:42]
    R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2006-01-12 17:21]
    R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2005-05-05 15:27]
    R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys [2006-03-02 19:49]
    S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 02:06]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-06 19:20:23
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\acs.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\WINDOWS\system32\TODDSrv.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
    C:\WINDOWS\system32\TPSBattM.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-06 19:22:00 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-07 01:21:57
    .
    2008-01-24 04:59:45 --- E O F ---

    HijackThis log coming soon.
     
  7. 2008/02/06
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    I just wanna say, take your time; my son fixed the virus problem by buying a new computer. So for now this is just an extra computer. Again, thank you for taking the time to help.

    Here is the HijackThis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:34:31 PM, on 2/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
    C:\WINDOWS\system32\lxddcoms.exe
    C:\WINDOWS\system32\svchost.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\WINDOWS\system32\TODDSrv.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-1.dll (file missing)
    O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll (file missing)
    O2 - BHO: BndDrive2 BHO Class - {8C6D5A56-791E-4fe8-9D64-81781FA15D68} - C:\Program Files\ISM\BndDrive6.dll (file missing)
    O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll (file missing)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
    O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
    O20 - Winlogon Notify: gebbaaa - gebbaaa.dll (file missing)
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
    O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

    --
    End of file - 7110 bytes
     
  8. 2008/02/06
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi Ranger SVO

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C6D5A56-791E-4fe8-9D64-81781FA15D68}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9815DA81-2E0C-478c-90E4-06E474E704D0}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbaaa]
    
    RenV::
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe 
    C:\Program Files\Common Files\Real\Update_OB\realsched .exe 
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe 
    C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe 
    C:\Program Files\Lexmark 2500 Series\lxddamon .exe 
    C:\Program Files\Lexmark 2500 Series\lxddmon .exe 
    C:\Program Files\Lexmark Fax Solutions\fm3032 .exe 
    C:\Program Files\ltmoh\Ltmoh .exe 
    C:\Program Files\McAfee\SpamKiller\MSKDetct .exe 
    C:\Program Files\Messenger\msmsgs .exe 
    C:\Program Files\MySpace\IM\MySpaceIM .exe 
    C:\Program Files\QuickTime\qttask .exe 
    C:\Program Files\SlySoft\AnyDVD\AnyDVD .exe 
    C:\Program Files\Synaptics\SynTP\SynTPEnh .exe 
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe 
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe 
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe 
    C:\Program Files\TOSHIBA\Windows Utilities\Hotkey .exe 
    C:\TOSHIBA\IVP\ISM\pinger .exe
    C:\WINDOWS\system32\ctfmon .exe 
    C:\WINDOWS\system32\NeroCheck .exe 
    C:\WINDOWS\system32\service .exe 

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only.

    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use the Firefox browser:
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use the Opera browser:
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.


    Please post the new CF log.

    Thanks
    Geri
     
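The CFScript above is assembled from two things the logs show: executables whose names carry whitespace before ".exe" in the ComboFix file listing (the RenV:: section), and HijackThis O2/O20 entries whose DLL is reported "(file missing)" (the Registry:: section). As an added example (not ComboFix, HijackThis, or Geri's own script), the Python below parses lines in those two formats and drafts the matching sections; the sample lines are constructed from entries on this page, and the abbreviated key form `HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CLSID}` is copied from ComboFix's own "Reg Loading Points" output.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the ComboFix "Code:" file listing above
# (attributes, size, timestamp, path); the third line is a clean control entry.
COMBOFIX_PRE = r"""
----a-w           448,512 2008-02-07 01:12:39  C:\Program Files\QuickTime\qttask   .exe
----a-w            90,112 2007-12-30 21:01:05  C:\WINDOWS\system32\service .exe
----a-w            15,360 2007-12-30 21:01:17  C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed sample HijackThis lines, reusing CLSIDs and names from the log above.
HJT_LINES = r"""
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll (file missing)
O20 - Winlogon Notify: gebbaaa - gebbaaa.dll (file missing)
"""

# One line of the ComboFix listing: attribute flags, size, timestamp, full path.
PRE_LINE = re.compile(
    r"^(?P<attr>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)
# A file name with whitespace between its stem and its extension ("qttask   .exe").
SPACED_NAME = re.compile(r"^(?P<stem>.*\S)\s+(?P<ext>\.[A-Za-z0-9]+)$")
HJT_BHO = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)"
    r"(?P<missing> \(file missing\))?$"
)
HJT_NOTIFY = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?$"
)
# Abbreviated key prefixes as ComboFix prints them under "Reg Loading Points".
BHO_KEY_PREFIX = "[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\"
NOTIFY_KEY_PREFIX = ("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
                     "\\currentversion\\winlogon\\notify\\")

@dataclass
class FileEntry:
    attrs: str
    size: int
    timestamp: str
    path: str

def parse_pre_block(text: str) -> list[FileEntry]:
    """Parse the file listing ComboFix prints between <pre> tags."""
    entries = []
    for line in text.splitlines():
        m = PRE_LINE.match(line.strip())
        if m:
            entries.append(FileEntry(m["attr"], int(m["size"].replace(",", "")),
                                     m["ts"], m["path"]))
    return entries

def spaced_executables(entries: list[FileEntry]) -> list[tuple[str, str]]:
    """Return (path as listed, name without the inserted whitespace) for
    files named like 'stem .exe'; these are the RenV:: candidates."""
    flagged = []
    for entry in entries:
        name = entry.path.rsplit("\\", 1)[-1]
        m = SPACED_NAME.match(name)
        if m:
            flagged.append((entry.path, m["stem"] + m["ext"]))
    return flagged

def missing_hjt_entries(text: str) -> list[str]:
    """Registry:: deletion lines for O2 BHO and O20 Winlogon Notify entries
    whose DLL HijackThis reports as '(file missing)'."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        m = HJT_BHO.match(line)
        if m and m["missing"]:
            keys.append(BHO_KEY_PREFIX + m["clsid"] + "]")
            continue
        m = HJT_NOTIFY.match(line)
        if m and m["missing"]:
            keys.append(NOTIFY_KEY_PREFIX + m["key"] + "]")
    return keys

def build_cfscript(pre_text: str, hjt_text: str) -> str:
    """Draft a CFScript with a Registry:: and a RenV:: section, in the
    layout of the script posted above, from the two log excerpts."""
    keys = missing_hjt_entries(hjt_text)
    renames = spaced_executables(parse_pre_block(pre_text))
    sections = []
    if keys:
        sections.append("Registry::\n" + "\n".join(keys))
    if renames:
        sections.append("RenV::\n" + "\n".join(path for path, _ in renames))
    return "\n\n".join(sections) + "\n"

if __name__ == "__main__":
    print(build_cfscript(COMBOFIX_PRE, HJT_LINES))
```

The draft only mirrors what the two logs already say; which entries actually belong in a script remains the helper's call after reading the full log.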
  9. 2008/02/07
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    Here is the ComboFix Log

    I will download ATF Cleaner in a moment.

    This thing is already running much better.

    ComboFix 08-02.05.3 - Mark ***** 2008-02-07 18:59:05.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1492 [GMT -6:00]
    Running from: C:\Documents and Settings\TEMP\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\TEMP\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\service.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
    .

    2008-02-06 21:13 . 2008-02-06 21:13 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\ArcSoft
    2008-02-06 19:51 . 2008-02-06 19:51 <DIR> d---s---- C:\Documents and Settings\TEMP\UserData
    2008-02-06 19:33 . 2008-02-06 19:33 <DIR> d-------- C:\Trend Micro
    2008-02-04 22:07 . 2008-02-04 22:07 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\MySpace
    2008-02-04 18:49 . 2008-02-04 18:49 <DIR> d-------- C:\Deckard
    2008-02-04 17:56 . 2008-02-06 20:49 <DIR> dr-h----- C:\Documents and Settings\TEMP\Application Data\yahoo!
    2008-02-04 17:55 . 2008-02-06 18:54 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Orbit
    2008-02-04 14:41 . 2006-08-21 12:57 <DIR> d-------- C:\Documents and Settings\TEMP\WINDOWS
    2008-02-04 14:41 . 2006-08-21 13:09 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\You've Got Pictures Screensaver
    2008-02-04 14:41 . 2006-08-21 12:48 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\toshiba
    2008-02-04 14:41 . 2006-09-09 14:05 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\InterVideo
    2008-02-04 14:41 . 2006-12-27 21:33 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\AOL

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-08 00:59 --------- d-----w C:\Program Files\ltmoh
    2008-02-08 00:59 --------- d-----w C:\Program Files\Lexmark Fax Solutions
    2008-02-08 00:59 --------- d-----w C:\Program Files\Lexmark 2500 Series
    2008-02-07 02:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
    2008-02-07 02:39 --------- d-----w C:\Program Files\Naevius GVI Converter
    2008-02-07 02:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-07 01:12 --------- d-----w C:\Program Files\QuickTime
    2008-02-07 01:01 --------- d-----w C:\Program Files\Google
    2008-02-07 00:57 --------- d-----w C:\Program Files\Toshiba Games
    2008-02-07 00:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
    2008-02-07 00:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-02-01 20:44 --------- d-----w C:\Program Files\SlySoft
    2008-01-25 01:49 --------- d-----w C:\Program Files\Lx_cats
    2008-01-01 23:15 812,344 ----a-w C:\Program Files\HJTInstall.exe
    2008-01-01 23:15 --------- d-----w C:\Program Files\Trend Micro
    2007-12-30 23:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2007-12-30 22:31 --------- d-----w C:\Program Files\Yahoo!
    2007-12-30 21:11 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-12-30 21:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-12-30 20:37 --------- d-----w C:\Program Files\Common Files\Real
    2007-12-30 20:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
    2007-12-25 17:34 --------- d-----w C:\Program Files\Lexmark Toolbar
    2007-12-25 17:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\FaxCtr
    2007-12-25 17:24 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
    2007-12-25 13:53 --------- d-----w C:\Program Files\SpywareBlaster
    2007-12-22 14:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
    2007-12-03 03:52 737,280 ----a-w C:\WINDOWS\iun6002.exe
    2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
    .
    Code:
    <pre>
    ----a-w           448,512 2008-02-07 01:12:39  C:\Program Files\QuickTime\qttask   .exe
    </pre>

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD "= "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-30 15:01 65536]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NDSTray.exe "= "NDSTray.exe" []
    "TPSMain "= "TPSMain.exe" [2005-05-31 22:00 282624 C:\WINDOWS\system32\TPSMain.exe]
    "RTHDCPL "= "RTHDCPL.EXE" [2006-09-06 12:44 16262656 C:\WINDOWS\RTHDCPL.exe]
    "SkyTel "= "SkyTel.EXE" [2006-05-16 19:04 2879488 C:\WINDOWS\SkyTel.exe]
    "AGRSMMSG "= "AGRSMMSG.exe" [2006-03-18 09:22 89541 C:\WINDOWS\agrsmmsg.exe]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask .exe" [2008-02-06 19:12 448512]
    "CFSServ.exe "= "CFSServ.exe" []
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-06 19:12 1116672]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-30 15:10 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-04 16:23:00 65588]
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-08-21 12:23:30 155648]

    R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-11 11:05]
    R2 lxdd_device;lxdd_device;C:\WINDOWS\system32\lxddcoms.exe [2007-04-25 23:21]
    R2 lxddCATSCustConnectService;lxddCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-25 23:21]
    R2 tdudf;TOSHIBA UDF File System Driver;C:\WINDOWS\system32\DRIVERS\tdudf.sys [2006-06-28 12:50]
    R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys [2005-06-10 22:42]
    R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2006-01-12 17:21]
    R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2005-05-05 15:27]
    R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys [2006-03-02 19:49]
    S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 02:06]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-07 19:02:07
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\acs.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\WINDOWS\system32\TODDSrv.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
    C:\WINDOWS\system32\TPSBattM.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-07 19:03:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-08 01:03:33
    ComboFix2.txt 2008-02-07 01:22:00
    .
    2008-01-24 04:59:45 --- E O F ---
     
  10. 2008/02/07
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    I just noticed something new on the desktop: it's a folder named %SystemDrive%.

    Any idea as to what it is?
     
  11. 2008/02/07
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi Ranger
    %SystemDrive% is the C drive for the machine; I have no idea why that would show up on your desktop.
    I'll have to ask Dave about this one, please do nothing with it for now.

    Please run ATF Cleaner; I want to see if it will clean those temp files that are showing in the ComboFix log.
    Then we need to run a CFScript again.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    RenV::
    C:\Program Files\QuickTime\qttask   .exe
    
    Please post the new ComboFix log and I'll see what Dave says about that folder.

    Thanks
    Geri
     
  12. 2008/02/07
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    I'll be more than happy to drag and drop it where it belongs. I don't know when it appeared on the desktop. It could have been there a while.

    Here is the latest log; I ran ATF Cleaner before ComboFix.

    ComboFix 08-02.05.3 - Mark ***** 2008-02-07 20:26:53.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1491 [GMT -6:00]
    Running from: C:\Documents and Settings\TEMP\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\TEMP\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
    .

    2008-02-07 20:24 . 2008-02-07 20:28 53,248 --a------ C:\WINDOWS\PSEXESVC.EXE
    2008-02-07 19:25 . 2008-02-07 19:25 <DIR> d-------- C:\Program Files\7-Zip
    2008-02-07 18:56 . 2004-08-03 15:00 388,608 --a------ C:\kmd.exe
    2008-02-06 21:13 . 2008-02-06 21:13 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\ArcSoft
    2008-02-06 19:51 . 2008-02-06 19:51 <DIR> d---s---- C:\Documents and Settings\TEMP\UserData
    2008-02-06 19:33 . 2008-02-06 19:33 <DIR> d-------- C:\Trend Micro
    2008-02-04 22:07 . 2008-02-04 22:07 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\MySpace
    2008-02-04 18:49 . 2008-02-04 18:49 <DIR> d-------- C:\Deckard
    2008-02-04 17:56 . 2008-02-06 20:49 <DIR> dr-h----- C:\Documents and Settings\TEMP\Application Data\yahoo!
    2008-02-04 17:55 . 2008-02-06 18:54 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Orbit
    2008-02-04 14:41 . 2006-08-21 12:57 <DIR> d-------- C:\Documents and Settings\TEMP\WINDOWS
    2008-02-04 14:41 . 2006-08-21 13:09 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\You've Got Pictures Screensaver
    2008-02-04 14:41 . 2006-08-21 12:48 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\toshiba
    2008-02-04 14:41 . 2006-09-09 14:05 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\InterVideo
    2008-02-04 14:41 . 2006-12-27 21:33 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\AOL

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-08 02:26 --------- d-----w C:\Program Files\QuickTime
    2008-02-08 01:43 --------- d-----w C:\Program Files\SpywareBlaster
    2008-02-08 00:59 --------- d-----w C:\Program Files\ltmoh
    2008-02-08 00:59 --------- d-----w C:\Program Files\Lexmark Fax Solutions
    2008-02-08 00:59 --------- d-----w C:\Program Files\Lexmark 2500 Series
    2008-02-07 02:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
    2008-02-07 02:39 --------- d-----w C:\Program Files\Naevius GVI Converter
    2008-02-07 02:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-07 01:01 --------- d-----w C:\Program Files\Google
    2008-02-07 00:57 --------- d-----w C:\Program Files\Toshiba Games
    2008-02-07 00:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
    2008-02-07 00:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-02-01 20:44 --------- d-----w C:\Program Files\SlySoft
    2008-01-25 01:49 --------- d-----w C:\Program Files\Lx_cats
    2008-01-01 23:15 812,344 ----a-w C:\Program Files\HJTInstall.exe
    2008-01-01 23:15 --------- d-----w C:\Program Files\Trend Micro
    2007-12-30 23:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2007-12-30 22:39 3,584 ----a-w C:\WINDOWS\system32\ssttt.exe
    2007-12-30 22:31 --------- d-----w C:\Program Files\Yahoo!
    2007-12-30 21:11 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-12-30 21:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-12-30 21:00 155,648 ----a-w C:\WINDOWS\system32\NeroCheck.exe
    2007-12-30 20:37 --------- d-----w C:\Program Files\Common Files\Real
    2007-12-30 20:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
    2007-12-25 17:34 --------- d-----w C:\Program Files\Lexmark Toolbar
    2007-12-25 17:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\FaxCtr
    2007-12-25 17:24 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
    2007-12-22 14:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
    2007-12-03 03:52 737,280 ----a-w C:\WINDOWS\iun6002.exe
    2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-30 15:01 65536]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NDSTray.exe"="NDSTray.exe" []
    "TPSMain"="TPSMain.exe" [2005-05-31 22:00 282624 C:\WINDOWS\system32\TPSMain.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2006-09-06 12:44 16262656 C:\WINDOWS\RTHDCPL.exe]
    "SkyTel"="SkyTel.EXE" [2006-05-16 19:04 2879488 C:\WINDOWS\SkyTel.exe]
    "AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 09:22 89541 C:\WINDOWS\agrsmmsg.exe]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
    "CFSServ.exe"="CFSServ.exe" []
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-06 19:12 1116672]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-30 15:10 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-04 16:23:00 65588]
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-08-21 12:23:30 155648]

    R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-11 11:05]
    R2 lxdd_device;lxdd_device;C:\WINDOWS\system32\lxddcoms.exe [2007-04-25 23:21]
    R2 lxddCATSCustConnectService;lxddCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-25 23:21]
    R2 tdudf;TOSHIBA UDF File System Driver;C:\WINDOWS\system32\DRIVERS\tdudf.sys [2006-06-28 12:50]
    R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys [2005-06-10 22:42]
    R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2006-01-12 17:21]
    R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2005-05-05 15:27]
    R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys [2006-03-02 19:49]
    S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 02:06]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-07 20:28:07
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-07 20:28:33
    ComboFix-quarantined-files.txt 2008-02-08 02:28:25
    ComboFix2.txt 2008-02-08 01:03:41
    ComboFix3.txt 2008-02-07 01:22:00
    .
    2008-01-24 04:59:45 --- E O F ---
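
As an added example (not a ComboFix or WindowsBBS tool, and not something anyone in this thread ran), here is a small Python triage script for a ComboFix log like the one above. It parses the "Files Created", "Find3M" and Run-key lines and lists the entries a responder would look at first: files carrying the hidden or system attribute, executables sitting directly in C:\ or C:\WINDOWS, files created on this disk later than they were last modified (copied in from elsewhere), and Run values for which ComboFix printed no file details. The watched directories, the extension list and the wording of the reasons are my assumptions; the sample lines are copied from the log posted above, plus one constructed Run entry in the same format. A flag is a lead for a hash lookup or online scan, not a verdict.

```python
"""Added example: triage a ComboFix-style log.  Not a ComboFix/WindowsBBS tool.
Flags entries a responder looks at first; a flag is a lead, not a verdict.
WATCH_DIRS, EXEC_EXT and the reason wording are assumptions."""
import re
from dataclasses import dataclass, field

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl")
# Dropping an executable straight into the drive root or C:\WINDOWS is unusual
# for installers and common for droppers (assumption, tune for your estate).
WATCH_DIRS = {"c:\\", "c:\\windows"}

# "Files Created":  created . modified  size|<DIR>  attrs  path
# "Find3M":         modified            size|-----  attrs  path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r" (?P<size><DIR>|[\d,]+|-+) (?P<attrs>[a-z-]{7,9}) (?P<path>.+)$"
)
# Run-key lines: "Name"="target" [date time size]; tolerant of the stray
# spaces the forum software inserted around the quotes.
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+?)\s*"\s*=\s*"(?P<target>[^"]*)"\s*\[(?P<info>[^\]]*)\]$'
)

# Sample lines copied from the ComboFix log above; the CFSServ line is constructed.
SAMPLE_LOG = r"""
2008-02-07 20:24 . 2008-02-07 20:28 53,248 --a------ C:\WINDOWS\PSEXESVC.EXE
2008-02-07 19:25 . 2008-02-07 19:25 <DIR> d-------- C:\Program Files\7-Zip
2008-02-07 18:56 . 2004-08-03 15:00 388,608 --a------ C:\kmd.exe
2008-02-04 17:56 . 2008-02-06 20:49 <DIR> dr-h----- C:\Documents and Settings\TEMP\Application Data\yahoo!
2008-02-08 02:26 --------- d-----w C:\Program Files\QuickTime
2008-01-01 23:15 812,344 ----a-w C:\Program Files\HJTInstall.exe
2007-12-30 22:39 3,584 ----a-w C:\WINDOWS\system32\ssttt.exe
2007-12-03 03:52 737,280 ----a-w C:\WINDOWS\iun6002.exe
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
"TOSCDSPD "= "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-30 15:01 65536]
"NDSTray.exe "= "NDSTray.exe" []
"CFSServ.exe"="CFSServ.exe" []
"""


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def parent_dir(path):
    """Lower-cased directory part of a Windows path; 'c:\\' for root files."""
    head = path.rpartition("\\")[0]
    return (head + "\\" if head.endswith(":") else head).lower()


def triage(log_text):
    """Return Findings (path + reasons) for the lines worth a second look."""
    findings = {}

    def note(path, reason):
        findings.setdefault(path, Finding(path)).reasons.append(reason)

    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            path, attrs = m["path"], m["attrs"]
            if m["size"] == "<DIR>" or attrs.startswith("d"):
                continue  # directories: nothing to execute, skip
            if "h" in attrs or "s" in attrs:
                note(path, "hidden/system attribute set on a file (%s)" % attrs)
            where = parent_dir(path)
            if path.lower().endswith(EXEC_EXT) and where in WATCH_DIRS:
                note(path, "executable placed directly in %s" % where)
            # Only "Files Created" lines carry both stamps; an old mtime on a
            # file that appeared recently means it was copied in, not built here.
            if m["modified"] and m["modified"] < m["created"]:
                note(path, "created %s but last modified %s: copied in from elsewhere"
                     % (m["created"], m["modified"]))
            continue
        m = RUN_RE.match(line)
        if m and not m["info"].strip():
            note(m["target"], 'Run value "%s": ComboFix printed no file details, '
                 "resolve the target by hand" % m["name"])
    return sorted(findings.values(), key=lambda f: f.path.lower())


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.path)
        for r in f.reasons:
            print("   -", r)
```

Run it against a saved log with `triage(open("ComboFix.txt", encoding="cp1252", errors="replace").read())`; on this sample it singles out PSEXESVC.EXE, kmd.exe, iun6002.exe, AVSredirect.dll and the two unresolved Run values, which is the same short list the thread goes on to examine by hand.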
     
  13. 2008/02/07
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Ranger
    OK, Dave said to make sure it's not a shortcut. If it is, it should have a small arrow in the corner of the icon. He said if it's a folder, to open it and see what's in it.
    Let me know.
    You can also right click it and click properties and see what it says in there.

    OK Lets scan a couple files

    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste the following file paths into the "File to upload & scan" box at the top of the page, one at a time:
      • C:\WINDOWS\PSEXESVC.EXE
      • C:\WINDOWS\iun6002.exe
      • C:\WINDOWS\system32\AVSredirect.dll
    • Click on the submit button
    • Please post the results in your next reply.

    Thanks
    Geri
     
  14. 2008/02/08
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    Joined:
    2006/05/13
    Messages:
    297
    Likes Received:
    4
    No, it's not a shortcut. Can I send you a .zip copy of the folder?

    This is a copy of the address bar:
    C:\Documents and Settings\TEMP\Desktop\%SystemDrive%\Documents and Settings\TEMP\Application Data\Microsoft

    Now there are two folders. SystemCertificates contains a number of folders that are all empty.

    The other folder, CrptnetUrlCache, contains two folders, Content and MetaData, which contain two system files each:
    60E31627FDA0A46932B0E5948949F2A5
    A8FABA189DB7D25FBA7CAC806625FD30

    60E31627FDA0A46932B0E5948949F2A5
    A8FABA189DB7D25FBA7CAC806625FD30

    Hope this is helpful

    Here are the jotti checks

    File: PSEXESVC.EXE
    Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: 34567437e1881533d582028e95456fbc
    Packers detected: -
    Bit9 reports: No threat detected (more info)

    Scanner results
    Scan taken on 09 Feb 2008 01:17:33 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found Application/Psexec.A
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing



    File: iun6002.exe
    Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: 456462905091db042141487fe030e3c9
    Packers detected: -
    Bit9 reports: No threat detected (more info)

    Scanner results
    Scan taken on 09 Feb 2008 01:24:16 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing


    I could not find
    C:\WINDOWS\system32\AVSredirect.dll

    I will do a search for AVSredirect.dll here in a few minutes.
     
  15. 2008/02/08
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    Joined:
    2006/05/13
    Messages:
    297
    Likes Received:
    4
    I just completed a system search for AVSredirect and found nothing. I included all of C: and also included hidden system files and folders.
     
  16. 2008/02/08
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Ranger

    No, I don't have a Virtual Machine, so I can't do as Dave does.

    But he PM'ed me and said you could delete that; he said it's a copy of another directory.

    Let's see if you can see that file if you have hidden files/folders enabled.

    Enable the 'Show Hidden Files/Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Now see if you can see this.
    C:\WINDOWS\system32\AVSredirect.dll

    If not we'll try a different way.

    All the ones like "2008-02-06 21:13 . 2008-02-06 21:13 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\ArcSoft" in the "Files Created from 2008-01-08 to 2008-02-08" section of the ComboFix log are OK.
    The TEMP is a user name, like mine says C:\Documents and Settings\OWNER.
    Temp is not a good name for these; some programs look for the word temp and delete it. It could be a way to lose important files and folders.

    Let me know if you can find that file and we'll go from there.

    Thanks
    Geri
     
  17. 2008/02/09
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    Joined:
    2006/05/13
    Messages:
    297
    Likes Received:
    4
    Found it

    File: AVSredirect.dll
    Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definitely accurate. Also, because of this, results of this scan will not be recorded in the database.)
    MD5: 39854962ade636403358ab8a2edeab6b
    Packers detected: PE_PATCH, TELOCK
    Bit9 reports: Not analyzed yet (more info)

    Scanner results
    Scan taken on 09 Feb 2008 14:50:46 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found PUA.Packed.TeLock
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing


    It should have no effect on what we are doing, but I just want to let you know I did reinstall a Toshiba PowerSaver Utility downloaded from Toshiba's website.

    Again I thank you for taking the time to help; it is appreciated.

    Would it be OK to reinstall AVG now? My son deleted it because it kept finding problems.
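
Jotti's report above lists TELOCK under "Packers detected", and only ClamAV flags the file, as a packed-file PUA rather than a named trojan. Packing is a weak signal on its own (plenty of legitimate software ships packed), and it is something a responder can check locally instead of relying on one scanner's opinion. The following Python script is an added example, not part of this thread, of Jotti or of ClamAV: it walks the PE section table and flags executable sections whose raw bytes have near-maximal entropy, or which have no raw data at all (the space an unpacking stub fills at run time). The entropy threshold, the section names and the two constructed sample images are my assumptions; `build_sample_pe` assembles a minimal PE32 layout in memory for the demonstration and is not a real binary.

```python
"""Added example: section-entropy check for a PE file.  Not part of Jotti,
ClamAV or this thread.  "Packed" describes the file layout, not intent:
treat a hit as a reason to look closer, not as a verdict.  HIGH_ENTROPY and
the constructed sample images are assumptions."""
import math
import random
import struct

HIGH_ENTROPY = 7.2          # bits/byte; compressed or encrypted data sits near 8.0
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image):
    """Yield (name, virtual_size, raw_size, raw_offset, characteristics)."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    nsect, opt_size = struct.unpack_from("<H12xH", image, coff + 2)
    table = coff + 20 + opt_size             # section headers follow the optional header
    for i in range(nsect):
        name, vsize, _va, raw_size, raw_off, _r, _l, _nr, _nl, chars = \
            struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, raw_size, raw_off, chars


def packed_sections(image):
    """Map section name -> reason for every executable section that looks packed."""
    out = {}
    for name, vsize, raw_size, raw_off, chars in pe_sections(image):
        if not chars & IMAGE_SCN_MEM_EXECUTE:
            continue
        if raw_size == 0 and vsize > 0:
            out[name] = ("no raw data but 0x%x bytes virtual: filled at run time "
                         "by an unpacking stub" % vsize)
            continue
        ent = shannon_entropy(image[raw_off:raw_off + raw_size])
        if ent >= HIGH_ENTROPY:
            out[name] = "high entropy %.2f bits/byte: compressed or encrypted code" % ent
    return out


def build_sample_pe(packed):
    """Constructed minimal PE32 image for the demo (assumption; not a real binary)."""
    rnd = random.Random(0x5EED)
    code = b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 0x200     # low-entropy, code-like bytes
    if packed:
        # Typical packer layout: an empty executable section the stub will
        # fill, plus a high-entropy section holding the compressed payload.
        sections = [(b".text", 0x4000, b"", 0xE0000020),
                    (b".stub", 0x1000, bytes(rnd.getrandbits(8) for _ in range(0x1000)), 0xE0000020)]
    else:
        sections = [(b".text", 0x1000, code, 0x60000020),
                    (b".data", 0x1000, b"\0" * 0x1000, 0xC0000040)]
    raw_off = (0x40 + 4 + 20 + 0xE0 + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    table, body, va = b"", b"", 0x1000
    for name, vsize, raw, chars in sections:
        off = raw_off + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                             vsize, va, len(raw), off, 0, 0, 0, 0, chars)
        body += raw
        va += (vsize + 0xFFF) & ~0xFFF
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(raw_off, b"\0") + body


if __name__ == "__main__":
    for label, img in (("clean", build_sample_pe(False)), ("packed", build_sample_pe(True))):
        print(label, packed_sections(img) or "nothing flagged")
```

On a real file call `packed_sections(open(path, "rb").read())`; an empty result means the section layout looks ordinary, not that the file is safe, and a hit only tells you that whatever the scanners see is hidden behind a packer, which is exactly why a version-info check and a vendor lookup come next.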
     
  18. 2008/02/09
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Ranger
    Umm, yeah, are you sure it's uninstalled? I see it in the HJT logs.

    In any case make sure it's installed and updated.

    Geri
     
  19. 2008/02/09
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Ranger
    Please go to these files, Right click on them and click properties.
    Under the version tab, please note the company name and product name and let me know who it is.

    C:\WINDOWS\PSEXESVC.EXE
    C:\WINDOWS\system32\AVSredirect.dll

    Also, let's get an uninstall list.

    To get an Uninstall List from HijackThis:
    • Open HijackThis, click Config, click Misc Tools
    • Click "Open Uninstall Manager"
    • Click "Save List" (generates uninstall_list.txt)
    • Click Save, copy and paste the results in your next post.


    Thanks
    Geri
     
  20. 2008/02/09
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    Joined:
    2006/05/13
    Messages:
    297
    Likes Received:
    4
    Hi Geri

    Here is the log you wanted

    7-Zip 4.57
    ABBYY FineReader 6.0 Sprint
    Adobe Acrobat 5.0
    Adobe Flash Player ActiveX
    Adobe Reader 7.0
    ArcSoft PhotoImpression 4
    Atheros Client Utility
    Atheros Wireless LAN MiniPCI/PCIe card Driver
    ATI Control Panel
    ATI Display Driver
    CD/DVD Drive Acoustic Silencer
    CloneDVD2
    CloneDVDmobile
    Dell Digital Jukebox Driver
    Dell DJ Explorer
    DivX Codec
    DivX Content Uploader
    DivX Converter
    DivX Player
    DivX Web Player
    DVD-RAM Driver
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows Media Format SDK (KB910998)
    Hotfix for Windows XP (KB893357)
    Hotfix for Windows XP (KB894871)
    Hotfix for Windows XP (KB895200)
    Hotfix for Windows XP (KB910728)
    Hotfix for Windows XP (KB935448)
    InterVideo WinDVD Creator 2
    InterVideo WinDVD for TOSHIBA
    J2SE Runtime Environment 5.0 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    Lexmark 2500 Series
    Lexmark Fax Solutions
    LimeWire 4.14.10
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft Office Basic Edition 2003
    Microsoft Works
    Microsoft Works 2000
    Microsoft Works 2000 Setup Launcher
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 6.0 Parser (KB933579)
    Nero
    Office 2003 Trial Assistant
    QuickTime
    REALTEK GbE & FE Ethernet PCI NIC Driver
    Realtek High Definition Audio Driver
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB939653)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB942615)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944653)
    SpywareBlaster v3.5.1
    Synaptics Pointing Device Driver
    TOSHIBA Assist
    TOSHIBA ConfigFree
    TOSHIBA Direct Disc Writer
    TOSHIBA Disc Creator
    TOSHIBA PC Diagnostic Tool
    TOSHIBA Power Saver
    Toshiba Registration
    TOSHIBA Software Modem
    TOSHIBA Software Upgrades
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    Toshiba Touchpad Utility
    Toshiba Utility
    TOSHIBA Zooming Utility
    Touch and Launch
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Update for Windows XP (KB946627)
    Viewpoint Media Player
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB884018
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB888622
    Windows XP Hotfix - KB889673
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893056
    Word in Works Suite add-in

    Also, C:\WINDOWS\PSEXESVC.EXE lists a company: PsExec Service

    C:\WINDOWS\system32\AVSredirect.dll has nothing in its properties indicating its purpose.

    One other thing: AVG will not install; it freezes every time. Everything on the computer quits working. The hard drive light is on solid. The only way to get everything working again is to push and hold the power button and restart. Ctrl-Alt-Delete doesn't work. I have tried to install it a number of times.
     
  21. 2008/02/09
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    Joined:
    2006/05/13
    Messages:
    297
    Likes Received:
    4
    Hi Geri

    Again thanks for all your help, I just put the restore disk in. I can have this thing up and running in just a few hours. Please don't feel your time was wasted, I assure you it was not.

    This is now an extra computer, I have mine and my son bought a new one (his way of solving the problem)

    Anyway its 22% done.

    Anyway, I really appreciate the time you took, and I sincerely thank you.
     
