[Resolved] Help cannot load ie,spybot or much else

  1. 13-07-2009  #11
    nsf0502
    nsf0502 is offline Newbie

    re: [Resolved] Help cannot load ie,spybot or much else

    ComboFix 09-07-12.03 - Neil 13/07/2009 20:20.3.2 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1915.844 [GMT 1:00]
    Running from: c:\tools-av\8940\8940.exe
    Command switches used :: c:\users\Neil\Desktop\CFScript.txt
    AV: PCguard Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
    FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
    SP: PCguard Anti-Spyware *enabled* (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    FILE ::
    "c:\users\Neil\AppData\Roaming\wklnhst.dat"
    "c:\windows\HideWin.exe"
    "c:\windows\system32\c2d.dat"
    "c:\windows\system32\ck.dat"
    "c:\windows\system32\idm.dat"
    "c:\windows\system32\locsock32.dll"
    "c:\windows\system32\q1.dat"
    .

    ((((((((((((((((((((((((( Files Created from 2009-06-13 to 2009-07-13 )))))))))))))))))))))))))))))))
    .

    2009-07-13 19:06 . 2009-07-13 19:24 -------- d-----w- c:\users\Neil\AppData\Local\temp
    2009-07-13 18:56 . 2009-07-13 19:06 -------- d-s---w- C:\ComboFix
    2009-07-13 17:02 . 2009-07-13 18:49 -------- d-----w- C:\Tools-AV
    2009-07-13 15:10 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-07-13 15:10 . 2009-07-13 15:10 -------- d-----w- c:\programdata\Malwarebytes
    2009-07-13 15:10 . 2009-07-13 15:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-07-13 15:10 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-13 13:08 . 2009-07-13 13:08 -------- d-----w- c:\program files\Trend Micro
    2009-07-13 12:49 . 2009-07-13 12:52 -------- d-----w- c:\users\Neil\.housecall6.6
    2009-07-13 07:44 . 2009-07-13 07:44 -------- d-----w- c:\windows\Sun
    2009-07-11 10:27 . 2009-07-11 11:00 -------- d-----w- c:\users\Neil\AppData\Local\Ahead
    2009-07-11 09:46 . 2009-07-11 09:47 -------- d-----w- c:\users\Neil\AppData\Roaming\Ahead
    2009-07-11 09:41 . 2009-07-11 09:41 -------- d-----w- c:\programdata\Nero
    2009-07-11 09:41 . 2009-07-11 10:27 -------- d-----w- c:\program files\Common Files\Ahead
    2009-07-11 09:41 . 2009-07-11 09:41 -------- d-----w- c:\program files\Nero
    2009-07-10 16:26 . 2009-07-10 16:26 -------- d-----w- c:\programdata\LightScribe
    2009-07-10 15:41 . 2009-07-10 15:41 -------- d-----w- c:\program files\Common Files\LightScribe
    2009-07-10 13:19 . 2009-07-10 13:19 -------- d-----w- c:\users\Neil\AppData\Roaming\WtmCopyProtect
    2009-07-10 13:18 . 2009-07-10 13:35 -------- d-----w- c:\program files\Wtm Copy Protection
    2009-07-08 18:28 . 2009-07-08 18:28 -------- d-----w- c:\users\Neil\AppData\Local\MicroVision Applications
    2009-07-08 18:28 . 2006-09-21 06:42 487424 ----a-w- c:\windows\system32\msvcp70.dll
    2009-07-08 18:28 . 2006-09-21 06:42 344064 ----a-w- c:\windows\system32\msvcr70.dll
    2009-07-08 18:28 . 2009-07-08 18:28 -------- d-----w- c:\program files\Common Files\SureThing Shared
    2009-07-08 18:28 . 2009-07-08 18:29 -------- d-----w- c:\program files\SureThing CD Labeler 5
    2009-07-08 16:30 . 2009-07-08 16:30 -------- d-----w- c:\program files\LightScribe
    2009-06-29 02:04 . 2009-06-29 02:04 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
    2009-06-29 02:01 . 2009-06-29 02:01 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2009-06-28 13:24 . 2009-06-28 13:24 -------- d-----w- c:\program files\Microsoft Small Business
    2009-06-28 13:17 . 2009-06-29 08:56 -------- d-----w- c:\program files\Microsoft SQL Server
    2009-06-28 12:50 . 2009-06-28 12:50 -------- d-----w- c:\windows\PCHEALTH
    2009-06-28 12:50 . 2009-06-28 13:19 -------- d-----w- c:\program files\Microsoft.NET
    2009-06-28 12:47 . 2009-06-28 13:03 -------- d-----w- c:\users\Neil\AppData\Local\Microsoft Help
    2009-06-28 12:46 . 2009-06-28 12:46 -------- d--h--r- C:\MSOCache
    2009-06-28 11:40 . 2009-06-28 13:26 -------- d-----w- c:\users\Neil\AppData\Roaming\GetRightToGo
    2009-06-28 08:14 . 2009-06-28 08:14 368640 ----a-w- c:\programdata\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en-GB_344187C3421752FB.dll
    2009-06-26 13:50 . 2009-06-29 16:39 -------- d-----w- c:\users\Neil\AppData\Roaming\DVD Flick
    2009-06-26 11:41 . 2003-01-26 11:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
    2009-06-26 11:41 . 2009-06-26 11:41 -------- d-----w- c:\program files\DVD Flick
    2009-06-25 19:21 . 2009-06-25 19:21 -------- d-----w- c:\programdata\WindowsSearch
    2009-06-25 03:01 . 2009-06-25 03:01 -------- d-----w- c:\users\Neil\AppData\Roaming\DivX
    2009-06-24 10:35 . 2009-06-24 10:35 -------- d-----w- c:\program files\uTorrent
    2009-06-24 10:35 . 2009-07-13 19:13 -------- d-----w- c:\users\Neil\AppData\Roaming\uTorrent
    2009-06-24 10:27 . 2009-06-24 10:27 -------- d-----w- c:\users\Neil\AppData\Roaming\DriverCure
    2009-06-24 10:27 . 2009-06-24 12:10 -------- d-----w- c:\programdata\DriverCure
    2009-06-24 10:27 . 2009-06-24 10:27 -------- d-----w- c:\programdata\ParetoLogic
    2009-06-24 09:37 . 2009-07-11 09:32 -------- d-----w- C:\Temp
    2009-06-24 09:37 . 2009-07-11 01:31 -------- d-----w- c:\temp\installtemped
    2009-06-18 12:02 . 2009-07-03 14:23 -------- d-----w- c:\users\Neil\AppData\Roaming\CD Box Labeler Pro
    2009-06-18 12:02 . 2009-06-18 12:02 -------- d-----w- c:\program files\Green Point Software
    2009-06-15 17:12 . 2009-06-15 17:12 -------- d-----w- c:\programdata\Trusteer
    2009-06-14 23:20 . 2009-06-27 09:12 -------- d-----w- c:\program files\Common Files\PX Storage Engine
    2009-06-14 23:07 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
    2009-06-14 23:06 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
    .
    2009-07-13 10:04 . 2009-05-14 12:32 1 ----a-w- c:\users\Neil\AppData\Roaming\OpenOffice.org\3\use r\uno_packages\cache\stamp.sys
    2009-07-05 09:37 . 2009-05-20 12:20 -------- d-----w- c:\programdata\Apple
    2009-06-29 09:00 . 2008-08-07 16:58 -------- d-----w- c:\programdata\Microsoft Help
    2009-06-29 02:06 . 2008-08-07 17:00 -------- d-----w- c:\program files\Microsoft Works
    2009-06-28 13:12 . 2009-05-13 12:55 118576 ----a-w- c:\users\Neil\AppData\Local\GDIPFONTCACHEV1.DAT
    2009-06-24 10:30 . 2008-08-07 16:54 -------- d-----w- c:\program files\Google
    2009-06-12 10:21 . 2009-06-12 10:20 -------- d-----w- c:\program files\iTunes
    2009-06-12 10:20 . 2009-06-12 10:20 -------- d-----w- c:\program files\iPod
    2009-06-12 10:20 . 2009-05-20 12:20 -------- d-----w- c:\program files\Common Files\Apple
    2009-06-12 10:17 . 2009-06-12 10:17 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
    2009-06-12 10:16 . 2009-05-20 12:44 -------- d-----w- c:\program files\Safari
    2009-06-12 10:09 . 2009-06-12 10:08 -------- d-----w- c:\program files\QuickTime
    2009-06-10 18:20 . 2009-05-20 12:24 -------- d-----w- c:\users\Neil\AppData\Roaming\Apple Computer
    2009-06-08 14:44 . 2008-08-07 16:47 -------- d-----w- c:\program files\Common Files\Adobe
    2009-06-05 10:42 . 2009-06-05 10:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2009-06-05 10:42 . 2009-06-05 10:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
    2009-05-26 13:18 . 2009-05-26 13:18 -------- d-----w- c:\program files\Pod to PC
    2009-05-26 13:07 . 2009-05-26 13:07 -------- d-----w- c:\program files\iPodRobot
    2009-05-26 12:58 . 2009-05-26 12:58 -------- d-----w- c:\program files\Common Files\eSellerate
    2009-05-26 12:51 . 2009-05-26 12:18 -------- d-----w- c:\programdata\WindSolutions
    2009-05-26 12:19 . 2009-05-26 12:19 -------- d-----w- c:\users\Neil\AppData\Roaming\CopyTrans
    2009-05-26 12:18 . 2009-05-26 12:18 -------- d-----w- c:\program files\WindSolutions
    2009-05-26 12:18 . 2009-05-26 12:18 -------- d-----w- c:\users\Neil\AppData\Roaming\WindSolutions
    2009-05-24 09:49 . 2009-05-24 09:49 -------- d--h--w- c:\programdata\CanonBJ
    2009-05-20 12:41 . 2009-05-20 12:41 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-05-20 12:31 . 2009-05-20 12:31 -------- d-----w- c:\program files\Bonjour
    2009-05-20 12:26 . 2009-05-20 12:26 -------- d-----w- c:\program files\Apple Software Update
    2009-05-20 12:23 . 2009-05-20 12:22 -------- d-----w- c:\programdata\Apple Computer
    2009-05-18 12:21 . 2009-05-18 10:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-05-18 10:52 . 2009-05-18 10:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2009-05-16 10:14 . 2009-05-16 10:14 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_ 00_00.Wdf
    2009-05-13 15:52 . 2009-05-13 15:52 782664 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlig ht\MCESpotlight\SpotlightResources.dll
    2009-05-13 14:34 . 2009-05-13 14:34 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-05-13 14:32 . 2009-05-13 14:17 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
    2009-05-13 12:38 . 2009-05-13 12:38 319456 ----a-w- c:\windows\DIFxAPI.dll
    2009-05-09 05:50 . 2009-06-10 18:30 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-05-09 05:34 . 2009-06-10 18:30 71680 ----a-w- c:\windows\system32\iesetup.dll
    2009-04-23 12:43 . 2009-06-10 18:31 784896 ----a-w- c:\windows\system32\rpcrt4.dll
    2009-04-23 12:42 . 2009-06-10 18:31 636928 ----a-w- c:\windows\system32\localspl.dll
    2009-04-21 11:55 . 2009-06-10 18:31 2033152 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-07-13_17.24.52 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-21 01:58 . 2009-07-13 19:13 47736 c:\windows\System32\WDI\ShutdownPerformanceDiagnos tics_SystemData.bin
    - 2008-01-21 01:58 . 2009-07-13 17:19 47736 c:\windows\System32\WDI\ShutdownPerformanceDiagnos tics_SystemData.bin
    + 2006-11-02 13:05 . 2009-07-13 19:13 73156 c:\windows\System32\WDI\BootPerformanceDiagnostics _SystemData.bin
    - 2009-05-13 12:50 . 2009-07-13 17:17 16384 c:\windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\Cookies\index.dat
    + 2009-05-13 12:50 . 2009-07-13 19:13 16384 c:\windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\Cookies\index.dat
    - 2009-05-13 12:50 . 2009-07-13 17:17 49152 c:\windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-05-13 12:50 . 2009-07-13 19:13 49152 c:\windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-05-13 12:50 . 2009-07-13 17:17 16384 c:\windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\History\History.IE5\index.d at
    + 2009-05-13 12:50 . 2009-07-13 19:13 16384 c:\windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\History\History.IE5\index.d at
    - 2009-05-13 12:56 . 2009-07-13 15:25 4666 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2047160978-575935202-3897097581-1000_UserData.bin
    + 2009-05-13 12:56 . 2009-07-13 19:13 4666 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2047160978-575935202-3897097581-1000_UserData.bin
    - 2009-07-13 17:17 . 2009-07-13 17:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive1.dat
    + 2009-07-13 19:10 . 2009-07-13 19:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive1.dat
    + 2009-07-13 19:10 . 2009-07-13 19:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive0.dat
    - 2009-07-13 17:17 . 2009-07-13 17:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive0.dat
    + 2006-11-02 10:33 . 2009-07-13 19:15 647086 c:\windows\System32\perfh009.dat
    - 2006-11-02 10:33 . 2009-07-13 17:24 647086 c:\windows\System32\perfh009.dat
    - 2006-11-02 10:33 . 2009-07-13 17:24 123374 c:\windows\System32\perfc009.dat
    + 2006-11-02 10:33 . 2009-07-13 19:15 123374 c:\windows\System32\perfc009.dat
    + 2009-05-16 09:17 . 2009-07-13 19:13 245760 c:\windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\IETldCache\index.dat
    - 2009-05-16 09:17 . 2009-07-13 15:24 245760 c:\windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\IETldCache\index.dat
    + 2009-05-13 13:03 . 2009-07-13 19:09 1037168 c:\windows\ServiceProfiles\LocalService\AppData\Lo cal\FontCache3.0.0.0.dat
    - 2009-05-13 13:03 . 2009-07-13 17:16 1037168 c:\windows\ServiceProfiles\LocalService\AppData\Lo cal\FontCache3.0.0.0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-06-24 287536]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2008-08-07 68856]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
    "WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2008-01-21 2153472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-13 148888]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-07 29744]
    "Google EULA Launcher"="c:\program files\Google\Google EULA\GoogleEULALauncher.exe" [2008-05-28 20480]
    "Toshiba TEMPO"="c:\program files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe" [2008-04-24 103824]
    "topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
    "Persistence"="c:\windows\system32\igfxpers.ex e" [2008-06-25 145944]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
    "HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-10-31 54608]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-24 509816]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
    "Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe " [2008-01-11 574864]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-09-26 417792]
    "Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-01-29 2303216]
    "PCguard"="c:\program files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 310000]
    "-FreedomNeedsReboot"="c:\program files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 13552]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-04-08 6037504]
    "Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-11-20 1826816]

    c:\users\Neil\AppData\Roaming\Microsoft\Windows\St art Menu\Programs\Startup\
    TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleD esktopNetwork3.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\session manager]
    BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpo licy\FirewallRules]
    "{43597A08-21ED-471C-AE18-6998A0F6D651}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{3BA6AD5F-B5C4-4A70-9B1E-DA764E2474B9}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{CBE1A082-D610-4818-ABCB-6BA03721BAE1}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{CBA870D2-A54D-4C8D-98F7-C444E333C32E}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "TCP Query User{9D82A143-B4C3-482D-8ABC-B3E15ED19EB9}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
    "UDP Query User{133815ED-2101-4602-B91D-965F1EFA0FFE}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
    "{A17EDC79-BD13-4C4A-A3D9-22D85EE1EEA5}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
    "{A6EBB8D5-B3E7-45EA-8B0F-10F597BD16B0}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
    "{5C92934B-0941-4569-9C59-D6AB29823690}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
    "{642B6D7A-FD80-4F9F-B163-D82DDF64C161}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
    "TCP Query User{FC67EE35-E387-41AF-AD78-B5BF228292F9}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
    "UDP Query User{4ECD070B-9DF1-4F24-9DA9-D7834B4BB798}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
    "{268D18AB-8761-46B6-88AC-EEC57FCC2ED5}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook

    [HKLM\~\services\sharedaccess\parameters\firewallpo licy\StandardProfile]
    "EnableFirewall"= 0 (0x0)

    R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\System32\drivers\jswpslwf.sys [13/05/2009 13:59 20384]
    R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [13/05/2009 14:46 57320]
    R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [13/05/2009 14:46 239080]
    R2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [17/04/2008 00:19 40960]
    R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24/11/2008 22:31 29263712]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/06/2009 18:11 664808]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [18/05/2009 11:21 1153368]
    R2 TempoMonitoringService;Notebook Performance Tuning Service ;c:\program files\Toshiba TEMPRO\TempoSVC.exe [24/04/2008 10:21 99720]
    R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [06/02/2008 14:12 126976]
    R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [07/08/2008 17:24 7168]
    R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [25/08/2008 09:58 77824]
    S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [07/08/2008 17:54 29744]
    S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [13/05/2009 13:59 954368]
    S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\windows\System32\dllhost.exe [02/11/2006 09:50 7168]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSe tup SIGNUP

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    "c:\program files\Common Files\LightScribe\LSRunOnce.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{544735C9-AE13-4721-9DE7-D529BE675038}]
    rundll32 locsock32.dll,laspi
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-12 c:\windows\Tasks\User_Feed_Synchronization-{0C101944-2F0E-44AE-9523-315724FE4094}.job
    - c:\windows\system32\msfeedssync.exe [2009-05-16 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel
    IE: {{76577871-04EC-495E-A12B-91F7C3600AFA} - eBay - The UK's Online Marketplace
    IE: {{8A918C1D-E123-4E36-B562-5C1519E434CE} - Amazon.co.uk: low prices in Electronics, Books, Music, DVDs & more
    FF - ProfilePath - c:\users\Neil\AppData\Roaming\Mozilla\Firefox\Prof iles\cvxnuul3.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
    FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
    FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GBfficial
    FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=18&tid={E55D7A73-C893-598F-5AC7-E0C14C8468CD}&q=
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Virgin Broadband\advisor\nprpspa.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_sett ing", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
    .

    ************************************************** ************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2009-07-13 20:24
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i???????5`?u??P?#?x?#???#???#??

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    ************************************************** ************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(3440)
    c:\program files\Trusteer\Rapport\bin\rooksbas.dll
    .
    Completion time: 2009-07-13 20:25
    ComboFix-quarantined-files.txt 2009-07-13 19:25
    ComboFix2.txt 2009-07-13 19:06
    ComboFix3.txt 2009-07-13 17:26

    Pre-Run: 37,676,396,544 bytes free
    Post-Run: 37,647,491,072 bytes free

    335 --- E O F --- 2009-07-09 16:34

  3. 13-07-2009  #12
    broni
    broni is offline Senior Member
    Uninstall Combofix:

    Go Start > Run
    Type in:
    combofix /u
    Note the space between the "combofix" and the "/u"
    Restart computer.


    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.cvs report.


    Post fresh HijackThis log as well.
  4. 14-07-2009  #13
    nsf0502
    nsf0502 is offline Newbie
    Well! after letting dr web run for hours as soon as i came to click on save report list i got the dreaded windows blue screen. It had deleted 2 items.

    Got this from the hijackthis. But nothing from dr web.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:34:35, on 13/07/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Google\Google EULA\GoogleEULALauncher.exe
    C:\Program Files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
    C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
    C:\Program Files\TOSHIBA\Registration\ToshibaRegistration.exe
    C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\Program Files\Virgin Broadband\PCguard\RPS.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
    C:\Windows\system32\igfxext.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\Explorer.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {61DC85A0-4A32-4c38-92CF-24652B3F416C} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\ swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Google EULA Launcher] c:\Program Files\Google\Google EULA\GoogleEULALauncher.exe IE PA
    O4 - HKLM\..\Run: [Toshiba TEMPO] C:\Program Files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
    O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [Skytel] Skytel.exe
    O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
    O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
    O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - .DEFAULT User Startup: TRDCReminder.lnk = C:\Program Files\TOSHIBA\TRDCReminder\TRDCReminder.exe (User 'Default user')
    O4 - Startup: TRDCReminder.lnk = C:\Program Files\TOSHIBA\TRDCReminder\TRDCReminder.exe
    O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - eBay - The UK's Online Marketplace (file missing)
    O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - Amazon.co.uk: low prices in Electronics, Books, Music, DVDs & more (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3. dll
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe
    O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Rapport Management Service (RapportMgmtService) - Unknown owner - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
    O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: SmartFaceVWatchSrv - Toshiba - C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Notebook Performance Tuning Service (TempoMonitoringService) - Toshiba Europe GmbH - C:\Program Files\Toshiba TEMPRO\TempoSVC.exe
    O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 11624 bytes
  5. 14-07-2009  #14
    broni
    broni is offline Senior Member
    Disable TeaTimer, as it'll interfere with the cleaning process:
    Right click Spybot's TeaTimer System Tray Icon.
    Click Exit Spybot-S&D Resident.
    TeaTimer closes.

    ================================================== ==============

    Disable Windows Defender, as it'll interfere with cleaning process:
    - Open Windows Defender by clicking the Start, clicking All Programs, and then clicking Windows Defender.
    - Click Tools
    then...

    ++ Windows XP:
    - Click General Settings
    - Scroll down to Real Time Protection Options
    - Uncheck Turn on Real Time Protection
    - After you uncheck this, click on the Save button
    - Close Windows Defender

    ++ Windows Vista:
    - Click Options
    - Under Administrator options, clear the Use Windows Defender check box, and then click Save.

    Enable Windows Defender, when all cleaning is done.

    ================================================== ===========


    Print this post out, since you won't have an access to it, at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - O2 - BHO: (no name) - {61DC85A0-4A32-4c38-92CF-24652B3F416C} - (no file)

    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    - O4 - HKLM\..\Run: [Google EULA Launcher] c:\Program Files\Google\Google EULA\GoogleEULALauncher.exe IE PA
    - O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    - O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    - O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
    - O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    - O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    - O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    - O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    - O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    - O4 - .DEFAULT User Startup: TRDCReminder.lnk = C:\Program Files\TOSHIBA\TRDCReminder\TRDCReminder.exe (User 'Default user')
    - O4 - Startup: TRDCReminder.lnk = C:\Program Files\TOSHIBA\TRDCReminder\TRDCReminder.exe





    5. Click on Fix checked button.

    7. Restart computer.

    8. Post new HijackThis log.
  6. 14-07-2009  #15
    nsf0502
    nsf0502 is offline Newbie
    Ok, have done as you said. Ran Dr web to clean and it deleted 2 trojans, only thing is when i clicked on save report list it just disapeared. This is the hijackthis log from after restart.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 07:10:21, on 14/07/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Google\Google EULA\GoogleEULALauncher.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
    C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
    C:\Program Files\Virgin Broadband\PCguard\RPS.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
    C:\Windows\system32\igfxext.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\msfeedssync.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\ swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Toshiba TEMPO] C:\Program Files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
    O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [Skytel] Skytel.exe
    O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
    O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
    O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - .DEFAULT User Startup: TRDCReminder.lnk = C:\Program Files\TOSHIBA\TRDCReminder\TRDCReminder.exe (User 'Default user')
    O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - eBay - The UK's Online Marketplace (file missing)
    O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - Amazon.co.uk: low prices in Electronics, Books, Music, DVDs & more (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3. dll
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe
    O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Rapport Management Service (RapportMgmtService) - Unknown owner - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
    O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: SmartFaceVWatchSrv - Toshiba - C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Notebook Performance Tuning Service (TempoMonitoringService) - Toshiba Europe GmbH - C:\Program Files\Toshiba TEMPRO\TempoSVC.exe
    O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 10242 bytes


    and this is from before retart:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 07:04:07, on 14/07/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Google\Google EULA\GoogleEULALauncher.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
    C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
    C:\Program Files\TOSHIBA\Registration\ToshibaRegistration.exe
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\Program Files\Virgin Broadband\PCguard\RPS.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
    C:\Windows\system32\igfxext.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {61DC85A0-4A32-4c38-92CF-24652B3F416C} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\ swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Google EULA Launcher] c:\Program Files\Google\Google EULA\GoogleEULALauncher.exe IE PA
    O4 - HKLM\..\Run: [Toshiba TEMPO] C:\Program Files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
    O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [Skytel] Skytel.exe
    O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
    O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
    O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - .DEFAULT User Startup: TRDCReminder.lnk = C:\Program Files\TOSHIBA\TRDCReminder\TRDCReminder.exe (User 'Default user')
    O4 - Startup: TRDCReminder.lnk = C:\Program Files\TOSHIBA\TRDCReminder\TRDCReminder.exe
    O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - eBay - The UK's Online Marketplace (file missing)
    O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - Amazon.co.uk: low prices in Electronics, Books, Music, DVDs & more (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3. dll
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe
    O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Rapport Management Service (RapportMgmtService) - Unknown owner - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
    O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: SmartFaceVWatchSrv - Toshiba - C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Notebook Performance Tuning Service (TempoMonitoringService) - Toshiba Europe GmbH - C:\Program Files\Toshiba TEMPRO\TempoSVC.exe
    O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 11543 bytes
  7. 14-07-2009  #16
    broni
    broni is offline Senior Member
    Your computer is clean

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure, Windows Updates are current.

    6. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    7. Download, and install WOT (Web OF Trust): Internet Security | WOT Web of Trust. It'll warn you (in most cases) about dangerous web sites.

    8. Run defrag at your convenience.

    9. Read How did I get infected?, With steps so it does not happen again!: How did I get infected?

    10. Let me know, how is your computer doing.
  8. 14-07-2009  #17
    nsf0502
    nsf0502 is offline Newbie
    Had a heart stopping moment then after following those instructions. Everything shut down and then restarted asking for password, entered password and all that appeared was a blank Toshiba background.No windows, no icons or anything. Eventually got it to power down. When it restarted it started in safe mode and came up telling me it needed to run repair. Is this normal and should it of happened?
  9. 14-07-2009  #18
    broni
    broni is offline Senior Member
    It did shut down after which step?
    What's your situation right now?
  10. 15-07-2009  #19
    nsf0502
    nsf0502 is offline Newbie
    After i had disabled the restore point for vista. Took my eye off it for a moment so not sure if it was rge dreaded blue screen again. Evrything seems ok now. Have run a few different spywares and virus checkers. Spybot found another trojen so it was deleted. Only thing now is i have a windows security alert in tray saying that my PCguard is running but is sending messages to windows security center that is not recognisable.
  11. 15-07-2009  #20
    broni
    broni is offline Senior Member
    Save 20% on AVG Internet Security 2012 Suite!
    I'm glad nothing serious happened. Hiccups happen sometimes.

    I'm not very familiar with PCGuard. I assume, it came free from your ISP.
    Those security tools coming form ISPs are usually pretty poor tools, but it's your decision.
    If you want to switch to something else, I can advice you. If you want to keep it, try to reinstall it.
    Sometimes, cleaning procedure may corrupt some files.
+ Reply to Thread
Page 2 of 3 FirstFirst 1 2 3 LastLast
« [Resolved] Help with removal of Trojan Horse Dropper.VB.4.J | [Resolved] Infested »