Old 08-16-2009, 12:25 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 13
OS: Vista


First steps complete...Please help

Original post

Help please?

Hi, I have now completed the first steps instructions. I hope I've done this right??


I recently rebooted my whole computer so it was back to scratch, and before I even had a chance to put an antivirus on I think I got a virus. I couldn't download things like Live Messenger or AVG but have since managed to put Kaspersky on, only the trial version for now, and I ran a full system scan in safe mode which took over 15 hours!! It found a couple of trojans.
That seemed to solve the problem of being able to install Live Messenger etc., but I still keep getting hijacked in Google, and parts of websites like the adverts come up as "page cannot be displayed".


My DDS report as follows:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Sue at 19:04:07.64 on 16/08/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3070.1725 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\FsUsbExService.Exe
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_FATIBZE.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\msiexec.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Sue\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ebay.co.uk/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [EPSON Stylus D92 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibze.exe /fu "c:\windows\temp\E_SAC84.tmp" /EF "HKCU"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [NDSTray.exe] NDSTray.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Desktop SMS] c:\program files\idm\desktop sms\DesktopSMS.exe /auto
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [HDMICtrlMan] c:\program files\toshiba\hdmictrlman\HDMICtrlMan.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaRegistration.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NPSStartup]
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {16714085-A6E4-4E3B-87FB-41CDB15024B4} = 193.0.249.6,193.0.249.70
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2008-7-9 20496]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-8-5 233472]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-2-26 187904]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-8-5 36608]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-1-15 48472]
R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2007-4-9 8192]
RUnknown SASDIFSV;SASDIFSV; [x]
RUnknown SASENUM;SASENUM; [x]
RUnknown SASKUTIL;SASKUTIL; [x]

=============== Created Last 30 ================

2009-08-14 11:04 <DIR> --d----- c:\program files\NCH Software
2009-08-13 20:54 <DIR> --d----- C:\HJT
2009-08-13 13:56 71,680 a------- c:\windows\system32\atl.dll
2009-08-13 13:56 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-13 13:56 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-13 13:56 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-13 13:56 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-13 13:55 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-13 13:55 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-13 13:55 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-13 13:55 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-13 13:55 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-13 13:55 18,432 a------- c:\windows\system32\amcompat.tlb
2009-08-12 09:51 81 a------- C:\CTX.DAT
2009-08-12 09:50 <DIR> --d----- c:\users\sue\Citrix
2009-08-12 09:46 184 a------- c:\windows\WFCMGR.INI
2009-08-12 09:44 48 a------- c:\windows\webica.ini
2009-08-12 09:41 28 a------- C:\WFCNAME.INI
2009-08-12 09:41 <DIR> --d----- C:\ICA16
2009-08-12 09:40 358,136 a------- c:\windows\ISUN16.EXE
2009-08-12 09:40 26,768 a------- c:\windows\system\CTL3D.DLL
2009-08-12 09:34 <DIR> --d----- c:\users\sue\Tracing
2009-08-12 09:33 <DIR> --d----- c:\program files\Microsoft
2009-08-12 09:33 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-08-12 09:27 <DIR> --d----- c:\program files\common files\Windows Live
2009-08-11 09:18 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-08-11 09:18 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-08-11 09:16 3,247,136 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-08-11 09:16 368,672 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-08-11 09:16 27,496 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-08-11 09:16 3,388 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-08-11 09:16 <DIR> --d----- c:\programdata\Kaspersky Lab
2009-08-11 09:16 <DIR> --d----- c:\program files\Kaspersky Lab
2009-08-11 09:16 <DIR> --d----- c:\progra~2\Kaspersky Lab
2009-08-11 08:13 <DIR> --d----- c:\programdata\Kaspersky Lab Setup Files
2009-08-11 08:13 <DIR> --d----- c:\progra~2\Kaspersky Lab Setup Files
2009-08-10 09:43 428,544 a------- c:\windows\system32\EncDec.dll
2009-08-10 09:43 217,088 a------- c:\windows\system32\psisrndr.ax
2009-08-10 09:43 293,376 a------- c:\windows\system32\psisdecd.dll
2009-08-10 09:43 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-08-10 09:43 80,896 a------- c:\windows\system32\MSNP.ax
2009-08-10 09:43 57,856 a------- c:\windows\system32\MSDvbNP.ax
2009-08-10 09:43 12,240,896 a------- c:\windows\system32\NlsLexicons0007.dll
2009-08-10 09:43 2,644,480 a------- c:\windows\system32\NlsLexicons0009.dll
2009-08-10 09:42 801,280 a------- c:\windows\system32\NaturalLanguage6.dll
2009-08-09 19:40 6,103,040 a------- c:\windows\system32\chtbrkr.dll
2009-08-07 14:54 562,176 a------- c:\windows\system32\msdtcprx.dll
2009-08-07 14:54 38,912 a------- c:\windows\system32\xolehlp.dll
2009-08-07 14:51 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-07 14:51 1,695,744 a------- c:\windows\system32\gameux.dll
2009-08-07 14:51 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-07 14:51 303,616 a------- c:\windows\system32\wmpeffects.dll
2009-08-07 14:50 1,191,936 a------- c:\windows\system32\msxml3.dll
2009-08-07 14:41 49,152 a------- c:\windows\system32\E_DCINST.DLL
2009-08-07 14:41 76,800 a------- c:\windows\system32\E_FLBBZE.DLL
2009-08-07 14:41 62,976 a------- c:\windows\system32\E_FD4BBZE.DLL
2009-08-07 14:41 <DIR> --d----- c:\program files\EPSON
2009-08-07 14:41 <DIR> --d----- c:\programdata\EPSON
2009-08-07 14:41 <DIR> --d----- c:\progra~2\EPSON
2009-08-07 14:16 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-08-07 14:16 1,314,816 a------- c:\windows\system32\quartz.dll
2009-08-07 14:12 1,334,272 a------- c:\windows\system32\msxml6.dll
2009-08-07 12:35 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-08-07 12:35 83,456 a------- c:\windows\system32\wudriver.dll
2009-08-07 12:35 162,064 a------- c:\windows\system32\wuwebv.dll
2009-08-07 12:35 31,232 a------- c:\windows\system32\wuapp.exe
2009-08-06 16:42 <DIR> a-d----- c:\programdata\TEMP
2009-08-05 22:31 <DIR> --d----- c:\programdata\Yahoo!
2009-08-05 22:31 <DIR> --d----- c:\program files\Yahoo!
2009-08-05 12:26 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-08-05 12:26 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-08-05 12:26 348,160 a------- c:\windows\system32\MSVCR71.dll
2009-08-05 10:13 0 a------- c:\windows\NDSTray.INI
2009-08-05 10:03 138 a------- c:\users\sue\appdata\roaming\wklnhst.dat
2009-08-05 09:23 114,304 a------- c:\windows\system32\drivers\sscdmdm.sys
2009-08-05 09:23 87,936 a------- c:\windows\system32\drivers\sscdbus.sys
2009-08-05 09:23 14,976 a------- c:\windows\system32\drivers\sscdmdfl.sys
2009-08-05 09:23 12,160 a------- c:\windows\system32\drivers\sscdwhnt.sys
2009-08-05 09:23 12,160 a------- c:\windows\system32\drivers\sscdwh.sys
2009-08-05 09:23 12,160 a------- c:\windows\system32\drivers\sscdcmnt.sys
2009-08-05 09:23 12,160 a------- c:\windows\system32\drivers\sscdcm.sys
2009-08-05 09:23 <DIR> --d----- c:\windows\system32\Samsung_USB_Drivers
2009-08-05 09:22 233,472 a------- c:\windows\system32\FsUsbExService.Exe
2009-08-05 09:22 110,592 a------- c:\windows\system32\FsUsbExDevice.Dll
2009-08-05 09:22 36,608 a------- c:\windows\system32\FsUsbExDisk.Sys
2009-08-05 09:22 <DIR> --d----- c:\users\sue\appdata\roaming\Samsung
2009-08-05 09:22 <DIR> --d----- c:\program files\MarkAny
2009-08-05 09:21 <DIR> --d----- c:\program files\Samsung
2009-08-05 09:00 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-08-05 08:53 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-08-05 08:53 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-08-05 08:50 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-05 08:50 <DIR> --d----- c:\users\sue\appdata\roaming\SUPERAntiSpyware.com
2009-08-05 08:39 <DIR> --d----- c:\users\sue\appdata\roaming\AVG8
2009-08-04 18:40 <DIR> --d----- c:\program files\PowerDataRecovery
2009-08-04 12:15 634 a------- c:\windows\system32\MAPISVC.INF
2009-08-04 12:15 <DIR> --d----- c:\program files\Ontrack
2009-08-04 11:19 <DIR> --d----- c:\users\sue\appdata\roaming\Citrix
2009-08-04 11:15 3,426,072 a------- c:\windows\system32\d3dx9_32.dll
2009-08-04 11:15 <DIR> --d----- c:\programdata\TOSHIBA
2009-08-04 11:14 285,184 a------- c:\windows\system32\drivers\tos_sps32.sys
2009-08-04 11:12 <DIR> --d----- c:\program files\common files\Toshiba Shared
2009-08-04 11:11 18,432 a------- c:\windows\system32\drivers\UVCFTR_S.SYS
2009-08-04 11:11 <DIR> --d----- c:\program files\Camera Assistant Software for Toshiba
2009-08-04 11:11 0 a--shr-- c:\windows\system32\drivers\TOSHIBA_Satellite P300_06557-KS_PSPC4E-02401.MRK
2009-08-04 11:08 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2009-08-04 11:08 <DIR> --d----- c:\windows\system32\ENU
2009-08-04 11:08 <DIR> --d----- c:\program files\Synaptics
2009-08-04 11:08 936,472 a------- c:\windows\system32\imsmudlg.exe
2009-08-04 11:07 <DIR> --d----- c:\program files\ATI Technologies
2009-08-04 11:07 0 a------- c:\windows\ativpsrm.bin
2009-08-04 11:06 <DIR> --d----- c:\program files\ATI
2009-08-04 10:59 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-08-04 10:46 44,544 a------- c:\windows\system32\agremove.exe
2009-08-04 10:27 <DIR> --d----- c:\programdata\ATI
2009-08-04 10:27 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-08-04 10:24 <DIR> --d----- c:\programdata\ToshibaEurope
2009-08-04 10:24 <DIR> --d----- c:\users\Sue

==================== Find3M ====================

2009-08-11 09:33 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-08-11 09:17 143,360 a------- c:\windows\inf\infstrng.dat
2009-08-11 09:17 86,016 a------- c:\windows\inf\infstor.dat
2009-08-11 09:17 51,200 a------- c:\windows\inf\infpub.dat
2009-08-09 19:54 665,600 a------- c:\windows\inf\drvindex.dat
2009-07-18 17:06 827,904 a------- c:\windows\system32\wininet.dll
2009-07-18 17:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-18 10:46 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-06-15 16:24 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 16:20 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 16:20 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 13:52 289,792 a------- c:\windows\system32\atmfd.dll
2008-01-21 03:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 19:04:44.08 ===============
Attached Files
File Type: zip Attach.zip (4.3 KB, 1 views)
File Type: zip ark.zip (1.3 KB, 3 views)
Sueby78 is offline  

Old 08-16-2009, 03:55 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,918
OS: WinXP and Vista


Re: First steps complete...Please help

Hello Sueby78, you did just fine. :)


I'd like to take a second look with another rootkit scanner. Download RootRepeal
  • Extract RootRepeal.exe from the zip archive.
  • Open on your desktop.
  • Click the tab.
  • Click the button.
  • Check all boxes
  • Click Ok
  • Check the box for your main system drive (Usually C:), and click Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 08-17-2009, 01:28 AM   #3 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 13
OS: Vista


Re: First steps complete...Please help

Hi, thanks for quick reply.

RootRepeal:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/17 08:23
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x8FE97000 Size: 819200 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x9AB4F000 Size: 49152 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: SYSTEM
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1320 Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: msgsres.dll]
Process: msnmsgr.exe (PID: 3044) Address: 0x64820000 Size: 11403264

Object: Hidden Module [Name: msgslang.14.0.8064.0206.dll]
Process: msnmsgr.exe (PID: 3044) Address: 0x66ac0000 Size: 315392

Object: Hidden Module [Name: msgrvsta.thm]
Process: msnmsgr.exe (PID: 3044) Address: 0x6a4e0000 Size: 20480

==EOF==



Thanks
Sue
Sueby78 is offline  
Old 08-17-2009, 11:25 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,918
OS: WinXP and Vista


Re: First steps complete...Please help

Download ComboFix here

* IMPORTANT - Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.

====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

How is the system behaving?
Ried is offline  
Old 08-18-2009, 02:31 AM   #5 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 13
OS: Vista


Re: First steps complete...Please help

The system is a bit slow but I have put that down to the fact that 35GB of data which was lost has been recovered, which I'm working through, deleting the junk and trying to find the documents I need.

Google is still being kidnapped, or was before I ran that last report, and adverts on side bars like MSN/eBay/Facebook show "page cannot be displayed". Other than that I think it's OK, just running slow and being kidnapped all the time.
Sueby78 is offline  
Old 08-18-2009, 02:33 AM   #6 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 13
OS: Vista


Re: First steps complete...Please help

Sorry, forgot attachment!!

ComboFix Beta_09-08-17.02 - Sue 18/08/2009 9:13.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3070.1897 [GMT 1:00]
Running from: c:\users\Sue\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Sue\AppData\Local\Temp\ppcrlui_4300_2
c:\windows\Cursors\aero_link.cur
c:\windows\Installer\WMEncoder.msi

.
((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-18 08:18 . 2009-08-18 08:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-17 16:41 . 2009-08-17 16:41 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-08-17 16:40 . 2009-08-17 16:40 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-08-17 06:03 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-08-17 06:03 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-08-17 06:03 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-08-17 06:03 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-08-17 06:03 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-08-17 06:03 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-08-17 06:03 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-08-17 05:57 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-08-17 05:57 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-08-17 05:57 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-08-17 05:57 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-08-17 05:57 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2009-08-14 10:04 . 2009-08-14 10:09 -------- d-----w- c:\program files\NCH Software
2009-08-14 09:54 . 2009-08-14 09:54 -------- d-----w- c:\users\Sue\AppData\Roaming\TOSHIBA
2009-08-13 19:54 . 2009-08-13 20:06 -------- d-----w- C:\HJT
2009-08-13 12:56 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-13 12:56 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-13 12:56 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-13 12:56 . 2009-06-10 12:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-13 12:56 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-13 12:55 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-13 12:55 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-13 12:55 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-12 08:51 . 2009-08-12 08:51 81 ----a-w- C:\CTX.DAT
2009-08-12 08:50 . 2009-08-17 09:10 -------- d-----w- c:\users\Sue\Citrix
2009-08-12 08:48 . 2009-08-12 08:48 -------- d-----w- c:\windows\Sun
2009-08-12 08:41 . 2009-08-12 08:44 -------- d-----w- C:\ICA16
2009-08-12 08:40 . 2001-07-16 17:04 26768 ----a-w- c:\windows\system\CTL3D.DLL
2009-08-12 08:40 . 2001-07-16 17:04 358136 ----a-w- c:\windows\ISUN16.EXE
2009-08-12 08:34 . 2009-08-18 06:40 -------- d-----w- c:\users\Sue\Tracing
2009-08-12 08:33 . 2009-08-12 08:33 -------- d-----w- c:\program files\Microsoft
2009-08-12 08:33 . 2009-08-12 08:33 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-12 08:32 . 2009-08-12 08:33 -------- d-----w- c:\program files\Windows Live
2009-08-12 08:27 . 2009-08-12 08:27 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-11 08:33 . 2009-08-11 08:33 12888 ----a-w- c:\programdata\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\wmiav.exe
2009-08-11 08:33 . 2009-08-11 08:33 12888 ----a-w- c:\programdata\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\wmias.exe
2009-08-11 08:33 . 2009-08-11 08:33 33808 ----a-w- c:\programdata\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\klbg.sys
2009-08-11 08:33 . 2009-08-11 08:33 208616 ----a-w- c:\programdata\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\avp.exe
2009-08-11 08:33 . 2009-08-11 08:33 239120 ----a-w- c:\programdata\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\Vista\klif.sys
2009-08-11 08:18 . 2009-08-11 08:33 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-08-11 08:18 . 2009-08-11 08:33 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-08-11 08:16 . 2009-08-18 08:08 426016 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-08-11 08:16 . 2009-08-18 07:48 3842080 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-11 08:16 . 2009-08-18 06:40 -------- d-----w- c:\programdata\Kaspersky Lab
2009-08-11 08:16 . 2009-08-11 08:16 -------- d-----w- c:\program files\Kaspersky Lab
2009-08-11 07:13 . 2009-08-11 07:13 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2009-08-10 08:43 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-10 08:43 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-10 08:43 . 2008-06-26 01:45 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-08-10 08:43 . 2008-06-26 01:45 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
2009-08-10 08:42 . 2008-06-26 03:29 801280 ----a-w- c:\windows\system32\NaturalLanguage6.dll
2009-08-09 18:40 . 2008-05-27 05:21 1582592 ----a-w- c:\windows\system32\tquery.dll
2009-08-09 18:32 . 2009-08-09 18:32 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2009-08-07 13:54 . 2008-06-06 03:27 38912 ----a-w- c:\windows\system32\xolehlp.dll
2009-08-07 13:54 . 2008-06-06 03:27 562176 ----a-w- c:\windows\system32\msdtcprx.dll
2009-08-07 13:51 . 2008-11-01 03:44 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-07 13:51 . 2008-11-01 01:21 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-07 13:51 . 2008-03-08 04:21 1695744 ----a-w- c:\windows\system32\gameux.dll
2009-08-07 13:51 . 2008-06-26 03:29 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-08-07 13:50 . 2008-09-05 05:14 1191936 ----a-w- c:\windows\system32\msxml3.dll
2009-08-07 13:42 . 2006-04-18 03:00 102400 ----a-w- c:\programdata\EPSON\EPW!3 SSRP\E_S30RP1.EXE
2009-08-07 13:41 . 2004-09-10 19:12 49152 ----a-w- c:\windows\system32\E_DCINST.DLL
2009-08-07 13:41 . 2006-12-08 01:04 76800 ----a-w- c:\windows\system32\E_FLBBZE.DLL
2009-08-07 13:41 . 2006-04-19 01:00 62976 ----a-w- c:\windows\system32\E_FD4BBZE.DLL
2009-08-07 13:41 . 2009-08-07 13:41 -------- d-----w- c:\program files\EPSON
2009-08-07 13:41 . 2009-08-07 13:42 -------- d-----w- c:\programdata\EPSON
2009-08-07 13:16 . 2009-04-23 12:43 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-08-07 13:16 . 2008-04-26 08:08 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-08-07 13:12 . 2008-09-10 03:40 1334272 ----a-w- c:\windows\system32\msxml6.dll
2009-08-07 11:35 . 2008-10-16 21:09 51224 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 11:35 . 2008-10-16 21:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 11:35 . 2008-10-16 21:13 1809944 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-07 11:35 . 2008-10-16 20:56 1524736 ----a-w- c:\windows\system32\wucltux.dll
2009-08-07 11:35 . 2008-10-16 21:12 561688 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 11:35 . 2008-10-16 21:08 34328 ----a-w- c:\windows\system32\wups.dll
2009-08-07 11:35 . 2008-10-16 20:55 83456 ----a-w- c:\windows\system32\wudriver.dll
2009-08-07 11:35 . 2008-10-16 13:08 162064 ----a-w- c:\windows\system32\wuwebv.dll
2009-08-07 11:35 . 2008-10-16 12:56 31232 ----a-w- c:\windows\system32\wuapp.exe
2009-08-06 15:29 . 2009-08-06 15:29 -------- d-----w- c:\users\Sue\AppData\Local\Yahoo
2009-08-05 21:32 . 2009-08-05 21:32 -------- d-----w- c:\users\Sue\AppData\Roaming\Yahoo!
2009-08-05 21:31 . 2009-08-06 15:29 -------- d-----w- c:\programdata\Yahoo!
2009-08-05 21:31 . 2009-05-26 20:50 607472 ----a-w- c:\programdata\Yahoo!\YUpdater\yupdater.exe
2009-08-05 21:31 . 2009-08-06 20:11 -------- d-----w- c:\program files\Yahoo!
2009-08-05 11:26 . 2003-03-18 19:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-08-05 11:26 . 2003-03-18 18:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-08-05 11:26 . 2003-02-21 02:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-08-05 11:26 . 2009-08-05 11:26 -------- d-----w- c:\program files\Alwil Software
2009-08-05 09:03 . 2009-08-05 09:03 -------- d-----w- c:\users\Sue\AppData\Roaming\Template
2009-08-05 08:36 . 2009-08-05 08:36 -------- d-----w- c:\users\Sue\AppData\Roaming\HP
2009-08-05 08:25 . 2009-08-05 08:24 69632 ----a-w- c:\users\Sue\AppData\Roaming\Samsung\New PC Studio\DriverChecker.exe
2009-08-05 08:23 . 2008-02-22 14:33 14976 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys
2009-08-05 08:23 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys
2009-08-05 08:23 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdwh.sys
2009-08-05 08:23 . 2008-02-22 14:33 114304 ----a-w- c:\windows\system32\drivers\sscdmdm.sys
2009-08-05 08:23 . 2008-02-22 14:33 87936 ----a-w- c:\windows\system32\drivers\sscdbus.sys
2009-08-05 08:23 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys
2009-08-05 08:23 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdcm.sys
2009-08-05 08:23 . 2009-08-05 08:23 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2009-08-05 08:22 . 2009-01-08 08:42 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2009-08-05 08:22 . 2009-01-08 08:42 233472 ----a-w- c:\windows\system32\FsUsbExService.Exe
2009-08-05 08:22 . 2009-01-08 08:42 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2009-08-05 08:22 . 2009-08-05 08:22 -------- d-----w- c:\users\Sue\AppData\Roaming\Samsung
2009-08-05 08:22 . 2009-08-05 08:22 -------- d-----w- c:\program files\MarkAny
2009-08-05 08:21 . 2009-08-05 08:21 -------- d-----w- c:\program files\Samsung
2009-08-05 08:16 . 2009-08-05 08:20 -------- d-----w- c:\users\Sue\AppData\Local\Downloaded Installations
2009-08-05 08:00 . 2009-08-05 08:00 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-08-05 07:59 . 2009-08-05 07:59 -------- d-----w- c:\users\Sue\AppData\Local\Microsoft Help
2009-08-05 07:53 . 2009-08-05 07:53 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-08-05 07:50 . 2009-08-16 17:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-05 07:50 . 2009-08-16 17:56 -------- d-----w- c:\users\Sue\AppData\Roaming\SUPERAntiSpyware.com
2009-08-05 07:39 . 2009-08-05 07:39 -------- d-----w- c:\users\Sue\AppData\Roaming\AVG8
2009-08-04 17:40 . 2009-08-04 17:42 -------- d-----w- c:\program files\PowerDataRecovery
2009-08-04 11:15 . 2009-08-04 11:15 -------- d-----w- c:\program files\Ontrack
2009-08-04 10:19 . 2009-08-04 10:19 -------- d-----w- c:\users\Sue\AppData\Roaming\Citrix
2009-08-04 10:15 . 2006-11-29 12:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-08-04 10:15 . 2009-08-04 09:27 -------- d-----w- c:\programdata\TOSHIBA
2009-08-04 10:14 . 2008-01-21 14:42 285184 ----a-w- c:\windows\system32\drivers\tos_sps32.sys
2009-08-04 10:12 . 2009-08-04 10:15 -------- d-----w- c:\program files\Common Files\Toshiba Shared
2009-08-04 10:11 . 2007-12-17 10:45 18432 ----a-w- c:\windows\system32\drivers\UVCFTR_S.SYS
2009-08-04 10:11 . 2009-08-04 10:12 -------- d-----w- c:\program files\Camera Assistant Software for Toshiba
2009-08-04 10:08 . 2009-08-04 10:08 -------- d-----w- c:\windows\system32\ENU
2009-08-04 10:08 . 2009-08-04 10:08 -------- d-----w- c:\program files\Synaptics

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-17 16:42 . 2009-08-11 08:16 3528 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-08-17 16:42 . 2009-08-11 08:16 32088 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-17 11:15 . 2008-02-26 11:02 -------- d-----w- c:\programdata\Microsoft Help
2009-08-14 05:26 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-11 08:33 . 2008-01-29 16:29 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-08-09 18:54 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-08-09 18:46 . 2008-02-26 10:58 -------- d-----w- c:\program files\Microsoft Works
2009-08-07 13:31 . 2009-08-05 09:03 138 ----a-w- c:\users\Sue\AppData\Roaming\wklnhst.dat
2009-08-05 08:25 . 2008-02-26 10:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 08:10 . 2009-08-04 09:24 114400 ----a-w- c:\users\Sue\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-05 08:04 . 2006-11-02 12:37 -------- d-----w- c:\program files\MSBuild
2009-08-04 17:29 . 2008-02-26 10:47 -------- d-----w- c:\program files\Google
2009-08-04 10:15 . 2008-02-26 10:19 -------- d-----w- c:\program files\Toshiba
2009-08-04 10:11 . 2009-08-04 10:11 0 --sha-r- c:\windows\system32\drivers\TOSHIBA_Satellite P300_06557-KS_PSPC4E-02401.MRK
2009-08-04 10:08 . 2009-08-04 10:08 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2009-08-04 10:08 . 2008-02-26 09:55 -------- d-----w- c:\program files\Intel
2009-08-04 10:04 . 2008-02-26 10:00 -------- d-----w- c:\program files\CONEXANT
2009-08-04 09:59 . 2009-08-04 09:59 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-08-04 09:34 . 2008-02-26 10:43 -------- d-----w- c:\programdata\McAfee
2009-08-04 09:24 . 2009-08-04 09:24 -------- d-----w- c:\programdata\ToshibaEurope
2009-08-04 09:24 . 2009-08-04 09:24 -------- d-----w- c:\users\Sue\AppData\Roaming\InstallShield
2009-07-18 16:06 . 2009-08-07 13:32 827904 ----a-w- c:\windows\system32\wininet.dll
2009-07-18 16:01 . 2009-08-07 13:32 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 09:46 . 2009-08-07 13:32 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-06-15 15:24 . 2009-08-07 13:52 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:20 . 2009-08-07 13:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-08-07 13:52 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:52 . 2009-08-07 13:52 289792 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-12-29 430080]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2009-01-08 98304]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-26 4351216]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Desktop SMS"="c:\program files\IDM\Desktop SMS\DesktopSMS.exe" [2007-06-18 1507328]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2006-12-06 366400]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-29 1029416]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-25 413696]
"HDMICtrlMan"="c:\program files\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe" [2008-01-25 716800]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-10-31 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-01-25 509816]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2007-05-04 571024]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-08-11 208616]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd.dll c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2502975623-4279911475-2124463466-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5B19D1F5-9547-440E-9896-F6812ACBA565}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{DB724E29-1866-4068-98BE-E793F4CEBC73}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5FEFF2CE-F88B-48B1-85A1-484F40A20299}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{4B2B1F90-0BA1-48EB-A9D8-6FD7CAF35788}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{799E1F9F-C40E-412E-AF05-4BB3B58D9EB6}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{5282E43B-281F-4D57-A83E-3E58ECBAA089}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{489E8631-C897-4840-A648-BDD0413E64A5}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5B6F2F3C-14FE-4A68-B2B4-1904A92AAA80}"= UDP:c:\program files\Samsung\Samsung New PC Studio\npsasvr.exe:KTF MUSIC AoD Server
"{8FF8E41D-11F2-4F6A-86B3-DF69151A7837}"= TCP:c:\program files\Samsung\Samsung New PC Studio\npsasvr.exe:KTF MUSIC AoD Server
"{CF6D3C0F-A780-4A91-B0D3-3B5D82483319}"= UDP:c:\program files\Samsung\Samsung New PC Studio\npsvsvr.exe:KTF MUSIC VoD Server
"{9BDA0C05-F91F-4D65-B8E0-7010B8198291}"= TCP:c:\program files\Samsung\Samsung New PC Studio\npsvsvr.exe:KTF MUSIC VoD Server
"{E240AE71-E443-48A8-A7FB-07C03E40B59A}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{4009FEA4-4A4C-41B0-AB16-8D4035ED3672}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{3431147B-0896-48F0-BEF7-616C0DAA3980}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{465C4F62-0819-4430-89F9-D547141856F6}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{CD8D64E5-A6BA-420B-A64B-D40B3E6973D4}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{66544A36-D70E-4E15-B762-78321CE6A2B1}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\System32\drivers\klbg.sys [29/01/2008 17:29 33808]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\System32\drivers\klim6.sys [09/07/2008 17:28 20496]
R2 ConfigFree Service;ConfigFree Service;c:\program files\Toshiba\ConfigFree\CFSvcs.exe [25/12/2007 14:07 40960]
R2 FsUsbExService;FsUsbExService;c:\windows\System32\FsUsbExService.Exe [05/08/2009 09:22 233472]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\Toshiba\SMARTLogService\TosIPCSrv.exe [03/12/2007 17:03 126976]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\System32\drivers\CHDART.sys [26/02/2008 10:37 187904]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\System32\FsUsbExDisk.Sys [05/08/2009 09:22 36608]
R3 O2MDRDR;O2MDRDR;c:\windows\System32\drivers\o2media.sys [15/01/2008 10:34 48472]
R3 QIOMem;Generic IO & Memory Access;c:\windows\System32\drivers\QIOMem.sys [09/04/2007 16:13 8192]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ITSecMng - c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
HKLM-Run-NPSStartup - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ebay.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {16714085-A6E4-4E3B-87FB-41CDB15024B4} = 193.0.249.6,193.0.249.70
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????"%=m????P?w?x?w???w???w??

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-08-18 9:23
ComboFix-quarantined-files.txt 2009-08-18 08:23

Pre-Run: 72,529,072,128 bytes free
Post-Run: 72,683,958,272 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=1 Sets=1,2,3,4,5,6,7,8,9
296 --- E O F --- 2009-08-17 06:07
Attached Files
File Type: txt ComboFix.txt (23.4 KB, 2 views)

Last edited by Ried; 08-18-2009 at 08:59 AM.
Sueby78 is offline  
Old 08-18-2009, 04:24 AM   #7 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 13
OS: Vista


Re: First steps complete...Please help

Since I have run that last report I have had a problem getting into Yahoo? Took a screen shot & attached the message that comes up when I try to look at emails via the messenger tab in right of screen......
Attached Images
File Type: jpg screen.jpg (254.7 KB, 3 views)
Sueby78 is offline  
Old 08-18-2009, 09:11 AM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,918
OS: WinXP and Vista


Re: First steps complete...Please help

We'll try to deal with that error message after we take care of the redirects.

Quote:
managed to put Kaspersky on, only the trial version for now and I ran a full system scan in safe mode which took over 15 hours!! It found a couple of trojans
What did Kaspersky remove?


Open Notepad and copy/paste the contents in the code box below, into Notepad.

Quote:
@echo off

type C:\WINDOWS\SYSTEM32\DRIVERS\etc\HOSTS > hosts.txt
start notepad hosts.txt
Save this as look.bat. Choose to "Save type as - All Files".
It should look like this:

Double click on look.bat & allow it to run. Then post the log which it produces
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 08-18-2009, 02:15 PM   #9 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 13
OS: Vista


Re: First steps complete...Please help

The error message has disappeared since I have restarted the computer.

Kaspersky deleted:

11/08/2009 22:00:32 Detected: Trojan.Win32.Monderd.gen Kaspersky Anti-Virus c:\$recycle.bin\s-1-5-21-2502975623-4279911475-2124463466-1000\$rg1pav0\kav.en.exe/data0002

11/08/2009 22:00:42 Detected: Trojan-Downloader.Win32.NanoDesu.u Kaspersky Anti-Virus c:\$recycle.bin\s-1-5-21-2502975623-4279911475-2124463466-1000\$rg1pav0\kav.en.exe/data0003/KAVEN~1.EXE/iMUL

11/08/2009 22:00:49 Detected: Trojan-Dropper.Win32.Agent.uba Kaspersky Anti-Virus c:\$recycle.bin\s-1-5-21-2502975623-4279911475-2124463466-1000\$rg1pav0\kav.en.exe/data0003/file.exe


11/08/2009 22:00:49 Deleted: Trojan-Dropper.Win32.Agent.uba Kaspersky Anti-Virus c:\$recycle.bin\s-1-5-21-2502975623-4279911475-2124463466-1000\$rg1pav0\kav.en.exe



Look Report:

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost
Sueby78 is offline  
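An added example, not part of the original posts: look.bat dumps the HOSTS file so a helper can read it by eye, and this Python code applies the same review to the file's text, flagging any active line that points a name at a non-loopback address, sinkholes a name to loopback, or is malformed. `THREAD_HOSTS` is abridged from the file posted above; `TAMPERED_HOSTS`, its names and its addresses are constructed for illustration.

```python
import ipaddress

# Names a stock Windows HOSTS file is expected to map to loopback.
DEFAULT_NAMES = {"localhost"}

# Abridged from the HOSTS file posted in this thread (comments shortened).
THREAD_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost
::1 localhost
"""

# Constructed sample, not from the thread: documentation-range addresses
# and .example names standing in for a tampered file.
TAMPERED_HOSTS = """\
127.0.0.1 localhost
203.0.113.10 www.search.example Search.Example   # points names elsewhere
127.0.0.1 update.av-vendor.example               # name sent to loopback
0.0.0.0 ads.example
not-an-ip www.example.com
198.51.100.7
"""


def parse_hosts(text):
    """Return (line_no, address, [names]) for every active line.

    Everything after '#' is a comment; blank and comment-only lines
    are skipped. Names are lower-cased because lookups ignore case.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if fields:
            names = [n.lower() for n in fields[1:]]
            entries.append((line_no, fields[0], names))
    return entries


def audit_hosts(text):
    """Return findings as (kind, line_no, address, names).

    kind is 'redirect'  : a name mapped to a non-loopback address,
            'blocked'   : a non-default name mapped to loopback/0.0.0.0,
            'malformed' : unparsable address or no host name on the line.
    An empty list means the file only holds default localhost entries.
    """
    findings = []
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(("malformed", line_no, addr, names))
            continue
        if not names:
            findings.append(("malformed", line_no, addr, names))
        elif ip.is_loopback or ip.is_unspecified:
            extra = [n for n in names if n not in DEFAULT_NAMES]
            if extra:
                findings.append(("blocked", line_no, addr, extra))
        else:
            # Any name, localhost included, resolved to a remote address.
            findings.append(("redirect", line_no, addr, names))
    return findings


if __name__ == "__main__":
    for label, text in (("thread", THREAD_HOSTS), ("tampered", TAMPERED_HOSTS)):
        results = audit_hosts(text)
        print(label, "clean" if not results else "")
        for kind, line_no, addr, names in results:
            print(f"  line {line_no}: {kind:9} {addr} {' '.join(names)}")
```

An empty result, as for the file posted in this thread, means the HOSTS file is not what is redirecting the browser.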
Old 08-18-2009, 02:35 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,918
OS: WinXP and Vista


Re: First steps complete...Please help

Do you use a router?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 08-19-2009, 12:53 AM   #11 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 13
OS: Vista


Re: First steps complete...Please help

I use a Netgear Wireless ADSL Modem Router so guess the answer to that is yes? There is another computer hooked into it which hasn't been used in months and my laptop runs wireless from it.
Sueby78 is offline  
Old 08-19-2009, 05:17 AM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,918
OS: WinXP and Vista


Re: First steps complete...Please help

Have you tried accessing the internet from that other machine? Does it get redirected as well?

How many hosts files does this tool report?

Download HostsFileReader.zip by Option^Explicit, saving it to the desktop.
Extract HostsFileReader.zip to your desktop
  • Double click on HostsFileReader.exe
  • Click on Scan for Hosts
  • When it has finished, click the 'Use Notepad' icon on the right side of the panel
  • Post the contents of that file here
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 08-19-2009, 06:58 AM   #13 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 13
OS: Vista


Re: First steps complete...Please help

I will turn on my other computer later and have a look, it has been turned on once in about 6 months and that was a couple of weeks ago when this laptop was playing up.

Do I need to run this report from said wireless connection as I am at work at the minute so I can run the report now but wasn't sure if it needed to be connected to the router in question.
Sueby78 is offline  
Old 08-19-2009, 07:21 AM   #14 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 13
OS: Vista


Re: First steps complete...Please help

Ran the report from its current location but if I need to run it from its usual home connection let me know.

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost
Sueby78 is offline  
Old 08-19-2009, 01:05 PM   #15 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 13
OS: Vista


Re: First steps complete...Please help

Hi, yes the other computer is being hijacked. Worse than this one.
Sueby78 is offline  
Old 08-19-2009, 06:20 PM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,918
OS: WinXP and Vista


Re: First steps complete...Please help

What I'd like you to do is a hard reset with your router. Leave it on, and there should be a little pinhole in the back of the unit. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).

Then change your admin login and password--make it a strong password.

You may also want to ask your ISP for help in case there are custom settings that need to be maintained.

If you need further assistance in carrying that out, let me know the brand of router you have.

Are you still getting redirected?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 08-24-2009, 02:06 AM   #17 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 13
OS: Vista


Re: First steps complete...Please help

Hi, sorry for the delay in replying.
I reset my modem (Netgear 54mbps Wireless ADSL Router DG8349 V2), I held the button in for well over 10 seconds and it didn't turn off all the lights, they just flashed a lot then reset....but now I can't get on the internet at all, hence why I haven't replied over the weekend. My laptop will connect to it but local connection only. All the lights on the modem are fine so guess I need to change some settings??

I will try to do some searches now on how to fix it, but if I can't, some more help on how to get back connected would be appreciated.

Sue
Sueby78 is offline  
Old 08-24-2009, 07:22 AM   #18 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,918
OS: WinXP and Vista


Re: First steps complete...Please help

How did you set up this router when you first got it? Do you have the documentation or disc that came with it?

I was able to find this for you, see if it helps http://www.katorlegaz.com/reviews/ne...R614/index.php

1. Set your computer to access the internet through Ethernet.
2. Turn everything off, including the broadband modem and the computers.
3. Plug the broadband modem into the appropriate port on the back of the Netgear router using the Ethernet cable supplied with the modem.
4. Using the Ethernet cable supplied with the Netgear router, connect the computer to one of the four switched ports on the back of the router.
5. Turn on the Netgear router and wait one minute.
6. Use the web browser and go to http://www.routerlogin.net/basicsetting.htm
7. Set up the router as needed using the configuration webpages (remember to set passwords in Wireless Settings).
8. Shut down everything and turn the Netgear router off.
9. Turn on the broadband modem and wait 2 minutes for the connection.
10. Turn on the Netgear router and wait one minute.
11. Turn on your computer. You should now have full network access.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 08-24-2009, 07:30 AM   #19 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 13
OS: Vista


Re: First steps complete...Please help

I've had the router about 3 or 4 years I think so can't remember but I have the disks but one of the setting pages will not open up or run on the disk, not on the computer anyway, it does on the laptop but was asking ip addresses and other info I didn't know. I will try what you have suggested when I get home.
Sueby78 is offline  
 


All times are GMT -7. The time now is 02:41 PM.



Copyright 2001 - 2009, Tech Support Forum