# windows xp responding slow



## anujchopra (Mar 11, 2011)

Hi,
Lately my computer has been responding very slowly. It takes at least 5 mins to start, and even after booting, the programs respond very slowly. I use software like AutoCAD and MATLAB, and initially they used to work pretty fine, but now the computer almost hangs even when a simple task needs to be performed.
I've checked my computer for viruses using AVG and for malware and other spyware using Malwarebytes Anti-Malware. It showed no infected file. Please help me out; it's really killing me the way the system is responding.
Is there any way I could regain my computer's lost performance without formatting and reinstalling Windows?


----------



## Cheeseball81 (Mar 3, 2004)

Hi and welcome to TSG! How much memory does the system have?


----------



## anujchopra (Mar 11, 2011)

I have 4 GB of RAM and a Core 2 Duo 2.2 GHz processor.


----------



## anujchopra (Mar 11, 2011)

I also have an nVIDIA integrated RAMDAC, 8200M (512 MB).


----------



## rosiesdad (Jul 13, 2010)

Any more clues about when it slowed down, like after you played a game or installed something?

Me, I would uninstall AVG and install Microsoft Security Essentials (free) from Microsoft or filehippo.com.
Your computer has the horsepower to run really nice.

If you have a Windows CD, you could try Start, Run, "sfc /scannow" (google that, it's pretty harmless) and it may actually fix something. It may or may not ask for the XP CD, but it is supposed to restore system files to the original state while maintaining all data and updates on the computer.


----------



## Cheeseball81 (Mar 3, 2004)

I would suggest posting a HijackThis log too.

*Click here* to download *HJTInstall.exe*

Save *HJTInstall.exe* to your desktop.
Doubleclick on the *HJTInstall.exe* icon on your desktop.
By default it will install to *C:\Program Files\Trend Micro\HijackThis* . 
Click on *Install*.
It will create a HijackThis icon on the desktop.
Once installed, it will launch *Hijackthis*.
Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


----------



## anujchopra (Mar 11, 2011)

I guess it began after I installed 3ds Max. It made my AutoCAD also run pretty slow...
By the way, would a registry cleanup be beneficial? A friend of mine said that I probably had loads of registry files that were corrupt and needed to be cleaned. As for the HijackThis log, I'll be posting that soon.
Thanks


----------



## anujchopra (Mar 11, 2011)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:10:55, on 3/16/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\PROGRA~1\EC2\EC2TEC~1\mulservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZKxdm605YYIN&ptb=7jMdsypKyQdv5HeIrSSv2g
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
R3 - URLSearchHook: Softonic-Eng7 Toolbar - {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - C:\Program Files\Softonic-Eng7\tbSof2.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - F:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SBCONVERT - {3017FB3E-9A77-4396-88C5-0EC9548FB42F} - C:\Program Files\SpeedBit Video Downloader\Toolbar\tbcore3.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O2 - BHO: SearchPredictObj Class - {389943B0-C3A2-4E69-82CB-8596A84CB3DC} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Softonic-Eng7 Toolbar - {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - C:\Program Files\Softonic-Eng7\tbSof2.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: wit for ie - {75ED56AF-4DC9-4243-A30C-4EF4DD0CA28F} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: GrabberObj Class - {FF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\SPEEDB~1\Toolbar\grabber.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Softonic-Eng7 Toolbar - {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - C:\Program Files\Softonic-Eng7\tbSof2.dll
O3 - Toolbar: SpeedBit Video Downloader - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files\SpeedBit Video Downloader\Toolbar\tbcore3.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - F:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: Seagate SN_2GE40REE Product Registration.lnk = ?
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube Download - C:\Documents and Settings\HCL ME\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Documents and Settings\HCL ME\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hclinfosystems.in
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97D30F95-5A5D-4E7E-9821-A8175CCCC6E2}: NameServer = 59.179.243.70,203.94.243.70
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: app_dll.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: windnb32 - windnb32.dll (file missing)
O20 - Winlogon Notify: winyyq32 - winyyq32.dll (file missing)
O20 - Winlogon Notify: winzci32 - winzci32.dll (file missing)
O20 - Winlogon Notify: winzdo32 - winzdo32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: mulservice - Unknown owner - C:\PROGRA~1\EC2\EC2TEC~1\mulservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleanujTNSListener - Unknown owner - E:\hello\BIN\TNSLSNR.exe
O23 - Service: OracleOraHome81TNSListener - Unknown owner - F:\Oracle\Ora81\BIN\TNSLSNR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 12220 bytes


----------



## Cheeseball81 (Mar 3, 2004)

No, I wouldn't recommend using or downloading any registry cleaners. Sometimes they can do more harm than help.

There are some leftover malware traces in your HijackThis log.

You said MalwareBytes didn't find anything?

Run Hijack This and click *Open the Misc Tools* section.
Click Open Uninstall Manager > Save list and save the log to your Desktop.
A list of programs will open in Notepad. Post the contents of this log.

I'd also like you to run some other scans if you are okay with that.

Also, do you know how much memory the computer has?
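
The triage a helper does by eye on a HijackThis log can be written down. The script below is an added example, not code from this thread, from HijackThis or from Trend Micro. It flags the entry classes that get read first: dangling registrations such as the O20 "Winlogon Notify" lines marked "(file missing)", browser start/search entries tied to bundled toolbar vendors, a non-empty AppInit_DLLs value, Winlogon Notify packages outside an allowlist, the DNS servers in O17, and O23 services with no owner string. The vendor watchlist and the Winlogon Notify allowlist are illustrative assumptions of the example, not an authoritative list; the sample input is a handful of lines copied from the log posted above. It only reports, which matches the "DO NOT have HijackThis fix anything yet" rule.

```python
"""Triage a HijackThis (HJT) 2.x log.

Flags the entry classes a malware-removal helper reads first. It only
reports; it changes nothing on the machine.
"""
import re
from collections import Counter

# Sample input: lines copied from the HijackThis log posted earlier in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZKxdm605YYIN&ptb=7jMdsypKyQdv5HeIrSSv2g
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: wit for ie - {75ED56AF-4DC9-4243-A30C-4EF4DD0CA28F} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{97D30F95-5A5D-4E7E-9821-A8175CCCC6E2}: NameServer = 59.179.243.70,203.94.243.70
O20 - AppInit_DLLs: app_dll.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: windnb32 - windnb32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: mulservice - Unknown owner - C:\PROGRA~1\EC2\EC2TEC~1\mulservice.exe
"""

# Vendors that, in this log, arrive as bundled toolbars / search hijackers.
# Illustrative watchlist (an assumption of this example), not an authoritative feed.
UNWANTED_MARKERS = ("mywebsearch", "ask.com", "softonic", "conduit", "speedbit")

# Winlogon Notify packages that ship with XP or with the AV seen in this log.
# Illustrative allowlist (an assumption); extend it from a clean reference machine.
KNOWN_NOTIFY = {"avgrsstarter", "crypt32chain", "cryptnet", "cscdll", "scecli",
                "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.*)$")


def triage(log_text):
    """Return (section, category, line) for every entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # process list, header and blank lines
        sec, body = m.group("sec"), m.group("body")
        low = body.lower()

        # 1. Registration survives but the file is gone: the usual leftover of a
        #    half-removed infection. Harmless now, but HJT should fix the entry.
        if "(no file)" in low or "(file missing)" in low:
            findings.append((sec, "dangling", line))
        # 2. Start/search pages, URL hooks, BHOs and toolbars tied to bundled vendors.
        elif (sec.startswith("R") or sec in ("O2", "O3")) and any(k in low for k in UNWANTED_MARKERS):
            findings.append((sec, "browser-hijack", line))
        # 3. A non-empty AppInit_DLLs is loaded into every process that links
        #    user32.dll, so the DLL named here must be identified.
        elif sec == "O20" and low.startswith("appinit_dlls:") and body.split(":", 1)[1].strip():
            findings.append((sec, "appinit-dll", line))
        # 4. Winlogon Notify DLLs run inside winlogon.exe at logon; anything
        #    outside the allowlist needs identifying.
        elif sec == "O20" and low.startswith("winlogon notify:"):
            name = body.split(":", 1)[1].split("-", 1)[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                findings.append((sec, "winlogon-notify", line))
        # 5. DNS servers: always listed, to be compared with what the ISP hands out.
        elif sec == "O17":
            findings.append((sec, "dns-review", line))
        # 6. Services with no owner string (unsigned or unknown vendor).
        elif sec == "O23" and "unknown owner" in low:
            findings.append((sec, "service-unknown-owner", line))
    return findings


def summary(findings):
    """Count findings per category."""
    return dict(Counter(cat for _, cat, _ in findings))


if __name__ == "__main__":
    for sec, cat, line in triage(SAMPLE_LOG):
        print(f"{sec:<4} {cat:<22} {line[:90]}")
    print(summary(triage(SAMPLE_LOG)))
```

Run against the full log, the same rules also catch the other three "(file missing)" Winlogon Notify entries, the Softonic and Conduit BHOs, and the O23 PnkBstrA and Oracle listener services with "Unknown owner"; those last ones are legitimately installed software in this case, which is why the script ranks nothing and only lists what to look at.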


----------



## anujchopra (Mar 11, 2011)

Yeah, Malwarebytes didn't show me anything as far as I remember.

Total Physical Memory	4,096.00 MB
Available Physical Memory	1.86 GB
Total Virtual Memory	2.00 GB
Available Virtual Memory	1.96 GB
Page File Space	5.34 GB


----------



## anujchopra (Mar 11, 2011)

Acrobat.com
Acrobat.com
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Community Help
Adobe Community Help
Adobe Contribute CS3
Adobe Creative Suite 3 Master Collection
Adobe Creative Suite 5 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Encore CS3
Adobe Encore CS3 Codecs
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player 9 Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe Media Player
Adobe Media Player
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Reader 9
Adobe Setup
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
Airtel
Aldec Active-HDL 8.1
AMCap
Any DWG to PDF Converter 2010
Ashes Cricket 2009
Ashes Cricket 2009
AutoCAD 2009 - English
AVG Free 9.0
Bluetooth Stack for Windows by Toshiba
Carbonite Online Backup Setup
Cisco Networking Academy curriculum 4.0.0.2
dBpoweramp Ogg Vorbis Codec
dBpoweramp Windows Media Audio 10 Codec
Free Studio version 4.6
Free Window Registry Repair
Garena 2010
Garena Messenger
Google Chrome Backup 1.8.0.141
Google Earth Plug-in
Google SketchUp 6
Google SketchUp 6
Google Talk (remove only)
Google Update Helper
HCL EC2 Technology
HijackThis 2.0.2
iMesh
iMesh
JPEG to PDF 1.0
K-Lite Codec Pack 4.3.1 (Full)
LogMeIn Hamachi
LogMeIn Hamachi
Malwarebytes' Anti-Malware
MATLAB R2007b
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Mozilla Firefox (3.6.13)
MSVC80_x86
MSXML 6.0 Parser (KB925673)
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
NVIDIA Drivers
PC Connectivity Solution
PDF Settings
PDF Settings CS5
PunkBuster Services
PxMergeModule
Ralink Wireless LAN
Real Alternative 2.0.2
Realtek High Definition Audio Driver
Seagate Manager Installer
Seagate Manager Installer
Skype Toolbars
Skype 4.2
Soft Modem with SmartCP
Softonic-Eng7 Toolbar
SpeedBit Video Downloader
STAAD.Pro 2003
Synaptics Pointing Device Driver
System Utility 20.01.081006.0
Tata Photon+
Uninstall 1.0.0.1
VLC media player 1.1.6
Warcraft III Reign of Chaos & The Frozen Throne
Windows Communication Foundation
Windows Driver Package - Nokia Modem (02/23/2009 7.01.0.2)
Windows Driver Package - Nokia Modem (02/24/2009 4.0)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Presentation Foundation
Windows Workflow Foundation
WinRAR archiver
Yahoo! Messenger


----------



## Cheeseball81 (Mar 3, 2004)

I'm going to move your thread to the Malware Removal forum and we will continue there. 

I will leave more instructions shortly.


----------



## Cheeseball81 (Mar 3, 2004)

These programs should be uninstalled:

Go to Control Panel > Add or Remove Programs:

*iMesh
iMesh
Softonic-Eng7 Toolbar
SpeedBit Video Downloader*

Restart the computer.

Is your *AVG* up-to-date? AVG's latest version should be AVG 2011.
I will need you to uninstall it so we can run a tool. I can recommend another free anti-virus that is lighter on a computer's resources. It's called *Microsoft Security Essentials*. You can get it here: http://www.microsoft.com/security_essentials/

Then, you should do this...

Download* ComboFix *from one of these locations:

*Link 1*
*Link 2*

*IMPORTANT !!! Save ComboFix.exe to your Desktop*


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

*Please note:* If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the *C:\ComboFix.txt* in your next reply.


----------



## Cheeseball81 (Mar 3, 2004)

How is this going?


----------



## Cheeseball81 (Mar 3, 2004)

Since there's been no response in 7 days, I'm closing this thread. If you need it re-opened please PM me or one of the other Mods.

Anyone else with a similar problem please start a "New Thread".


----------



## Cheeseball81 (Mar 3, 2004)

Reopened for you


----------



## anujchopra (Mar 11, 2011)

Please reopen. I was out of town. I would be really grateful.


----------



## anujchopra (Mar 11, 2011)

I don't have an active AVG tray icon. But when I was running ComboFix it said that I needed to uninstall AVG before I did anything.


----------



## Cheeseball81 (Mar 3, 2004)

Yes unfortunately you have to. It's the only way it will work.


----------



## anujchopra (Mar 11, 2011)

Hey, I tried uninstalling AVG as I was told to, but it showed an error and it couldn't be done.

Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Access is denied.


I saved a log, but it's a huge file. Do you want me to post that as well?


----------



## anujchopra (Mar 11, 2011)

Another thing: when we run anti-malware software, it sometimes shows certain keygens and registry keys as potential malware. Do I need to remove them? And if I do, would it affect the programs installed that used those keys?
PS: Thanks for reopening.


----------



## Cheeseball81 (Mar 3, 2004)

I find AVG can be such a pain to remove sometimes. I would either try *Revo* to uninstall it: http://www.revouninstaller.com/revo_uninstaller_free_download.html
Or AVG makes a *removal tool*: http://www.avg.com/us-en/download-tools


----------



## Cheeseball81 (Mar 3, 2004)

anujchopra said:


> Another thing: when we run anti-malware software, it sometimes shows certain keygens and registry keys as potential malware. Do I need to remove them? And if I do, would it affect the programs installed that used those keys?
> PS: Thanks for reopening.


Which anti-malware software are you referring to?


----------



## anujchopra (Mar 11, 2011)

Malwarebytes


----------



## Cheeseball81 (Mar 3, 2004)

Can you post the results here? Generally we have users delete whatever it finds.


----------



## anujchopra (Mar 11, 2011)

Revo ain't helping, and I couldn't find a link for my version of AVG on the other page you specified. ComboFix is producing the same result, that AVG is running. However, AVG is not even in my installed programs list now.


----------



## anujchopra (Mar 11, 2011)

the malwarebytes log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4818

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/3/2011 09:00:57
mbam-log-2011-04-03 (09-00-57).txt

Scan type: Quick scan
Objects scanned: 139403
Time elapsed: 12 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 21
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## anujchopra (Mar 11, 2011)

It said that all of the above-mentioned were registry keys...


----------



## Cheeseball81 (Mar 3, 2004)

I see No action was taken.

Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & paste the entire report in your next reply.
Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*


----------
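
The point made in the reply above, that every line of the posted MBAM log ends in "No action taken", is easy to miss in a wall of registry paths. The script below is an added example, not code from this thread or from Malwarebytes: it parses an MBAM 1.x log, groups detections by family, by recorded action and by registry hive, and produces a one-line verdict saying whether anything was actually removed. The sample input is a subset of detection lines copied from the log posted above; the "Quarantined and deleted successfully" action string used in the usage test is the one MBAM writes after a removal, supplied here as a constructed line.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x log.

Groups every detection by family, by the action MBAM recorded and by hive,
so it is obvious whether anything was removed. A log full of
"-> No action taken." means the scan found things and nothing was changed.
"""
import re
from collections import Counter

# Sample input: detection lines copied from the MBAM log posted earlier in the thread.
SAMPLE_LOG = r"""
Registry Keys Infected: 21
Files Infected: 0

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.

Files Infected:
(No malicious items detected)
"""

# "Registry Keys Infected:" opens a section; "Registry Keys Infected: 21" is the
# count in the header and is deliberately not matched.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# item (family) -> action.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse(log_text):
    """Return one dict per detection, tagged with its section and registry hive."""
    section, detections = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            d = m.groupdict()
            d["section"] = section
            # HKEY_* prefix for registry items; files and folders get "file".
            d["hive"] = d["item"].split("\\", 1)[0] if d["item"].startswith("HKEY_") else "file"
            detections.append(d)
    return detections


def summarize(detections):
    """Counts per family, per recorded action and per hive, plus how many are unresolved."""
    unresolved = sum(1 for d in detections if d["action"].lower().startswith("no action"))
    return {
        "total": len(detections),
        "by_family": dict(Counter(d["family"] for d in detections)),
        "by_action": dict(Counter(d["action"] for d in detections)),
        "by_hive": dict(Counter(d["hive"] for d in detections)),
        "unresolved": unresolved,
    }


def verdict(detections):
    """One line a helper can paste back into the thread."""
    s = summarize(detections)
    if s["total"] == 0:
        return "clean: no detections"
    if s["unresolved"] == s["total"]:
        return f"{s['total']} detections, none removed (run the scan again and click Remove Selected)"
    if s["unresolved"]:
        return f"{s['total'] - s['unresolved']} removed, {s['unresolved']} still unresolved"
    return f"all {s['total']} detection(s) removed"


if __name__ == "__main__":
    dets = parse(SAMPLE_LOG)
    print(summarize(dets))
    print(verdict(dets))
```

The hive breakdown is also what answers the worry about breaking installed programs: the flagged items are the adware's own COM registrations under HKEY_CLASSES_ROOT\CLSID and \Interface, its IE search scope and elevation-policy entries, and its own vendor keys under HKLM\SOFTWARE and HKCU\SOFTWARE; none of them is a licence key of AutoCAD, MATLAB or any other listed application.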



## anujchopra (Mar 11, 2011)

I hope removing these items won't affect my programs running through these keys? That is the reason why I didn't take any kind of action.
By affecting, I mean: will my taking action prevent the program from running anymore?


----------



## Cheeseball81 (Mar 3, 2004)

All the entries contain Adware.MyWebSearch, which is something you don't want on your system.

It's removing unwanted stuff.


----------



## anujchopra (Mar 11, 2011)

OK, thanks, I'll do that, but what do I do with the AVG problem? It ain't letting ComboFix run.


----------



## Cheeseball81 (Mar 3, 2004)

You're welcome :up:

What version of AVG are you running?


----------



## anujchopra (Mar 11, 2011)

I updated it to 2011.


----------



## Cheeseball81 (Mar 3, 2004)

Okay, then on the AVG removal tool page you should see the first link for: AVG Remover (32bit) 2011
(avg_remover_stf_x86_2011_1184.exe)


----------



## anujchopra (Mar 11, 2011)

ComboFix 11-04-05.02 - HCL ME 04/06/2011 14:26:52.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2268 [GMT 5.5:30]
Running from: c:\documents and settings\HCL ME\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\AMCap
c:\documents and settings\All Users\Application Data\AMCap\AMCap.ini
c:\documents and settings\All Users\Application Data\AMCap\GenePccMon.ini
c:\documents and settings\HCL ME\Application Data\PriceGong
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\1.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\a.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\b.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\c.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\d.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\e.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\f.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\g.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\h.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\i.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\J.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\k.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\l.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\m.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\n.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\o.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\p.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\q.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\r.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\s.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\t.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\u.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\v.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\w.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\x.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\y.xml
c:\documents and settings\HCL ME\Application Data\PriceGong\Data\z.xml
c:\documents and settings\HCL ME\Application Data\ShoppingReport2
c:\documents and settings\HCL ME\Application Data\ShoppingReport2\cs\Config.xml
c:\documents and settings\HCL ME\Application Data\ShoppingReport2\cs\dwld\WhiteList.xip
c:\documents and settings\HCL ME\Application Data\ShoppingReport2\cs\report\aggr_storage.xml
c:\documents and settings\HCL ME\Application Data\ShoppingReport2\cs\report\send_storage.xml
c:\documents and settings\HCL ME\Application Data\ShoppingReport2\cs\res1\WhiteList.dbs
c:\documents and settings\HCL ME\Local Settings\Temporary Internet Files\_0t_NvAF_-
c:\documents and settings\HCL ME\WINDOWS
c:\program files\ShoppingReport2
c:\program files\ShoppingReport2\Bin\2.7.34\ShoppingReport.dll
c:\program files\ShoppingReport2\Uninst.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-06 to 2011-04-06 )))))))))))))))))))))))))))))))
.
.
2011-04-06 08:39 . 2011-04-06 08:39	--------	d-----w-	c:\windows\LastGood
2011-04-03 06:52 . 2011-04-03 06:52	--------	d-----w-	c:\documents and settings\HCL ME\Application Data\AVG10
2011-04-03 06:44 . 2011-04-06 08:39	--------	d-----w-	c:\documents and settings\All Users\Application Data\AVG10
2011-04-03 06:40 . 2008-09-25 14:01	45056	----a-w-	c:\windows\_detmp.2
2011-04-03 02:34 . 2011-04-03 02:34	--------	d-----w-	c:\documents and settings\HCL ME\Local Settings\Application Data\VS Revo Group
2011-04-03 02:34 . 2009-12-30 05:50	27064	----a-w-	c:\windows\system32\drivers\revoflt.sys
2011-04-03 02:34 . 2011-04-03 02:34	--------	d-----w-	c:\program files\VS Revo Group
2011-03-31 01:51 . 2011-03-18 17:53	142296	----a-w-	c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-31 01:50 . 2011-03-18 17:53	781272	----a-w-	c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-31 01:50 . 2011-03-18 17:53	1874904	----a-w-	c:\program files\Mozilla Firefox\mozjs.dll
2011-03-31 01:50 . 2011-03-18 17:53	15832	----a-w-	c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-31 01:50 . 2011-03-18 17:53	728024	----a-w-	c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-31 01:50 . 2011-03-18 17:53	142296	----a-w-	c:\program files\Mozilla Firefox\libEGL.dll
2011-03-31 01:50 . 2011-03-18 17:53	1893336	----a-w-	c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-31 01:50 . 2011-03-18 17:53	1975768	----a-w-	c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-31 01:50 . 2011-03-31 01:36	203736	----a-w-	c:\program files\Mozilla Firefox\nsq7D.tmp\nspr4.dll
2011-03-31 01:24 . 2011-04-03 06:43	--------	d-----w-	c:\documents and settings\All Users\Application Data\MFAData
2011-03-28 06:52 . 2011-03-28 06:52	--------	d-----w-	c:\documents and settings\All Users\Application Data\nView_Profiles
2011-03-19 05:54 . 2011-03-19 05:54	--------	d-----w-	c:\program files\GameSpy Arcade
2011-03-19 05:36 . 2011-03-19 05:36	--------	d-----w-	c:\documents and settings\HCL ME\Application Data\Microsoft Games
2011-03-17 19:42 . 2011-03-30 19:42	--------	d-----w-	c:\program files\LogMeIn Hamachi
2011-03-17 19:40 . 2011-03-31 00:47	--------	d-----w-	c:\documents and settings\HCL ME\Local Settings\Application Data\LogMeIn Hamachi
2011-03-17 19:40 . 2011-04-05 01:55	--------	d-----w-	c:\documents and settings\LocalService\Local Settings\Application Data\LogMeIn Hamachi
2011-03-16 07:40 . 2011-03-16 07:40	--------	d-----w-	c:\program files\Trend Micro
2011-03-16 06:53 . 2011-03-28 06:23	--------	d-----w-	c:\documents and settings\HCL ME\Application Data\Google Chrome Backup
2011-03-16 06:53 . 2011-03-16 06:53	--------	d-----w-	c:\program files\Google Chrome Backup
2011-03-15 02:43 . 2011-03-15 02:43	--------	d--h--w-	c:\documents and settings\All Users\Application Data\Common Files
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-18 17:53 . 2011-03-31 01:51	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.

```
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\EC2\EC2 Technology from HCL\ec2-tray .exe
c:\program files\GTC\OSD\osd .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\itsecmng .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\nwiz .exe
c:\windows\system32\rundll32 .exe
```
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 11:20	1197448	----a-w-	c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-29 13553664]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-03 1323008]
"ITSecMng"="%ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-3-14 2938184]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-17 02:40	12536	----a-w-	c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HCL ME^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HCL ME^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HCL ME^Start Menu^Programs^Startup^Seagate SN_2GE40REE Product Registration.lnk]
path=c:\documents and settings\HCL ME\Start Menu\Programs\Startup\Seagate SN_2GE40REE Product Registration.lnk
backup=c:\windows\pss\Seagate SN_2GE40REE Product Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-05 22:14	500208	------w-	c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-21 23:27	406992	----a-w-	c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2007-02-28 17:36	2321600	----a-w-	c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
2009-08-04 07:49	318096	----a-w-	c:\program files\Carbonite\CarbonitePreinstaller.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-07-17 07:43	136176	----atw-	c:\documents and settings\HCL ME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22	3739648	----a-w-	c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
c:\program files\Internet Download Manager\IDMan.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
2011-03-28 10:11	1910152	----a-w-	c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-12-18 05:54	197928	----a-w-	c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2008-09-19 12:04	4347120	----a-w-	c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12	1695232	------w-	c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-03-20 09:02	1312256	----a-w-	c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-05 20:57	26102056	----a-r-	c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 08:07	517096	----a-w-	c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Codemasters\\Ashes Cricket 2009\\Cricket2009.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"d:\\Anuj-CS\\Counter-Strike 1.6 p48\\hl.exe"=
"f:\\Anuj\\installed\\Warcraft III Reign of Chaos & The Frozen Throne\\Warcraft III.exe"=
"c:\\Program Files\\LogMeIn Hamachi\\hamachi-2-ui.exe"=
"f:\\Anuj\\thrones.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7188:TCP"= 7188:TCPlfdz
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R0 ntdisk;ntdisk;c:\windows\system32\drivers\ntdisk.sys [11/9/2009 18:55 27168]
R0 safnt;safnt;c:\windows\system32\drivers\safnt.sys [11/9/2009 18:55 28704]
R1 sammon;sammon;c:\windows\system32\drivers\sammon.sys [11/9/2009 18:55 14368]
R2 RPCQT;Remote Procedure Call (CQTPM);c:\windows\System32\svchost.exe -k netsvcs [4/14/2008 17:30 14336]
R3 mtc0303;BIOS Service Provider;c:\windows\system32\drivers\mtcBSv32.sys [3/14/2008 12:55 33792]
R3 VIACRX86;VIACRX86;c:\windows\system32\drivers\viacr.sys [11/9/2009 17:18 59264]
R4 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys --> c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R4 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys --> c:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R4 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys --> c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R4 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys --> c:\windows\system32\DRIVERS\AVGIDSShim.Sys [?]
R4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys --> c:\windows\system32\DRIVERS\avgrkx86.sys [?]
R4 AvgTdiX;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys --> c:\windows\system32\DRIVERS\avgtdix.sys [?]
S2 avg9wd;AVG Free WatchDog;"c:\program files\AVG\AVG9\avgwdsvc.exe" --> c:\program files\AVG\AVG9\avgwdsvc.exe [?]
S2 fbh5vefeu60nv;PowerUtility TV Recording Reservation; [x]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 189736]
S2 guxdjxyxkrmhfz;\??\c:\docume~;\??\c:\docume~1\HCLME~1\LOCALS~1\Temp\nbueyq.sys --> c:\docume~1\HCLME~1\LOCALS~1\Temp\nbueyq.sys [?]
S2 hbqtdirrm;\??\c:\do;\??\c:\docume~1\HCLME~1\LOCALS~1\Temp\opckrqjik.sys --> c:\docume~1\HCLME~1\LOCALS~1\Temp\opckrqjik.sys [?]
S2 jzeaiv;\??\C:;\??\c:\docume~1\HCLME~1\LOCALS~1\Temp\sevkrrjdohms.sys --> c:\docume~1\HCLME~1\LOCALS~1\Temp\sevkrrjdohms.sys [?]
S2 mulservice;mulservice;c:\progra~1\EC2\EC2TEC~1\mulservice.exe [11/9/2009 18:55 46376]
S2 OracleanujTNSListener;OracleanujTNSListener;e:\hello\BIN\TNSLSNR --> e:\hello\BIN\TNSLSNR [?]
S2 OracleOraHome81TNSListener;OracleOraHome81TNSListener;f:\oracle\Ora81\BIN\TNSLSNR --> f:\oracle\Ora81\BIN\TNSLSNR [?]
S2 tgehs;Boot Center;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 17:30 14336]
S2 ylhcnuguyeke;\??\c:\docum;\??\c:\docume~1\HCLME~1\LOCALS~1\Temp\sslbfpd.sys --> c:\docume~1\HCLME~1\LOCALS~1\Temp\sslbfpd.sys [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\safedrv.sys --> c:\program files\Garena\safedrv.sys [?]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/18/2011 23:40 136176]
S3 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [3/28/2011 15:41 1242504]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [1/30/2011 23:12 100736]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/3/2011 08:04 27064]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 13:37 517096]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - AvgLdx86
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
RPCQT
tgehs
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-18 22:48]
.
2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-18 22:48]
.
2011-03-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-606747145-1801674531-1004Core.job
- c:\documents and settings\HCL ME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-17 07:43]
.
2011-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-606747145-1801674531-1004UA.job
- c:\documents and settings\HCL ME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-17 07:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZKxdm605YYIN&ptb=7jMdsypKyQdv5HeIrSSv2g
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\HCL ME\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\HCL ME\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
TCP: {97D30F95-5A5D-4E7E-9821-A8175CCCC6E2} = 59.179.243.70,203.94.243.70
FF - ProfilePath - c:\documents and settings\HCL ME\Application Data\Mozilla\Firefox\Profiles\4ogddv92.default\
FF - prefs.js: browser.search.defaulturl - hxxp://babelfish.iamwired.net/search.php?src=tops&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://babelfish.iamwired.net/search.php?src=tops&q=
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
Notify-windnb32 - windnb32.dll
Notify-winyyq32 - winyyq32.dll
Notify-winzci32 - winzci32.dll
Notify-winzdo32 - winzdo32.dll
AddRemove-Aldec Active-HDL 8.1 - c:\program files\Aldec\Active-HDL 8.1\Uninst.isu
AddRemove-Any DWG to PDF Converter_is1 - d:\college work\Any DWG to PDF Converter\unins000.exe
AddRemove-{4097ADD8-7890-4CBD-953A-1187EF2C6FA5}_is1 - d:\college work\JPEG to PDF\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-06 14:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
.
c:\documents and settings\HCL ME\Application Data\Leadertech\PowerRegister\Seagate SN:2GE40REE Product Registration.exe 1731736 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200BEVT-11ZCT0 rev.11.01A11 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!! 
copy of MBR has been found in sector 10 !
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleanujTNSListener]
"ImagePath"="e:\hello\BIN\TNSLSNR "
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome81TNSListener]
"ImagePath"="f:\oracle\Ora81\BIN\TNSLSNR "
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tgehs]
"ServiceDll"="c:\windows\system32\cspowzxs.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):73,32,bd,dc,2c,a3,f1,c9,3c,97,34,c3,8f,04,da,32,87,80,bb,64,78,
36,b3,89,39,c1,e5,0f,80,35,ec,d2,20,73,04,67,9c,0e,77,96,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f62b8cef-0f6d-43ad-a47c-1609c066fefb}]
@Denied: (Full) (Everyone)
"Model"=dword:00000113
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,29,53,01,52,53,ee,8c,54,f1,07,3b,cc,0e,f5,b7,d0,83,e0,8b,c5,07,bb,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-06 15:04:47
ComboFix-quarantined-files.txt 2011-04-06 09:34
.
Pre-Run: 3,161,686,016 bytes free
Post-Run: 6,716,293,120 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 08F69E372B2E315C0B087FE22B008497
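
The log above carries the two indicators a responder would want to pull out mechanically rather than by eye: services whose image is a driver sitting in the user's Temp folder (guxdjxyxkrmhfz, hbqtdirrm, jzeaiv, ylhcnuguyeke), and services that hide inside the shared `svchost.exe -k netsvcs` host (RPCQT and tgehs, the latter with a `ServiceDll` of `cspowzxs.dll` in the registry dump at the end). The script below is an added example, not part of the thread or of ComboFix; it parses ComboFix-style service lines and the trailing `[HKLM\...\Services\<name>]` / `"ServiceDll"` dump, and flags those patterns. The sample input is a constructed subset of the lines posted above. The `XP_NETSVCS_BASELINE` set is an assumption (a partial list of stock XP SP3 netsvcs members from memory); build your own from a clean reference image before trusting it.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the service lines and the trailing registry
# dump from the ComboFix log posted in this thread, in the format ComboFix prints.
SAMPLE_LOG = r"""
R2 RPCQT;Remote Procedure Call (CQTPM);c:\windows\System32\svchost.exe -k netsvcs [4/14/2008 17:30 14336]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 189736]
S2 guxdjxyxkrmhfz;\??\c:\docume~;\??\c:\docume~1\HCLME~1\LOCALS~1\Temp\nbueyq.sys --> c:\docume~1\HCLME~1\LOCALS~1\Temp\nbueyq.sys [?]
S2 tgehs;Boot Center;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 17:30 14336]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/18/2011 23:40 136176]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/3/2011 08:04 27064]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tgehs]
"ServiceDll"="c:\windows\system32\cspowzxs.dll"
"""

# "S2 name;display name;image path [date time size]" or "... --> path [?]"
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")
SERVICES_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
SERVICE_DLL_RE = re.compile(r'^"ServiceDll"="(.+)"$', re.I)
TRAILER_RE = re.compile(r"\s*\[[^\]]*\]\s*$")  # trailing "[date time size]" / "[?]"

# ASSUMPTION: partial list of stock XP SP3 netsvcs group members, from memory.
# Replace with the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs
# value read from a known-clean machine of the same build.
XP_NETSVCS_BASELINE = {
    "6to4", "appmgmt", "audiosrv", "browser", "cryptsvc", "dmserver", "dhcp", "ersvc",
    "eventsystem", "fastuserswitchingcompatibility", "helpsvc", "hkmsvc", "ias", "iprip",
    "irmon", "lanmanserver", "lanmanworkstation", "messenger", "netman", "nla", "ntmssvc",
    "nwcworkstation", "nwsapagent", "rasauto", "rasman", "remoteaccess", "schedule",
    "seclogon", "sens", "sharedaccess", "srservice", "tapisrv", "themes", "trkwks",
    "w32time", "wzcsvc", "wmi", "wmdmpmsp", "winmgmt", "wscsvc", "xmlprov", "bits",
    "wuauserv", "shellhwdetection", "uploadmgr", "napagent",
}


def parse_services(log_text):
    """Return {name: {state, desc, image, no_file_info[, service_dll]}} from ComboFix lines."""
    services, current_key = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            state, name, desc, rest = m.groups()
            # Keep the path as registered; the part after "-->" is ComboFix's re-resolution.
            image = rest.split("-->", 1)[0] if "-->" in rest else rest
            services[name] = {
                "state": state,
                "desc": desc,
                "image": TRAILER_RE.sub("", image).strip(),
                "no_file_info": rest.rstrip().endswith("[?]"),
            }
            continue
        m = SERVICES_KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = SERVICE_DLL_RE.match(line)
        if m and current_key in services:
            services[current_key]["service_dll"] = m.group(1)
    return services


def triage(log_text):
    """Map each suspicious service name to the list of reasons it was flagged."""
    findings = defaultdict(list)
    for name, svc in parse_services(log_text).items():
        image = svc["image"].lower().replace("\\??\\", "")
        if "\\temp\\" in image:
            findings[name].append(f"image loads from a Temp directory: {svc['image']}")
        if not svc["desc"] or svc["desc"].startswith("\\??\\"):
            findings[name].append("display name is empty or a path fragment")
        if ("svchost.exe" in image and "-k netsvcs" in image
                and name.lower() not in XP_NETSVCS_BASELINE):
            reason = "hosted in svchost netsvcs but not in the stock XP netsvcs baseline"
            if "service_dll" in svc:
                reason += f" (ServiceDll={svc['service_dll']})"
            findings[name].append(reason)
        if svc["no_file_info"] and name in findings:
            findings[name].append("ComboFix reports no file date/size for the image ([?])")
    return dict(findings)


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Run against the full posted log, the same heuristics also pick up the other three Temp-folder drivers (hbqtdirrm, jzeaiv, ylhcnuguyeke). The netsvcs check is the important one: a service registered into the netsvcs group runs as a DLL inside a legitimate, signed svchost.exe process, so a process listing (such as the HijackThis "Running processes" section) shows nothing unusual and only the registry, via `ServiceDll` and the `Svchost - NetSvcs` list that ComboFix prints, reveals it. The script does not cover the separate `user != kernel MBR !!!` finding from the Gmer MBR detector in the same log; that compares the MBR as read from user mode with the kernel's view and is a distinct check from anything in the service list.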


----------



## Cheeseball81 (Mar 3, 2004)

Okay glad it finally ran :up:

Please locate this folder: 
c:\documents and settings\HCL ME\Local Settings\Temp

Delete all of the contents in there.

Then reboot the PC and please post a new HijackThis log.


----------



## anujchopra (Mar 11, 2011)

It has 4 hidden files along with the others. Do I need to delete those as well?


----------



## Cheeseball81 (Mar 3, 2004)

Yes


----------



## anujchopra (Mar 11, 2011)

It isn't deleting one particular hidden file. It says it is being used by another program or process.


----------



## anujchopra (Mar 11, 2011)

Should I post the log anyway?


----------



## anujchopra (Mar 11, 2011)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:59:06, on 4/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\PROGRA~1\EC2\EC2TEC~1\mulservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZKxdm605YYIN&ptb=7jMdsypKyQdv5HeIrSSv2g
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - F:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: wit for ie - {75ED56AF-4DC9-4243-A30C-4EF4DD0CA28F} - (no file)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - F:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube Download - C:\Documents and Settings\HCL ME\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Documents and Settings\HCL ME\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hclinfosystems.in
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97D30F95-5A5D-4E7E-9821-A8175CCCC6E2}: NameServer = 59.179.243.70,203.94.243.70
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - Unknown owner - C:\Program Files\AVG\AVG9\avgwdsvc.exe (file missing)
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: mulservice - Unknown owner - C:\PROGRA~1\EC2\EC2TEC~1\mulservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleanujTNSListener - Unknown owner - E:\hello\BIN\TNSLSNR.exe
O23 - Service: OracleOraHome81TNSListener - Unknown owner - F:\Oracle\Ora81\BIN\TNSLSNR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 10093 bytes


----------



## anujchopra (Mar 11, 2011)

I had deleted everything in that folder except that one file, but when I rebooted, all those files were back.


----------



## Cheeseball81 (Mar 3, 2004)

Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".

*R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jh...yQdv5HeIrSSv2g

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: wit for ie - {75ED56AF-4DC9-4243-A30C-4EF4DD0CA28F} - (no file)*

Close HijackThis and restart the PC.


----------



## anujchopra (Mar 11, 2011)

the log after performing the above actions:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:58:18, on 4/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\PROGRA~1\EC2\EC2TEC~1\mulservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - F:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - F:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube Download - C:\Documents and Settings\HCL ME\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Documents and Settings\HCL ME\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hclinfosystems.in
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97D30F95-5A5D-4E7E-9821-A8175CCCC6E2}: NameServer = 59.179.243.70,203.94.243.70
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - Unknown owner - C:\Program Files\AVG\AVG9\avgwdsvc.exe (file missing)
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: mulservice - Unknown owner - C:\PROGRA~1\EC2\EC2TEC~1\mulservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleanujTNSListener - Unknown owner - E:\hello\BIN\TNSLSNR.exe
O23 - Service: OracleOraHome81TNSListener - Unknown owner - F:\Oracle\Ora81\BIN\TNSLSNR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 9670 bytes


----------
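Turning the helper's checklist into repeatable detection logic: the script below is an added example written for this page by the editor, not HijackThis code and not anything posted in the thread. It parses the R0/R1, O2/O3, O17 and O23 line formats used in the two logs above and flags the same kinds of entries Cheeseball81 asked to have fixed (a start page redirected to mywebsearch.com, a BHO with no file), plus what the rescan log still shows (two AVG9 services whose binaries are missing, services with no publisher, the O17 resolvers). The allowlists, the tiny denylist and the sample lines are assumptions: the second O17 line (all-zero GUID, 192.0.2.53 from the documentation address range) is invented to exercise the DNS check, and the two real resolvers from the log are treated as expected, not as evidence of anything.

```python
"""Triage helper for HijackThis v2.x log lines (added example, not HijackThis code)."""
import re
from urllib.parse import urlparse

# Hosts a stock XP / IE7 install (or this OEM image) points its pages at.
# Assumption: an environment-specific allowlist; extend it for a corporate homepage.
TRUSTED_PAGE_HOSTS = {"go.microsoft.com", "www.hclinfosystems.in"}

# Known adware / search hijackers. Assumption: a tiny illustrative denylist,
# not a maintained threat feed.
KNOWN_PUP_HOSTS = {"home.mywebsearch.com"}

# Resolvers the machine is expected to use. Assumption: take these from the ISP
# or the DHCP lease; anything else deserves a look, not a verdict.
EXPECTED_NAMESERVERS = {"59.179.243.70", "203.94.243.70"}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


def parse_entry(line):
    """Split 'O23 - Service: ...' into ('O23', 'Service: ...'); None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def triage_entry(line):
    """Return (severity, reason) for a suspicious entry, or None."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    code, body = parsed

    if code in ("R0", "R1"):
        # '<hive>\...\Main,<Value> = <url>'; an empty value is left alone here.
        key, _, value = body.partition(" = ")
        host = urlparse(value.strip()).hostname
        if not host:
            return None
        name = key.rsplit(",", 1)[-1]
        if host in KNOWN_PUP_HOSTS:
            return ("fix", f"{name} hijacked to {host}")
        if host not in TRUSTED_PAGE_HOSTS:
            return ("review", f"{name} points at unexpected host {host}")
        return None

    if code in ("O2", "O3"):
        # BHO or toolbar whose DLL no longer exists: a dead registration to clear.
        if body.endswith("(no file)"):
            return ("fix", "BHO/toolbar registered but its DLL is gone")
        return None

    if code == "O17":
        # '...\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h'
        _, _, servers = body.partition("NameServer = ")
        unexpected = [s.strip() for s in servers.split(",")
                      if s.strip() and s.strip() not in EXPECTED_NAMESERVERS]
        if unexpected:
            return ("review", "DNS server(s) not on allowlist: " + ", ".join(unexpected))
        return None

    if code == "O23":
        if body.endswith("(file missing)"):
            return ("fix", "service registered but its binary is missing")
        if " - Unknown owner - " in body:
            return ("review", "service binary carries no publisher information")
        return None

    return None


def triage_log(lines):
    """Run triage_entry over every line; return [(line_no, severity, reason, entry)]."""
    findings = []
    for n, line in enumerate(lines, 1):
        result = triage_entry(line)
        if result:
            findings.append((n, result[0], result[1], line.strip()))
    return findings


# Constructed sample in the format of the logs above. The second O17 entry
# (all-zero GUID, 192.0.2.53) is invented to exercise the DNS check.
SAMPLE_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =",
    r"O2 - BHO: wit for ie - {75ED56AF-4DC9-4243-A30C-4EF4DD0CA28F} - (no file)",
    r"O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{97D30F95-5A5D-4E7E-9821-A8175CCCC6E2}: NameServer = 59.179.243.70,203.94.243.70",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53",
    r"O23 - Service: AVG Free WatchDog (avg9wd) - Unknown owner - C:\Program Files\AVG\AVG9\avgwdsvc.exe (file missing)",
    r"O23 - Service: mulservice - Unknown owner - C:\PROGRA~1\EC2\EC2TEC~1\mulservice.exe",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

if __name__ == "__main__":
    for n, severity, reason, entry in triage_log(SAMPLE_LINES):
        print(f"line {n} [{severity}] {reason}\n    {entry}")
```

A "review" finding is a prompt to verify (compare the O17 addresses against the ISP's published resolvers or the DHCP lease, check whether an "Unknown owner" binary is signed), not a verdict. The two AVG9 services marked "(file missing)" appear to be leftovers of an older AVG install that its uninstaller did not clean up, which is exactly the kind of dead entry HijackThis is used to remove; the Ask Toolbar BHO and toolbar in the rescan log are not flagged by this script because their DLL is present, so deciding about them is a policy call rather than a parsing result.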



## Cheeseball81 (Mar 3, 2004)

Thanks - how are things running now?


----------



## anujchopra (Mar 11, 2011)

Hi, thanks for all your support, but
it still takes me about 3.5 mins (same as before) to reach my desktop screen and another 2 to 3 minutes before I am able to start any programs, as I have to wait for the network connections in the tray to get started.
After that, when I start Chrome, it again takes about a minute to start (same as before).
The system still freezes and hangs for a few seconds in between processes.
Transferring data between drives is also taking forever.
Would taking a look at the running processes be of any help?
Can defragmenting benefit?
Waiting for your reply.


----------



## anujchopra (Mar 11, 2011)

*This is whenever I start my computer.


----------



## Cheeseball81 (Mar 3, 2004)

Hmmm and you have 4GB of RAM. On an XP machine, that's more than enough. It should be running faster. 

Yes, a Defrag definitely couldn't hurt. 

Have you tried a Disk Cleanup too?

Have you ever used msconfig to disable some unnecessary programs from running at Startup?


----------



## anujchopra (Mar 11, 2011)

Yes, I've used msconfig. I only have the programs that I need in the tray. I haven't tried the Disk Cleanup, though.
To begin with,
could you suggest something regarding the network connection problem I mentioned before?


----------



## anujchopra (Mar 11, 2011)

I can't say about the processes that are invoked when the computer is switched on. The Task Manager shows about 45 to 50 processes when the machine starts up. Can the number be reduced?


----------



## anujchopra (Mar 11, 2011)

I just checked. My Disk Defragmenter isn't working. I don't want to use third-party software till there is no other option left.
Here's the problem:
when I click on Analyze or Defragment, nothing is done. Nothing gets invoked.
I've checked, and the drive I chose to defragment had 15% free space present, as per the requirements.
I hope there is a solution for this.
Thanks.


----------



## dvk01 (Dec 14, 2002)

Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up comes, press *SAVE* and choose Desktop in the list of selections in that window, then press Save).
*Disable any antivirus/antimalware/firewall real-time protection or script blocking in the same way you did previously before running ComboFix, and remember to re-enable it when it has finished.*
Close any open browsers.
Then drag the CFScript.txt onto ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of ComboFix.txt in your next reply.

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script, as it could damage the workings of your system and will not fix your problem. If you have a similar problem, start your own topic in the malware fixing forum.*

This will create a zip file inside C:\QooBox\quarantine named something like [38][email protected]

At the end it will pop up an alert and open your browser and ask you to send the zip file.

Please follow those instructions. We need to see the zip file before we can carry on with the fix.

If there is no pop-up alert or open browser, then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and, if needed, distribute them to antivirus companies.
Just press New Topic, fill in the needed details and give a link to your post here, then press the Browse button and navigate to and select the files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select, etc., and when all the files are listed in the window press Send to upload the files (do not post HJT logs there, as they will not get dealt with).

Files to submit:
the zip file inside C:\QooBox\quarantine created by combofix named something like [38][email protected]

or to 
http://www.bleepingcomputer.com/submit-malware.php?channel=38


----------



## anujchopra (Mar 11, 2011)

The ComboFix log:

ComboFix 11-04-12.02 - HCL ME 04/13/2011 16:41:44.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2295 [GMT 5.5:30]
Running from: d:\softwares\ComboFix.exe
Command switches used :: d:\softwares\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\AMCap
c:\documents and settings\All Users\Application Data\AMCap\AMCap.ini
c:\documents and settings\All Users\Application Data\AMCap\GenePccMon.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_GUXDJXYXKRMHFZ
-------\Legacy_HBQTDIRRM
-------\Legacy_JZEAIV
-------\Legacy_RPCQT
-------\Legacy_TGEHS
-------\Legacy_YLHCNUGUYEKE
-------\Service_guxdjxyxkrmhfz
-------\Service_hbqtdirrm
-------\Service_jzeaiv
-------\Service_RPCQT
-------\Service_tgehs
-------\Service_ylhcnuguyeke
.
.
((((((((((((((((((((((((( Files Created from 2011-03-13 to 2011-04-13 )))))))))))))))))))))))))))))))
.
.
2011-04-13 10:50 . 2011-04-13 10:50	--------	d-----w-	c:\windows\LastGood.Tmp
2011-04-03 06:52 . 2011-04-03 06:52	--------	d-----w-	c:\documents and settings\HCL ME\Application Data\AVG10
2011-04-03 06:44 . 2011-04-13 10:51	--------	d-----w-	c:\documents and settings\All Users\Application Data\AVG10
2011-04-03 06:40 . 2008-09-25 14:01	45056	----a-w-	c:\windows\_detmp.2
2011-04-03 02:34 . 2011-04-03 02:34	--------	d-----w-	c:\documents and settings\HCL ME\Local Settings\Application Data\VS Revo Group
2011-04-03 02:34 . 2009-12-30 05:50	27064	----a-w-	c:\windows\system32\drivers\revoflt.sys
2011-04-03 02:34 . 2011-04-03 02:34	--------	d-----w-	c:\program files\VS Revo Group
2011-03-31 01:51 . 2011-03-18 17:53	142296	----a-w-	c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-31 01:50 . 2011-03-18 17:53	781272	----a-w-	c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-31 01:50 . 2011-03-18 17:53	1874904	----a-w-	c:\program files\Mozilla Firefox\mozjs.dll
2011-03-31 01:50 . 2011-03-18 17:53	15832	----a-w-	c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-31 01:50 . 2011-03-18 17:53	728024	----a-w-	c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-31 01:50 . 2011-03-18 17:53	142296	----a-w-	c:\program files\Mozilla Firefox\libEGL.dll
2011-03-31 01:50 . 2011-03-18 17:53	1893336	----a-w-	c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-31 01:50 . 2011-03-18 17:53	1975768	----a-w-	c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-31 01:50 . 2011-03-31 01:36	203736	----a-w-	c:\program files\Mozilla Firefox\nsq7D.tmp\nspr4.dll
2011-03-31 01:24 . 2011-04-06 09:49	--------	d-----w-	c:\documents and settings\All Users\Application Data\MFAData
2011-03-28 06:52 . 2011-03-28 06:52	--------	d-----w-	c:\documents and settings\All Users\Application Data\nView_Profiles
2011-03-19 05:54 . 2011-03-19 05:54	--------	d-----w-	c:\program files\GameSpy Arcade
2011-03-19 05:36 . 2011-03-19 05:36	--------	d-----w-	c:\documents and settings\HCL ME\Application Data\Microsoft Games
2011-03-17 19:42 . 2011-03-30 19:42	--------	d-----w-	c:\program files\LogMeIn Hamachi
2011-03-17 19:40 . 2011-03-31 00:47	--------	d-----w-	c:\documents and settings\HCL ME\Local Settings\Application Data\LogMeIn Hamachi
2011-03-17 19:40 . 2011-04-05 01:55	--------	d-----w-	c:\documents and settings\LocalService\Local Settings\Application Data\LogMeIn Hamachi
2011-03-16 07:40 . 2011-03-16 07:40	--------	d-----w-	c:\program files\Trend Micro
2011-03-16 06:53 . 2011-03-28 06:23	--------	d-----w-	c:\documents and settings\HCL ME\Application Data\Google Chrome Backup
2011-03-16 06:53 . 2011-03-16 06:53	--------	d-----w-	c:\program files\Google Chrome Backup
2011-03-15 02:43 . 2011-03-15 02:43	--------	d--h--w-	c:\documents and settings\All Users\Application Data\Common Files
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-18 17:53 . 2011-03-31 01:51	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( [email protected]_09.29.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-07 15:14 . 2008-09-29 23:29	1630208 c:\windows\system32\nwiz.exe
+ 2011-04-12 09:06 . 2011-04-12 09:06	3940352 c:\windows\Installer\9490de.msi
+ 2011-04-06 10:03 . 2011-04-06 10:03	3272704 c:\windows\Installer\2e4fa.msi
+ 2011-04-06 09:53 . 2011-04-06 09:53	1611776 c:\windows\Installer\1929990.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 11:20	1197448	----a-w-	c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-29 13553664]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-03 1323008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-3-14 2938184]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-17 02:40	12536	----a-w-	c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HCL ME^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HCL ME^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HCL ME^Start Menu^Programs^Startup^Seagate SN_2GE40REE Product Registration.lnk]
path=c:\documents and settings\HCL ME\Start Menu\Programs\Startup\Seagate SN_2GE40REE Product Registration.lnk
backup=c:\windows\pss\Seagate SN_2GE40REE Product Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-05 22:14	500208	------w-	c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-21 23:27	406992	----a-w-	c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2007-02-28 17:36	2321600	----a-w-	c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
2009-08-04 07:49	318096	----a-w-	c:\program files\Carbonite\CarbonitePreinstaller.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-07-17 07:43	136176	----atw-	c:\documents and settings\HCL ME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22	3739648	----a-w-	c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
2011-03-28 10:11	1910152	----a-w-	c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-12-18 05:54	197928	----a-w-	c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2008-09-19 12:04	4347120	----a-w-	c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12	1695232	------w-	c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-03-20 09:02	1312256	----a-w-	c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-05 20:57	26102056	----a-r-	c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 08:07	517096	----a-w-	c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Codemasters\\Ashes Cricket 2009\\Cricket2009.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"f:\\Anuj\\installed\\Warcraft III Reign of Chaos & The Frozen Throne\\Warcraft III.exe"=
"c:\\Program Files\\LogMeIn Hamachi\\hamachi-2-ui.exe"=
"f:\\Anuj\\thrones.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7188:TCP"= 7188:TCPlfdz
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R0 ntdisk;ntdisk;c:\windows\system32\drivers\ntdisk.sys [11/9/2009 18:55 27168]
R0 safnt;safnt;c:\windows\system32\drivers\safnt.sys [11/9/2009 18:55 28704]
R1 sammon;sammon;c:\windows\system32\drivers\sammon.sys [11/9/2009 18:55 14368]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 189736]
R2 mulservice;mulservice;c:\progra~1\EC2\EC2TEC~1\mulservice.exe [11/9/2009 18:55 46376]
R3 mtc0303;BIOS Service Provider;c:\windows\system32\drivers\mtcBSv32.sys [3/14/2008 12:55 33792]
R3 VIACRX86;VIACRX86;c:\windows\system32\drivers\viacr.sys [11/9/2009 17:18 59264]
S2 avg9wd;AVG Free WatchDog;"c:\program files\AVG\AVG9\avgwdsvc.exe" --> c:\program files\AVG\AVG9\avgwdsvc.exe [?]
S2 fbh5vefeu60nv;PowerUtility TV Recording Reservation; [x]
S2 OracleanujTNSListener;OracleanujTNSListener;e:\hello\BIN\TNSLSNR --> e:\hello\BIN\TNSLSNR [?]
S2 OracleOraHome81TNSListener;OracleOraHome81TNSListener;f:\oracle\Ora81\BIN\TNSLSNR --> f:\oracle\Ora81\BIN\TNSLSNR [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\safedrv.sys --> c:\program files\Garena\safedrv.sys [?]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/18/2011 23:40 136176]
S3 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [3/28/2011 15:41 1242504]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [1/30/2011 23:12 100736]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/3/2011 08:04 27064]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 13:37 517096]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-18 22:48]
.
2011-04-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-18 22:48]
.
2011-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-606747145-1801674531-1004Core.job
- c:\documents and settings\HCL ME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-17 07:43]
.
2011-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-606747145-1801674531-1004UA.job
- c:\documents and settings\HCL ME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-17 07:43]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\HCL ME\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\HCL ME\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
TCP: {97D30F95-5A5D-4E7E-9821-A8175CCCC6E2} = 59.179.243.70,203.94.243.70
FF - ProfilePath - c:\documents and settings\HCL ME\Application Data\Mozilla\Firefox\Profiles\4ogddv92.default\
FF - prefs.js: browser.search.defaulturl - hxxp://babelfish.iamwired.net/search.php?src=tops&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - prefs.js: keyword.URL - hxxp://babelfish.iamwired.net/search.php?src=tops&q=
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ITSecMng - %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
MSConfigStartUp-IDMan - c:\program files\Internet Download Manager\IDMan.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-13 16:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
.
c:\documents and settings\HCL ME\Application Data\Leadertech\PowerRegister\Seagate SN:2GE40REE Product Registration.exe 1731736 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR 
kernel: MBR read successfully
user != kernel MBR !!! 
copy of MBR has been found in sector 10 !
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleanujTNSListener]
"ImagePath"="e:\hello\BIN\TNSLSNR "
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome81TNSListener]
"ImagePath"="f:\oracle\Ora81\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):73,32,bd,dc,2c,a3,f1,c9,3c,97,34,c3,8f,04,da,32,87,80,bb,64,78,
36,b3,89,39,c1,e5,0f,80,35,ec,d2,20,73,04,67,9c,0e,77,96,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f62b8cef-0f6d-43ad-a47c-1609c066fefb}]
@Denied: (Full) (Everyone)
"Model"=dword:00000113
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,29,53,01,52,53,ee,8c,54,f1,07,3b,cc,0e,f5,b7,d0,83,e0,8b,c5,07,bb,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1304)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng-us.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
c:\windows\system32\nvcpl.dll
c:\windows\system32\nvapi.dll
c:\windows\system32\nvshell.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\rundll32.exe
c:\windows\RTHDCPL.EXE
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\taskmgr.exe
c:\documents and settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
c:\documents and settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
c:\documents and settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
c:\documents and settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
c:\documents and settings\HCL ME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
**************************************************************************
.
Completion time: 2011-04-13 17:05:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-13 11:35
ComboFix2.txt 2011-04-06 09:34
.
Pre-Run: 8,225,964,032 bytes free
Post-Run: 8,076,574,720 bytes free
.
- - End Of File - - FE8A899493C3A1B588E0AC0006085A02


----------



## anujchopra (Mar 11, 2011)

couldn't find any zip file


----------



## dvk01 (Dec 14, 2002)

I made a mistake in the last script & didn't set the file to delete, only the registry entries & drivers
so we need to delete the file now & get a copy submitted

delete any existing cfscript.txt from desktop 
Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE * and choose desktop in the list of selections in that window & press save)
*Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished *
Close any open browsers 
Then drag the CFScript.txt into the ComboFix.exe or renamed combofix icon as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum *

This will create a zip file inside C:\QooBox\quarantine named something like [38][email protected]

at the end it will pop up an alert & open your browser and ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer. If there is more than 1 file then press the more attachments button for each extra file and browse and select etc, and then when all the files are listed in the window press send to upload the files (do not post HJT logs there as they will not get dealt with)

Files to submit:
the zip file inside C:\QooBox\quarantine created by combofix named something like [38][email protected]

or to 
http://www.bleepingcomputer.com/submit-malware.php?channel=38


----------



## anujchopra (Mar 11, 2011)

the log:

ComboFix 11-04-12.02 - HCL ME 04/16/2011 9:49.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2384 [GMT 5.5:30]
Running from: d:\softwares\ComboFix.exe
Command switches used :: d:\softwares\CFScript.txt
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-03-16 to 2011-04-16 )))))))))))))))))))))))))))))))
.
.
2011-04-14 05:26 . 2011-04-14 05:26	--------	d-----w-	c:\documents and settings\HCL ME\Application Data\Rovio
2011-04-03 06:52 . 2011-04-03 06:52	--------	d-----w-	c:\documents and settings\HCL ME\Application Data\AVG10
2011-04-03 06:44 . 2011-04-13 10:51	--------	d-----w-	c:\documents and settings\All Users\Application Data\AVG10
2011-04-03 06:40 . 2008-09-25 14:01	45056	----a-w-	c:\windows\_detmp.2
2011-04-03 02:34 . 2011-04-03 02:34	--------	d-----w-	c:\documents and settings\HCL ME\Local Settings\Application Data\VS Revo Group
2011-04-03 02:34 . 2009-12-30 05:50	27064	----a-w-	c:\windows\system32\drivers\revoflt.sys
2011-04-03 02:34 . 2011-04-03 02:34	--------	d-----w-	c:\program files\VS Revo Group
2011-03-31 01:51 . 2011-03-18 17:53	142296	----a-w-	c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-31 01:50 . 2011-03-18 17:53	781272	----a-w-	c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-31 01:50 . 2011-03-18 17:53	1874904	----a-w-	c:\program files\Mozilla Firefox\mozjs.dll
2011-03-31 01:50 . 2011-03-18 17:53	15832	----a-w-	c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-31 01:50 . 2011-03-18 17:53	728024	----a-w-	c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-31 01:50 . 2011-03-18 17:53	142296	----a-w-	c:\program files\Mozilla Firefox\libEGL.dll
2011-03-31 01:50 . 2011-03-18 17:53	1893336	----a-w-	c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-31 01:50 . 2011-03-18 17:53	1975768	----a-w-	c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-31 01:50 . 2011-03-31 01:36	203736	----a-w-	c:\program files\Mozilla Firefox\nsq7D.tmp\nspr4.dll
2011-03-31 01:24 . 2011-04-06 09:49	--------	d-----w-	c:\documents and settings\All Users\Application Data\MFAData
2011-03-28 06:52 . 2011-03-28 06:52	--------	d-----w-	c:\documents and settings\All Users\Application Data\nView_Profiles
2011-03-19 05:54 . 2011-03-19 05:54	--------	d-----w-	c:\program files\GameSpy Arcade
2011-03-19 05:36 . 2011-03-19 05:36	--------	d-----w-	c:\documents and settings\HCL ME\Application Data\Microsoft Games
2011-03-17 19:42 . 2011-03-30 19:42	--------	d-----w-	c:\program files\LogMeIn Hamachi
2011-03-17 19:40 . 2011-03-31 00:47	--------	d-----w-	c:\documents and settings\HCL ME\Local Settings\Application Data\LogMeIn Hamachi
2011-03-17 19:40 . 2011-04-05 01:55	--------	d-----w-	c:\documents and settings\LocalService\Local Settings\Application Data\LogMeIn Hamachi
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-18 17:53 . 2011-03-31 01:51	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( [email protected]_09.29.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-07 15:14 . 2008-09-29 23:29	1630208 c:\windows\system32\nwiz.exe
+ 2011-04-12 09:06 . 2011-04-12 09:06	3940352 c:\windows\Installer\9490de.msi
+ 2011-04-06 10:03 . 2011-04-06 10:03	3272704 c:\windows\Installer\2e4fa.msi
+ 2011-04-06 09:53 . 2011-04-06 09:53	1611776 c:\windows\Installer\1929990.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 11:20	1197448	----a-w-	c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-29 13553664]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-03 1323008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-3-14 2938184]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-17 02:40	12536	----a-w-	c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HCL ME^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HCL ME^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HCL ME^Start Menu^Programs^Startup^Seagate SN_2GE40REE Product Registration.lnk]
path=c:\documents and settings\HCL ME\Start Menu\Programs\Startup\Seagate SN_2GE40REE Product Registration.lnk
backup=c:\windows\pss\Seagate SN_2GE40REE Product Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-05 22:14	500208	------w-	c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-21 23:27	406992	----a-w-	c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2007-02-28 17:36	2321600	----a-w-	c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
2009-08-04 07:49	318096	----a-w-	c:\program files\Carbonite\CarbonitePreinstaller.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-07-17 07:43	136176	----atw-	c:\documents and settings\HCL ME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22	3739648	----a-w-	c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
2011-03-28 10:11	1910152	----a-w-	c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-12-18 05:54	197928	----a-w-	c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2008-09-19 12:04	4347120	----a-w-	c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12	1695232	------w-	c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-03-20 09:02	1312256	----a-w-	c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-05 20:57	26102056	----a-r-	c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 08:07	517096	----a-w-	c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Codemasters\\Ashes Cricket 2009\\Cricket2009.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"f:\\Anuj\\installed\\Warcraft III Reign of Chaos & The Frozen Throne\\Warcraft III.exe"=
"c:\\Program Files\\LogMeIn Hamachi\\hamachi-2-ui.exe"=
"f:\\Anuj\\thrones.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7188:TCP"= 7188:TCPlfdz
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R0 ntdisk;ntdisk;c:\windows\system32\drivers\ntdisk.sys [11/9/2009 18:55 27168]
R0 safnt;safnt;c:\windows\system32\drivers\safnt.sys [11/9/2009 18:55 28704]
R1 sammon;sammon;c:\windows\system32\drivers\sammon.sys [11/9/2009 18:55 14368]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 189736]
R2 mulservice;mulservice;c:\progra~1\EC2\EC2TEC~1\mulservice.exe [11/9/2009 18:55 46376]
R3 mtc0303;BIOS Service Provider;c:\windows\system32\drivers\mtcBSv32.sys [3/14/2008 12:55 33792]
R3 VIACRX86;VIACRX86;c:\windows\system32\drivers\viacr.sys [11/9/2009 17:18 59264]
S2 avg9wd;AVG Free WatchDog;"c:\program files\AVG\AVG9\avgwdsvc.exe" --> c:\program files\AVG\AVG9\avgwdsvc.exe [?]
S2 fbh5vefeu60nv;PowerUtility TV Recording Reservation; [x]
S2 OracleanujTNSListener;OracleanujTNSListener;e:\hello\BIN\TNSLSNR --> e:\hello\BIN\TNSLSNR [?]
S2 OracleOraHome81TNSListener;OracleOraHome81TNSListener;f:\oracle\Ora81\BIN\TNSLSNR --> f:\oracle\Ora81\BIN\TNSLSNR [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\safedrv.sys --> c:\program files\Garena\safedrv.sys [?]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/18/2011 23:40 136176]
S3 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [3/28/2011 15:41 1242504]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [1/30/2011 23:12 100736]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/3/2011 08:04 27064]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 13:37 517096]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-18 22:48]
.
2011-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-18 22:48]
.
2011-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-606747145-1801674531-1004Core.job
- c:\documents and settings\HCL ME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-17 07:43]
.
2011-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-606747145-1801674531-1004UA.job
- c:\documents and settings\HCL ME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-17 07:43]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\HCL ME\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\HCL ME\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
TCP: {97D30F95-5A5D-4E7E-9821-A8175CCCC6E2} = 59.179.243.70,203.94.243.70
FF - ProfilePath - c:\documents and settings\HCL ME\Application Data\Mozilla\Firefox\Profiles\4ogddv92.default\
FF - prefs.js: browser.search.defaulturl - hxxp://babelfish.iamwired.net/search.php?src=tops&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - prefs.js: keyword.URL - hxxp://babelfish.iamwired.net/search.php?src=tops&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-16 10:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
.
c:\documents and settings\HCL ME\Application Data\Leadertech\PowerRegister\Seagate SN:2GE40REE Product Registration.exe 1731736 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR 
kernel: MBR read successfully
user != kernel MBR !!! 
copy of MBR has been found in sector 10 !
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleanujTNSListener]
"ImagePath"="e:\hello\BIN\TNSLSNR "
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome81TNSListener]
"ImagePath"="f:\oracle\Ora81\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):73,32,bd,dc,2c,a3,f1,c9,3c,97,34,c3,8f,04,da,32,87,80,bb,64,78,
36,b3,89,39,c1,e5,0f,80,35,ec,d2,20,73,04,67,9c,0e,77,96,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f62b8cef-0f6d-43ad-a47c-1609c066fefb}]
@Denied: (Full) (Everyone)
"Model"=dword:00000113
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,29,53,01,52,53,ee,8c,54,f1,07,3b,cc,0e,f5,b7,d0,83,e0,8b,c5,07,bb,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2496)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng-us.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\rundll32.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-04-16 10:10:37 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-16 04:40
ComboFix2.txt 2011-04-13 11:35
ComboFix3.txt 2011-04-06 09:34
.
Pre-Run: 7,377,764,352 bytes free
Post-Run: 7,422,967,808 bytes free
.
- - End Of File - - 84271EEFD11FF67645BD74953416F042


----------



## anujchopra (Mar 11, 2011)

still no zip files, only 2 files (notepad, both named catch me) and 2 folders (one named 'C' and the other registry_backups).


----------



## dvk01 (Dec 14, 2002)

it didn't get the file that time either so it means the file doesn't exist 


How is the computer now? What problems (if any) are you still having?


----------



## anujchopra (Mar 11, 2011)

sorry for the delayed reply, had my exams on.
the computer is responding just the same as before. no improvement whatsoever.
i was thinking about defragmenting my drives to see if that made a difference but my defragmenter ain't working.
i have more than 15% free space as per the requirements and whenever i press defragment or analyse, nothing happens.
it doesn't invoke anything.
can you help me out with this?
i don't want to use a third party defragmenting software unless that's the only option.
thanks


----------



## anujchopra (Mar 11, 2011)

by the way is it normal for the system to take about 3 to 4 mins to start? it never used to take that long till a few months back.


----------



## dvk01 (Dec 14, 2002)

Run tdss killer from http://support.kaspersky.com/viruses/solutions?qid=208280684

let it cure anything it finds ( except SPTD.SYS, which should be ignored) & then reboot

post back with its log


----------



## anujchopra (Mar 11, 2011)

hey sorry for bothering you, but i did as you said and it asked me to reboot and i did.
it didn't produce any log that i could post.
out of the infections it found, none of them had the name SPDT.SYS .
can you guide me further?


----------



## dvk01 (Dec 14, 2002)

By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder.
Logs have names like: UtilityName.Version_Date_Time_log.txt.
E.g. C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

post ANY logs found there, there will most likely be 2


----------
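An added triage example (not code from ComboFix, Gmer, TDSSKiller or anyone in this thread) for the two cross-view checks this thread leans on: the Gmer MBR check and catchme hidden-file count that ComboFix appends to the logs above, and the "Suspicious file (Forged)" and "detected" lines TDSSKiller writes to the log whose location the helper describes here. The sample lines are constructed to match the formats posted in the thread, and the log-name check follows the naming pattern quoted above.

```python
"""Cross-view triage for the rootkit checks seen in this thread.

Added example, not code from ComboFix, Gmer, TDSSKiller or this thread.
All sample lines are constructed to match the formats posted above.
"""
import re
from dataclasses import dataclass

# TDSSKiller log lines: "<date> <time>\t<pid>\t<message>"
TDSS_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+(?P<msg>.*)$"
)
# "<ServiceName> (<md5>) <path>" for a driver that scanned clean
DRIVER_LINE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# Two reads of the same driver returned different hashes
FORGED_LINE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$"
)
DETECTED_LINE = re.compile(r"^(?P<name>\S+) - detected (?P<verdict>\S+)")
# Default log name quoted by the helper: UtilityName.Version_Date_Time_log.txt
TDSS_LOG_NAME = re.compile(
    r"^TDSSKiller\.[\d.]+_\d{2}\.\d{2}\.\d{4}_\d{2}\.\d{2}\.\d{2}_log\.txt$"
)


@dataclass
class Finding:
    kind: str      # short tag for the class of discrepancy
    subject: str   # driver, file or device the finding concerns
    detail: str    # human-readable evidence taken from the log


def is_tdsskiller_log(filename):
    """True if a file in the system drive root is named like a TDSSKiller log."""
    return TDSS_LOG_NAME.match(filename) is not None


def triage_tdsskiller(lines):
    """Count drivers scanned clean and collect forged-file and detection findings."""
    scanned = 0
    findings = []
    for raw in lines:
        m = TDSS_LINE.match(raw.rstrip())
        if not m:
            continue  # banner, separator and SystemInfo lines carry no timestamp
        msg = m.group("msg").strip()
        f = FORGED_LINE.match(msg)
        if f:
            # The hash seen through the normal file path disagrees with the hash
            # obtained another way: something sits between the scanner and the
            # disk for this driver, which is the cross-view signal to act on.
            findings.append(Finding("forged-driver", f.group("path"),
                                    f"real={f.group('real')} fake={f.group('fake')}"))
            continue
        d = DETECTED_LINE.match(msg)
        if d:
            findings.append(Finding("detection", d.group("name"), d.group("verdict")))
            continue
        if DRIVER_LINE.match(msg):
            scanned += 1
    return {"scanned": scanned, "findings": findings}


def triage_gmer_section(lines):
    """Flag the Gmer/catchme results ComboFix appends after its main report."""
    findings = []
    text = "\n".join(line.strip() for line in lines)
    if "user != kernel MBR" in text:
        # user-mode and kernel-mode reads of sector 0 do not agree
        findings.append(Finding("mbr-mismatch", "PHYSICALDRIVE0",
                                "user-mode and kernel-mode MBR reads differ"))
    m = re.search(r"copy of MBR has been found in sector (\d+)", text)
    if m:
        findings.append(Finding("mbr-backup-copy", "PHYSICALDRIVE0",
                                f"copy of the MBR stored at sector {m.group(1)}"))
    m = re.search(r"^hidden files: (\d+)$", text, re.MULTILINE)
    if m and int(m.group(1)) > 0:
        findings.append(Finding("hidden-files", "catchme",
                                f"{m.group(1)} file(s) hidden from the normal view"))
    return findings


# Constructed samples, modelled on the lines posted in this thread.
SAMPLE_TDSS = [
    "2011/04/24 13:46:36.0937 1776\tScan started",
    "2011/04/24 13:47:14.0468 1776\tCompbatt (84a400bf6ad1d2cea0dabec848d2678d) C:\\WINDOWS\\system32\\DRIVERS\\compbatt.sys",
    "2011/04/24 13:47:14.0500 1776\tSuspicious file (Forged): C:\\WINDOWS\\system32\\DRIVERS\\compbatt.sys. "
    "Real md5: 84a400bf6ad1d2cea0dabec848d2678d, Fake md5: 6e4c9f21f0fae8940661144f41b13203",
    "2011/04/24 13:47:14.0500 1776\tCompbatt - detected Rootkit.Win32.TDSS.tdl3 (0)",
    "2011/04/24 13:47:20.0578 1776\tDisk (044452051f3e02e7963599fc8f4f3e25) C:\\WINDOWS\\system32\\DRIVERS\\disk.sys",
]
SAMPLE_GMER = [
    "Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net",
    "user: error reading MBR ",
    "kernel: MBR read successfully",
    "user != kernel MBR !!! ",
    "copy of MBR has been found in sector 10 !",
    "scan completed successfully",
    "hidden files: 1",
]

if __name__ == "__main__":
    report = triage_tdsskiller(SAMPLE_TDSS)
    print(f"TDSSKiller: {report['scanned']} drivers scanned clean")
    for f in report["findings"] + triage_gmer_section(SAMPLE_GMER):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```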



## anujchopra (Mar 11, 2011)

first log:


2011/04/24 13:46:33.0250 3844	TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/24 13:46:34.0187 3844	================================================================================
2011/04/24 13:46:34.0187 3844	SystemInfo:
2011/04/24 13:46:34.0187 3844	
2011/04/24 13:46:34.0187 3844	OS Version: 5.1.2600 ServicePack: 3.0
2011/04/24 13:46:34.0187 3844	Product type: Workstation
2011/04/24 13:46:34.0187 3844	ComputerName: HCL
2011/04/24 13:46:34.0187 3844	UserName: HCL ME
2011/04/24 13:46:34.0187 3844	Windows directory: C:\WINDOWS
2011/04/24 13:46:34.0187 3844	System windows directory: C:\WINDOWS
2011/04/24 13:46:34.0187 3844	Processor architecture: Intel x86
2011/04/24 13:46:34.0187 3844	Number of processors: 2
2011/04/24 13:46:34.0187 3844	Page size: 0x1000
2011/04/24 13:46:34.0187 3844	Boot type: Normal boot
2011/04/24 13:46:34.0187 3844	================================================================================
2011/04/24 13:46:34.0750 3844	Initialize success
2011/04/24 13:46:36.0937 1776	================================================================================
2011/04/24 13:46:36.0937 1776	Scan started
2011/04/24 13:46:36.0937 1776	Mode: Manual; 
2011/04/24 13:46:36.0937 1776	================================================================================
2011/04/24 13:46:40.0671 1776	ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/24 13:46:42.0593 1776	ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/04/24 13:46:45.0312 1776	aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/24 13:46:46.0078 1776	AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
2011/04/24 13:46:53.0093 1776	AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/24 13:46:53.0890 1776	atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/24 13:46:55.0843 1776	Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/24 13:46:56.0671 1776	audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/24 13:47:03.0609 1776	Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/24 13:47:04.0390 1776	BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
2011/04/24 13:47:05.0156 1776	BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
2011/04/24 13:47:06.0000 1776	BTHPORT (10b85171b90c449f8da71c2640b797e9) C:\WINDOWS\system32\Drivers\BTHport.sys
2011/04/24 13:47:06.0812 1776	BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
2011/04/24 13:47:07.0593 1776	cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/24 13:47:08.0390 1776	CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/04/24 13:47:09.0921 1776	Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/24 13:47:10.0671 1776	Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/24 13:47:11.0484 1776	Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/24 13:47:12.0953 1776	CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/04/24 13:47:14.0468 1776	Compbatt (84a400bf6ad1d2cea0dabec848d2678d) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/04/24 13:47:14.0500 1776	Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\compbatt.sys. Real md5: 84a400bf6ad1d2cea0dabec848d2678d, Fake md5: 6e4c9f21f0fae8940661144f41b13203
2011/04/24 13:47:14.0500 1776	Compbatt - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/04/24 13:47:20.0578 1776	Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/24 13:47:22.0375 1776	dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/24 13:47:24.0156 1776	dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/24 13:47:25.0109 1776	dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/24 13:47:25.0875 1776	DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/24 13:47:28.0687 1776	drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/24 13:47:29.0656 1776	Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/24 13:47:31.0437 1776	Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/04/24 13:47:32.0500 1776	Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/24 13:47:33.0421 1776	Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/04/24 13:47:34.0312 1776	FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/04/24 13:47:35.0796 1776	Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/24 13:47:36.0578 1776	Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/24 13:47:37.0781 1776	Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/24 13:47:39.0328 1776	HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/24 13:47:41.0984 1776	HSFHWAZL (b1526810210980bed9d22315946c919d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2011/04/24 13:47:42.0796 1776	HSF_DPV (ddbd528e60f5961c142a490dc4ea7780) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/04/24 13:47:43.0656 1776	HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/24 13:47:47.0468 1776	i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/24 13:47:48.0312 1776	Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/24 13:47:50.0000 1776	IntcAzAudAddService (0be7f157d695e1d10ee102c96de4ac18) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/04/24 13:47:51.0656 1776	intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/24 13:47:52.0437 1776	Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/04/24 13:47:53.0203 1776	IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/24 13:47:53.0968 1776	IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/24 13:47:54.0718 1776	IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/24 13:47:55.0500 1776	IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/24 13:47:56.0281 1776	IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/24 13:47:57.0109 1776	isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/24 13:47:57.0875 1776	Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/24 13:47:59.0406 1776	kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/24 13:48:00.0171 1776	KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/24 13:48:01.0765 1776	mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/04/24 13:48:02.0546 1776	mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/24 13:48:03.0328 1776	Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/24 13:48:04.0093 1776	Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/24 13:48:05.0609 1776	MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/24 13:48:07.0156 1776	MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/24 13:48:07.0953 1776	MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/24 13:48:08.0765 1776	Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/24 13:48:09.0546 1776	MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/24 13:48:10.0343 1776	MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/24 13:48:11.0156 1776	MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/24 13:48:11.0906 1776	mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/24 13:48:12.0703 1776	MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/04/24 13:48:13.0468 1776	mtc0303 (b961ee3a63ed5c2245dd2489685599f2) C:\WINDOWS\system32\DRIVERS\mtcBSv32.sys
2011/04/24 13:48:14.0281 1776	Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/24 13:48:15.0046 1776	NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/04/24 13:48:15.0890 1776	NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/24 13:48:16.0671 1776	NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/04/24 13:48:17.0421 1776	NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/24 13:48:18.0234 1776	Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/24 13:48:19.0031 1776	NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/24 13:48:19.0812 1776	NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/24 13:48:20.0593 1776	NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/24 13:48:21.0375 1776	NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/24 13:48:23.0656 1776	Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/24 13:48:24.0437 1776	ntdisk (cdc59d496be56c50ca5e1b53b4123f01) C:\WINDOWS\system32\drivers\ntdisk.sys
2011/04/24 13:48:25.0234 1776	Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/24 13:48:26.0078 1776	Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/24 13:48:27.0109 1776	nv (e40db1933ca43a409ffe6783c17a2185) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/04/24 13:48:28.0328 1776	NVENETFD (28727d0f5ca6579890d0b6ad1598c935) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/04/24 13:48:29.0125 1776	nvnetbus (a3cd61af33e8b3cc2cc22bd37f867d54) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/04/24 13:48:29.0906 1776	nvsmu (b1fb1516fd38e69749886c9bdd357bab) C:\WINDOWS\system32\DRIVERS\nvsmu.sys
2011/04/24 13:48:30.0750 1776	NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/24 13:48:31.0531 1776	NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/24 13:48:32.0328 1776	Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/04/24 13:48:33.0156 1776	PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/24 13:48:33.0937 1776	ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/24 13:48:35.0484 1776	PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/24 13:48:37.0000 1776	PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/24 13:48:37.0812 1776	Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/04/24 13:48:43.0562 1776	PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/24 13:48:44.0375 1776	PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/24 13:48:45.0140 1776	Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/24 13:48:50.0484 1776	RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/24 13:48:51.0250 1776	Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/24 13:48:52.0062 1776	RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/24 13:48:52.0828 1776	Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/24 13:48:53.0609 1776	Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/24 13:48:54.0375 1776	RDPCDD (1e77ab1b7a0a2e55b844818cae227e73) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/24 13:48:54.0375 1776	Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\RDPCDD.sys. Real md5: 1e77ab1b7a0a2e55b844818cae227e73, Fake md5: df7f9ddbdaef6da614848ffddad88abc
2011/04/24 13:48:54.0390 1776	RDPCDD - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/04/24 13:48:55.0187 1776	RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/24 13:48:56.0015 1776	redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/24 13:48:57.0625 1776	RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
2011/04/24 13:48:58.0453 1776	ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/04/24 13:48:59.0265 1776	RT73 (b01b2c25bd80770878285fb569090d7b) C:\WINDOWS\system32\DRIVERS\rt73.sys
2011/04/24 13:49:00.0890 1776	safnt (07dcec94913d42434275dbb263eb7fac) C:\WINDOWS\system32\drivers\safnt.sys
2011/04/24 13:49:03.0078 1776	sammon (170309f4be16b51f9331aac889603458) C:\WINDOWS\system32\drivers\sammon.sys
2011/04/24 13:49:04.0750 1776	sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/04/24 13:49:05.0703 1776	Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/24 13:49:06.0796 1776	Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/04/24 13:49:08.0375 1776	sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
2011/04/24 13:49:09.0156 1776	sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
2011/04/24 13:49:10.0968 1776	Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/04/24 13:49:14.0062 1776	SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/04/24 13:49:15.0718 1776	splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/24 13:49:16.0765 1776	sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/24 13:49:19.0640 1776	Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/24 13:49:22.0218 1776	streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/04/24 13:49:24.0796 1776	swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/24 13:49:27.0125 1776	swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/24 13:49:43.0500 1776	sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/24 13:49:46.0125 1776	Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/24 13:49:48.0328 1776	TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/24 13:49:52.0015 1776	TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/24 13:49:55.0625 1776	TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/24 13:50:00.0750 1776	tosporte (2c15b4856f929ac7dd144044d8334b54) C:\WINDOWS\system32\DRIVERS\tosporte.sys
2011/04/24 13:50:01.0031 1776	Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\tosporte.sys. Real md5: 2c15b4856f929ac7dd144044d8334b54, Fake md5: cb591cfc1e4fdc8cf759e599a9ce505b
2011/04/24 13:50:01.0062 1776	tosporte - detected Forged file (1)
2011/04/24 13:50:02.0937 1776	tosrfbd (cd6e9c27adc6b37b0b3df29cc83e15a7) C:\WINDOWS\system32\DRIVERS\tosrfbd.sys
2011/04/24 13:50:03.0156 1776	Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\tosrfbd.sys. Real md5: cd6e9c27adc6b37b0b3df29cc83e15a7, Fake md5: 399c5e4db7bdd5a83a7d26c96389b85a
2011/04/24 13:50:03.0156 1776	tosrfbd - detected Forged file (1)
2011/04/24 13:50:05.0750 1776	tosrfbnp (181e217a7a326817d97946d045b3cb46) C:\WINDOWS\system32\Drivers\tosrfbnp.sys
2011/04/24 13:50:08.0593 1776	Tosrfcom (e90ace3b4fa7a85f992bc21eb779c407) C:\WINDOWS\system32\Drivers\tosrfcom.sys
2011/04/24 13:50:11.0343 1776	Tosrfhid (d3f87c46c7c9e5db99fbd3d17121b891) C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys
2011/04/24 13:50:12.0921 1776	Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys. Real md5: d3f87c46c7c9e5db99fbd3d17121b891, Fake md5: efc95c0dc6f96b228f58319776006548
2011/04/24 13:50:13.0078 1776	Tosrfhid - detected Forged file (1)
2011/04/24 13:50:16.0046 1776	tosrfnds (c52fd27b9adf3a1f22cb90e6bcf9b0cb) C:\WINDOWS\system32\DRIVERS\tosrfnds.sys
2011/04/24 13:50:18.0468 1776	TosRfSnd (156d63f6898e4d95f2962f2b72862868) C:\WINDOWS\system32\drivers\tosrfsnd.sys
2011/04/24 13:50:20.0484 1776	Tosrfusb (98c04a6432ce9c2ad328f57b9384d348) C:\WINDOWS\system32\DRIVERS\tosrfusb.sys
2011/04/24 13:50:22.0812 1776	Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/24 13:50:30.0515 1776	Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/24 13:50:35.0390 1776	usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/24 13:50:37.0953 1776	usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/24 13:50:40.0203 1776	usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/24 13:50:42.0156 1776	usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/04/24 13:50:47.0468 1776	USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/24 13:50:50.0312 1776	usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/04/24 13:50:52.0609 1776	VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/24 13:50:55.0812 1776	VIACRX86 (0048b81c9b2ee5ff88cfbbfd9f49cce4) C:\WINDOWS\system32\DRIVERS\viacr.sys
2011/04/24 13:50:59.0000 1776	VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/24 13:51:00.0062 1776	Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/24 13:51:05.0703 1776	wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/24 13:51:06.0703 1776	winachsf (96aff1738271755a39b52eef7e35f98f) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/04/24 13:51:07.0609 1776	WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/04/24 13:51:09.0343 1776	WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/04/24 13:51:11.0781 1776	================================================================================
2011/04/24 13:51:11.0781 1776	Scan finished
2011/04/24 13:51:11.0781 1776	================================================================================
2011/04/24 13:51:11.0859 2432	Detected object count: 5
2011/04/24 13:52:23.0031 2432	Compbatt (84a400bf6ad1d2cea0dabec848d2678d) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/04/24 13:52:23.0031 2432	Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\compbatt.sys. Real md5: 84a400bf6ad1d2cea0dabec848d2678d, Fake md5: 6e4c9f21f0fae8940661144f41b13203
2011/04/24 13:52:23.0531 2432	Backup copy found, using it..
2011/04/24 13:52:23.0593 2432	C:\WINDOWS\system32\DRIVERS\compbatt.sys - will be cured after reboot
2011/04/24 13:52:23.0593 2432	Rootkit.Win32.TDSS.tdl3(Compbatt) - User select action: Cure 
2011/04/24 13:52:24.0359 2432	RDPCDD (1e77ab1b7a0a2e55b844818cae227e73) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/24 13:52:24.0359 2432	Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\RDPCDD.sys. Real md5: 1e77ab1b7a0a2e55b844818cae227e73, Fake md5: df7f9ddbdaef6da614848ffddad88abc
2011/04/24 13:52:25.0078 2432	Backup copy found, using it..
2011/04/24 13:52:25.0078 2432	C:\WINDOWS\system32\DRIVERS\RDPCDD.sys - will be cured after reboot
2011/04/24 13:52:25.0078 2432	Rootkit.Win32.TDSS.tdl3(RDPCDD) - User select action: Cure 
2011/04/24 13:52:25.0078 2432	Forged file(tosporte) - User select action: Skip 
2011/04/24 13:52:25.0093 2432	Forged file(tosrfbd) - User select action: Skip 
2011/04/24 13:52:25.0093 2432	Forged file(Tosrfhid) - User select action: Skip 
2011/04/24 13:52:35.0468 2984	Deinitialize success


----------
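The scan phase of the log above lists every driver with its hash and path, flags a forged file with a "Real md5" / "Fake md5" pair, and then a "detected" line; the cleanup phase repeats the flagged entries and records the action chosen for each ("Cure" or "Skip"). Reading the actions out of a long log by eye is how Skip choices get missed. The following Python parser is an added example, not code from the thread or from TDSSKiller: it pairs each detection with the chosen action and reports what was left unactioned. The sample log embedded in it is a constructed excerpt assembled from lines in the posted log; the `Detection` class and function names are this example's own.

```python
"""Triage a TDSSKiller 2.4.x log: pair each detection with the action taken.

Added example for the thread, not part of TDSSKiller. The log format is the one
visible in the posted log: "<timestamp> <thread id>\t<message>".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt: hashes and paths are copied from the posted log, but the
# excerpt itself was assembled for this example (three detections, not five).
SAMPLE_LOG = "\n".join([
    "2011/04/24 13:47:14.0468 1776\tCompbatt (84a400bf6ad1d2cea0dabec848d2678d) C:\\WINDOWS\\system32\\DRIVERS\\compbatt.sys",
    "2011/04/24 13:47:14.0500 1776\tSuspicious file (Forged): C:\\WINDOWS\\system32\\DRIVERS\\compbatt.sys. Real md5: 84a400bf6ad1d2cea0dabec848d2678d, Fake md5: 6e4c9f21f0fae8940661144f41b13203",
    "2011/04/24 13:47:14.0500 1776\tCompbatt - detected Rootkit.Win32.TDSS.tdl3 (0)",
    "2011/04/24 13:47:20.0578 1776\tDisk (044452051f3e02e7963599fc8f4f3e25) C:\\WINDOWS\\system32\\DRIVERS\\disk.sys",
    "2011/04/24 13:48:54.0375 1776\tRDPCDD (1e77ab1b7a0a2e55b844818cae227e73) C:\\WINDOWS\\system32\\DRIVERS\\RDPCDD.sys",
    "2011/04/24 13:48:54.0375 1776\tSuspicious file (Forged): C:\\WINDOWS\\system32\\DRIVERS\\RDPCDD.sys. Real md5: 1e77ab1b7a0a2e55b844818cae227e73, Fake md5: df7f9ddbdaef6da614848ffddad88abc",
    "2011/04/24 13:48:54.0390 1776\tRDPCDD - detected Rootkit.Win32.TDSS.tdl3 (0)",
    "2011/04/24 13:50:00.0750 1776\ttosporte (2c15b4856f929ac7dd144044d8334b54) C:\\WINDOWS\\system32\\DRIVERS\\tosporte.sys",
    "2011/04/24 13:50:01.0031 1776\tSuspicious file (Forged): C:\\WINDOWS\\system32\\DRIVERS\\tosporte.sys. Real md5: 2c15b4856f929ac7dd144044d8334b54, Fake md5: cb591cfc1e4fdc8cf759e599a9ce505b",
    "2011/04/24 13:50:01.0062 1776\ttosporte - detected Forged file (1)",
    "2011/04/24 13:51:11.0859 2432\tDetected object count: 3",
    "2011/04/24 13:52:23.0593 2432\tC:\\WINDOWS\\system32\\DRIVERS\\compbatt.sys - will be cured after reboot",
    "2011/04/24 13:52:23.0593 2432\tRootkit.Win32.TDSS.tdl3(Compbatt) - User select action: Cure ",
    "2011/04/24 13:52:25.0078 2432\tRootkit.Win32.TDSS.tdl3(RDPCDD) - User select action: Cure ",
    "2011/04/24 13:52:25.0078 2432\tForged file(tosporte) - User select action: Skip ",
])

# One regex per message kind seen in the log; the timestamp/thread prefix is stripped first.
LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) (?P<tid>\d+)\t(?P<msg>.*)$")
FORGED_RE = re.compile(r"^Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
DRIVER_RE = re.compile(r"^(?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>[A-Za-z]:\\.+)$")
DETECT_RE = re.compile(r"^(?P<svc>\S+) - detected (?P<verdict>.+?) \((?P<code>\d+)\)$")
ACTION_RE = re.compile(r"^(?P<verdict>.+?)\((?P<svc>\S+)\) - User select action: (?P<action>\w+)\s*$")
CURE_RE = re.compile(r"^(?P<path>.+?) - will be cured after reboot$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class Detection:
    service: str                      # service/driver name as TDSSKiller prints it
    path: str                         # driver file path from the listing line
    verdict: str                      # e.g. "Rootkit.Win32.TDSS.tdl3" or "Forged file"
    real_md5: Optional[str] = None
    fake_md5: Optional[str] = None
    action: Optional[str] = None      # "Cure", "Skip", ... or None if the log ended first
    cure_pending: bool = False        # "will be cured after reboot" was logged


def parse_tdsskiller_log(text: str) -> Tuple[List[Detection], Optional[int]]:
    """Return (detections, declared object count). Repeated entries from the
    cleanup phase collapse onto the scan-phase entry because we key on service name."""
    detections: Dict[str, Detection] = {}
    svc_path: Dict[str, str] = {}                       # service -> path (listing lines)
    forged: Dict[str, Tuple[str, str]] = {}             # path -> (real md5, fake md5)
    declared: Optional[int] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                                    # separators, SystemInfo, blanks
        msg = m.group("msg")
        if (f := FORGED_RE.match(msg)):
            forged[f["path"]] = (f["real"], f["fake"])
        elif (d := DRIVER_RE.match(msg)):
            svc_path[d["svc"]] = d["path"]
        elif (d := DETECT_RE.match(msg)):
            path = svc_path.get(d["svc"], "")
            real, fake = forged.get(path, (None, None))
            detections.setdefault(d["svc"], Detection(d["svc"], path, d["verdict"], real, fake))
        elif (a := ACTION_RE.match(msg)):
            if a["svc"] in detections:
                detections[a["svc"]].action = a["action"]
        elif (c := CURE_RE.match(msg)):
            for det in detections.values():
                if det.path == c["path"]:
                    det.cure_pending = True
        elif (n := COUNT_RE.match(msg)):
            declared = int(n["n"])
    return list(detections.values()), declared


def outstanding(detections: List[Detection]) -> List[Detection]:
    """Detections the operator did not act on: skipped, or the log ended before the action phase."""
    return [d for d in detections if d.action in (None, "Skip")]


def report(text: str) -> str:
    """One line per detection plus a count consistency check and the unactioned list."""
    dets, declared = parse_tdsskiller_log(text)
    out = [f"{d.service:<10} {d.verdict:<26} action={d.action or 'none'}"
           f"{' (reboot pending)' if d.cure_pending else ''}  real={d.real_md5} fake={d.fake_md5}"
           for d in dets]
    if declared is not None and declared != len(dets):
        out.append(f"WARNING: log declares {declared} objects but {len(dets)} were parsed")
    left = outstanding(dets)
    out.append(f"{len(left)} detection(s) left unactioned: {', '.join(d.service for d in left) or 'none'}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a saved TDSSKiller log (`report(open(path).read())`) and the last line names every flagged driver that was skipped; on the full log above that would be the three Toshiba drivers. The parser keys on the service name, so the repeated "Suspicious file" and listing lines in the cleanup phase do not create duplicate entries, and the declared "Detected object count" is compared against what was parsed so a truncated log is noticed rather than silently reported as clean.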



## anujchopra (Mar 11, 2011)

2nd log file:




2011/04/24 14:00:37.0921 1056	TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/24 14:00:39.0046 1056	================================================================================
2011/04/24 14:00:39.0046 1056	SystemInfo:
2011/04/24 14:00:39.0046 1056	
2011/04/24 14:00:39.0046 1056	OS Version: 5.1.2600 ServicePack: 3.0
2011/04/24 14:00:39.0046 1056	Product type: Workstation
2011/04/24 14:00:39.0046 1056	ComputerName: HCL
2011/04/24 14:00:39.0046 1056	UserName: HCL ME
2011/04/24 14:00:39.0046 1056	Windows directory: C:\WINDOWS
2011/04/24 14:00:39.0046 1056	System windows directory: C:\WINDOWS
2011/04/24 14:00:39.0046 1056	Processor architecture: Intel x86
2011/04/24 14:00:39.0046 1056	Number of processors: 2
2011/04/24 14:00:39.0046 1056	Page size: 0x1000
2011/04/24 14:00:39.0046 1056	Boot type: Normal boot
2011/04/24 14:00:39.0046 1056	================================================================================
2011/04/24 14:00:40.0046 1056	Initialize success
2011/04/24 14:00:47.0296 2212	Deinitialize success


----------



## dvk01 (Dec 14, 2002)

Why did you select Skip on the other forged files?

Please run TDSSKiller again & fix anything it finds.
Post back with the latest report log.


----------



## anujchopra (Mar 11, 2011)

It does not have an option of Cure. What should I do, delete or move to quarantine?


----------



## dvk01 (Dec 14, 2002)

This is what has been affected:
Bluetooth Stack for Windows by Toshiba
Uninstall it, then delete all the Bluetooth drivers shown in the list here:
http://support.dell.com/support/top...=us&l=en&s=gen&docid=DSN_303833&isLegacy=true

Then either reinstall it from your install disc or from http://aps2.toshiba-tro.de/bluetooth/?page=download
Then reboot & run TDSSKiller again, see what it shows this time, and tell us if you are still having start-up or slow-down problems.


----------



## anujchopra (Mar 11, 2011)

Out of the .sys files mentioned in table 1, I had only one in the system32 folder, that is tosrfusb.sys; however, it was in a folder named driverfiles. Should I delete the entire folder or just the .sys file?
I also have a file tosdvd.sys present which is not there in the list.
Should I remove that?

Also, I didn't have any files in the inf folder as mentioned in table 2.


----------



## anujchopra (Mar 11, 2011)

Sorry for the initial goof-up. I found the files mentioned in table 1 when I ran TDSSKiller and deleted them using the same.
I haven't been able to find the files mentioned in table 2, though.
I'll now post the TDSS log after running it again.
Thanks


----------



## anujchopra (Mar 11, 2011)

2011/04/26 20:05:49.0750 3692	TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/26 20:05:50.0765 3692	================================================================================
2011/04/26 20:05:50.0765 3692	SystemInfo:
2011/04/26 20:05:50.0765 3692	
2011/04/26 20:05:50.0765 3692	OS Version: 5.1.2600 ServicePack: 3.0
2011/04/26 20:05:50.0765 3692	Product type: Workstation
2011/04/26 20:05:50.0765 3692	ComputerName: HCL
2011/04/26 20:05:50.0765 3692	UserName: HCL ME
2011/04/26 20:05:50.0765 3692	Windows directory: C:\WINDOWS
2011/04/26 20:05:50.0765 3692	System windows directory: C:\WINDOWS
2011/04/26 20:05:50.0765 3692	Processor architecture: Intel x86
2011/04/26 20:05:50.0765 3692	Number of processors: 2
2011/04/26 20:05:50.0765 3692	Page size: 0x1000
2011/04/26 20:05:50.0765 3692	Boot type: Normal boot
2011/04/26 20:05:50.0765 3692	================================================================================
2011/04/26 20:05:51.0656 3692	Initialize success
2011/04/26 20:05:53.0265 0584	================================================================================
2011/04/26 20:05:53.0265 0584	Scan started
2011/04/26 20:05:53.0265 0584	Mode: Manual; 
2011/04/26 20:05:53.0265 0584	================================================================================
2011/04/26 20:05:57.0562 0584	ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/26 20:05:58.0515 0584	ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/04/26 20:06:00.0859 0584	aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/26 20:06:01.0843 0584	AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
2011/04/26 20:06:17.0234 0584	AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/26 20:06:18.0640 0584	atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/26 20:06:21.0718 0584	Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/26 20:06:22.0906 0584	audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/26 20:06:35.0343 0584	Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/26 20:06:38.0765 0584	BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
2011/04/26 20:06:41.0093 0584	BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
2011/04/26 20:06:42.0703 0584	BTHPORT (10b85171b90c449f8da71c2640b797e9) C:\WINDOWS\system32\Drivers\BTHport.sys
2011/04/26 20:06:44.0000 0584	BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
2011/04/26 20:06:45.0453 0584	cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/26 20:06:47.0578 0584	CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/04/26 20:06:50.0796 0584	Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/26 20:06:51.0656 0584	Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/26 20:06:53.0468 0584	Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/26 20:06:56.0343 0584	CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/04/26 20:06:59.0375 0584	Compbatt (84a400bf6ad1d2cea0dabec848d2678d) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/04/26 20:06:59.0437 0584	Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\compbatt.sys. Real md5: 84a400bf6ad1d2cea0dabec848d2678d, Fake md5: 6e4c9f21f0fae8940661144f41b13203
2011/04/26 20:06:59.0437 0584	Compbatt - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/04/26 20:07:02.0593 0584	Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/26 20:07:04.0125 0584	dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/26 20:07:05.0187 0584	dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/26 20:07:05.0984 0584	dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/26 20:07:06.0765 0584	DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/26 20:07:08.0296 0584	drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/26 20:07:09.0109 0584	Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/26 20:07:09.0906 0584	Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/04/26 20:07:10.0671 0584	Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/26 20:07:11.0453 0584	Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/04/26 20:07:12.0218 0584	FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/04/26 20:07:13.0781 0584	Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/26 20:07:14.0562 0584	Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/26 20:07:15.0734 0584	Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/26 20:07:17.0265 0584	HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/26 20:07:19.0578 0584	HSFHWAZL (b1526810210980bed9d22315946c919d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2011/04/26 20:07:20.0421 0584	HSF_DPV (ddbd528e60f5961c142a490dc4ea7780) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/04/26 20:07:21.0281 0584	HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/26 20:07:25.0421 0584	i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/26 20:07:26.0250 0584	Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/26 20:07:28.0000 0584	IntcAzAudAddService (0be7f157d695e1d10ee102c96de4ac18) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/04/26 20:07:29.0593 0584	intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/26 20:07:30.0359 0584	Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/04/26 20:07:31.0156 0584	IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/26 20:07:31.0953 0584	IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/26 20:07:32.0703 0584	IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/26 20:07:33.0734 0584	IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/26 20:07:34.0656 0584	IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/26 20:07:35.0453 0584	isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/26 20:07:36.0250 0584	Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/26 20:07:37.0781 0584	kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/26 20:07:38.0609 0584	KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/26 20:07:40.0187 0584	mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/04/26 20:07:40.0968 0584	mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/26 20:07:41.0718 0584	Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/26 20:07:42.0531 0584	Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/26 20:07:44.0062 0584	MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/26 20:07:45.0578 0584	MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/26 20:07:46.0375 0584	MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/26 20:07:47.0171 0584	Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/26 20:07:47.0921 0584	MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/26 20:07:48.0718 0584	MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/26 20:07:49.0484 0584	MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/26 20:07:50.0250 0584	mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/26 20:07:51.0109 0584	MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/04/26 20:07:51.0953 0584	mtc0303 (b961ee3a63ed5c2245dd2489685599f2) C:\WINDOWS\system32\DRIVERS\mtcBSv32.sys
2011/04/26 20:07:52.0734 0584	Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/26 20:07:53.0515 0584	NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/04/26 20:07:54.0312 0584	NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/26 20:07:55.0078 0584	NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/04/26 20:07:55.0859 0584	NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/26 20:07:56.0640 0584	Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/26 20:07:57.0406 0584	NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/26 20:07:58.0203 0584	NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/26 20:08:00.0046 0584	NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/26 20:08:01.0000 0584	NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/26 20:08:03.0312 0584	Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/26 20:08:04.0125 0584	ntdisk (cdc59d496be56c50ca5e1b53b4123f01) C:\WINDOWS\system32\drivers\ntdisk.sys
2011/04/26 20:08:05.0031 0584	Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/26 20:08:05.0875 0584	Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/26 20:08:06.0937 0584	nv (e40db1933ca43a409ffe6783c17a2185) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/04/26 20:08:08.0359 0584	NVENETFD (28727d0f5ca6579890d0b6ad1598c935) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/04/26 20:08:09.0640 0584	nvnetbus (a3cd61af33e8b3cc2cc22bd37f867d54) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/04/26 20:08:10.0687 0584	nvsmu (b1fb1516fd38e69749886c9bdd357bab) C:\WINDOWS\system32\DRIVERS\nvsmu.sys
2011/04/26 20:08:11.0937 0584	NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/26 20:08:12.0953 0584	NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/26 20:08:14.0390 0584	Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/04/26 20:08:15.0406 0584	PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/26 20:08:16.0218 0584	ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/26 20:08:17.0796 0584	PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/26 20:08:21.0171 0584	PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/26 20:08:21.0984 0584	Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/04/26 20:08:28.0281 0584	PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/26 20:08:29.0093 0584	PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/26 20:08:30.0015 0584	Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/26 20:08:36.0031 0584	RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/26 20:08:36.0796 0584	Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/26 20:08:37.0625 0584	RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/26 20:08:38.0406 0584	Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/26 20:08:39.0281 0584	Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/26 20:08:40.0046 0584	RDPCDD (1e77ab1b7a0a2e55b844818cae227e73) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/26 20:08:40.0046 0584	Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\RDPCDD.sys. Real md5: 1e77ab1b7a0a2e55b844818cae227e73, Fake md5: 4912d5b403614ce99c28420f75353332
2011/04/26 20:08:40.0062 0584	RDPCDD - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/04/26 20:08:40.0875 0584	RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/26 20:08:41.0703 0584	redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/26 20:08:43.0390 0584	RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
2011/04/26 20:08:44.0171 0584	ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/04/26 20:08:45.0031 0584	RT73 (b01b2c25bd80770878285fb569090d7b) C:\WINDOWS\system32\DRIVERS\rt73.sys
2011/04/26 20:08:45.0828 0584	safnt (07dcec94913d42434275dbb263eb7fac) C:\WINDOWS\system32\drivers\safnt.sys
2011/04/26 20:08:46.0625 0584	sammon (170309f4be16b51f9331aac889603458) C:\WINDOWS\system32\drivers\sammon.sys
2011/04/26 20:08:47.0453 0584	sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/04/26 20:08:48.0234 0584	Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/26 20:08:49.0078 0584	Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/04/26 20:08:50.0687 0584	sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
2011/04/26 20:08:51.0515 0584	sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
2011/04/26 20:08:53.0140 0584	Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/04/26 20:08:55.0640 0584	SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/04/26 20:08:57.0218 0584	splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/26 20:08:58.0203 0584	sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/26 20:08:59.0015 0584	Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/26 20:08:59.0937 0584	streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/04/26 20:09:00.0859 0584	swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/26 20:09:01.0734 0584	swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/26 20:09:06.0718 0584	sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/26 20:09:07.0609 0584	Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/26 20:09:08.0484 0584	TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/26 20:09:09.0453 0584	TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/26 20:09:10.0312 0584	TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/26 20:09:11.0984 0584	Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/26 20:09:14.0375 0584	Update  (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/26 20:09:16.0109 0584	usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/26 20:09:16.0906 0584	usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/26 20:09:17.0718 0584	usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/26 20:09:19.0375 0584	usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/04/26 20:09:20.0890 0584	USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/26 20:09:21.0656 0584	usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/04/26 20:09:22.0421 0584	VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/26 20:09:23.0203 0584	VIACRX86 (0048b81c9b2ee5ff88cfbbfd9f49cce4) C:\WINDOWS\system32\DRIVERS\viacr.sys
2011/04/26 20:09:24.0703 0584	VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/26 20:09:25.0546 0584	Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/26 20:09:28.0109 0584	wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/26 20:09:28.0984 0584	winachsf (96aff1738271755a39b52eef7e35f98f) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/04/26 20:09:29.0843 0584	WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/04/26 20:09:31.0421 0584	WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/04/26 20:09:33.0093 0584	================================================================================
2011/04/26 20:09:33.0093 0584	Scan finished
2011/04/26 20:09:33.0093 0584	================================================================================
2011/04/26 20:09:33.0109 0504	Detected object count: 2
2011/04/26 20:10:18.0609 0504	Compbatt (84a400bf6ad1d2cea0dabec848d2678d) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/04/26 20:10:18.0609 0504	Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\compbatt.sys. Real md5: 84a400bf6ad1d2cea0dabec848d2678d, Fake md5: 6e4c9f21f0fae8940661144f41b13203
2011/04/26 20:10:21.0515 0504	Backup copy found, using it..
2011/04/26 20:10:21.0531 0504	C:\WINDOWS\system32\DRIVERS\compbatt.sys - will be cured after reboot
2011/04/26 20:10:21.0531 0504	Rootkit.Win32.TDSS.tdl3(Compbatt) - User select action: Cure 
2011/04/26 20:10:22.0359 0504	RDPCDD (1e77ab1b7a0a2e55b844818cae227e73) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/26 20:10:22.0359 0504	Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\RDPCDD.sys. Real md5: 1e77ab1b7a0a2e55b844818cae227e73, Fake md5: 4912d5b403614ce99c28420f75353332
2011/04/26 20:10:22.0546 0504	Backup copy found, using it..
2011/04/26 20:10:22.0546 0504	C:\WINDOWS\system32\DRIVERS\RDPCDD.sys - will be cured after reboot
2011/04/26 20:10:22.0546 0504	Rootkit.Win32.TDSS.tdl3(RDPCDD) - User select action: Cure 
2011/04/26 20:10:27.0015 0668	Deinitialize success


----------



## anujchopra (Mar 11, 2011)

computer taking 2 mins and 15 secs to start up and 1.5 mins for the network connections in the tray to come up. so approximately 4 to 5 mins before i can begin using the computer.
can you help me further, i'll really appreciate it.
thanks


----------



## dvk01 (Dec 14, 2002)

that found exactly the same infected files as before, when it was supposed to have fixed them then
reboot twice & run tdsskiller again and post its new log
please run it in safe mode this time

if that doesn't cure it then we will need to look at alternatives


----------



## anujchopra (Mar 11, 2011)

hi,
i did as you told me.
i started my computer in safe mode
it showed the welcome screen and i logged in as the administrator.
then the moment the desktop screen loaded, about 10 seconds later the computer just abruptly shut down.
i repeated the process again and got the same result.
please help me out here.
thanks


----------



## dvk01 (Dec 14, 2002)

I think we have tried everything that is sensible to try & nothing is working
this has gone on for too long & the only safe solution now is format & reinstall windows


----------



## anujchopra (Mar 11, 2011)

i guess i'll have to do that. could you answer one last query?
can it be a hardware related problem?


----------



## dvk01 (Dec 14, 2002)

it is extremely unlikely to be a hardware problem and you appear to have TDL4 bootkit

there is one last thing we can try

Download aswMBR.exe to your desktop. Double click the aswMBR.exe to run it


Click the "Scan" button to start scan.
Upon completion of the scan, click *Save log*, and save it to your desktop. (*Note - do not select any Fix at this time*)
Please post the contents of that log in your next reply.
There will also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply


----------



## anujchopra (Mar 11, 2011)

aswMBR version 0.9.5.247 Copyright(c) 2011 AVAST Software
Run date: 2011-05-03 18:24:21
-----------------------------
18:24:21.828 OS Version: Windows 5.1.2600 Service Pack 3
18:24:21.828 Number of processors: 2 586 0x170A
18:24:21.828 ComputerName: HCL UserName: 
18:24:37.859 Initialize success
18:24:42.562 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:24:42.562 Disk 0 Vendor: Size: 0MB BusType: 0
18:24:44.578 Disk 0 MBR read successfully
18:24:44.578 Disk 0 MBR scan
18:24:44.578 Disk 0 unknown MBR code
18:24:44.578 Disk 0 MBR hidden
18:24:44.578 Disk 0 scanning C:\WINDOWS\system32\drivers
18:24:54.187 File: C:\WINDOWS\system32\drivers\tosporte.sys **HIDDEN**
18:24:54.187 File: C:\WINDOWS\system32\drivers\tosrfbd.sys **HIDDEN**
18:24:54.187 File: C:\WINDOWS\system32\drivers\tosrfbnp.sys **HIDDEN**
18:24:54.187 File: C:\WINDOWS\system32\drivers\tosrfcom.sys **HIDDEN**
18:24:54.203 File: C:\WINDOWS\system32\drivers\Tosrfhid.sys **HIDDEN**
18:24:54.203 File: C:\WINDOWS\system32\drivers\tosrfnds.sys **HIDDEN**
18:24:54.203 File: C:\WINDOWS\system32\drivers\TosRfSnd.sys **HIDDEN**
18:24:54.203 File: C:\WINDOWS\system32\drivers\tosrfusb.sys **HIDDEN**
18:24:54.203 Service scanning
18:24:57.140 Disk 0 trace - called modules:
18:24:57.171 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS 
18:24:57.171 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa7fab8]
18:24:57.171 3 CLASSPNP.SYS[ba8e8fd7] -> nt!IofCallDriver -> \Device\0000007a[0x8ad10760]
18:24:57.171 5 ACPI.sys[ba77f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a993940]
18:24:57.171 Scan finished successfully
18:25:50.500 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HCL ME\Desktop\MBR.dat"
18:25:50.500 The log file has been saved successfully to "C:\Documents and Settings\HCL ME\Desktop\aswMBR.txt"
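
Added example, not code from this thread nor from the TDSSKiller or aswMBR authors: a small Python parser that reads the two scanner logs pasted in this thread (the TDSSKiller log above that ends with "Deinitialize success", and the aswMBR log just above) and pulls out the findings a defender wants to track. From TDSSKiller it extracts every "Suspicious file (Forged)" line, keeps the driver only when the real and fake MD5 disagree (that mismatch is what the tool means by "forged": the file read through the normal file system API does not hash to what is actually on disk), and joins in the "detected" and "User select action" lines for the same service name. From aswMBR it collects the "MBR hidden" / "unknown MBR code" flags and the **HIDDEN** file list. The sample inputs are excerpts of the logs in this thread with the tab after the PID replaced by spaces; the function names, the `ForgedDriver`/`MbrReport` classes and the summary produced by `triage()` are my own constructions, not output formats of either tool.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Excerpts of the TDSSKiller log pasted in this thread (constructed sample; tabs replaced by spaces).
TDSSKILLER_LOG = r"""
2011/04/26 20:08:40.0046 0584 RDPCDD (1e77ab1b7a0a2e55b844818cae227e73) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/26 20:08:40.0046 0584 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\RDPCDD.sys. Real md5: 1e77ab1b7a0a2e55b844818cae227e73, Fake md5: 4912d5b403614ce99c28420f75353332
2011/04/26 20:08:40.0062 0584 RDPCDD - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/04/26 20:08:40.0875 0584 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/26 20:10:18.0609 0504 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\compbatt.sys. Real md5: 84a400bf6ad1d2cea0dabec848d2678d, Fake md5: 6e4c9f21f0fae8940661144f41b13203
2011/04/26 20:10:21.0531 0504 Rootkit.Win32.TDSS.tdl3(Compbatt) - User select action: Cure
2011/04/26 20:10:22.0546 0504 Rootkit.Win32.TDSS.tdl3(RDPCDD) - User select action: Cure
"""

# Excerpts of the aswMBR log pasted in this thread (constructed sample).
ASWMBR_LOG = r"""
18:24:44.578 Disk 0 MBR read successfully
18:24:44.578 Disk 0 MBR scan
18:24:44.578 Disk 0 unknown MBR code
18:24:44.578 Disk 0 MBR hidden
18:24:54.187 File: C:\WINDOWS\system32\drivers\tosporte.sys **HIDDEN**
18:24:54.187 File: C:\WINDOWS\system32\drivers\tosrfbd.sys **HIDDEN**
18:24:57.171 Scan finished successfully
"""


@dataclass
class ForgedDriver:
    """One driver TDSSKiller reported with a 'Suspicious file (Forged)' line (class is my own)."""
    path: str
    real_md5: str
    fake_md5: str
    threat: str = ""   # filled from the '- detected' or 'User select action' line, if present
    action: str = ""   # e.g. 'Cure'

    @property
    def name(self) -> str:
        # Service names in the log match the file stem (case-insensitively): RDPCDD.sys -> rdpcdd
        return PureWindowsPath(self.path).stem.lower()

    @property
    def hashes_disagree(self) -> bool:
        return self.real_md5 != self.fake_md5


@dataclass
class MbrReport:
    """Flags and hidden files reported by aswMBR (class is my own)."""
    mbr_flags: list[str] = field(default_factory=list)
    hidden_files: list[str] = field(default_factory=list)


_TDSS_LINE = re.compile(r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<pid>\d+)\s+(?P<msg>.*)$")
_FORGED = re.compile(r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})")
_DETECTED = re.compile(r"^(?P<name>\S+) - detected (?P<threat>\S+)")
_ACTION = re.compile(r"^(?P<threat>[^()\s]+)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)")


def parse_tdsskiller(text: str) -> list[ForgedDriver]:
    """Collect forged-hash drivers and attach the detection name and chosen action to each."""
    found: dict[str, ForgedDriver] = {}
    for raw in text.splitlines():
        m = _TDSS_LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if f := _FORGED.search(msg):
            drv = ForgedDriver(f["path"], f["real"], f["fake"])
            found.setdefault(drv.name, drv)       # keep the first sighting of each driver
        elif d := _DETECTED.match(msg):
            if drv := found.get(d["name"].lower()):
                drv.threat = d["threat"]
        elif a := _ACTION.match(msg):
            if drv := found.get(a["name"].lower()):
                drv.threat = drv.threat or a["threat"]
                drv.action = a["action"]
    return list(found.values())


_ASW_LINE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<msg>.*)$")
_ASW_HIDDEN = re.compile(r"^File: (?P<path>.+?) \*\*HIDDEN\*\*$")
_ASW_MBR = re.compile(r"^Disk \d+ (?P<flag>unknown MBR code|MBR hidden)$")


def parse_aswmbr(text: str) -> MbrReport:
    """Pull the MBR integrity flags and the hidden-file list out of an aswMBR log."""
    rep = MbrReport()
    for raw in text.splitlines():
        m = _ASW_LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"].strip()
        if h := _ASW_HIDDEN.match(msg):
            rep.hidden_files.append(h["path"])
        elif f := _ASW_MBR.match(msg):
            rep.mbr_flags.append(f["flag"])
    return rep


def triage(tdss_text: str, asw_text: str) -> dict:
    """Summarise both logs; which indicators matter is my own defender heuristic, not the tools'."""
    forged = [d for d in parse_tdsskiller(tdss_text) if d.hashes_disagree]
    mbr = parse_aswmbr(asw_text)
    return {
        "forged_drivers": {d.name: (d.threat, d.action) for d in forged},
        "mbr_flags": mbr.mbr_flags,
        "hidden_driver_count": len(mbr.hidden_files),
        # A driver whose on-disk hash differs from what the API returns, plus a hidden MBR,
        # are both signs the running system cannot be trusted to report on itself.
        "trust_running_os": not forged and not mbr.mbr_flags,
    }


if __name__ == "__main__":
    for key, value in triage(TDSSKILLER_LOG, ASWMBR_LOG).items():
        print(f"{key}: {value}")
```

The useful check is the one `hashes_disagree` encodes: a "forged" entry means two reads of the same driver file gave different hashes, so the list of drivers it returns is the list whose on-disk content cannot be verified from inside the running Windows, and re-running the scanner from a clean boot (as the thread does with safe mode) is the way to get a read the rootkit cannot intercept.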


----------



## anujchopra (Mar 11, 2011)

attached


----------



## dvk01 (Dec 14, 2002)

No obvious signs of TDL4 there
I really think we have reached the end of what we can do here and it is time to cut your losses & format & reinstall windows

I just can't see any other option


----------



## anujchopra (Mar 11, 2011)

thanks a lot for bearing with me.


----------

