# Blue screen of death crashing problems! :(



## High hope (Jul 16, 2007)

Hi "MR HELPER", I hope I'm not going to be a big problem for you!
I'm running Windows XP on my Toshiba X100 laptop, and for the last two months or so I have been getting this very irritating blue screen at the worst of times, followed by a reboot. After a long struggle I managed to find this error code somewhere in the administrator. I could not read what the blue screen had to say because it would only show for a second or two and then reboot. This is the error I found:
0x10000050 (0xe15c3000, 0x00000000, 0x804faff5, 0x00000001)
I hope you can help me fix this up.
Thanks a million in advance.


----------



## spdabbs (Feb 23, 2007)

0x00000050 is RAM-related. Download the diag disk creator from here - http://support.packardbell.com/uk/item/index.php?i=6917051000 - and run the RAM test.

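Added example, not from any poster in this thread: a small Python decoder for the STOP code quoted in the first post and for the WinDbg `BugCheck` line that Rollin' Rog later quotes from the dump files. The 0x10000000 bit marks the `_M` variant that minidump-based tools report for the same fault, so 0x10000050 is PAGE_FAULT_IN_NONPAGED_AREA and 0x1000008E is KERNEL_MODE_EXCEPTION_NOT_HANDLED; the parameter meanings are the ones documented for 32-bit Windows XP, and only those two codes are tabled. The "generated driver name" pattern for names like `windev-7f1f-743a.sys` is a heuristic of mine, not a documented rule. The sample lines are the ones posted in this thread.

```python
import re

# Bug-check codes as documented for 32-bit Windows XP. Only the two codes that
# appear in this thread are tabled. The 0x10000000 bit marks the "_M" variant
# that minidump-based tools report for the same fault (same parameters).
MINIDUMP_FLAG = 0x10000000
KERNEL_BASE = 0x80000000          # 32-bit XP default 2 GB / 2 GB split

BUGCHECKS = {
    0x50: ("PAGE_FAULT_IN_NONPAGED_AREA", (
        "memory address referenced",
        "access type (0=read, 1=write)",
        "address of the instruction that referenced it (if known)",
        "reserved")),
    0x8E: ("KERNEL_MODE_EXCEPTION_NOT_HANDLED", (
        "exception code",
        "address where the exception occurred",
        "trap frame address",
        "reserved")),
}
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION"}

# Accepts a hand-typed STOP line "0x10000050 (0xE15C3000, 0x00000000, ...)"
# as well as the WinDbg summary "BugCheck 1000008E, {c0000005, 804ffe67, ...}".
_HEX4 = r"\s*,\s*".join([r"(?:0x)?([0-9a-fA-F]+)"] * 4)
_STOP_LINE = re.compile(r"(?:0x)?([0-9a-fA-F]{8})\s*,?\s*[({]\s*" + _HEX4)
_CAUSE = re.compile(r"Probably caused by\s*:\s*(\S+)")
# Heuristic (mine, not a documented rule): "<word>-<4 hex>-<4 hex>.sys" looks
# like a generated name rather than a vendor driver.
_GENERATED_NAME = re.compile(r"^[a-z]+-[0-9a-f]{4}-[0-9a-f]{4}\.sys$", re.I)


def decode_bugcheck(line):
    """Return code, symbolic name, named parameters and triage notes, or None."""
    m = _STOP_LINE.search(line)
    if not m:
        return None
    raw = int(m.group(1), 16)
    params = [int(p, 16) for p in m.groups()[1:]]
    code = raw & ~MINIDUMP_FLAG
    name, meanings = BUGCHECKS.get(code, ("UNKNOWN_BUGCHECK", ("p1", "p2", "p3", "p4")))
    if raw & MINIDUMP_FLAG:
        name += "_M"
    notes = []
    if code == 0x8E and params[0] in NTSTATUS:
        notes.append(NTSTATUS[params[0]])
    # Which parameter holds the faulting instruction address differs per code.
    pc = {0x50: params[2], 0x8E: params[1]}.get(code)
    if pc:
        where = "kernel" if pc >= KERNEL_BASE else "user"
        notes.append(f"faulting address 0x{pc:08x} is in {where} space")
    return {"code": code, "name": name, "params": dict(zip(meanings, params)), "notes": notes}


def suspicious_driver(line):
    """Pull the module WinDbg blamed and flag a generated-looking file name."""
    m = _CAUSE.search(line)
    if not m:
        return None
    driver = m.group(1)
    return {"driver": driver, "generated_name": bool(_GENERATED_NAME.match(driver))}


if __name__ == "__main__":
    for sample in ("0x10000050 (0xe15c3000, 0x00000000, 0x804faff5, 0x00000001)",
                   "BugCheck 1000008E, {c0000005, 804ffe67, ef966c98, 0}"):
        print(decode_bugcheck(sample))
    print(suspicious_driver("Probably caused by : windev-7f1f-743a.sys ( windev_7f1f_743a+647 )"))
```

The point the decoder makes: both codes in this thread have their faulting address above 0x80000000, so the crash is in kernel mode, and the STOP code alone cannot separate bad RAM from a bad driver; the "Probably caused by" module from the minidump is what settles it.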

----------



## High hope (Jul 16, 2007)

Hi there! I got the mail you sent me. I downloaded the RAM check you told me to download, but when I click on the application it asks me to put a CD in my D: drive, and after it burnt onto the CD it asked whether I would like to reboot or not and said that I should keep the CD in the drive. I selected YES. After the reboot it just came to my normal Windows and did nothing after that.
Could you please help me with that now?


----------



## engti (Oct 5, 2005)

When you reboot, press F8 and see if it allows you to boot from CD.

Otherwise, 
restart, 
press del, 
go into the BIOS and change the boot order to start with the CD drive.


----------



## High hope (Jul 16, 2007)

OK, I will try that when I get back home. Will get back to you some time in the afternoon. Thanks a lot once again.


----------



## spdabbs (Feb 23, 2007)

On a Tosh, holding down either the "C" or "F12" key should either boot direct from CD or bring up the menu should F8 fail.


----------



## Rollin' Rog (Dec 9, 2000)

Not all computers have an "F12" boot menu and you may have to select the boot order in the BIOS "setup" as mentioned.

But for now:

Run: *sysdm.cpl* and select Advanced > Startup and Recovery and take the check out of "automatically restart".

That should get you a full blue screen to read at your leisure. Pay attention to any driver named.

Also, you can do this:

1 > create a new folder on the desktop and call it "dumpcheck" or whatever you like
2 > navigate to %systemroot%\minidump and copy the last few minidump files to that folder. %systemroot% is normally c:\windows. They are numbered by date. You can paste that address into the address bar to get there.
3 > close the folder and right click on it and select *Send to* _Compressed (zipped) Folder_. 
4 > use the "manage attachments" in the "advanced" reply window to upload that zip file here as an attachment.

This might point us to a 3rd party driver causing the error, if one exists for it.


----------



## High hope (Jul 16, 2007)

Hello. I tried replying twice, but I was having problems. Anyway, I hope this goes through.
I tried using the F12, F8 and DEL options separately. I got a page with about 10 options to pick from when I used the F12 key, but there was nothing like 'boot from CD', so I tried using F2 and I was able to find the BIOS settings.
I selected 'run from CD drive', saved the setting and it took me to Windows. A few moments after getting to the Windows page, I got the blue screen and it rebooted.
After the boot it came to Windows again, but no blue screen appeared and no RAM test was conducted, so I zipped the minidump and a Word document (with a few error codes I collected). I hope you will be able to help me.


----------



## High hope (Jul 16, 2007)

I am not on the laptop yet. I am using my phone browser, since I don't have a landline telephone (being a student at a university).
Could you provide me with an e-mail address so that I may mail you the zipped files? I can't upload them from the phone.


----------



## Rollin' Rog (Dec 9, 2000)

Can you tell me just how you created the memory tester?

Assuming that you have correctly configured the CD drive to be bootable -- it should run the test if it was properly created.

You do not just copy or drag and drop the ISO file to a writable CD.

You must normally "run" it and your Burning software such as Roxio or Nero will open and prompt you for the rest.

If you don't have burning software which supports the ISO extension you can use Deep Burner. I recommend the portable version. Since it does not associate ISO files automatically you must select the proper interface.

See the attachment.

http://www.deepburner.com/index.php?r=download


----------



## High hope (Jul 16, 2007)

Hi there! OK, I have sent an email to you with the zipped minidump file and a zipped document file in which I have stated some of the error codes I managed to find.
I would also like to let you know that I feel this is a problem related to a third-party program that I downloaded or copied from a friend's laptop, who was also having the same problems.
At times a whole week would go past without getting that BSOD, but at times it shows up maybe 3 times a day.
I would be really glad if you could work out the problem for me.
Thanks a lot once again.


----------



## Rollin' Rog (Dec 9, 2000)

An examination of just the last 2 dump files shows you have a rootkit trojan:

BugCheck 1000008E, {c0000005, 804ffe67, ef966c98, 0}

Probably caused by : windev-7f1f-743a.sys ( windev_7f1f_743a+647 )

http://www.symantec.com/security_response/writeup.jsp?docid=2007-041314-1900-99&tabid=2

>> I'm going to move your thread to the Security forum and request some help for you there.

In the meantime can you post a HijackThis Scanlog :

Download and install HijackThis using the "self extractor". Run it and select "do a system scan and save the log file". Then copy/paste the contents of the log to a reply

http://www.thespykiller.co.uk/files/hijackthis_sfx.exe


----------



## Cookiegal (Aug 27, 2003)

Rog asked me to assist with this so once you've posted your HijackThis log as requested, I will post further instructions for you.


----------



## High hope (Jul 16, 2007)

OK. Thanks for the help so far. I just hope this 'big problem' will be solved.
I will download it when I get home.


----------



## High hope (Jul 16, 2007)

These are the log files that you requested from me, which I acquired after downloading HijackThis and running it as you instructed.

.........................................................

Logfile of HijackThis v1.99.1
Scan saved at 10:17:38 AM, on 7/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\U0hBUlVLSCBKQVZB\command.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\Documents and Settings\SHARUKH JAVA\Desktop\hijackthis_sfx.exe
C:\Documents and Settings\SHARUKH JAVA\Desktop\PC software\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: GetRight Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: www.sgnappo.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.exe.imgfarm.com/images/no...ularScreenSaversFWBInitialSetup1.0.0.15-3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CFB3F3-66BC-41C9-AEBA-ED1B4E8BC49E}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{D51F2A34-09CC-40CF-8675-4438DB495F4D}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
O17 - HKLM\System\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
O17 - HKLM\System\CS2\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
O17 - HKLM\System\CS3\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - (no file)
O21 - SSODL: sMXWGVukbX - {606A9EA5-CAC0-340F-EE61-6D5A79CB5224} - (no file)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U0hBUlVLSCBKQVZB\command.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe


----------



## High hope (Jul 16, 2007)

Hi there! I hope Cookiegal or Rollin' Rog will be able to discover and solve my problem here now.
I really appreciate you people's help. Thanks a lot. ;-)


----------



## Cookiegal (Aug 27, 2003)

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.

Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):

O17 - HKLM\System\CCS\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 85.255.116.26,85.255.112.104

O17 - HKLM\System\CCS\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: NameServer = 85.255.116.26,85.255.112.104

O17 - HKLM\System\CCS\Services\Tcpip\..\{37CFB3F3-66BC-41C9-AEBA-ED1B4E8BC49E}: NameServer = 85.255.116.26,85.255.112.104

O17 - HKLM\System\CCS\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: NameServer = 85.255.116.26,85.255.112.104

O17 - HKLM\System\CCS\Services\Tcpip\..\{D51F2A34-09CC-40CF-8675-4438DB495F4D}: NameServer = 85.255.116.26,85.255.112.104

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104

O17 - HKLM\System\CS2\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 85.255.116.26,85.255.112.104

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104

O17 - HKLM\System\CS3\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 85.255.116.26,85.255.112.104

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104

Important note: Be very careful not to delete this one as it's probably your IP and is legit:

O17 - HKLM\System\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22

Is this your IP?

Serafino Vallorani
c/o Orange S.r.l.
Via Onesto Scavino, 10
47891 - Falciano
Republic of San Marino


Click *FIX CHECKED*. Close HijackThis.

Finally, please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\*report.txt* ), along with a new HijackThis log into this topic.

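Added example, not from any poster: a Python triage script for the HijackThis log posted above, run over a constructed subset of its lines, that applies the reasoning behind Cookiegal's instructions. The 85.255.x.x pair is written into the global `Tcpip\Parameters` key (which overrides whatever DHCP hands every adapter) and into every CCS interface, so it is the hijack; the different pair on a single CS1 interface is reported for review rather than deletion. The script also decodes something nobody in the thread remarks on: the `cmdService` directory `U0hBUlVLSCBKQVZB` is base64 for `SHARUKH JAVA`, the user name visible in the log's own paths. The 85.255.112.0/20 rogue-range entry is my addition from public DNSChanger write-ups, and the item and reason strings are mine.

```python
import base64
import ipaddress
import re

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O15 - Trusted Zone: www.sgnappo.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: sMXWGVukbX - {606A9EA5-CAC0-340F-EE61-6D5A79CB5224} - (no file)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U0hBUlVLSCBKQVZB\command.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
"""

# 85.255.112.0/20 is the block the two hijacked resolvers sit in; public
# DNSChanger write-ups list it as rogue resolver space. Extend with current intel.
ROGUE_RESOLVERS = [ipaddress.ip_network("85.255.112.0/20")]

O17_RE = re.compile(r"^O17 - HKLM\\System\\(\w+)\\Services\\Tcpip\\(.*?): NameServer = (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def nameservers(value):
    """HJT prints the pair comma-separated per interface, space-separated globally."""
    return tuple(ip for ip in re.split(r"[,\s]+", value.strip()) if ip)


def in_rogue_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ROGUE_RESOLVERS)


def base64_dirs(path):
    """Path components that are base64 for printable ASCII: a way to make a
    directory name look like noise (here it encodes the user name)."""
    found = []
    for part in path.split("\\"):
        if len(part) < 8 or len(part) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", part):
            continue
        try:
            text = base64.b64decode(part, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            found.append((part, text))
    return found


def triage(log_text):
    """Return (item, detail, reason) findings for the HJT sections that matter here."""
    findings, o17 = [], []
    for line in (ln.strip() for ln in log_text.splitlines()):
        if m := O17_RE.match(line):
            o17.append((m.group(1), m.group(2), nameservers(m.group(3))))
        elif line.startswith("O20 - AppInit_DLLs:"):
            findings.append(("O20", line.split(":", 1)[1].strip(),
                             "AppInit_DLLs is loaded into every process that links user32; should be empty"))
        elif line.startswith("O15 - Trusted Zone:"):
            findings.append(("O15", line.split(":", 1)[1].strip(),
                             "site added to the IE Trusted zone, which relaxes ActiveX and script restrictions"))
        elif line.startswith("O21 - SSODL:") and line.endswith("(no file)"):
            findings.append(("O21", line, "ShellServiceObjectDelayLoad entry whose file is missing"))
        elif m := O23_RE.match(line):
            for part, text in base64_dirs(m.group(3)):
                findings.append(("O23", m.group(3), f"runs from {part!r}, base64 of {text!r}"))
    # A pair written into Tcpip\Parameters overrides DHCP for every adapter, and a
    # pair in a rogue range is the hijack; anything else is left for review, not deletion.
    for cset, where, servers in o17:
        reasons = []
        if where == "Parameters":
            reasons.append("static override in Tcpip\\Parameters applies to all adapters")
        if any(in_rogue_range(ip) for ip in servers):
            reasons.append("resolver in rogue range")
        item = "O17" if reasons else "O17-review"
        findings.append((item, f"{cset} {where}: {','.join(servers)}",
                         "; ".join(reasons) or "differs from the override pair; confirm with the ISP before removing"))
    return findings


if __name__ == "__main__":
    for item, detail, reason in triage(SAMPLE_LOG):
        print(f"{item:10} {reason}\n           {detail}")
```

Note what the script does not do: it never auto-deletes an O17 entry, because a NameServer that merely differs from the hijacked pair is exactly what a legitimate DHCP-assigned resolver looks like, and removing it leaves the machine with no working DNS.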

----------



## High hope (Jul 16, 2007)

OK, I downloaded the 'Fixwareout' program and followed your instructions.
I found the following:

O17 - HKLM\System\SC1\services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.116.104

and FIXED it.

Below is the 'TXT REPORT', followed by the new 'HIJACK LOG' you requested.

--------------------------------------------------------------------------------------------------

Username "SHARUKH JAVA" - 2007-07-20 9:28:23 [Fixwareout edited 2007/07/05]

»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdeeq.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.26 85.255.112.104" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{15031CAE-B5BF-4A1E-8035-52679079F5ED} 
"nameserver"="85.255.116.26,85.255.112.104" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A} 
"nameserver"="85.255.116.26,85.255.112.104" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{37CFB3F3-66BC-41C9-AEBA-ED1B4E8BC49E} 
"nameserver"="85.255.116.26,85.255.112.104" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{46D7D91F-5E69-442C-B892-61CB3157340F} 
"nameserver"="85.255.116.26,85.255.112.104" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{D51F2A34-09CC-40CF-8675-4438DB495F4D} 
"nameserver"="85.255.116.26,85.255.112.104" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{15031CAE-B5BF-4A1E-8035-52679079F5ED}
"DhcpNameServer"="85.255.116.26,85.255.112.104" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}
"DhcpNameServer"="85.255.116.26,85.255.112.104" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{38170140-9067-47C7-8914-B9B9EF70AD8E}
"DhcpNameServer"="85.255.116.26,85.255.112.104" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{46D7D91F-5E69-442C-B892-61CB3157340F}
"DhcpNameServer"="85.255.116.26,85.255.112.104" <Value cleared.

System was rebooted successfully.

»»»»» Postrun check 
HKLM\SOFTWARE\~\Winlogon\ "system"="" 
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "2mdm" Deleted 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}530F59079B10-A99A-8304-1067-3531047C{" Deleted 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}6B8AD3C373AF-7A78-25C4-1F2A-E8C7A610{" Deleted 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "lnzmd" Deleted 
C:\WINDOWS\System32\ituzd.exe Deleted
....
»»»»» Misc files. 
C:\WINDOWS\System32\atmtd.dll Deleted
C:\WINDOWS\System32\atmtd.dll._ Deleted
C:\Program Files\SpyMarshal Deleted
C:\WINDOWS\System32\kernel32.exe Deleted
....
»»»»» Checking for older varients.
....
»»»»» Other
C:\WINDOWS\Temp\kdeeq.ren 63843 08/04/2004

C:\Program Files\MovieCommander < Found 
Additional tools are recomended.

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"TFncKy"="TFncKy.exe"
"TPSMain"="TPSMain.exe"
"Pinger"="c:\\toshiba\\ivp\\ism\\pinger.exe /run"
"DLCCCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\DLCCtime.dll,[email protected]"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"CoolSwitch"="C:\\WINDOWS\\system32\\taskswitch.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe"
"Tvs"="C:\\Program Files\\Toshiba\\Tvs\\TvsTray.exe"
"THotkey"="C:\\Program Files\\Toshiba\\Toshiba Applet\\thotkey.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"PadTouch"="C:\\Program Files\\TOSHIBA\\Touch and Launch\\PadExe.exe"
"PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -startup"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"TOSCDSPD"="C:\\Program Files\\TOSHIBA\\TOSCDSPD\\toscdspd.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
-----------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:27:57 AM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\U0hBUlVLSCBKQVZB\command.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\SHARUKH JAVA\Desktop\PC software\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: GetRight Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: www.sgnappo.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.exe.imgfarm.com/images/no...ularScreenSaversFWBInitialSetup1.0.0.15-3.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - (no file)
O21 - SSODL: sMXWGVukbX - {606A9EA5-CAC0-340F-EE61-6D5A79CB5224} - (no file)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U0hBUlVLSCBKQVZB\command.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Thanks a lot, my dear helpful friends.


----------



## High hope (Jul 16, 2007)

Oh sorry, you had asked if this was my IP:

Serafino Vallorani
c/o Orange S.r.l.
Via Onesto Scavino, 10
47891 - Falciano
Republic of San Marino

I really don't know what an IP is!

I don't think there is any dumb guy like me on this earth either.


thanks a lot again!...


----------



## Cookiegal (Aug 27, 2003)

Please download *SmitfraudFix* (by *S!Ri*)

Extract (unzip) the content (a folder named *SmitfraudFix*) to your Desktop.

Open the *SmitfraudFix* folder and double-click *smitfraudfix.cmd*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Warning: Do not run Option #2 until you are instructed to do so. Running option #2 on a non infected computer will remove your Desktop background.


----------



## Cookiegal (Aug 27, 2003)

IP is your Internet Provider. Are you in the Republic of San Marino?


High hope said:


> oh sorry, you had asked if this was my IP:
> 
> Serafino Vallorani
> c/o Orange S.r.l.
> ...


----------



## High hope (Jul 16, 2007)

Hi there! 
I have downloaded 'SmitfraudFix' and saved the report as you told me;
I will post the report to you once I get to my computer, 3 hours later.
I apologise for the delay.
And thanks a lot for your help.


----------



## Cookiegal (Aug 27, 2003)

That's fine. :up:


----------



## High hope (Jul 16, 2007)

Hey there!
This is the report that I got after following your instructions.

............................................................

SmitFraudFix v2.205

Scan done at 10:20:14.73, Sat 07/21/2007
Run from C:\Documents and Settings\SHARUKH JAVA\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\U0hBUlVLSCBKQVZB\command.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\zlbw.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\SHARUKH JAVA

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\SHARUKH JAVA\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\SHARUK~2\STARTM~1\Programs\MovieCommander FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SHARUK~2\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\MovieCommander\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" c:\\windows\\system32\\ldcore.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{38E4794F-7175-4299-9FB9-A5F89346AF15}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{38E4794F-7175-4299-9FB9-A5F89346AF15}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{67BD4382-47EC-4F5B-AF05-724274224E50}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{97AC77DB-AE4F-471E-A843-109B7A4F4664}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D0E9D7DF-BBD6-4B70-804E-AC6F54B81053}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=85.255.116.26 85.255.112.104

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

............................................................

I hope this will finally solve all my problems!

Thanks to you all.


----------



## Cookiegal (Aug 27, 2003)

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the *SmitfraudFix* folder again and double-click *smitfraudfix.cmd*
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

If the tool detects that you have a DNS hijack, it will prompt you to reconfigure the network in DHCP.

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.

The report can also be found at the root of the system drive, usually at *C:\rapport.txt*


----------



## High hope (Jul 16, 2007)

Hi Cookiegal!

I followed all your instructions above, and like you said my Windows background would go, it did go.

This is the new 'rapport' Notepad file that showed up during the process, followed by a new HijackThis log.

--------------------------------------------------------------------------------------------------------

SmitFraudFix v2.205

Scan done at 15:41:16.65, Sun 07/22/2007
Run from C:\Documents and Settings\SHARUKH JAVA\Desktop\PC cleaners\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\zlbw.dll Deleted
C:\DOCUME~1\SHARUK~2\STARTM~1\Programs\MovieCommander Deleted
C:\Program Files\MovieCommander\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{38E4794F-7175-4299-9FB9-A5F89346AF15}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{38E4794F-7175-4299-9FB9-A5F89346AF15}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{67BD4382-47EC-4F5B-AF05-724274224E50}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{97AC77DB-AE4F-471E-A843-109B7A4F4664}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D0E9D7DF-BBD6-4B70-804E-AC6F54B81053}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=85.255.116.26 85.255.112.104

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

--------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 4:07:33 PM, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\U0hBUlVLSCBKQVZB\command.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Nokia\Nokia PC Suite 6\OneTouchAccess.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\SHARUKH JAVA\Desktop\PC software\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: GetRight Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: www.sgnappo.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.exe.imgfarm.com/images/no...ularScreenSaversFWBInitialSetup1.0.0.15-3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0E9D7DF-BBD6-4B70-804E-AC6F54B81053}: NameServer = 10.204.32.245 209.212.96.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - (no file)
O21 - SSODL: sMXWGVukbX - {606A9EA5-CAC0-340F-EE61-6D5A79CB5224} - (no file)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U0hBUlVLSCBKQVZB\command.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

--------------------------------------------------------------------------------------------------------
Thanks a lot for all your help!


----------
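Editorial note on reading the HijackThis log posted above: a few entries stand out regardless of what any scanner says. The O20 AppInit_DLLs value loads c:\windows\system32\ldcore.dll into every process that uses user32.dll; the O21 SSODL entries point at files that no longer exist; O15 adds www.sgnappo.com to the Trusted zone; and the O23 service "cmdService" with "Unknown owner" runs from C:\WINDOWS\U0hBUlVLSCBKQVZB\command.exe. That directory name is base64, and it decodes to "SHARUKH JAVA", which is the profile name visible in the same log's paths. The Python below is an added example (not part of HijackThis, SmitfraudFix or the thread) that pulls those checks out of a log automatically; the sample log is constructed from lines on this page, and the decode is computed rather than assumed.

```python
import base64
import binascii
import re

# Constructed sample in the shape of the HijackThis 1.99.1 log posted in this
# thread; the paths and GUIDs are the ones under discussion there.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\U0hBUlVLSCBKQVZB\\command.exe
C:\\Documents and Settings\\SHARUKH JAVA\\Desktop\\PC software\\HijackThis.exe

O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe
O15 - Trusted Zone: www.sgnappo.com
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22
O20 - AppInit_DLLs: c:\\windows\\system32\\ldcore.dll
O21 - SSODL: sMXWGVukbX - {606A9EA5-CAC0-340F-EE61-6D5A79CB5224} - (no file)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\\WINDOWS\\U0hBUlVLSCBKQVZB\\command.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\\Program Files\\TOSHIBA\\ConfigFree\\CFSvcs.exe
"""

# Profile name as it appears in any "Documents and Settings" path.
USER_RE = re.compile(r"Documents and Settings\\([^\\]+)\\")
# First directory component directly under C:\WINDOWS, base64 alphabet only.
WINDIR_RE = re.compile(r"C:\\WINDOWS\\([A-Za-z0-9+/]{8,}={0,2})\\", re.IGNORECASE)


def username_from_log(text):
    """Return the profile name found in the log, or None."""
    m = USER_RE.search(text)
    return m.group(1) if m else None


def decode_if_base64(token):
    """Return the decoded text if token is valid base64 for printable ASCII, else None."""
    if len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def base64_named_dirs(text):
    """Directories under C:\\WINDOWS whose names decode to readable text."""
    hits = {}
    for token in set(WINDIR_RE.findall(text)):
        decoded = decode_if_base64(token)
        if decoded:
            hits[token] = decoded
    return hits


def triage(text):
    """Return (line, reason) pairs for log entries that deserve a closer look."""
    flagged = []
    user = username_from_log(text)
    dirs = base64_named_dirs(text)
    for line in text.splitlines():
        if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            flagged.append((line, "AppInit_DLLs injects a DLL into every user32 process"))
        elif line.startswith("O21 - SSODL:") and line.endswith("(no file)"):
            flagged.append((line, "shell load entry points at a missing file"))
        elif line.startswith("O23 - Service:") and "Unknown owner" in line:
            for token, decoded in dirs.items():
                if token in line:
                    why = "service in base64-named directory (%r)" % decoded
                    if user and decoded.upper() == user.upper():
                        why += ", which is the profile name"
                    flagged.append((line, why))
                    break
        elif line.startswith("O15 - Trusted Zone:"):
            flagged.append((line, "site added to the IE Trusted zone"))
    return flagged


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print("%-60s  <- %s" % (line[:60], reason))
```

The base64 check is deliberately narrow: it only considers the first directory under C:\WINDOWS and only reports names that decode to printable text, so legitimate folders such as system32 (whose bytes are not ASCII when decoded) are not reported.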



## Cookiegal (Aug 27, 2003)

In normal mode, open the *SmitfraudFix* folder again and double-click *smitfraudfix.cmd*.
Select option #5- *Search and clean DNS Hijack* by typing *5* and press "*Enter*" .

A text file will appear onscreen following this procedure. Please copy and paste that log in your next reply, along with a new HijackThis log.


----------
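Editorial note on what option 5 can and cannot fix: SmitfraudFix rewrites the per-adapter NameServer values in the registry. The DhcpNameServer values listed in the same DNS section are not typed in by anyone; the DHCP client writes them from the lease it received, so if the same addresses are present again after the fix, whatever is handing out leases (on a home network, usually the router) is still supplying them and the registry fix alone will not hold. The Python below is an added example (not part of SmitfraudFix or the thread) that parses the DNS section of two reports, shows which entries changed, and separates resolvers that came in via DHCP from those set statically. The sample sections are constructed from the report posted earlier in the thread; the allowlist of expected resolvers is an assumption, since the thread never says which addresses are the ISP's.

```python
import re

# Constructed samples in the shape of the DNS section of the SmitfraudFix
# report posted earlier in this thread (addresses and adapter GUIDs taken
# from it). AFTER_SAME reproduces an unchanged section; AFTER_RESET is a
# hypothetical section as it would look if every entry had been reset.
BEFORE = """\
HKLM\\SYSTEM\\CS1\\Services\\Tcpip\\..\\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\\SYSTEM\\CS1\\Services\\Tcpip\\..\\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer=62.94.144.232,151.13.150.22
HKLM\\SYSTEM\\CS1\\Services\\Tcpip\\..\\{67BD4382-47EC-4F5B-AF05-724274224E50}: NameServer=62.94.144.232,151.13.150.22
HKLM\\SYSTEM\\CS1\\Services\\Tcpip\\Parameters: DhcpNameServer=85.255.116.26 85.255.112.104
"""
AFTER_SAME = BEFORE
AFTER_RESET = """\
HKLM\\SYSTEM\\CS1\\Services\\Tcpip\\..\\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: DhcpNameServer=62.94.144.232,151.13.150.22
HKLM\\SYSTEM\\CS1\\Services\\Tcpip\\..\\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer=62.94.144.232,151.13.150.22
HKLM\\SYSTEM\\CS1\\Services\\Tcpip\\..\\{67BD4382-47EC-4F5B-AF05-724274224E50}: NameServer=62.94.144.232,151.13.150.22
HKLM\\SYSTEM\\CS1\\Services\\Tcpip\\Parameters: DhcpNameServer=62.94.144.232 151.13.150.22
"""

# ASSUMPTION: the thread never says which resolvers belong to the ISP; this
# allowlist treats the statically configured pair as the legitimate ones.
EXPECTED = {"62.94.144.232", "151.13.150.22"}

# Matches both the per-adapter "..\{GUID}:" form and the global "Parameters:" form.
LINE_RE = re.compile(
    r"Tcpip\\(?:\.\.\\(\{[0-9A-Fa-f-]+\})|(Parameters)):\s*"
    r"(DhcpNameServer|NameServer)=(.*)$"
)


def parse_dns_section(text):
    """Map (interface, value name) -> tuple of resolver IPs; values may be comma or space separated."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        iface = m.group(1) or m.group(2)
        ips = tuple(ip for ip in re.split(r"[,\s]+", m.group(4).strip()) if ip)
        entries[(iface, m.group(3))] = ips
    return entries


def diff_dns(before, after):
    """Entries whose resolver list differs between the two parsed sections."""
    keys = set(before) | set(after)
    return {k: (before.get(k), after.get(k)) for k in sorted(keys)
            if before.get(k) != after.get(k)}


def dhcp_supplied(entries):
    """Resolvers that arrived through a DHCP lease rather than static configuration."""
    ips = set()
    for (_iface, name), value in entries.items():
        if name.lower() == "dhcpnameserver":
            ips.update(value)
    return ips


def unexpected_resolvers(entries, expected):
    """Every resolver in the section that is not on the allowlist."""
    found = set()
    for value in entries.values():
        found.update(value)
    return found - set(expected)


def assess(before_text, after_text, expected):
    """Compare two DNS sections and say whether the remaining bad resolvers came via DHCP."""
    before = parse_dns_section(before_text)
    after = parse_dns_section(after_text)
    still_bad = unexpected_resolvers(after, expected)
    return {
        "changed": diff_dns(before, after),
        "still_unexpected": still_bad,
        "still_unexpected_via_dhcp": dhcp_supplied(after) & still_bad,
    }


if __name__ == "__main__":
    for label, after in (("unchanged", AFTER_SAME), ("reset", AFTER_RESET)):
        result = assess(BEFORE, after, EXPECTED)
        print(label, "changed:", len(result["changed"]),
              "still unexpected:", sorted(result["still_unexpected"]),
              "of which via DHCP:", sorted(result["still_unexpected_via_dhcp"]))
```

When the "after" section is identical to the "before" section, nothing changed and the unexpected addresses are exactly the DHCP-supplied ones, which is the signal to look at the DHCP server's configuration rather than run the registry fix again.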



## High hope (Jul 16, 2007)

Hi there,
I have done the search and clean DNS hijack and also made a new HijackThis log.
These are as follows: the SmitfraudFix report and then the HijackThis log.

--------------------------------------------------------------------------------

SmitFraudFix v2.205

Scan done at 21:29:03.85, Sun 07/22/2007
Run from C:\Documents and Settings\SHARUKH JAVA\Desktop\PC cleaners\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{38E4794F-7175-4299-9FB9-A5F89346AF15}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{38E4794F-7175-4299-9FB9-A5F89346AF15}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{67BD4382-47EC-4F5B-AF05-724274224E50}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{97AC77DB-AE4F-471E-A843-109B7A4F4664}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D0E9D7DF-BBD6-4B70-804E-AC6F54B81053}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=85.255.116.26 85.255.112.104

»»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{38E4794F-7175-4299-9FB9-A5F89346AF15}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{38E4794F-7175-4299-9FB9-A5F89346AF15}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{67BD4382-47EC-4F5B-AF05-724274224E50}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{97AC77DB-AE4F-471E-A843-109B7A4F4664}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D0E9D7DF-BBD6-4B70-804E-AC6F54B81053}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=85.255.116.26 85.255.112.104

---------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:30:59 PM, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\U0hBUlVLSCBKQVZB\command.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Documents and Settings\SHARUKH JAVA\Desktop\PC software\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: GetRight Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: www.sgnappo.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.exe.imgfarm.com/images/no...ularScreenSaversFWBInitialSetup1.0.0.15-3.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - (no file)
O21 - SSODL: sMXWGVukbX - {606A9EA5-CAC0-340F-EE61-6D5A79CB5224} - (no file)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U0hBUlVLSCBKQVZB\command.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

-------------------------------------------------------------------------------------

this is it!...


----------



## Cookiegal (Aug 27, 2003)

Would you please run option 5 of the Smitfraud fix again (be sure to do it in normal mode) and post the results. It should be cleaning those entries.


----------



## High hope (Jul 16, 2007)

Hallo Cookiegal!
I have done another fix using SmitFraudFix, and this is the new 'rapport' I have.

----------------------------------------------------------------------------------------

SmitFraudFix v2.205

Scan done at 6:38:19.10, Mon 07/23/2007
Run from C:\Documents and Settings\SHARUKH JAVA\Desktop\PC cleaners\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{38E4794F-7175-4299-9FB9-A5F89346AF15}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{38E4794F-7175-4299-9FB9-A5F89346AF15}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{67BD4382-47EC-4F5B-AF05-724274224E50}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{97AC77DB-AE4F-471E-A843-109B7A4F4664}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D0E9D7DF-BBD6-4B70-804E-AC6F54B81053}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=85.255.116.26 85.255.112.104

»»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{38E4794F-7175-4299-9FB9-A5F89346AF15}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{38E4794F-7175-4299-9FB9-A5F89346AF15}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{67BD4382-47EC-4F5B-AF05-724274224E50}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{97AC77DB-AE4F-471E-A843-109B7A4F4664}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D0E9D7DF-BBD6-4B70-804E-AC6F54B81053}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=85.255.116.26 85.255.112.104

-----------------------------------------------------------------------------------------------------

That's it!


----------



## High hope (Jul 16, 2007)

Oh hi Cookiegal, I forgot to mention that, since the first time I ran the fix (option number '5') on 'SmitfraudFix', whenever I select 'shutdown' I get a small window that says ''closing WMS IDLE'' with only a close option in its window, which if I click will make me lose any unsaved information.
What does this mean and how do I fix this too?


----------



## High hope (Jul 16, 2007)

Hallo! I just want to know whether there is any solution to the problems I am facing.
I was asked to post a new 'rapport' note, which I have done two posts up.

Your assistance is appreciated.


----------



## Cookiegal (Aug 27, 2003)

Before doing this, write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.

These instructions are basically for home users.

In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double click on *Network Connections.* Then right click on your default connection, usually Local Area Connection for cable and DSL, and left click on Properties. Click the *Networking* tab. Double-click on the *Internet Protocol (TCP/IP)* item and select the radio dial that says *Obtain DNS servers automatically*

Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next go to Start > Run, type cmd and hit OK.
Type
*ipconfig /flushdns* 
then hit Enter, type exit and hit Enter.
(That space between g and / is needed.)

Then run Option 1 of the SmitfraudFix again and post that log please.


----------
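Cookiegal's check above (the static DNS servers versus the ones DHCP hands out) can also be read straight from the "DNS Before Fix" / "DNS After Fix" blocks that SmitFraudFix prints. The parser below is an added example, not part of this thread or of SmitFraudFix; the report it reads is a constructed sample laid out like the real section but using documentation addresses, and it flags interfaces where a static NameServer value overrides DHCP and lists the interfaces the fix left untouched.

```python
"""Review the DNS section of a SmitFraudFix report (added example, not from the thread)."""
import re
from collections import defaultdict

# Matches one registry line of the report's DNS section, e.g.
#   HKLM\SYSTEM\CS1\Services\Tcpip\..\{GUID}: NameServer=a.b.c.d,e.f.g.h
#   HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=a.b.c.d e.f.g.h
LINE_RE = re.compile(
    r"^HKLM\\SYSTEM\\CS1\\Services\\Tcpip\\(?:\.\.\\)?"
    r"(?P<iface>\{[0-9A-Fa-f-]+\}|Parameters): "
    r"(?P<key>DhcpNameServer|NameServer)=(?P<value>.*)$"
)
# Section headings look like "»»»»»»»» DNS Before Fix"; only DNS sections are kept.
SECTION_RE = re.compile(r"^»+\s*(?P<name>DNS\b.*?)\s*$")

# Constructed sample in the layout of the posted report (RFC 5737 documentation addresses).
SAMPLE_REPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

HKLM\SYSTEM\CS1\Services\Tcpip\..\{00000000-0000-0000-0000-00000000AAAA}: DhcpNameServer=192.0.2.10,192.0.2.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{00000000-0000-0000-0000-00000000AAAA}: NameServer=198.51.100.5,198.51.100.6
HKLM\SYSTEM\CS1\Services\Tcpip\..\{00000000-0000-0000-0000-00000000BBBB}: NameServer=198.51.100.5,198.51.100.6
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.0.2.10 192.0.2.11

»»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

HKLM\SYSTEM\CS1\Services\Tcpip\..\{00000000-0000-0000-0000-00000000AAAA}: DhcpNameServer=192.0.2.10,192.0.2.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{00000000-0000-0000-0000-00000000BBBB}: NameServer=198.51.100.5,198.51.100.6
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.0.2.10 192.0.2.11

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
"""


def parse_dns_sections(text):
    """Return {section: {iface: {key: [server, ...]}}} for every DNS section in the report."""
    sections = defaultdict(lambda: defaultdict(dict))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("»"):
            m = SECTION_RE.match(line)
            current = m.group("name") if m else None  # a non-DNS heading ends the section
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            # Per-interface values are comma separated; the global value is space separated.
            servers = [s for s in re.split(r"[,\s]+", m.group("value").strip()) if s]
            sections[current][m.group("iface")][m.group("key")] = servers
    return {name: dict(ifaces) for name, ifaces in sections.items()}


def review_section(ifaces):
    """Flag per-interface resolver settings that deserve a second look.

    Returns a list of (iface, reason, servers) tuples.
    """
    findings = []
    for iface, keys in ifaces.items():
        static = keys.get("NameServer")
        dhcp = keys.get("DhcpNameServer")
        if static:
            # Windows uses a populated NameServer value in preference to DhcpNameServer,
            # so "Obtain DNS servers automatically" is effectively overridden here.
            findings.append((iface, "static NameServer overrides DHCP", static))
        if static and dhcp and set(static) != set(dhcp):
            findings.append((iface, "static and DHCP resolvers disagree", dhcp))
    return findings


def unchanged_interfaces(report, before="DNS Before Fix", after="DNS After Fix"):
    """Interfaces whose NameServer/DhcpNameServer values are identical before and after the fix."""
    b, a = report.get(before, {}), report.get(after, {})
    return sorted(iface for iface in b if iface in a and b[iface] == a[iface])


if __name__ == "__main__":
    report = parse_dns_sections(SAMPLE_REPORT)
    for name, ifaces in report.items():
        print(f"== {name}")
        for iface, reason, servers in review_section(ifaces):
            print(f"  {iface}: {reason}: {', '.join(servers)}")
    print("untouched by the fix:", unchanged_interfaces(report))
```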



## High hope (Jul 16, 2007)

Hi Cookiegal!

I have followed all your instructions,
but I didn't have to change any of those settings, since it was already set like that.

Here is the new SmitfraudFix log,

-----------------------------------------------------------------------------------------------

SmitFraudFix v2.205

Scan done at 10:14:05.25, Tue 07/24/2007
Run from C:\Documents and Settings\SHARUKH JAVA\Desktop\PC cleaners\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\U0hBUlVLSCBKQVZB\command.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\SHARUKH JAVA

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\SHARUKH JAVA\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SHARUK~2\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" c:\\windows\\system32\\ldcore.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{38E4794F-7175-4299-9FB9-A5F89346AF15}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{38E4794F-7175-4299-9FB9-A5F89346AF15}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{67BD4382-47EC-4F5B-AF05-724274224E50}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{97AC77DB-AE4F-471E-A843-109B7A4F4664}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D0E9D7DF-BBD6-4B70-804E-AC6F54B81053}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=85.255.116.26 85.255.112.104

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

--------------------------------------------------------------------------------------------------


----------



## Cookiegal (Aug 27, 2003)

Go *here* to download AlcanShorty_en.exe. Scroll down to the middle of the page and click on "Download File" and save it to your desktop.

Double click the *alcanShorty.exe* file and follow prompts. 
It will make a folder on desktop called *Alcan Shorty*
Open the Alcan Shorty folder & double click the *run.bat* file to run it.
This will download a file called BFU.exe and a BFU script. 
If your firewall asks for permission to connect to the Internet you must allow it.
A message box will pop up saying "complete". 
Be patient and wait for the message box to appear as it may take some time.
Press OK then BFU.exe will open. 
Select the option to "Show log after script ends"
Execute the script by clicking the *Execute* button.
Note that you should see a progress bar while the script is being executed.
When the script has finished press "copy" and that will make a copy of the report in your clipboard. 
Paste the log into Notepad and save it to your desktop in case it's needed later.
*Note*: If you have any questions about the use of BFU please read *here*.

Reboot and post a new HijackThis log please.


----------



## High hope (Jul 16, 2007)

Hey there Cookiegal,
I have followed your above given instructions,
and after rebooting I have done a HijackThis log, the result of which is as follows.
It did take a bit of time though!

_________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 10:40:58 PM, on 7/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Documents and Settings\SHARUKH JAVA\Desktop\PC software\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: GetRight Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: www.sgnappo.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.exe.imgfarm.com/images/no...ularScreenSaversFWBInitialSetup1.0.0.15-3.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - (no file)
O21 - SSODL: sMXWGVukbX - {606A9EA5-CAC0-340F-EE61-6D5A79CB5224} - (no file)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

_____________________________________________________________________

thanks a lot for your help!


----------



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Add/Remove programs and remove:

*FunWebProducts
MyWebSearch*

*Click Here* and download Killbox and save it to your desktop but don't run it yet.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

* 
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - (no file)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab

O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll

O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - (no file)

O21 - SSODL: sMXWGVukbX - {606A9EA5-CAC0-340F-EE61-6D5A79CB5224} - (no file)
*

Then boot to safe mode:

Reboot your computer into *Safe Mode*. You can do this by restarting your computer and continually tapping the *F8* key until a menu appears. Use your up arrow key to highlight *Safe Mode* then hit enter.

Double-click on Killbox.exe to run it. 

Put a tick by *Standard File Kill*. 
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

*c:\windows\system32\ldcore.dll*

Click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file. 
Click Yes. 
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by *ALL* the options there *except* these three:
XP Prefetch
Recent
History

Now click the *Delete Selected Temp Files* button.
Exit the Killbox.

Boot back to windows normally.

I want to check your DNS settings to be sure all is fine so please go to *Start *- *Run *- type in *CMD *and click OK to open a command prompt:

Type the following command:

*IPCONFIG /ALL*

Right click in the command window and choose Select All, then hit Enter.
Paste the results in a message here.


----------



## High hope (Jul 16, 2007)

Hi there! OK, I did follow your instructions, but had a few problems this time,

1) After CHECKING the boxes you told me to, I clicked FIX, so while it was doing the fix, it gave me a kind of error on number O20, so I pressed OK and it continued with the rest of the fixes.

2) After getting into SAFE MODE and running KILLBOX, I pasted the " c:\windows\system32\ldcore.dll" in the box and selected the red button, but it said that it did not seem to exist, so I tried a second and then a third time too, but it responded in the same way.
I then continued with the rest of the process there.

3) After coming back to normal mode Windows, and typing CMD, the command window came up where in I typed IPCONFIG /ALL, then did a right click and selected all and pressed ENTER but nothing seemed to happen after that, so I tried a second and a third time but it was just the same.

I am sorry. Maybe I made a mistake somewhere or ... I really don't know what's happening!


----------



## High hope (Jul 16, 2007)

Error

In the above post on number (2) I said that "it did seem to exist";
in actual fact it was supposed to be "it did NOT seem to exist".


----------



## Cookiegal (Aug 27, 2003)

After typing in the command hit "Enter" before doing the right click etc.....


----------



## Cookiegal (Aug 27, 2003)

Note that you can edit your post if made within 24 hours but I've done it for you.  


Please post your IP Config log and also a new HijackThis log.


----------



## High hope (Jul 16, 2007)

Hi Cookiegal!
OK, thanks for doing the correction for me.

I tried doing the CMD process again, and pressed Enter before using the right click,
but I don't think this is the result expected; this (below) is what I got...

_______________________________________________________________________

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\SHARUKH JAVA>IPCONFIG /ALL

Windows IP Configuration

C:\Documents and Settings\SHARUKH JAVA>

__________________________________________________________________

Hope this is what you wanted!
I tried it many times but this is what I got all the time.


----------



## Cookiegal (Aug 27, 2003)

Did you type that or did you get it by right clicking and selecting all, hitting enter and then pasting here?


----------



## Cookiegal (Aug 27, 2003)

Also, please do the following:

Go to Start > Search and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now do a search for this file and let me know the entire paths to all instances found please:
*ipconfig.exe*


----------



## High hope (Jul 16, 2007)

Hello!

No, I only typed the command 'ipconfig /all' then pressed ENTER and that's what it showed me.

Ok, I have done the search after changing the search options to what you told me, and this is what I got:
I got three results I could not copy and paste,
and during the search I got an error;
this is what it was like,
____________________________________________________________________

AppName: explorer.exe AppVer: 6.0.2900.2180 ModName: unknown
ModVer: 0.0.0.0 Offset: c0000001

____________________________________________________________________


----------



## High hope (Jul 16, 2007)

Oh my!
I just realised that it's not possible to copy/paste the search results, so when I get back I will type out the three results I had found in my next post..

Thanks anyway.


----------



## High hope (Jul 16, 2007)

Hi Cookiegal,
These are the search results I got,

________________________________________________________________________

1) IPCONFIG.EXE-2395F30B.pf C:\WINDOWS\Prefech 26kb PF File 7/25/2007 9:28PM
2) ipconfig.exe C:\WINDOWS\system32 55kb Application 8/4/2004 2:00PM
3) ipconfig.exe C:\WINDOWS.0\system32 55kb Application 9/20/2006 9:59AM

_____________________________________________________________________

By the way, is there any other way of checking/testing RAM besides using the boot CD?
How do I clear my system cache? (if it is safe to do so) because it seems to be using a lot of space.

.............


----------



## Cookiegal (Aug 27, 2003)

It looks like you have two operating systems installed. Is that the case?


----------



## High hope (Jul 16, 2007)

Hello!

Yes, I do have two operating systems.

Sorry for the delay.


----------



## Cookiegal (Aug 27, 2003)

Are they two different operating systems or both XP?


----------



## High hope (Jul 16, 2007)

They are both XP operating systems.
And I would be happy to delete one of them (if possible) or if necessary.


----------



## Cookiegal (Aug 27, 2003)

It must be taking up a lot of resources unnecessarily. Do you ever boot to it? Do you have any valuable data saved on it?

If Rog is still following this thread, hopefully he will jump in and advise you on that.


----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - *Run* - type in *cmd* and click OK.

At the command prompt type in:

*netsh winsock reset catalog*

Press enter.

then type in:

*netsh int ip reset resetlog.txt*

Press enter.

You will need to reboot afterwards.

Then try running the *ipconfig /all* command again please.


----------



## Rollin' Rog (Dec 9, 2000)

Are these two XP installations on separate drives or partitions? If so it shouldn't be a problem.

But if they are on the same drive -- it could be problematic.

If you run *msconfig* and look at the boot.ini tab -- are both installations listed there?

Which one are you now booting to? Do they both have the same problems?

Cookiegal has done a great job here -- but I'm wondering if the original "windev*.sys" trojan is still hiding. Typically this gets configured as a service -- but I didn't see it in the services profile and I don't know if it was deleted by any of the scans.

Maybe Cookiegal might suggest a rootkit scanner at this point?


----------



## Cookiegal (Aug 27, 2003)

Sure Rog. I wasn't finished as I was just hoping to get that second OS dumped before going any further and I'm not sure how to do that. 

Download GMER from: http://majorgeeks.com/download.php?det=5198

Save it somewhere on your hard drive and unzip it to desktop.

Double click the gmer.exe to run it and select the rootkit tab and press scan. When the scan is done, click *Copy*. This will copy the report to the clipboard. Paste it into Notepad and save it and also paste the log report back here please.


----------



## High hope (Jul 16, 2007)

Hi there!

I tried those entries you told me to enter, then rebooted and tried 'ipconfig', but it gave the same answer as before..


----------



## Cookiegal (Aug 27, 2003)

OK, that's fine. Please run the GMER scan.


----------



## High hope (Jul 16, 2007)

The operating systems are both on one drive, and I do get the blue screen when I'm on that Windows too.
I still get that blue screen; I got it today morning and the day before yesterday.
I also still get the 'CLOSING WMS IDLE' screen when I am shutting down.

Ok, I will follow your newly given instructions when I get back.

THANKS ANYWAY...


----------



## High hope (Jul 16, 2007)

Hello Cookiegal and Rollin' Rog,
I downloaded the 'GMER' program and ran it too;
this below is the result of the scan, which I have saved to Notepad and pasted here too,

___________________________________________________________________

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-07-28 22:23:32
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.13 ----

SSDT \??\C:\WINDOWS\system32\windev-7f1f-743a.sys ZwEnumerateKey <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\windev-7f1f-743a.sys ZwEnumerateValueKey <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\windev-7f1f-743a.sys ZwQueryDirectoryFile <-- ROOTKIT !!!

---- User IAT/EAT - GMER 1.0.13 ----

IAT C:\Program Files\GetRight\getright.exe[2256] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\GetRight\getright.exe[2256] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\GetRight\getright.exe[2256] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\GetRight\getright.exe[2256] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\GetRight\getright.exe[2256] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\GetRight\getright.exe[2256] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\GetRight\getright.exe[2256] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyExA] [6F89DE0D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\GetRight\getright.exe[2256] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyExW] [6F89DE25] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\GetRight\getright.exe[2256] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyA] [6F89DDDD] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\GetRight\getright.exe[2256] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyW] [6F89DDF5] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\GetRight\getright.exe[2256] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileAttributesW] [715B4F3C] C:\WINDOWS\AppPatch\AcLayers.DLL
IAT C:\Program Files\GetRight\getright.exe[2256] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\GetRight\getright.exe[2256] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateEventW] [715B4EA4] C:\WINDOWS\AppPatch\AcLayers.DLL
IAT C:\Program Files\GetRight\getright.exe[2256] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateEventA] [715B4E50] C:\WINDOWS\AppPatch\AcLayers.DLL
IAT C:\Program Files\GetRight\getright.exe[2256] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!wsprintfA] [715B50F3] C:\WINDOWS\AppPatch\AcLayers.DLL
IAT C:\Program Files\GetRight\getright.exe[2256] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\GetRight\getright.exe[2256] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\GetRight\getright.exe[2256] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY  [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F7D16404] avg7rsw.sys

Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_FILE_SYSTEM_CONTROL [F093092A] DLAIFS_M.SYS
Device \FileSystem\meiudf \MeiUDF_Disk IRP_MJ_FILE_SYSTEM_CONTROL [F0930942] DLAIFS_M.SYS
Device \FileSystem\meiudf \MeiUDF_CdRom IRP_MJ_FILE_SYSTEM_CONTROL [F0930942] DLAIFS_M.SYS
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_FILE_SYSTEM_CONTROL [F093092A] DLAIFS_M.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F012079C] windev-7f1f-743a.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D8A85A] avgtdi.sys

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE_NAMED_PIPE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CLOSE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_READ [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_WRITE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_INFORMATION [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_INFORMATION [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_EA [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_EA [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_FLUSH_BUFFERS [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_VOLUME_INFORMATION [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_VOLUME_INFORMATION [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DIRECTORY_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_FILE_SYSTEM_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DEVICE_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SHUTDOWN [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_LOCK_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CLEANUP [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE_MAILSLOT [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_SECURITY [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_SECURITY [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_POWER [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SYSTEM_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DEVICE_CHANGE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_QUOTA [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_QUOTA [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE_NAMED_PIPE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CLOSE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_READ [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_WRITE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_INFORMATION [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_INFORMATION [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_EA [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_EA [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_FLUSH_BUFFERS [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_VOLUME_INFORMATION [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_VOLUME_INFORMATION [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_DIRECTORY_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_FILE_SYSTEM_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_DEVICE_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SHUTDOWN [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_LOCK_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CLEANUP [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE_MAILSLOT [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_SECURITY [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_SECURITY [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_POWER [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SYSTEM_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_DEVICE_CHANGE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_QUOTA [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_QUOTA [F7333E10] SynTP.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F012079C] windev-7f1f-743a.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D8A85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F012079C] windev-7f1f-743a.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D8A85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F012079C] windev-7f1f-743a.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D8A85A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F012079C] windev-7f1f-743a.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D8A85A] avgtdi.sys

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS  [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F7D16404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F7D16404] avg7rsw.sys

---- Services - GMER 1.0.13 ----

Service C:\WINDOWS\system32\windev-7f1f-743a.sys (*** hidden *** ) [AUTO] windev-7f1f-743a <-- ROOTKIT !!!


----------



## High hope (Jul 16, 2007)

---- Registry - GMER 1.0.13 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-4BD1-1721 
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-7F1F-743A 
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-7F1F-743A\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-7F1F-743A\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-7F1F-743A\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-7F1F-743A\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-7f1f-743a 
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] 2
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] \??\C:\WINDOWS\system32\windev-7f1f-743a.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] \??\C:\WINDOWS\system32\windev-7f1f-743a.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] \??\C:\WINDOWS\system32\windev-7f1f-743a.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-4BD1-1721 
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-7F1F-743A 
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-7F1F-743A\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-7F1F-743A\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-7F1F-743A\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-7F1F-743A\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-7F1F-743A\0000\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-7F1F-743A\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-7F1F-743A\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-7f1f-743a 
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 2
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] \??\C:\WINDOWS\system32\windev-7f1f-743a.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] \??\C:\WINDOWS\system32\windev-7f1f-743a.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] \??\C:\WINDOWS\system32\windev-7f1f-743a.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-7f1f-743a\[email protected] Root\LEGACY_WINDEV-7F1F-743A\0000
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] \??\C:\WINDOWS\system32\windev-7f1f-743a.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-4BD1-1721 
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-7F1F-743A 
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-7F1F-743A\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-7F1F-743A\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-7F1F-743A\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-7F1F-743A\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-7F1F-743A\0000\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-7F1F-743A\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-7F1F-743A\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-7f1f-743a 
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 2
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] \??\C:\WINDOWS\system32\windev-7f1f-743a.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] \??\C:\WINDOWS\system32\windev-7f1f-743a.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] \??\C:\WINDOWS\system32\windev-7f1f-743a.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] windev-7f1f-743a
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-7f1f-743a\[email protected] Root\LEGACY_WINDEV-7F1F-743A\0000
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] \??\C:\WINDOWS\system32\windev-7f1f-743a.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] windev-7f1f-743a

---- Files - GMER 1.0.13 ----

File C:\WINDOWS\system32\windev-4bd1-1721.sys 
File C:\WINDOWS\system32\windev-7f1f-743a.sys <-- ROOTKIT !!!
File C:\WINDOWS\system32\windev-peers.ini 

---- EOF - GMER 1.0.13 ----
_____________________________________________________________________

Oops! It said the text is too long, so I have posted it in two parts.
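
The two halves of the GMER report above show the classic shape of a kernel-mode rootkit: one driver hooks the three SSDT entries that user-mode tools rely on to enumerate registry keys, registry values and directory contents, the same driver sits in front of the TCP/IP device-control path, and its service is marked hidden. The script below is an added example (it is not part of the thread and not GMER's own code) that parses the line formats visible in that report and summarises, per driver, which of those indicators appeared, so the hooks that belong to the antivirus filter drivers and the touchpad driver (avg7rsw.sys, avgtdi.sys, SynTP.sys here) separate cleanly from the one that hides things. The sample log is constructed from a handful of the posted lines.

```python
import re
from collections import defaultdict

# The three native API hooks GMER flagged in the thread. A driver that
# intercepts these can filter registry keys, registry values and directory
# listings out of what user-mode tools (Explorer, regedit, cmd) get to see.
HIDING_HOOKS = {"ZwEnumerateKey", "ZwEnumerateValueKey", "ZwQueryDirectoryFile"}

# Constructed sample: a few lines copied from the posted report, plus the
# antivirus and touchpad hooks that appear alongside them, for contrast.
SAMPLE_LOG = r"""
GMER 1.0.13.12551 - http://www.gmer.net
---- System - GMER 1.0.13 ----
SSDT \??\C:\WINDOWS\system32\windev-7f1f-743a.sys ZwEnumerateKey <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\windev-7f1f-743a.sys ZwEnumerateValueKey <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\windev-7f1f-743a.sys ZwQueryDirectoryFile <-- ROOTKIT !!!
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F7D16404] avg7rsw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F012079C] windev-7f1f-743a.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D8A85A] avgtdi.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_READ [F7333E10] SynTP.sys
---- Services - GMER 1.0.13 ----
Service C:\WINDOWS\system32\windev-7f1f-743a.sys (*** hidden *** ) [AUTO] windev-7f1f-743a <-- ROOTKIT !!!
---- Files - GMER 1.0.13 ----
File C:\WINDOWS\system32\windev-4bd1-1721.sys
File C:\WINDOWS\system32\windev-7f1f-743a.sys <-- ROOTKIT !!!
File C:\WINDOWS\system32\windev-peers.ini
---- EOF - GMER 1.0.13 ----
"""

# One pattern per line type seen in the report.
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)")
DEVICE_RE = re.compile(
    r"^(?:Device|AttachedDevice)\s+(\S+)\s+(\S+)\s+(IRP_MJ_\w+)\s+\[([0-9A-Fa-f]+)\]\s+(\S+)")
SERVICE_RE = re.compile(r"^Service\s+(\S+).*\[(\w+)\]\s+(\S+)")
FILE_RE = re.compile(r"^File\s+(\S+)")


def basename(path):
    """Last path component, lower-cased, so '\\??\\C:\\...\\x.sys' and 'x.sys' collide."""
    return path.rstrip("\\").split("\\")[-1].lower()


def new_entry():
    return {"ssdt_hooks": set(), "device_hooks": set(), "service": None,
            "hidden_service": False, "files": set(), "gmer_flagged": False}


def triage_gmer(log_text):
    """Group every hook, service and file line by the kernel module it names."""
    modules = defaultdict(new_entry)
    for raw in log_text.splitlines():
        line = raw.strip()
        flagged = "<-- ROOTKIT" in line
        if m := SSDT_RE.match(line):
            entry = modules[basename(m.group(1))]
            entry["ssdt_hooks"].add(m.group(2))
        elif m := DEVICE_RE.match(line):
            entry = modules[basename(m.group(5))]
            entry["device_hooks"].add((m.group(2), m.group(3)))
        elif m := SERVICE_RE.match(line):
            entry = modules[basename(m.group(1))]
            entry["service"] = m.group(3)
            entry["hidden_service"] = "*** hidden ***" in line
        elif m := FILE_RE.match(line):
            entry = modules[basename(m.group(1))]
            entry["files"].add(m.group(1))
        else:
            continue
        entry["gmer_flagged"] |= flagged
    return dict(modules)


def suspicious_modules(report):
    """Modules worth investigating: those hooking the enumeration calls, running
    as a service GMER could not see through normal APIs, or flagged by GMER."""
    hits = []
    for name, e in sorted(report.items()):
        reasons = []
        hiding = e["ssdt_hooks"] & HIDING_HOOKS
        if hiding:
            reasons.append("hooks " + ", ".join(sorted(hiding)))
        if e["hidden_service"]:
            reasons.append(f"hidden service '{e['service']}'")
        if e["gmer_flagged"]:
            reasons.append("flagged by GMER")
        if reasons:
            hits.append((name, reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in suspicious_modules(triage_gmer(SAMPLE_LOG)):
        print(f"{name}: {'; '.join(reasons)}")
```

In a real triage the saved Notepad copy of the report is the input. The point of keying everything by module is that a filter driver attached to every IRP of Ntfs or Kbdclass (the antivirus and touchpad drivers above) looks noisy but is ordinary, whereas a driver that hooks ZwQueryDirectoryFile together with the two registry enumeration calls rarely has a benign reason to do so, and that is what separates the windev driver from the rest of the list.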


----------



## Cookiegal (Aug 27, 2003)

This program will get the rootkit.

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
Instead of Windows loading as normal, the Advanced Options Menu should appear
Select the first option, to run Windows in Safe Mode, then press *Enter*
Choose your usual account.

Open the extracted SDFix folder and double click *RunThis.bat* to start the script. 
Type *Y* to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot. 
Press any Key and it will restart the PC. 
When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* 
(Report.txt will also be copied to the clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


----------



## Rollin' Rog (Dec 9, 2000)

Ok, I see you are well on your way with the rootkit cleaning.

>> I'm not sure if the two installations are a problem or not.

But if both are fully installed you should see them listed in msconfig > boot.ini

There ONE will be listed as the default -- what you boot to if no action is taken to choose on startup.

You can have msconfig check to see if both paths are valid. If one is NOT valid it will tell you so and offer to remove it.

Now the problem remains that you would have 2 Windows directories on the same drive.

Am I right about the 2 Windows directories?

You could rename, and if no problems, subsequently delete one that is not in use.


If msconfig finds that both boot paths are valid there is no option to delete one in msconfig. 

You could still rename the Windows directory you are not booting to and don't want.

After rebooting if you run msconfig > boot.ini > check valid paths, this time it SHOULD tell you one is invalid and you could have it removed as a startup option.

>> I also need to add that any programs that were installed under the installation that you are deleting will no longer work -- and should be removed through Add/Remove programs first.

If you need to remove something afterwards, Add/Remove programs will not be able to do it and you would have to delete the remaining folders for them manually.
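
Rog's "check all boot paths" step can be reproduced offline. The script below is an added example (not msconfig's code and not from the thread): it parses an XP-style boot.ini, identifies the default entry, and checks each [operating systems] entry against the Windows directories present on that partition. The boot.ini text and the directory sets are constructed here; the two directory names, WINDOWS and WINDOWS.0, are the ones the search results earlier in the thread turned up, and the second run shows what happens once the unused one has been renamed.

```python
import re

# One [operating systems] line: ARC path, backslash directory, quoted label, options.
ENTRY_RE = re.compile(
    r'^(?P<arc>multi\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\))'
    r'(?P<dir>\\[^="]+?)="(?P<label>[^"]*)"(?P<opts>.*)$')

# Constructed boot.ini in the shape XP writes it; only the two directory
# names come from the thread (the search results listed WINDOWS and WINDOWS.0).
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""


def parse_boot_ini(text):
    """Return (default ARC path, list of entry dicts) from boot.ini text."""
    section, default, entries = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader":
            key, _, value = line.partition("=")
            if key.strip().lower() == "default":
                default = value.strip()
        elif section == "operating systems":
            m = ENTRY_RE.match(line)
            if m:
                entries.append({"arc": m["arc"], "dir": m["dir"],
                                "label": m["label"], "options": m["opts"].strip()})
    return default, entries


def check_boot_paths(text, dirs_on_partition):
    """dirs_on_partition maps an ARC partition path to the directory names that
    exist on it (constructed here; on the real machine you would list the drive).
    Each result says whether the entry's Windows directory is present and whether
    it is the default that boots when no choice is made at the menu."""
    default, entries = parse_boot_ini(text)
    results = []
    for e in entries:
        present = {d.lower() for d in dirs_on_partition.get(e["arc"], ())}
        full = e["arc"] + e["dir"]
        results.append({
            "path": full,
            "label": e["label"],
            "valid": e["dir"].lstrip("\\").lower() in present,
            "default": default is not None and full.lower() == default.lower(),
        })
    return results


def invalid_entries(results):
    """Entries msconfig would offer to remove: boot paths whose directory is gone."""
    return [r["path"] for r in results if not r["valid"]]


if __name__ == "__main__":
    partition = "multi(0)disk(0)rdisk(0)partition(1)"
    # Before: both installs exist, so both paths check out and nothing is removable.
    before = check_boot_paths(SAMPLE_BOOT_INI, {partition: {"WINDOWS", "WINDOWS.0"}})
    # After renaming the unused install, its boot entry no longer resolves.
    after = check_boot_paths(SAMPLE_BOOT_INI, {partition: {"WINDOWS", "WINDOWS.old"}})
    for r in before:
        print(f"{r['path']}: valid={r['valid']} default={r['default']}")
    print("removable after rename:", invalid_entries(after))
```

The rename-first approach Rog describes is what makes this safe to do by hand: nothing is deleted until the next boot has shown that the remaining entry works, and the invalid entry is what the boot-path check then reports.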


----------



## High hope (Jul 16, 2007)

Hello there!
I have done the SDFix and pasted the result of it here, followed by a new HijackThis report.

___________________________________________________________________

SDFix: Version 1.94

Run by SHARUKH JAVA on Mon 07/30/2007 at 02:21 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\SHARUK~2\Desktop\SDFix

Safe Mode:
Checking Services:

Name:
windev-7f1f-743a

ImagePath:
\??\C:\WINDOWS\system32\windev-7f1f-743a.sys

windev-7f1f-743a - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\windev-4bd1-1721.sys - Deleted
C:\WINDOWS\system32\windev-7f1f-743a.sys - Deleted
C:\WINDOWS\SYSTEM32\PFB0E0~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\PFCA7F~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\SFXZMT~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\SFXZMT~2.DLL - Deleted
C:\WINDOWS\SYSTEM32\SFXZMT~3.DLL - Deleted
C:\WINDOWS\SYSTEM32\SFXZMT~4.DLL - Deleted
C:\WINDOWS\system32\paars.ini - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\via.exe - Deleted
C:\WINDOWS\system32\wincom32.ini - Deleted
C:\WINDOWS\system32\windev-peers.ini - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"="C:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe:*:Enabled:Need For Speed III for Win32"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windowsr NetMeetingr"
"E:\\iTunes\\iTunes.exe"="E:\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\SHARUK~2\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\WINDOWS\CdaC14BA.DLL
C:\WINDOWS\U0hBUlVLSCBKQVZB\asappsrv.dll
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Windows Media Player\mplayer2.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\CdaC13BA.EXE
C:\WINDOWS\U0hBUlVLSCBKQVZB\command.exe
C:\LOGO.SYS
C:\WINDOWS\LOGOS.SYS
C:\WINDOWS\LOGOW.SYS
C:\WINDOWS\U0hBUlVLSCBKQVZB\oX11o5pMmF14kpt1.vbs

Finished

-------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:25:41 PM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\OneTouchAccess.exe
C:\Documents and Settings\SHARUKH JAVA\Desktop\PC software\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: GetRight Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: www.sgnappo.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0E9D7DF-BBD6-4B70-804E-AC6F54B81053}: NameServer = 10.204.32.245 209.212.96.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

_____________________________________________________________________

Thanks a lot!


----------



## High hope (Jul 16, 2007)

Hi there Rollin' Rog!
I ran 'msconfig', and yes, both operating systems are listed there as you said, but I don't know how to check which one is valid and which is not. Could you please help me on that?
One is WINDOWS XP PROFESSIONAL and the other is WINDOWS XP HOME.
I am using 'HOME' (which is my default) and would like to get rid of 'PROFESSIONAL'.
Thanks again!


----------



## Rollin' Rog (Dec 9, 2000)

Just click "check all boot paths" and see what it says.

I think for now you should just go ahead with the rootkit cleaning and see if that resolves things.

This might be more of a side track unless there are problems encountered with the cleaning which require removing one of the directories.

But if both paths are valid what you can try doing is renaming the directory that Professional is installed in. You would only be able to do this if you boot to Home.

If it renames without issue and there are no problems after doing this -- you can delete it. Then you would be able to remove the boot option using msconfig > check all boot paths because that one would be invalid.

Another method to edit boot.ini is to run *sysdm.cpl* and select > Advanced > Startup and Recovery > Edit.

The two boot path options will be listed there under "operating systems" and you can blank out the one that points to Professional. This is a little riskier if you delete the wrong thing. The directory will still remain afterwards and would have to be deleted manually -- you would have just eliminated the boot option.
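As an added example that is not from this thread, here is a Python equivalent of the "check all boot paths" step described above: it parses a boot.ini, maps each ARC path to a Windows directory, reports which entries point to a directory that no longer exists, and drops the invalid ones while refusing to remove the default entry. The boot.ini text, the partition-to-drive map and the `sample_dir_exists` callback are constructed assumptions so the script runs offline; on a real machine pass `os.path.isdir`.

```python
import os
import re
from typing import Callable, Dict, List, Tuple

# Constructed boot.ini mirroring the thread: two Windows XP entries on one partition,
# of which only the Home installation's directory still exists.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS.0="Microsoft Windows XP Professional" /fastdetect
"""

# Assumption: rdisk(0) partition(1) is drive C:. On a real machine this mapping comes
# from Disk Management; it is hard-coded here so the example runs anywhere.
PARTITION_TO_DRIVE: Dict[Tuple[int, int], str] = {(0, 1): "C:"}

# Constructed stand-in for os.path.isdir: only C:\WINDOWS exists on this "disk".
EXISTING_DIRS = {"C:\\WINDOWS"}


def sample_dir_exists(path: str) -> bool:
    return path.upper() in EXISTING_DIRS


ARC_RE = re.compile(r"^multi\(\d+\)disk\(\d+\)rdisk\((\d+)\)partition\((\d+)\)(\\.*)$")
LABEL_RE = re.compile(r'^"([^"]*)"\s*(.*)$')


def parse_boot_ini(text: str):
    """Return (default ARC path, list of entries) from boot.ini text."""
    default, entries, section = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        if section == "boot loader" and key.strip().lower() == "default":
            default = value.strip()
        elif section == "operating systems":
            m = LABEL_RE.match(value.strip())
            entries.append({
                "arc": key.strip(),
                "label": m.group(1) if m else value.strip(),
                "options": m.group(2) if m else "",
                "raw": raw,
            })
    return default, entries


def arc_to_windows_path(arc: str, partition_map=PARTITION_TO_DRIVE):
    """Translate an ARC path (multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS) into a
    drive-letter path, or None when the partition is not in the map."""
    m = ARC_RE.match(arc)
    if not m:
        return None
    drive = partition_map.get((int(m.group(1)), int(m.group(2))))
    return None if drive is None else drive + m.group(3)


def check_boot_paths(text: str, dir_exists: Callable[[str], bool] = os.path.isdir,
                     partition_map=PARTITION_TO_DRIVE) -> List[dict]:
    """What msconfig's "Check All Boot Paths" reports: per entry, whether the
    Windows directory it points at is actually present."""
    default, entries = parse_boot_ini(text)
    report = []
    for e in entries:
        path = arc_to_windows_path(e["arc"], partition_map)
        report.append({
            "label": e["label"],
            "path": path,
            "valid": path is not None and dir_exists(path),
            "is_default": e["arc"] == default,
        })
    return report


def remove_invalid_entries(text: str, dir_exists: Callable[[str], bool] = os.path.isdir,
                           partition_map=PARTITION_TO_DRIVE) -> Tuple[str, List[str]]:
    """Return (new boot.ini text, labels removed). Entries whose directory is missing
    are dropped; if the default entry is the missing one the function refuses,
    because deleting it would leave the boot menu pointing at nothing."""
    default, entries = parse_boot_ini(text)
    doomed_raw, removed = [], []
    for e in entries:
        path = arc_to_windows_path(e["arc"], partition_map)
        if path is not None and dir_exists(path):
            continue
        if e["arc"] == default:
            raise ValueError(f"default entry {e['arc']} has no directory; fix default= first")
        doomed_raw.append(e["raw"])
        removed.append(e["label"])
    kept = [ln for ln in text.splitlines() if ln not in doomed_raw]
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    for r in check_boot_paths(SAMPLE_BOOT_INI, sample_dir_exists):
        print(f"{'OK ' if r['valid'] else 'BAD'} {r['label']!r} -> {r['path']}"
              + (" (default)" if r["is_default"] else ""))
    new_ini, gone = remove_invalid_entries(SAMPLE_BOOT_INI, sample_dir_exists)
    print("removed:", gone)
    print(new_ini)
```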


----------



## Cookiegal (Aug 27, 2003)

Boot to safe mode and run Killbox on this folder:

C:\WINDOWS\*U0hBUlVLSCBKQVZB*

Go *here* to download AlcanShorty_en.exe. Scroll down to the middle of the page and click on "Download File" and save it to your desktop.

Double-click the *alcanShorty.exe* file and follow the prompts. 
It will make a folder on the desktop called *Alcan Shorty*.
Open the Alcan Shorty folder and double-click the *run.bat* file to run it.
This will download a file called BFU.exe and a BFU script. 
If your firewall asks for permission to connect to the Internet you must allow it.
A message box will pop up saying "complete". 
Be patient and wait for the message box to appear as it may take some time.
Press OK and then BFU.exe will open. 
Select the option to "Show log after script ends".
Execute the script by clicking the *Execute* button.
Note that you should see a progress bar while the script is being executed.
When the script has finished press "copy" and that will make a copy of the report in your clipboard. 
Paste the log into Notepad and save it to your desktop in case it's needed later.
*Note*: If you have any questions about the use of BFU please read *here*.

Let me know how that goes please.
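The folder named above is worth a closer look: U0hBUlVLSCBKQVZB is base64 for "SHARUKH JAVA", the account name that appears in the HijackThis log, so the name only looks random. As an added example (not from this thread or any of the tools it mentions), the following Python check runs over the SDFix hidden-file list posted earlier and flags directory names that decode to readable text, noting when the text equals the user name; the sample listing and user name are constructed from the log lines on this page.

```python
import base64
import re
import string
from typing import List, Optional

# Constructed sample: the "Files with Hidden Attributes" list from the SDFix report
# posted in this thread, plus the account name taken from its HijackThis log.
SAMPLE_HIDDEN_FILES = """\
C:\\WINDOWS\\CdaC14BA.DLL
C:\\WINDOWS\\U0hBUlVLSCBKQVZB\\asappsrv.dll
C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE
C:\\Program Files\\Messenger\\msmsgs.exe
C:\\WINDOWS\\CdaC13BA.EXE
C:\\WINDOWS\\U0hBUlVLSCBKQVZB\\command.exe
C:\\LOGO.SYS
C:\\WINDOWS\\U0hBUlVLSCBKQVZB\\oX11o5pMmF14kpt1.vbs
"""
SAMPLE_USER = "SHARUKH JAVA"

# Base64 alphabet only, at least 8 characters, optional '=' padding.
B64_NAME_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
# Printable ASCII without control whitespace (a plain space is allowed).
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
CODE_EXTENSIONS = (".exe", ".dll", ".vbs", ".sys", ".scr")


def decode_if_base64(name: str) -> Optional[str]:
    """Return the decoded text when `name` is well-formed base64 that decodes to
    printable ASCII, otherwise None. Ordinary names such as WINDOWS or
    "Program Files" fail the alphabet/length test; names like CdaC14BA decode
    to non-ASCII bytes and fail the printable test."""
    if not B64_NAME_RE.match(name) or len(name) % 4 != 0:
        return None
    try:
        text = base64.b64decode(name, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if not text or any(ch not in PRINTABLE for ch in text):
        return None
    return text


def analyze_hidden_files(listing: str, user_name: str) -> List[dict]:
    """Walk each path in a hidden-attribute listing and report files that sit in a
    directory whose name is base64 for readable text."""
    findings = []
    for line in listing.splitlines():
        path = line.strip()
        if not path:
            continue
        parts = path.split("\\")
        directories, filename = parts[1:-1], parts[-1]
        for directory in directories:
            decoded = decode_if_base64(directory)
            if decoded is None:
                continue
            findings.append({
                "path": path,
                "directory": directory,
                "decoded": decoded,
                # The tell-tale sign on this machine: the folder encodes the account name.
                "matches_user": decoded.strip().lower() == user_name.strip().lower(),
                "is_code": filename.lower().endswith(CODE_EXTENSIONS),
            })
    return findings


def suspicious_directories(findings: List[dict]) -> List[str]:
    """Distinct flagged directory names, most hits first, ready for a removal list."""
    counts = {}
    for f in findings:
        counts[f["directory"]] = counts.get(f["directory"], 0) + 1
    return sorted(counts, key=lambda d: (-counts[d], d))


if __name__ == "__main__":
    results = analyze_hidden_files(SAMPLE_HIDDEN_FILES, SAMPLE_USER)
    for f in results:
        tag = "USER NAME" if f["matches_user"] else "readable"
        print(f"{f['path']}  <- {f['directory']} = {f['decoded']!r} ({tag})")
    print("directories to review:", suspicious_directories(results))
```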


----------



## High hope (Jul 16, 2007)

Hi Cookiegal!
I didn't really understand how to run 'Killbox' on that file;
could you please detail the procedure for me?
I also have an 'Alcanshorty/BFU.EXE' on my laptop which I had downloaded earlier on during one of the procedures, so I did not download it again but instead tried to use the same one,
but I wasn't lucky enough, because when I hit the EXECUTE button it almost immediately said it had 'finished'.
Anyway, I did save it as it was, and if you say so, I can post it?


----------



## Cookiegal (Aug 27, 2003)

Sorry, but since we've used Killbox before, I didn't think it was necessary to repeat the instructions, but I will repeat them here for you:

Boot to safe mode.

Double-click on Killbox.exe to run it. 

Put a tick by *Standard File Kill*. 
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

* C:\WINDOWS\U0hBUlVLSCBKQVZB

Click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file. 
Click Yes. 
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.
Next, in Killbox go to *Tools > Delete Temp Files*.
In the window that pops up, put a check by *ALL* the options there *except* these three:
XP Prefetch
Recent
History

Now click the *Delete Selected Temp Files* button.
Exit the Killbox.

Then please run GMER again and post the new log.


----------



## High hope (Jul 16, 2007)

Hi there!
I did run Killbox and entered 'C:\WINDOWS\U0hBUlVLSCBKQVZB' and clicked the red "X" button, but it said that the file did not exist, so I carried on with the rest of the process.
Below is the new GMER log, followed by the BFU report that I got yesterday...

--------------------------------------------------------------------------------------------------------

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-08-01 13:08:59
Windows 5.1.2600 Service Pack 2

---- User IAT/EAT - GMER 1.0.13 ----

IAT C:\Program Files\GetRight\getright.exe[428] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\GetRight\getright.exe[428] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\GetRight\getright.exe[428] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\GetRight\getright.exe[428] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\GetRight\getright.exe[428] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\GetRight\getright.exe[428] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\GetRight\getright.exe[428] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyExA] [6F89DE0D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\GetRight\getright.exe[428] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyExW] [6F89DE25] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\GetRight\getright.exe[428] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyA] [6F89DDDD] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\GetRight\getright.exe[428] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyW] [6F89DDF5] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\GetRight\getright.exe[428] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileAttributesW] [715B4F3C] C:\WINDOWS\AppPatch\AcLayers.DLL
IAT C:\Program Files\GetRight\getright.exe[428] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\GetRight\getright.exe[428] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateEventW] [715B4EA4] C:\WINDOWS\AppPatch\AcLayers.DLL
IAT C:\Program Files\GetRight\getright.exe[428] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateEventA] [715B4E50] C:\WINDOWS\AppPatch\AcLayers.DLL
IAT C:\Program Files\GetRight\getright.exe[428] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!wsprintfA] [715B50F3] C:\WINDOWS\AppPatch\AcLayers.DLL
IAT C:\Program Files\GetRight\getright.exe[428] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\GetRight\getright.exe[428] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\GetRight\getright.exe[428] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll

---- Devices - GMER 1.0.13 ----

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F7D00404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F7D00404] avg7rsw.sys

Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_FILE_SYSTEM_CONTROL [F090F92A] DLAIFS_M.SYS
Device \FileSystem\meiudf \MeiUDF_Disk IRP_MJ_FILE_SYSTEM_CONTROL [F090F942] DLAIFS_M.SYS
Device \FileSystem\meiudf \MeiUDF_CdRom IRP_MJ_FILE_SYSTEM_CONTROL [F090F942] DLAIFS_M.SYS
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_FILE_SYSTEM_CONTROL [F090F92A] DLAIFS_M.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D7485A] avgtdi.sys

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE_NAMED_PIPE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CLOSE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_READ [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_WRITE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_INFORMATION [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_INFORMATION [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_EA [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_EA [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_FLUSH_BUFFERS [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_VOLUME_INFORMATION [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_VOLUME_INFORMATION [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DIRECTORY_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_FILE_SYSTEM_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DEVICE_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SHUTDOWN [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_LOCK_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CLEANUP [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE_MAILSLOT [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_SECURITY [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_SECURITY [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_POWER [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SYSTEM_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DEVICE_CHANGE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_QUOTA [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_QUOTA [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE_NAMED_PIPE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CLOSE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_READ [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_WRITE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_INFORMATION [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_INFORMATION [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_EA [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_EA [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_FLUSH_BUFFERS [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_VOLUME_INFORMATION [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_VOLUME_INFORMATION [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_DIRECTORY_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_FILE_SYSTEM_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_DEVICE_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SHUTDOWN [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_LOCK_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CLEANUP [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE_MAILSLOT [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_SECURITY [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_SECURITY [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_POWER [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SYSTEM_CONTROL [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_DEVICE_CHANGE [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_QUOTA [F7333E10] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_QUOTA [F7333E10] SynTP.sys


----------



## High hope (Jul 16, 2007)

Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D7485A] avgtdi.sys
Device \Device\00000067 IRP_MJ_CREATE [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_CREATE_NAMED_PIPE [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_CLOSE [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_READ [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_WRITE [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_QUERY_INFORMATION [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_SET_INFORMATION [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_QUERY_EA [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_SET_EA [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_FLUSH_BUFFERS [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_QUERY_VOLUME_INFORMATION [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_SET_VOLUME_INFORMATION [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_DIRECTORY_CONTROL [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_FILE_SYSTEM_CONTROL [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_DEVICE_CONTROL [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_SHUTDOWN [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_LOCK_CONTROL [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_CLEANUP [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_CREATE_MAILSLOT [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_QUERY_SECURITY [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_SET_SECURITY [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_POWER [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_SYSTEM_CONTROL [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_DEVICE_CHANGE [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_QUERY_QUOTA [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_SET_QUOTA [F7787CB8] ACPI.sys
Device \Device\00000067 IRP_MJ_PNP [F7787CB8] ACPI.sys
Device \Device\00000067 FastIoDetachDevice [F77880D4] ACPI.sys
Device \Device\00000068 IRP_MJ_CREATE [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_CREATE_NAMED_PIPE [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_CLOSE [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_READ [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_WRITE [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_QUERY_INFORMATION [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_SET_INFORMATION [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_QUERY_EA [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_SET_EA [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_FLUSH_BUFFERS [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_QUERY_VOLUME_INFORMATION [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_SET_VOLUME_INFORMATION [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_DIRECTORY_CONTROL [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_FILE_SYSTEM_CONTROL [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_DEVICE_CONTROL [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_SHUTDOWN [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_LOCK_CONTROL [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_CLEANUP [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_CREATE_MAILSLOT [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_QUERY_SECURITY [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_SET_SECURITY [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_POWER [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_SYSTEM_CONTROL [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_DEVICE_CHANGE [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_QUERY_QUOTA [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_SET_QUOTA [F7787CB8] ACPI.sys
Device \Device\00000068 IRP_MJ_PNP [F7787CB8] ACPI.sys
Device \Device\00000068 FastIoDetachDevice [F77880D4] ACPI.sys
Device \Device\00000069 IRP_MJ_CREATE [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_CREATE_NAMED_PIPE [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_CLOSE [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_READ [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_WRITE [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_QUERY_INFORMATION [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_SET_INFORMATION [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_QUERY_EA [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_SET_EA [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_FLUSH_BUFFERS [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_QUERY_VOLUME_INFORMATION [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_SET_VOLUME_INFORMATION [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_DIRECTORY_CONTROL [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_FILE_SYSTEM_CONTROL [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_DEVICE_CONTROL [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_INTERNAL_DEVICE_CONTROL  [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_SHUTDOWN [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_LOCK_CONTROL [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_CLEANUP [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_CREATE_MAILSLOT [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_QUERY_SECURITY [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_SET_SECURITY [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_POWER [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_SYSTEM_CONTROL [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_DEVICE_CHANGE [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_QUERY_QUOTA [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_SET_QUOTA [F7787CB8] ACPI.sys
Device \Device\00000069 IRP_MJ_PNP [F7787CB8] ACPI.sys
Device \Device\00000069 FastIoDetachDevice [F77880D4] ACPI.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D7485A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D7485A] avgtdi.sys
Device \Device\0000006a IRP_MJ_CREATE [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_CREATE_NAMED_PIPE [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_CLOSE [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_READ [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_WRITE [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_QUERY_INFORMATION [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_SET_INFORMATION [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_QUERY_EA [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_SET_EA [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_FLUSH_BUFFERS [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_QUERY_VOLUME_INFORMATION [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_SET_VOLUME_INFORMATION [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_DIRECTORY_CONTROL [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_FILE_SYSTEM_CONTROL [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_DEVICE_CONTROL [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_INTERNAL_DEVICE_CONTROL [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_SHUTDOWN [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_LOCK_CONTROL [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_CLEANUP [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_CREATE_MAILSLOT [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_QUERY_SECURITY [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_SET_SECURITY [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_POWER [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_SYSTEM_CONTROL [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_DEVICE_CHANGE [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_QUERY_QUOTA [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_SET_QUOTA [F7787CB8] ACPI.sys
Device \Device\0000006a IRP_MJ_PNP [F7787CB8] ACPI.sys
Device \Device\0000006a FastIoDetachDevice [F77880D4] ACPI.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D7485A] avgtdi.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [F090F912] DLAIFS_M.SYS

---- EOF - GMER 1.0.13 ----

-------------------------------------------------------------------------------------------------

BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 7:14:26 AM, on 7/31/2007

Script completed.

-----------------------------------------------------------------------------------------------------

Sorry, it was too long to fit in one post.
Thanks a lot!


----------



## Cookiegal (Aug 27, 2003)

That rootkit is gone now. Please run SDFix again.


----------



## High hope (Jul 16, 2007)

Hi there!
I have done the SDFix, and this is the log below.

----------------------------------------------------------------------------------------------------

SDFix: Version 1.94

Run by SHARUKH JAVA on Thu 08/02/2007 at 02:24 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\SHARUK~2\Desktop\PCCLEA~1\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"="C:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe:*:Enabled:Need For Speed III for Win32"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windowsr NetMeetingr"
"E:\\iTunes\\iTunes.exe"="E:\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files:
---------------

Files with Hidden Attributes:

C:\WINDOWS\CdaC14BA.DLL
C:\WINDOWS\U0hBUlVLSCBKQVZB\asappsrv.dll
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Windows Media Player\mplayer2.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\CdaC13BA.EXE
C:\WINDOWS\U0hBUlVLSCBKQVZB\command.exe
C:\LOGO.SYS
C:\WINDOWS\LOGOS.SYS
C:\WINDOWS\LOGOW.SYS
C:\WINDOWS\SoftwareDistribution\Download\04ca01d3516e62847eb74defda094165\BIT43.tmp
C:\WINDOWS\SoftwareDistribution\Download\0a7407b49e4a15c0b9a45c0426de5360\download\BIT2D.tmp
C:\WINDOWS\SoftwareDistribution\Download\0c114cf5b19927cfea8b29c83de1ed86\BIT38.tmp
C:\WINDOWS\SoftwareDistribution\Download\131ae35a2f5be2cefedd349d083bb253\BIT30.tmp
C:\WINDOWS\SoftwareDistribution\Download\1fb659e25c21839251d560da33cbcfad\BIT40.tmp
C:\WINDOWS\SoftwareDistribution\Download\29f79ad83880337acafe2a37966d9d29\BIT35.tmp
C:\WINDOWS\SoftwareDistribution\Download\2abaeb659824de5967ddf7181c6befdb\download\BIT37.tmp
C:\WINDOWS\SoftwareDistribution\Download\3470d8afe674adae2ee1cba944cf0413\BIT44.tmp
C:\WINDOWS\SoftwareDistribution\Download\379c3e87f4016899bd06cdf1184d31ce\BIT3D.tmp
C:\WINDOWS\SoftwareDistribution\Download\393673217fc83f2b990ca70aa98f1df8\BIT31.tmp
C:\WINDOWS\SoftwareDistribution\Download\40a830826de015286a7a5523023b1e09\BIT42.tmp
C:\WINDOWS\SoftwareDistribution\Download\4bff3a39d84c79b75274c24d8341568c\BIT3C.tmp
C:\WINDOWS\SoftwareDistribution\Download\582374c56f566bb2a83a59d0c2cd7d87\BIT3F.tmp
C:\WINDOWS\SoftwareDistribution\Download\6b1eb7074a817bb98d49a4ae9242f4d3\BIT3E.tmp
C:\WINDOWS\SoftwareDistribution\Download\6b5f9b6e24a379bdb34ad3589556de3e\download\BIT48.tmp
C:\WINDOWS\SoftwareDistribution\Download\76f9fc8f1dc6a72a021c08d35c113036\BIT32.tmp
C:\WINDOWS\SoftwareDistribution\Download\89b70ceab9c1882c80e33e4e8d6798ba\BIT36.tmp
C:\WINDOWS\SoftwareDistribution\Download\926205650391c256def4021265d66d17\BIT49.tmp
C:\WINDOWS\SoftwareDistribution\Download\972f9ceb5c3be430fe6cdcb43653d74d\BIT39.tmp
C:\WINDOWS\SoftwareDistribution\Download\a4eec31189780c76a955690dc00fbe64\download\BIT2F.tmp
C:\WINDOWS\SoftwareDistribution\Download\b79f0480d592be3a8c6db381ffc0c693\BIT41.tmp
C:\WINDOWS\SoftwareDistribution\Download\c1b0851ac9312d2f7e1ab716c11967b5\BIT34.tmp
C:\WINDOWS\SoftwareDistribution\Download\d28db6c4cd67a8d177238f554b7e11c7\BIT2E.tmp
C:\WINDOWS\SoftwareDistribution\Download\d820fbd6e1527bc9c51d0c3b240b96fd\BIT45.tmp
C:\WINDOWS\SoftwareDistribution\Download\da70638ee8e6f6c7eff37e755cd6f449\BIT33.tmp
C:\WINDOWS\SoftwareDistribution\Download\deb995e7b7d2953ec6904bd5047bd45f\BIT46.tmp
C:\WINDOWS\SoftwareDistribution\Download\edc9e523d8678897d85b5ee0ef1bbf7a\download\BIT47.tmp
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\BIT3B.tmp
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\BIT3A.tmp
C:\WINDOWS\SoftwareDistribution\Download\fc75a45b73372bd0c2a61e3a51d766ff\download\BIT4A.tmp
C:\WINDOWS\U0hBUlVLSCBKQVZB\oX11o5pMmF14kpt1.vbs

Finished

-------------------------------------------------------------------------------------------------

THANKS ONCE AGAIN!
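The "Files with Hidden Attributes" section of the SDFix log above is where the helper spotted the odd `C:\WINDOWS\U0hBUlVLSCBKQVZB` folder, and that folder name is plain base64 (it decodes to the account name that ran the scan). The script below is an added example, not part of the thread and not SDFix's own code: it parses that section out of an SDFix-style log, separates paths that sit in locations where a hidden attribute is expected from ones that need a look, and decodes any directory component that is valid base64 for printable text. The sample log excerpt, the allowlist of expected locations and the function names are all constructed for this example.

```python
"""Triage helper for the 'Files with Hidden Attributes' section of an SDFix-style log.

Added example for this thread; not part of SDFix. The allowlist below is an
assumption made for illustration, not a statement about what is safe.
"""
import base64
import re
from typing import Dict, List, Optional

# Constructed excerpt in the shape of the SDFix logs pasted in this thread.
SAMPLE_LOG = r"""
Remaining Files:
---------------

Files with Hidden Attributes:

C:\WINDOWS\CdaC14BA.DLL
C:\WINDOWS\U0hBUlVLSCBKQVZB\asappsrv.dll
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\U0hBUlVLSCBKQVZB\command.exe
C:\LOGO.SYS
C:\WINDOWS\SoftwareDistribution\Download\04ca01d3516e62847eb74defda094165\BIT43.tmp
C:\WINDOWS\U0hBUlVLSCBKQVZB\oX11o5pMmF14kpt1.vbs

Finished
"""

# Assumed allowlist: locations where a hidden attribute is routine on an XP box.
EXPECTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\windows\\softwaredistribution\\download\\",
)
EXPECTED_EXACT = {"c:\\logo.sys", "c:\\windows\\logos.sys", "c:\\windows\\logow.sys"}

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def parse_hidden_files(log_text: str) -> List[str]:
    """Return the paths listed under 'Files with Hidden Attributes:'.

    The list starts after the blank line that follows the header and ends
    at the next blank line (the one before 'Finished').
    """
    paths: List[str] = []
    in_section = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped == "Files with Hidden Attributes:":
            in_section = True
            continue
        if not in_section:
            continue
        if not stripped:
            if paths:        # blank line after at least one path closes the list
                break
            continue         # the blank line directly under the header
        paths.append(stripped)
    return paths


def decode_if_base64(token: str) -> Optional[str]:
    """Decode a path component if it is well-formed base64 for printable ASCII."""
    if not B64_TOKEN.match(token) or len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:       # binascii.Error is a ValueError subclass
        return None
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def is_expected(path: str) -> bool:
    """True when the path lies in one of the assumed-routine locations."""
    low = path.lower()
    return low in EXPECTED_EXACT or low.startswith(EXPECTED_PREFIXES)


def triage(log_text: str) -> List[Dict[str, object]]:
    """Annotate every hidden-attribute path with the facts a reviewer wants first."""
    results: List[Dict[str, object]] = []
    for path in parse_hidden_files(log_text):
        dirs = path.split("\\")[1:-1]          # directory names only: skip drive and file
        decoded = {d: decode_if_base64(d) for d in dirs}
        decoded = {d: v for d, v in decoded.items() if v is not None}
        results.append({"path": path, "expected": is_expected(path), "decoded_dirs": decoded})
    return results


def needs_review(log_text: str) -> List[str]:
    """Paths outside the expected locations, those with encoded directory names first."""
    flagged = [r for r in triage(log_text) if not r["expected"]]
    flagged.sort(key=lambda r: (not r["decoded_dirs"], str(r["path"])))
    return [str(r["path"]) for r in flagged]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        tag = "ok   " if entry["expected"] else "CHECK"
        note = ", ".join(f"{k} = {v!r}" for k, v in entry["decoded_dirs"].items())
        print(f"{tag} {entry['path']}" + (f"   [{note}]" if note else ""))
```

Run against the sample, the three files under `U0hBUlVLSCBKQVZB` come out first with the decoded name beside them, and `CdaC14BA.DLL` is listed as needing a look simply because it is not in the allowlist; the script says nothing about whether a flagged file is malicious, it only orders the manual review.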


----------



## Cookiegal (Aug 27, 2003)

Boot to safe mode and navigate to this folder. Right click on it and delete it.

C:\WINDOWS\*U0hBUlVLSCBKQVZB*


----------



## High hope (Jul 16, 2007)

Hi cookiegal!
I tried looking for the above-mentioned item, but I failed to find it.
I checked for it in both my Windows installs (XP Home and XP Professional) but it's nowhere to be seen. I also tried a search for it but there were no results.
Maybe it was already deleted.


----------



## Cookiegal (Aug 27, 2003)

No, I think it's still there. You may have to unhide files first.

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Go to Start > Search - All Files and Folders and under "More advanced search options",
make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Then see if you can find it.


----------



## High hope (Jul 16, 2007)

Hallo, Cookiegal! I did a search for that file again after changing the search options to what you told me, but no luck again.
I do remember seeing two folders of that type a few days back, but I am not sure whether I had deleted them or not.
Is there any scan that I can run with which you will be able to tell whether this folder/file is on the system or not?

Sorry for the inconvenience I am causing.


----------



## Cookiegal (Aug 27, 2003)

That's why I had you run SDFix again as it was listed there. Try running SDFix again and post the log please.


----------



## High hope (Jul 16, 2007)

Hi there, cookiegal.
I ran SDFix again and here is the report:

----------------------------------------------------------------------------------------------------

SDFix: Version 1.95

Run by SHARUKH JAVA on Sun 08/05/2007 at 09:44 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\SHARUK~2\Desktop\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\kr_done1 - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"="C:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe:*:Enabled:Need For Speed III for Win32"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windowsr NetMeetingr"
"E:\\iTunes\\iTunes.exe"="E:\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\SHARUK~2\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\WINDOWS\CdaC14BA.DLL
C:\WINDOWS\U0hBUlVLSCBKQVZB\asappsrv.dll
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Windows Media Player\mplayer2.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\CdaC13BA.EXE
C:\WINDOWS\U0hBUlVLSCBKQVZB\command.exe
C:\LOGO.SYS
C:\WINDOWS\LOGOS.SYS
C:\WINDOWS\LOGOW.SYS
C:\WINDOWS\SoftwareDistribution\Download\04ca01d3516e62847eb74defda094165\BIT43.tmp
C:\WINDOWS\SoftwareDistribution\Download\0a7407b49e4a15c0b9a45c0426de5360\download\BIT2D.tmp
C:\WINDOWS\SoftwareDistribution\Download\0c114cf5b19927cfea8b29c83de1ed86\BIT38.tmp
C:\WINDOWS\SoftwareDistribution\Download\131ae35a2f5be2cefedd349d083bb253\download\BITB.tmp
C:\WINDOWS\SoftwareDistribution\Download\1fb659e25c21839251d560da33cbcfad\BIT40.tmp
C:\WINDOWS\SoftwareDistribution\Download\29f79ad83880337acafe2a37966d9d29\BIT35.tmp
C:\WINDOWS\SoftwareDistribution\Download\2abaeb659824de5967ddf7181c6befdb\download\BIT37.tmp
C:\WINDOWS\SoftwareDistribution\Download\3470d8afe674adae2ee1cba944cf0413\BIT44.tmp
C:\WINDOWS\SoftwareDistribution\Download\379c3e87f4016899bd06cdf1184d31ce\BIT3D.tmp
C:\WINDOWS\SoftwareDistribution\Download\393673217fc83f2b990ca70aa98f1df8\download\BITC.tmp
C:\WINDOWS\SoftwareDistribution\Download\40a830826de015286a7a5523023b1e09\BIT42.tmp
C:\WINDOWS\SoftwareDistribution\Download\4bff3a39d84c79b75274c24d8341568c\BIT3C.tmp
C:\WINDOWS\SoftwareDistribution\Download\582374c56f566bb2a83a59d0c2cd7d87\BIT3F.tmp
C:\WINDOWS\SoftwareDistribution\Download\6b1eb7074a817bb98d49a4ae9242f4d3\BIT3E.tmp
C:\WINDOWS\SoftwareDistribution\Download\6b5f9b6e24a379bdb34ad3589556de3e\download\BIT48.tmp
C:\WINDOWS\SoftwareDistribution\Download\76f9fc8f1dc6a72a021c08d35c113036\BIT32.tmp
C:\WINDOWS\SoftwareDistribution\Download\89b70ceab9c1882c80e33e4e8d6798ba\BIT36.tmp
C:\WINDOWS\SoftwareDistribution\Download\926205650391c256def4021265d66d17\BIT49.tmp
C:\WINDOWS\SoftwareDistribution\Download\972f9ceb5c3be430fe6cdcb43653d74d\BIT39.tmp
C:\WINDOWS\SoftwareDistribution\Download\a4eec31189780c76a955690dc00fbe64\download\BIT2F.tmp
C:\WINDOWS\SoftwareDistribution\Download\b79f0480d592be3a8c6db381ffc0c693\BIT41.tmp
C:\WINDOWS\SoftwareDistribution\Download\c1b0851ac9312d2f7e1ab716c11967b5\download\BITE.tmp
C:\WINDOWS\SoftwareDistribution\Download\d28db6c4cd67a8d177238f554b7e11c7\BIT2E.tmp
C:\WINDOWS\SoftwareDistribution\Download\d820fbd6e1527bc9c51d0c3b240b96fd\BIT45.tmp
C:\WINDOWS\SoftwareDistribution\Download\da70638ee8e6f6c7eff37e755cd6f449\BIT33.tmp
C:\WINDOWS\SoftwareDistribution\Download\deb995e7b7d2953ec6904bd5047bd45f\BIT46.tmp
C:\WINDOWS\SoftwareDistribution\Download\edc9e523d8678897d85b5ee0ef1bbf7a\download\BIT47.tmp
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\BIT3B.tmp
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\BIT3A.tmp
C:\WINDOWS\SoftwareDistribution\Download\fc75a45b73372bd0c2a61e3a51d766ff\download\BIT4A.tmp
C:\WINDOWS\U0hBUlVLSCBKQVZB\oX11o5pMmF14kpt1.vbs

Finished 
---------------------------------------------------------------------------------------------------

It seems it is still there;
I will try and locate it again.


----------



## High hope (Jul 16, 2007)

Hey cookiegal! I found the folder this time! And I have deleted it now.
So is there anything else that I have to do now?


----------



## Cookiegal (Aug 27, 2003)

That's great but please run SDFix again. I'd like to be absolutely sure it's gone.


----------



## High hope (Jul 16, 2007)

Hallo there, cookiegal!
I have done the SDFix again and here is the report below.

---------------------------------------------------------------------------------------------

SDFix: Version 1.95

Run by SHARUKH JAVA on Mon 08/06/2007 at 01:09 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\SHARUK~2\Desktop\PCCLEA~1\NEWSDF~1\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"="C:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe:*:Enabled:Need For Speed III for Win32"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windowsr NetMeetingr"
"E:\\iTunes\\iTunes.exe"="E:\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files:
---------------

Files with Hidden Attributes:

C:\WINDOWS\CdaC14BA.DLL
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Windows Media Player\mplayer2.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\CdaC13BA.EXE
C:\LOGO.SYS
C:\WINDOWS\LOGOS.SYS
C:\WINDOWS\LOGOW.SYS
C:\WINDOWS\SoftwareDistribution\Download\04ca01d3516e62847eb74defda094165\BIT43.tmp
C:\WINDOWS\SoftwareDistribution\Download\0a7407b49e4a15c0b9a45c0426de5360\download\BIT2D.tmp
C:\WINDOWS\SoftwareDistribution\Download\0c114cf5b19927cfea8b29c83de1ed86\BIT38.tmp
C:\WINDOWS\SoftwareDistribution\Download\131ae35a2f5be2cefedd349d083bb253\download\BITB.tmp
C:\WINDOWS\SoftwareDistribution\Download\1fb659e25c21839251d560da33cbcfad\BIT40.tmp
C:\WINDOWS\SoftwareDistribution\Download\29f79ad83880337acafe2a37966d9d29\download\BITA.tmp
C:\WINDOWS\SoftwareDistribution\Download\2abaeb659824de5967ddf7181c6befdb\download\BIT37.tmp
C:\WINDOWS\SoftwareDistribution\Download\3470d8afe674adae2ee1cba944cf0413\BIT44.tmp
C:\WINDOWS\SoftwareDistribution\Download\379c3e87f4016899bd06cdf1184d31ce\BIT3D.tmp
C:\WINDOWS\SoftwareDistribution\Download\393673217fc83f2b990ca70aa98f1df8\download\BITC.tmp
C:\WINDOWS\SoftwareDistribution\Download\40a830826de015286a7a5523023b1e09\BIT42.tmp
C:\WINDOWS\SoftwareDistribution\Download\4bff3a39d84c79b75274c24d8341568c\BIT3C.tmp
C:\WINDOWS\SoftwareDistribution\Download\582374c56f566bb2a83a59d0c2cd7d87\BIT3F.tmp
C:\WINDOWS\SoftwareDistribution\Download\6b1eb7074a817bb98d49a4ae9242f4d3\BIT3E.tmp
C:\WINDOWS\SoftwareDistribution\Download\6b5f9b6e24a379bdb34ad3589556de3e\download\BIT48.tmp
C:\WINDOWS\SoftwareDistribution\Download\76f9fc8f1dc6a72a021c08d35c113036\BIT32.tmp
C:\WINDOWS\SoftwareDistribution\Download\89b70ceab9c1882c80e33e4e8d6798ba\BIT36.tmp
C:\WINDOWS\SoftwareDistribution\Download\926205650391c256def4021265d66d17\BIT49.tmp
C:\WINDOWS\SoftwareDistribution\Download\972f9ceb5c3be430fe6cdcb43653d74d\BIT39.tmp
C:\WINDOWS\SoftwareDistribution\Download\a4eec31189780c76a955690dc00fbe64\download\BIT2F.tmp
C:\WINDOWS\SoftwareDistribution\Download\b79f0480d592be3a8c6db381ffc0c693\BIT41.tmp
C:\WINDOWS\SoftwareDistribution\Download\c1b0851ac9312d2f7e1ab716c11967b5\download\BITE.tmp
C:\WINDOWS\SoftwareDistribution\Download\d28db6c4cd67a8d177238f554b7e11c7\BIT2E.tmp
C:\WINDOWS\SoftwareDistribution\Download\d820fbd6e1527bc9c51d0c3b240b96fd\BIT45.tmp
C:\WINDOWS\SoftwareDistribution\Download\da70638ee8e6f6c7eff37e755cd6f449\BIT33.tmp
C:\WINDOWS\SoftwareDistribution\Download\deb995e7b7d2953ec6904bd5047bd45f\BIT46.tmp
C:\WINDOWS\SoftwareDistribution\Download\edc9e523d8678897d85b5ee0ef1bbf7a\download\BIT47.tmp
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\BIT3B.tmp
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\BIT3A.tmp
C:\WINDOWS\SoftwareDistribution\Download\fc75a45b73372bd0c2a61e3a51d766ff\download\BIT4A.tmp

Finished

---------------------------------------------------------------------------------------------------

Thanks a million!


----------



## Cookiegal (Aug 27, 2003)

That's great. It's gone now. Are you able to run this command now?

*Start* - *Run* - type in *CMD* and click OK to open a command prompt:

Type the following command (be sure to include the space between the G and the /):

*IPCONFIG /ALL*

Hit Enter.

Right click in the command window and choose Select All, then hit Enter.
Paste the results in a message here.


----------



## High hope (Jul 16, 2007)

Hi cookiegal!
I tried running the command, but I wasn't lucky, because I got the same answer I used to get, and nothing more.
"Windows IP Configuration" is all I got.
I don't know, but maybe you want to check for the internet provider?
I am not using any landline internet connection, and have never used one before; I am using my mobile network as a modem for my laptop.


----------



## Cookiegal (Aug 27, 2003)

Maybe Rog can comment on why we can't get an ipconfig /all log?

Are you having any other problems?


----------



## High hope (Jul 16, 2007)

Ya, maybe he can figure that out for us.
Well, all seems to be good presently. I didn't get the BSOD for the last few days, and I hope I don't ever get it again. The 'CLOSING WMS IDLE' window I used to get is also gone now, after I deleted and reinstalled an older version of a Nero program.
All seems to be good!
Thanks a trillion!


----------



## Rollin' Rog (Dec 9, 2000)

I don't know -- but I didn't really understand this either:


> I am not using any landline internet connection,and have never used one before, i am using my mobile network as a modem for my laptop.


Do I understand this to be a cell phone type "wifi" connection?
I don't know what to expect from those.

Can you run *netsh diag gui* ?

Give it a moment to come up through Help and Support -- do a diagnostic scan and when finished, click the "save to file" option, then upload the results here.

PS: you may have to resave it as a text file -- I don't remember whether the attachment options here include "html" files.

But what problems are you experiencing now that might be networking related if any?


----------



## Cookiegal (Aug 27, 2003)

I'm concerned, Rog, because when running Option 1 of the SmitfraudFix, DNS hijacker IPs are still showing when they should be gone, so I'd like to see the DNS settings to be sure but can't get the log.

But, let's try running option 1 again as it may have changed.

High Hope, can you do this please?

Open the *SmitfraudFix* folder and double-click *smitfraudfix.cmd*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.


----------



## High hope (Jul 16, 2007)

Hi there!
I've done both of them,
and here they are...
-------------------------------------------------------------------------------------------

SmitFraudFix v2.205

Scan done at 13:13:49.46, Thu 08/09/2007
Run from C:\Documents and Settings\SHARUKH JAVA\Desktop\PC cleaners\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\SHARUKH JAVA

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\SHARUKH JAVA\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SHARUK~2\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{38E4794F-7175-4299-9FB9-A5F89346AF15}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{38E4794F-7175-4299-9FB9-A5F89346AF15}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{67BD4382-47EC-4F5B-AF05-724274224E50}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{97AC77DB-AE4F-471E-A843-109B7A4F4664}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D0E9D7DF-BBD6-4B70-804E-AC6F54B81053}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=85.255.116.26 85.255.112.104

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

-----------------------------------------------------------------------------------------------

Thanks!


----------



## Rollin' Rog (Dec 9, 2000)

Can't those DNS settings just be deleted directly from the registry? They seem entirely irrelevant to the connection in any case and could not be used.

Lol, the Network diagnostic shows no network card at all, no DNS settings and no passes or fails.

I assume this is because the connection device is via Nokia/Bluetooth:



> Description = Nokia GSM Phone USB Modem
> DeviceID = Modem0
> DeviceType = External Modem
> 
> ResponsesKeyName = Standard Modem over Bluetooth link::Standard Cell Phones::Microsoft


----------



## High hope (Jul 16, 2007)

Oh, yes, if they are of no use then I don't mind deleting them. But I will need your help on how to do that too.
Yes, that is what I was trying to say, that I am using my phone as a modem; I didn't know how to explain that to you.


----------



## Rollin' Rog (Dec 9, 2000)

Well I don't know why "combofix" (I think that is the program Cookiegal was using) was failing in its efforts, but you should be able to run *regedit* and navigate to the locations below:



> HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: DhcpNameServer=85.255.116.26,85.255.112.104
> HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer=62.94.144.232,151.13.150.22
> HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: DhcpNameServer=85.255.116.26,85.255.112.104
> HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: NameServer=62.94.144.232,151.13.150.22
> ...


CS1 stands for *ControlSet001*
The "..." should be *Parameters*

Look for the numeric IDs under that key in the left pane and delete those.

For this key:


> HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=85.255.116.26 85.255.112.104


Just delete the *DhcpNameServer=85.255.116.26 85.255.112.104* in the RIGHT pane.

By the way, the problem here may be that *ControlSet1* is NOT necessarily the ACTIVE ControlSet. It may be a "bad" one that is no longer in use.

If these items are not in the key "CurrentControlSet" they are not being used.

Reboot and see if they stayed deleted.
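A defender-side check for the registry locations Rog walks through above, added here as an example that is not part of the thread or of SmitFraudFix/LookCS1Parameters: it parses a .reg export of the Tcpip\Parameters tree (the shape of the report Cookiegal's batch file produces) and the DNS section of a SmitFraudFix log, flags NameServer/DhcpNameServer values that are not on an allow-list, and reports whether each hit sits in the control set that HKLM\SYSTEM\Select\Current marks as active. The sample export, the second interface GUID and the allow-list are constructed for the example; the hijacker-style addresses are the ones quoted in this thread.

```python
import re
from typing import List, NamedTuple, Optional, Tuple, Set


class DnsEntry(NamedTuple):
    control_set: str       # e.g. "ControlSet001" (SmitFraudFix writes it as CS1)
    key: str               # registry key path that holds the value
    value_name: str        # "NameServer" or "DhcpNameServer"
    servers: List[str]     # resolver addresses parsed from the value


# A .reg export key line under one of the control sets; group 2 is the set name.
KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\[^\]]*)\]$", re.I)
VALUE_RE = re.compile(r'^"(NameServer|DhcpNameServer)"="([^"]*)"$', re.I)
SELECT_CURRENT_RE = re.compile(r'^"Current"=dword:([0-9a-f]{8})$', re.I)
# One line of SmitFraudFix's "DNS" section: HKLM\SYSTEM\CS1\Services\Tcpip\..\{GUID}: NameServer=a,b
SMITFRAUD_RE = re.compile(
    r"^HKLM\\SYSTEM\\CS(\d)\\Services\\Tcpip\\(.+?): (NameServer|DhcpNameServer)=(.*)$")


def split_servers(raw: str) -> List[str]:
    """Windows separates resolvers with spaces or commas; tolerate trailing separators."""
    return [s for s in re.split(r"[ ,;]+", raw.strip()) if s]


def parse_reg_export(text: str) -> Tuple[List[DnsEntry], Optional[int]]:
    """Return the DNS entries found under any ControlSet, plus the Select\\Current number."""
    entries: List[DnsEntry] = []
    current_key: Optional[str] = None
    current_set: Optional[str] = None
    in_select = False
    current_number: Optional[int] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_select = line.upper() == r"[HKEY_LOCAL_MACHINE\SYSTEM\SELECT]"
            m = KEY_RE.match(line)
            current_key, current_set = (m.group(1), m.group(2)) if m else (None, None)
            continue
        if in_select:
            m = SELECT_CURRENT_RE.match(line)
            if m:
                current_number = int(m.group(1), 16)
            continue
        m = VALUE_RE.match(line)
        if m and current_key and current_set:
            entries.append(DnsEntry(current_set, current_key, m.group(1), split_servers(m.group(2))))
    return entries, current_number


def parse_smitfraudfix_dns(text: str) -> List[DnsEntry]:
    """Parse the DNS section of a SmitFraudFix log; CSn is expanded to ControlSet00n."""
    entries = []
    for line in text.splitlines():
        m = SMITFRAUD_RE.match(line.strip())
        if m:
            key = rf"HKLM\SYSTEM\CS{m.group(1)}\Services\Tcpip\{m.group(2)}"
            entries.append(DnsEntry(f"ControlSet{int(m.group(1)):03d}", key,
                                    m.group(3), split_servers(m.group(4))))
    return entries


def flag_rogue(entries: List[DnsEntry], allowed: Set[str]) -> List[DnsEntry]:
    """Entries that point at any resolver not on the allow-list."""
    return [e for e in entries if any(s not in allowed for s in e.servers)]


def is_active(entry: DnsEntry, current_number: Optional[int]) -> bool:
    """Rog's caveat: values in a control set that is not Select\\Current are not in use."""
    if entry.control_set.lower() == "currentcontrolset":
        return True
    return current_number is not None and entry.control_set.lower() == f"controlset{current_number:03d}"


# Constructed sample export (second GUID and the 192.168.1.1 resolver are made up).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"Hostname"="toshiba-user"
"DhcpNameServer"="85.255.116.26 85.255.112.104"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{15031CAE-B5BF-4A1E-8035-52679079F5ED}]
"NameServer"="62.94.144.232,151.13.150.22"
"DhcpNameServer"="85.255.116.26,85.255.112.104"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{AAAA0000-0000-4000-8000-000000000001}]
"NameServer"="192.168.1.1"
"""

# Constructed SmitFraudFix DNS section, including the truncated trailing-comma form seen in the thread.
SAMPLE_SMITFRAUD = r"""HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=85.255.116.26,
"""

# Placeholder allow-list: the resolvers the operator is actually supposed to hand out.
ALLOWED_RESOLVERS = {"192.168.1.1"}

if __name__ == "__main__":
    entries, current = parse_reg_export(SAMPLE_REG)
    for e in flag_rogue(entries, ALLOWED_RESOLVERS):
        state = "ACTIVE" if is_active(e, current) else "inactive"
        print(f"[{state}] {e.key} {e.value_name}={','.join(e.servers)}")
    for e in flag_rogue(parse_smitfraudfix_dns(SAMPLE_SMITFRAUD), ALLOWED_RESOLVERS):
        print(f"[smitfraudfix] {e.control_set} {e.value_name}={','.join(e.servers)}")
```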


----------



## High hope (Jul 16, 2007)

Hi Rollin' Rog!
I ran the command you told me to run, and I got 4 options on the left pane of the window in a tree order, but I could not locate the above-mentioned 'CS1' etc.
Could you please help me on which option I should select or what I should do next?


----------



## Rollin' Rog (Dec 9, 2000)

It's ControlSet1 as you see in my attachment. Do you not have that?

You don't want to delete that whole key -- just the items covered above, if there.

For example, right click on and delete the bold part here:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\*{15031CAE-B5BF-4A1E-8035-52679079F5ED}*


----------



## High hope (Jul 16, 2007)

Hi there Rollin' Rog,
I found the location and deleted the mentioned details. I then rebooted and checked to see if they stayed deleted, and yes, they are nowhere to be seen now.
Is that it now? Anything else to be done?
Thanks a lot for all your help so far!


----------



## Cookiegal (Aug 27, 2003)

Can you run option 1 of the SmitfraudFix again please? I know it's probably overkill but I like to be sure things are gone.


----------



## High hope (Jul 16, 2007)

OK Cookiegal, here is the new report...

------------------------------------------------------------------------------------------------

SmitFraudFix v2.205

Scan done at 17:26:54.95, Mon 08/13/2007
Run from C:\Documents and Settings\SHARUKH JAVA\Desktop\PC cleaners\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\SHARUKH JAVA

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\SHARUKH JAVA\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SHARUK~2\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{38E4794F-7175-4299-9FB9-A5F89346AF15}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{38E4794F-7175-4299-9FB9-A5F89346AF15}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{67BD4382-47EC-4F5B-AF05-724274224E50}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{97AC77DB-AE4F-471E-A843-109B7A4F4664}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D0E9D7DF-BBD6-4B70-804E-AC6F54B81053}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}: DhcpNameServer=85.255.116.26,85.255.112.104
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}: NameServer=62.94.144.232,151.13.150.22
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=85.255.116.26 85.255.112.104

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

------------------------------------------------------------------------------------------------

Thanks anyway!


----------



## Cookiegal (Aug 27, 2003)

I'm attaching a LookCS1Parameters.zip file to this post. Save it to your desktop. Unzip it and double click the LookCS1Parameters.bat file and allow it to run. It will open up a report in Notepad automatically. Please post the contents of that report here.


----------



## High hope (Jul 16, 2007)

Hi cookiegal!
This below is the report you asked for...

--------------------------------------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"NV Hostname"="toshiba-user"
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00
"ForwardBroadcasts"=dword:00000000
"IPEnableRouter"=dword:00000000
"Domain"=""
"Hostname"="toshiba-user"
"SearchList"=""
"UseDomainNameDevolution"=dword:00000001
"EnableICMPRedirect"=dword:00000001
"DeadGWDetectDefault"=dword:00000001
"DontAddDefaultGatewayDefault"=dword:00000000
"EnableSecurityFilters"=dword:00000000
"TcpMaxDataRetransmissions"=dword:00000005
"DhcpNameServer"="85.255.116.26 85.255.112.104"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Adapters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Adapters\NdisWanIp]
"LLInterface"="WANARP"
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,33,00,38,00,31,00,37,00,30,00,31,00,\
34,00,30,00,2d,00,39,00,30,00,36,00,37,00,2d,00,34,00,37,00,43,00,37,00,2d,\
00,38,00,39,00,31,00,34,00,2d,00,42,00,39,00,42,00,39,00,45,00,46,00,37,00,\
30,00,41,00,44,00,38,00,45,00,7d,00,00,00,54,00,63,00,70,00,69,00,70,00,5c,\
00,50,00,61,00,72,00,61,00,6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,\
6e,00,74,00,65,00,72,00,66,00,61,00,63,00,65,00,73,00,5c,00,7b,00,36,00,37,\
00,42,00,44,00,34,00,33,00,38,00,32,00,2d,00,34,00,37,00,45,00,43,00,2d,00,\
34,00,46,00,35,00,42,00,2d,00,41,00,46,00,30,00,35,00,2d,00,37,00,32,00,34,\
00,32,00,37,00,34,00,32,00,32,00,34,00,45,00,35,00,30,00,7d,00,00,00,54,00,\
63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,6d,00,65,00,74,00,65,\
00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,00,61,00,63,00,65,00,\
73,00,5c,00,7b,00,39,00,37,00,41,00,43,00,37,00,37,00,44,00,42,00,2d,00,41,\
00,45,00,34,00,46,00,2d,00,34,00,37,00,31,00,45,00,2d,00,41,00,38,00,34,00,\
33,00,2d,00,31,00,30,00,39,00,42,00,37,00,41,00,34,00,46,00,34,00,36,00,36,\
00,34,00,7d,00,00,00,54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,\
61,00,6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,\
00,66,00,61,00,63,00,65,00,73,00,5c,00,7b,00,44,00,30,00,45,00,39,00,44,00,\
37,00,44,00,46,00,2d,00,42,00,42,00,44,00,36,00,2d,00,34,00,42,00,37,00,30,\
00,2d,00,38,00,30,00,34,00,45,00,2d,00,41,00,43,00,36,00,46,00,35,00,34,00,\
42,00,38,00,31,00,30,00,35,00,33,00,7d,00,00,00,00,00
"NumInterfaces"=dword:00000004
"IpInterfaces"=hex:40,01,17,38,67,90,c7,47,89,14,b9,b9,ef,70,ad,8e,82,43,bd,67,\
ec,47,5b,4f,af,05,72,42,74,22,4e,50,db,77,ac,97,4f,ae,1e,47,a8,43,10,9b,7a,\
4f,46,64,df,d7,e9,d0,d6,bb,70,4b,80,4e,ac,6f,54,b8,10,53

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Adapters\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}]
"LLInterface"=""
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,32,00,37,00,41,00,32,00,39,00,34,00,\
39,00,46,00,2d,00,39,00,43,00,39,00,42,00,2d,00,34,00,43,00,31,00,31,00,2d,\
00,38,00,46,00,45,00,39,00,2d,00,32,00,33,00,39,00,33,00,35,00,45,00,35,00,\
44,00,42,00,37,00,39,00,41,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Adapters\{38E4794F-7175-4299-9FB9-A5F89346AF15}]
"LLInterface"=""
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,33,00,38,00,45,00,34,00,37,00,39,00,\
34,00,46,00,2d,00,37,00,31,00,37,00,35,00,2d,00,34,00,32,00,39,00,39,00,2d,\
00,39,00,46,00,42,00,39,00,2d,00,41,00,35,00,46,00,38,00,39,00,33,00,34,00,\
36,00,41,00,46,00,31,00,35,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Adapters\{46D7D91F-5E69-442C-B892-61CB3157340F}]
"LLInterface"=""
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,34,00,36,00,44,00,37,00,44,00,39,00,\
31,00,46,00,2d,00,35,00,45,00,36,00,39,00,2d,00,34,00,34,00,32,00,43,00,2d,\
00,42,00,38,00,39,00,32,00,2d,00,36,00,31,00,43,00,42,00,33,00,31,00,35,00,\
37,00,33,00,34,00,30,00,46,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Adapters\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}]
"LLInterface"=""
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,46,00,39,00,31,00,45,00,41,00,45,00,\
36,00,34,00,2d,00,33,00,39,00,38,00,41,00,2d,00,34,00,43,00,45,00,33,00,2d,\
00,41,00,39,00,41,00,35,00,2d,00,39,00,45,00,42,00,37,00,32,00,46,00,34,00,\
41,00,37,00,39,00,42,00,37,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{15031CAE-B5BF-4A1E-8035-52679079F5ED}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"="62.94.144.232,151.13.150.22"
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):00,00
"DhcpNameServer"="85.255.116.26,85.255.112.104"
@="62.94.144.232,151.13.150.22"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"="62.94.144.232,151.13.150.22"
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):00,00
"DhcpNameServer"="85.255.116.26,85.255.112.104"
@="62.94.144.232,151.13.150.22"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{38170140-9067-47C7-8914-B9B9EF70AD8E}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"RegisterAdapterName"=dword:00000000
"RegistrationEnabled"=dword:00000000
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"=""
@="62.94.144.232,151.13.150.22"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{38E4794F-7175-4299-9FB9-A5F89346AF15}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"="62.94.144.232,151.13.150.22"
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):30,00,78,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,\
32,00,00,00,00,00
"DhcpNameServer"="85.255.116.26,85.255.112.104"
@="62.94.144.232,151.13.150.22"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{46D7D91F-5E69-442C-B892-61CB3157340F}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"="62.94.144.232,151.13.150.22"
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):00,00
"DhcpNameServer"="85.255.116.26,85.255.112.104"
@="62.94.144.232,151.13.150.22"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{67BD4382-47EC-4F5B-AF05-724274224E50}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=hex(7):00,00
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"="62.94.144.232,151.13.150.22"
"DhcpClassIdBin"=hex:
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000
@="62.94.144.232,151.13.150.22"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{97AC77DB-AE4F-471E-A843-109B7A4F4664}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NameServer"="62.94.144.232,151.13.150.22"
@="62.94.144.232,151.13.150.22"
"Domain"=""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{D0E9D7DF-BBD6-4B70-804E-AC6F54B81053}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=hex(7):00,00
"DhcpClassIdBin"=hex:
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"="62.94.144.232,151.13.150.22"
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000
@="62.94.144.232,151.13.150.22"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"="62.94.144.232,151.13.150.22"
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):30,00,78,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,\
33,00,00,00,00,00
"DhcpNameServer"="85.255.116.26,85.255.112.104"
@="62.94.144.232,151.13.150.22"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\PersistentRoutes]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Winsock]
"UseDelayedAcceptance"=dword:00000000
"HelperDllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,77,00,73,00,68,00,74,00,63,00,70,00,69,00,70,00,2e,00,64,00,6c,00,6c,00,\
00,00
"MaxSockAddrLength"=dword:00000010
"MinSockAddrLength"=dword:00000010
"Mapping"=hex:0b,00,00,00,03,00,00,00,02,00,00,00,01,00,00,00,06,00,00,00,02,\
00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,06,00,00,00,00,00,\
00,00,00,00,00,00,06,00,00,00,00,00,00,00,01,00,00,00,06,00,00,00,02,00,00,\
00,02,00,00,00,11,00,00,00,02,00,00,00,02,00,00,00,00,00,00,00,02,00,00,00,\
00,00,00,00,11,00,00,00,00,00,00,00,00,00,00,00,11,00,00,00,00,00,00,00,02,\
00,00,00,11,00,00,00,02,00,00,00,03,00,00,00,00,00,00,00

------------------------------------------------------------------------------------------------

THANKS A LOT!


----------



## Cookiegal (Aug 27, 2003)

If you didn't save the exported copy of this key earlier, then please run the LookCS1Parameters.bat again and save it to your desktop and keep it as a backup as it can be restored if you make a mistake. Note that it has a .reg file extension by default and that is necessary so don't change it.

Now locate this key:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{15031CAE-B5BF-4A1E-8035-52679079F5ED}

In the right-hand pane, double click on *DhcpNameServer* to open it up and in the "edit string" box that appears, remove any reference to these two IPs only and click OK:

*85.255.116.26*
*85.255.112.104*

Do the exact same procedure as above for each of the following:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{38E4794F-7175-4299-9FB9-A5F89346AF15}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{46D7D91F-5E69-442C-B892-61CB3157340F}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}

Also, locate this key:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters

Double click on *DhcpNameServer* and remove any reference to those same two IP numbers.

Then close the registry editor and reboot the machine.

Now, run the LookCS1Parameters.bat again but this time save it with a different name so you don't override the one you kept as a back-up.

Copy and paste the new exported key here please.
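The procedure above has to be repeated by hand for every interface GUID, and it is easy to miss one. The script below is an added example for this thread (it is not the LookCS1Parameters.bat tool and was not posted by anyone here): it parses a "Windows Registry Editor Version 5.00" export like the one posted, flags every value under Tcpip\Parameters that references the two resolver addresses named above, and shows each value with only those two addresses removed. SAMPLE_EXPORT is constructed in the format of the posted report, with the report's own GUIDs and trimmed values.

```python
"""Audit a Registry Editor 5.00 export of the Tcpip\\Parameters tree for the
rogue DNS resolvers discussed in this thread.

Added example for this thread; it is not the LookCS1Parameters.bat tool and
not code posted by anyone in the thread. The two resolver addresses are the
ones the helper tells the poster to remove; SAMPLE_EXPORT is constructed in
the format of the posted report (real GUIDs from the report, trimmed values).
"""
import re
from typing import Dict, List, Tuple

# The two addresses the thread's procedure removes, and nothing else.
ROGUE_DNS = {"85.255.116.26", "85.255.112.104"}

# The only values the procedure touches.
DNS_VALUES = ("DhcpNameServer", "NameServer")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # REG_SZ lines only

# Constructed sample export (format of the posted report, shortened).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"Hostname"="toshiba-user"
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
  6f,00,74,00,25,00,00,00
"DhcpNameServer"="85.255.116.26 85.255.112.104"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{15031CAE-B5BF-4A1E-8035-52679079F5ED}]
"EnableDHCP"=dword:00000001
"NameServer"="62.94.144.232,151.13.150.22"
"DhcpNameServer"="85.255.116.26,85.255.112.104"
@="62.94.144.232,151.13.150.22"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{67BD4382-47EC-4F5B-AF05-724274224E50}]
"EnableDHCP"=dword:00000000
"NameServer"="62.94.144.232,151.13.150.22"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: string_value}} for REG_SZ values.

    dword/hex values and the backslash-continued hex lines are skipped:
    the procedure only needs the plain string DNS values.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _STR_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def split_servers(value: str) -> List[str]:
    """The Parameters key separates servers with spaces, Interfaces with commas."""
    return [s for s in re.split(r"[ ,]+", value.strip()) if s]


def clean_servers(value: str) -> str:
    """Drop only the rogue addresses; keep the rest and the original separator."""
    sep = "," if "," in value else " "
    return sep.join(s for s in split_servers(value) if s not in ROGUE_DNS)


def audit(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (key, value_name, current_value, cleaned_value) for every
    Tcpip\\Parameters DNS value that references a rogue resolver."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if r"\Services\Tcpip\Parameters" not in key:
            continue
        for name in DNS_VALUES:
            servers = split_servers(values.get(name, ""))
            if ROGUE_DNS & set(servers):
                findings.append((key, name, values[name], clean_servers(values[name])))
    return findings


def render_fix(text: str) -> str:
    """Emit a minimal .reg fragment that writes back only the cleaned values."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _current, cleaned in audit(text):
        out += [f"[{key}]", f'"{name}"="{cleaned}"', ""]
    return "\n".join(out)


if __name__ == "__main__":
    for key, name, current, cleaned in audit(SAMPLE_EXPORT):
        print(f"{key}\n  {name}: {current!r} -> {cleaned!r}")
    print(render_fix(SAMPLE_EXPORT))
```

Keep the backup export the helper asks for before importing anything render_fix produces.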


----------



## High hope (Jul 16, 2007)

Hi cookiegal!
I have finally managed to follow your above procedures, and here is the new report I have for you:

-----------------------------------------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"NV Hostname"="toshiba-user"
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00
"ForwardBroadcasts"=dword:00000000
"IPEnableRouter"=dword:00000000
"Domain"=""
"Hostname"="toshiba-user"
"SearchList"=""
"UseDomainNameDevolution"=dword:00000001
"EnableICMPRedirect"=dword:00000001
"DeadGWDetectDefault"=dword:00000001
"DontAddDefaultGatewayDefault"=dword:00000000
"EnableSecurityFilters"=dword:00000000
"TcpMaxDataRetransmissions"=dword:00000005

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Adapters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Adapters\NdisWanIp]
"LLInterface"="WANARP"
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,33,00,38,00,31,00,37,00,30,00,31,00,\
34,00,30,00,2d,00,39,00,30,00,36,00,37,00,2d,00,34,00,37,00,43,00,37,00,2d,\
00,38,00,39,00,31,00,34,00,2d,00,42,00,39,00,42,00,39,00,45,00,46,00,37,00,\
30,00,41,00,44,00,38,00,45,00,7d,00,00,00,54,00,63,00,70,00,69,00,70,00,5c,\
00,50,00,61,00,72,00,61,00,6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,\
6e,00,74,00,65,00,72,00,66,00,61,00,63,00,65,00,73,00,5c,00,7b,00,36,00,37,\
00,42,00,44,00,34,00,33,00,38,00,32,00,2d,00,34,00,37,00,45,00,43,00,2d,00,\
34,00,46,00,35,00,42,00,2d,00,41,00,46,00,30,00,35,00,2d,00,37,00,32,00,34,\
00,32,00,37,00,34,00,32,00,32,00,34,00,45,00,35,00,30,00,7d,00,00,00,54,00,\
63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,6d,00,65,00,74,00,65,\
00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,00,61,00,63,00,65,00,\
73,00,5c,00,7b,00,39,00,37,00,41,00,43,00,37,00,37,00,44,00,42,00,2d,00,41,\
00,45,00,34,00,46,00,2d,00,34,00,37,00,31,00,45,00,2d,00,41,00,38,00,34,00,\
33,00,2d,00,31,00,30,00,39,00,42,00,37,00,41,00,34,00,46,00,34,00,36,00,36,\
00,34,00,7d,00,00,00,54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,\
61,00,6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,\
00,66,00,61,00,63,00,65,00,73,00,5c,00,7b,00,44,00,30,00,45,00,39,00,44,00,\
37,00,44,00,46,00,2d,00,42,00,42,00,44,00,36,00,2d,00,34,00,42,00,37,00,30,\
00,2d,00,38,00,30,00,34,00,45,00,2d,00,41,00,43,00,36,00,46,00,35,00,34,00,\
42,00,38,00,31,00,30,00,35,00,33,00,7d,00,00,00,00,00
"NumInterfaces"=dword:00000004
"IpInterfaces"=hex:40,01,17,38,67,90,c7,47,89,14,b9,b9,ef,70,ad,8e,82,43,bd,67,\
ec,47,5b,4f,af,05,72,42,74,22,4e,50,db,77,ac,97,4f,ae,1e,47,a8,43,10,9b,7a,\
4f,46,64,df,d7,e9,d0,d6,bb,70,4b,80,4e,ac,6f,54,b8,10,53

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Adapters\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}]
"LLInterface"=""
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,32,00,37,00,41,00,32,00,39,00,34,00,\
39,00,46,00,2d,00,39,00,43,00,39,00,42,00,2d,00,34,00,43,00,31,00,31,00,2d,\
00,38,00,46,00,45,00,39,00,2d,00,32,00,33,00,39,00,33,00,35,00,45,00,35,00,\
44,00,42,00,37,00,39,00,41,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Adapters\{38E4794F-7175-4299-9FB9-A5F89346AF15}]
"LLInterface"=""
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,33,00,38,00,45,00,34,00,37,00,39,00,\
34,00,46,00,2d,00,37,00,31,00,37,00,35,00,2d,00,34,00,32,00,39,00,39,00,2d,\
00,39,00,46,00,42,00,39,00,2d,00,41,00,35,00,46,00,38,00,39,00,33,00,34,00,\
36,00,41,00,46,00,31,00,35,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Adapters\{46D7D91F-5E69-442C-B892-61CB3157340F}]
"LLInterface"=""
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,34,00,36,00,44,00,37,00,44,00,39,00,\
31,00,46,00,2d,00,35,00,45,00,36,00,39,00,2d,00,34,00,34,00,32,00,43,00,2d,\
00,42,00,38,00,39,00,32,00,2d,00,36,00,31,00,43,00,42,00,33,00,31,00,35,00,\
37,00,33,00,34,00,30,00,46,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Adapters\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}]
"LLInterface"=""
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,46,00,39,00,31,00,45,00,41,00,45,00,\
36,00,34,00,2d,00,33,00,39,00,38,00,41,00,2d,00,34,00,43,00,45,00,33,00,2d,\
00,41,00,39,00,41,00,35,00,2d,00,39,00,45,00,42,00,37,00,32,00,46,00,34,00,\
41,00,37,00,39,00,42,00,37,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{15031CAE-B5BF-4A1E-8035-52679079F5ED}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"="62.94.144.232,151.13.150.22"
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):00,00
@="62.94.144.232,151.13.150.22"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"="62.94.144.232,151.13.150.22"
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):00,00
@="62.94.144.232,151.13.150.22"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{38170140-9067-47C7-8914-B9B9EF70AD8E}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"RegisterAdapterName"=dword:00000000
"RegistrationEnabled"=dword:00000000
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"=""
@="62.94.144.232,151.13.150.22"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{38E4794F-7175-4299-9FB9-A5F89346AF15}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"="62.94.144.232,151.13.150.22"
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):30,00,78,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,\
32,00,00,00,00,00
@="62.94.144.232,151.13.150.22"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{46D7D91F-5E69-442C-B892-61CB3157340F}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"="62.94.144.232,151.13.150.22"
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):00,00
@="62.94.144.232,151.13.150.22"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{67BD4382-47EC-4F5B-AF05-724274224E50}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=hex(7):00,00
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"="62.94.144.232,151.13.150.22"
"DhcpClassIdBin"=hex:
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000
@="62.94.144.232,151.13.150.22"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{97AC77DB-AE4F-471E-A843-109B7A4F4664}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NameServer"="62.94.144.232,151.13.150.22"
@="62.94.144.232,151.13.150.22"
"Domain"=""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{D0E9D7DF-BBD6-4B70-804E-AC6F54B81053}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=hex(7):00,00
"DhcpClassIdBin"=hex:
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"="62.94.144.232,151.13.150.22"
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000
@="62.94.144.232,151.13.150.22"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F91EAE64-398A-4CE3-A9A5-9EB72F4A79B7}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"="62.94.144.232,151.13.150.22"
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):30,00,78,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,\
33,00,00,00,00,00
@="62.94.144.232,151.13.150.22"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\PersistentRoutes]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Winsock]
"UseDelayedAcceptance"=dword:00000000
"HelperDllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,77,00,73,00,68,00,74,00,63,00,70,00,69,00,70,00,2e,00,64,00,6c,00,6c,00,\
00,00
"MaxSockAddrLength"=dword:00000010
"MinSockAddrLength"=dword:00000010
"Mapping"=hex:0b,00,00,00,03,00,00,00,02,00,00,00,01,00,00,00,06,00,00,00,02,\
00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,06,00,00,00,00,00,\
00,00,00,00,00,00,06,00,00,00,00,00,00,00,01,00,00,00,06,00,00,00,02,00,00,\
00,02,00,00,00,11,00,00,00,02,00,00,00,02,00,00,00,00,00,00,00,02,00,00,00,\
00,00,00,00,11,00,00,00,00,00,00,00,00,00,00,00,11,00,00,00,00,00,00,00,02,\
00,00,00,11,00,00,00,02,00,00,00,03,00,00,00,00,00,00,00

---------------------------------------------------------------------------------------------

Thanks again!


----------



## Cookiegal (Aug 27, 2003)

Good job! :up: 


How are things now?


----------



## High hope (Jul 16, 2007)

Oh thanks!
Ya, things are good presently; in fact I noticed the difference when I had first run SDFix or some other program before that while we were going through this whole process! Since then I never got the BSOD!
I'm happy! 

Thanks to you all there! You really do a good job!!!


----------



## Cookiegal (Aug 27, 2003)

You're welcome.  

Would you please post one final HijackThis log and then if everything is fine, I will have some final instructions for you to help you keep the system clean.


----------



## High hope (Jul 16, 2007)

Hi there cookiegal!
Here is the new hijackthis log

------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:18:27 PM, on 8/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Documents and Settings\SHARUKH JAVA\Desktop\PC software\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: GetRight Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: www.sgnappo.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

-------------------------------------------------------------------------------------------

Thanks!


----------



## Cookiegal (Aug 27, 2003)

You really should have your AVG anti-virus program configured to run at start-up.

*Your Sun Java is out of date.* Older versions have vulnerabilities that malware can exploit to infect your system.
*Please follow these steps to remove older version Java components and update.*

*Updating Java:* 

Download the latest version of *Java Runtime Environment (JRE) 6u2*. 
Scroll down to where it says "_Java Runtime Environment (JRE) 6u2 allows end-users to run Java applications_". 
Click the "*Download*" button to the right. 
Check the box that says: "*Accept*_ License Agreement_". 
The page will refresh. 
Click on the link to download _Windows Offline Installation_ with or without Multi-language and save to your desktop. 
Close any programs you may have running - especially your web browser. 
Go to *Start* > *Control Panel*, double-click on *Add/Remove Programs* and remove all older versions of Java. 
Check any item with Java Runtime Environment (JRE or J2SE) in the name. 
Click the *Remove* or *Change/Remove* button. 
Repeat as many times as necessary to remove each Java version. 
Reboot your computer once all Java components are removed. 
Then from your desktop double-click on the download to install the newest version.

Everything else looks good. :up:

Here are some final instructions for you.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK (this option does not exist in IE7). Click Apply then OK.

*Empty the recycle bin*.

***

You should trim down your start-ups as there are too many running. You can research them at these sites and, if they aren't required at start-up, you can uncheck them in msconfig via Start - Run - type msconfig, click OK and then click on the Startup tab.

http://castlecops.com/StartupList.html
http://www.bleepingcomputer.com/startups/
http://www.windowsstartup.com/wso/index.php


----------



## High hope (Jul 16, 2007)

Hi there!
I was having problems while trying to download the 'JRE 6u2', so I just deleted the old Java I had. Maybe you could provide me with a new link where I can download a new Java from, please.
Should I still go on with the rest of your instructions, or do I have to wait till I have downloaded the new Java?


----------



## Cookiegal (Aug 27, 2003)

What was the problem you were having with the download?

Try going to this site and use any of the links that appear under "Free Downloads From":

http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html


----------



## High hope (Jul 16, 2007)

Oh, I just found out that it was not a problem related to the site or links; it was related to the mobile network.
Anyway, I am going to use your newly provided link and will get back to you when I finish with it!


----------



## Cookiegal (Aug 27, 2003)

Sounds good. :up:


----------



## High hope (Jul 16, 2007)

Hi there!
Sorry for the delay, had been busy with some work.
I am still going through the list of startup options, trying to figure out what is what, and then I will get back to you some time next week.
Thanks a lot!


----------



## Cookiegal (Aug 27, 2003)

That's fine.


----------



## High hope (Jul 16, 2007)

Hi cookiegal!
I never got time to sort my startup options yet. But I suddenly got the "old friend" blue screen of death again. :-(
It was fine all along, but today I got it again.
If I send you the error report, will you be able to find out what is causing the problem?


----------



## Cookiegal (Aug 27, 2003)

We'll see. Please post the error report.


----------



## High hope (Jul 16, 2007)

Hi, this is the minidump folder...


----------



## Cookiegal (Aug 27, 2003)

I don't know if Rog is still following along here to read the minidump for us. I don't have the tools necessary for that. I was referring to the error in the Event Viewer. Can you check there please?


----------



## Rollin' Rog (Dec 9, 2000)

Sorry, I seem to have dropped the ball here.

For what it's worth, AVG was the cause of the Blue Screen:

BugCheck 10000050, {fffffff8, 0, ef8d2552, 0}

*** ERROR: Module load completed but symbols could not be loaded for avg7rsxp.sys

Probably caused by : avg7rsxp.sys ( avg7rsxp+2163 )

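The three debugger lines above are what `!analyze -v` prints once a minidump is loaded. The script below is an added example, not code posted by anyone in this thread: it builds the cdb command line, parses the analysis output, decodes the STOP 0x50 parameters and names the module the debugger blamed. It assumes cdb.exe from the Debugging Tools for Windows is on PATH and that the Microsoft symbol server is reachable; offline it runs on the three quoted lines, which are embedded as constructed sample input. The BUGCHECK_NAMES table is a hand-picked subset of bugcodes.h.

```python
"""Triage a Windows minidump: run `!analyze -v` under cdb (Debugging Tools for
Windows) and pull the STOP code, its four parameters and the "Probably caused
by" module out of the output.
Assumptions (not from the thread): cdb.exe is on PATH and a Microsoft symbol
server is reachable; offline, parse_analyze() works on saved or pasted output."""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of bugcodes.h. Codes of the form 0x1000xxxx (e.g. 0x10000050) are the
# "_M" variants of the same fault raised through a different kernel path, so the
# top nibble is masked off before the lookup.
BUGCHECK_NAMES = {
    0x1A: "MEMORY_MANAGEMENT",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}

BUGCHECK_RE = re.compile(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")
CULPRIT_RE = re.compile(r"Probably caused by\s*:\s*(\S+)\s*\(\s*([^)]+?)\s*\)")


@dataclass
class CrashSummary:
    code: int
    params: Tuple[int, int, int, int]
    culprit: Optional[str]   # module named on the "Probably caused by" line
    symbol: Optional[str]    # e.g. "avg7rsxp+2163": module + offset of the fault

    @property
    def base_code(self) -> int:
        return self.code & 0x0FFFFFFF

    @property
    def name(self) -> str:
        return BUGCHECK_NAMES.get(self.base_code, f"UNKNOWN_0x{self.base_code:08X}")

    def describe(self) -> str:
        lines = [f"STOP 0x{self.code:08X} ({self.name})"]
        if self.base_code == 0x50:
            # 0x50 parameters: 1 = address referenced, 2 = 0 read / 1 write,
            # 3 = address of the faulting instruction, 4 = reserved.
            addr, rw, pc, _ = self.params
            op = {0: "read", 1: "write"}.get(rw, f"op={rw}")
            lines.append(f"  bad {op} of 0x{addr:08x} by the instruction at 0x{pc:08x}")
        if self.culprit:
            lines.append(f"  probably caused by {self.culprit} ({self.symbol})")
        return "\n".join(lines)


def parse_analyze(output: str) -> CrashSummary:
    """Parse the relevant lines of `!analyze -v` output (or a pasted excerpt)."""
    m = BUGCHECK_RE.search(output)
    if not m:
        raise ValueError("no BugCheck line found")
    code = int(m.group(1), 16)
    params = tuple(int(p.strip(), 16) for p in m.group(2).split(","))
    if len(params) != 4:
        raise ValueError(f"expected 4 bug-check parameters, got {len(params)}")
    c = CULPRIT_RE.search(output)
    culprit, symbol = (c.group(1), c.group(2)) if c else (None, None)
    return CrashSummary(code, params, culprit, symbol)


def cdb_command(dump_path: str,
                sympath: str = r"srv*C:\symbols*https://msdl.microsoft.com/download/symbols") -> List[str]:
    """cdb invocation: -z opens a dump, -y sets the symbol path, -c runs the
    commands non-interactively and `q` quits once they finish."""
    return ["cdb", "-z", dump_path, "-y", sympath, "-c", "!analyze -v; q"]


def analyze_dump(dump_path: str) -> CrashSummary:
    """Run cdb on one .dmp file and summarise it (needs the debugger installed)."""
    proc = subprocess.run(cdb_command(dump_path), capture_output=True, text=True, check=False)
    return parse_analyze(proc.stdout)


# Constructed offline input: the three lines quoted from the user's minidump.
SAMPLE_ANALYZE_OUTPUT = """\
*** ERROR: Module load completed but symbols could not be loaded for avg7rsxp.sys
BugCheck 10000050, {fffffff8, 0, ef8d2552, 0}
Probably caused by : avg7rsxp.sys ( avg7rsxp+2163 )
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:        # e.g. the .dmp files under C:\Windows\Minidump
            print(path)
            print(analyze_dump(path).describe())
    else:
        print(parse_analyze(SAMPLE_ANALYZE_OUTPUT).describe())
```

Two things the decoded parameters tell you that the raw line does not: parameter 2 is 0, so the driver was reading, not writing, and the address it read (0xfffffff8) sits at the very top of the 32-bit address space, which is exactly what a small negative offset from a null pointer produces. The "symbols could not be loaded" error is why the culprit is reported as `avg7rsxp+2163` rather than a function name; only the vendor's symbols would resolve that offset.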

----------



## Cookiegal (Aug 27, 2003)

Thanks Rog. :up: 

High Hope, are you still with us?

I see others are having similar problems with this driver, and the actual cause has not really been determined, although it looks like it may be a conflict with a driver on your machine.

As a first suggestion, I would try uninstalling AVG via Add/Remove programs and then reinstall it and see if you still have problems.


----------



## Rollin' Rog (Dec 9, 2000)

No problem.


----------



## High hope (Jul 16, 2007)

Hi there techguys!
(its been a while since i called in,sorry for the delay)
Ok, like MR ROLLIN ROG said, I deleted AVG and reinstalled it again.
I thereafter ran a scan using AVG and got some threats, but unfortunately I am a slow typist, so before I could copy all the details of the search it had completed the scan and the window changed.
This below is what I had managed to copy.

-----------------------------------------------------------------------------------------------------------------
1. pdp[2].exe Trojan horse Downloader.Tibs.4.AM C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\7BR1ECAK\pdp[2].exe
2. inst[1].exe Trojan horse Downloader.Tibs.4.AD C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GY3KWI6R\inst[1].exe
3. patch.exe Trojan horse Agent.FHW C:\Documents and Settings\SHARUKH JAVA\Desktop\FOLDERS\PC PROGRAMS\Multimedia\DirectDVD 4.48 ES Edition\crack\patch.exe
4. windev-4bd1-1721.sys Trojan horse SpamTool.VC C:\Documents and Settings\SHARUKH JAVA\Desktop\PC cleaners\SDFix\backups_old1\backups.zip:\backups\windev-4bd1-1721.sys
5. windev-7f1f-743a.sys Trojan horse SpamTool.UE C:\Documents and Settings\SHARUKH JAVA\Desktop\PC cleaners\SDFix\
6.
7.
-----------------------------------------------------------------------------------------------------------------

After running a second scan i did not get any of the above results, it seems as though it deleted them automatically.
I hope this solves the problem now.

Thanks a lot.


----------



## Cookiegal (Aug 27, 2003)

Some of those were just found in SDFix's backups so those were not a problem. It looks like AVG took care of everything else. AVG keeps logs of scans so you could check the log.

Please post a new HijackThis log.


----------



## High hope (Jul 16, 2007)

Yes i hope so.
Here is the new HijackThis log that you requested.

_______________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 11:23:56 AM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\SHARUKH JAVA\Desktop\PC software\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldusa.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldusa.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: www.sgnappo.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: NameServer = 62.94.144.232,151.13.150.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CFB3F3-66BC-41C9-AEBA-ED1B4E8BC49E}: NameServer = 62.94.144.232,151.13.150.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: NameServer = 62.94.144.232,151.13.150.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{CECFD3A7-5418-497C-BB22-5DC6DDEF7887}: NameServer = 62.94.144.232,151.13.150.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0E9D7DF-BBD6-4B70-804E-AC6F54B81053}: NameServer = 194.133.122.47 194.133.122.42
O17 - HKLM\System\CCS\Services\Tcpip\..\{D51F2A34-09CC-40CF-8675-4438DB495F4D}: NameServer = 62.94.144.232,151.13.150.22
O17 - HKLM\System\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22
O17 - HKLM\System\CS2\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22
O17 - HKLM\System\CS3\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

______________________________________________________________________

Thanks!


----------



## Cookiegal (Aug 27, 2003)

I just want to verify a couple of things with you.

Did you put this site in your trusted zone intentionally?

O15 - Trusted Zone: www.sgnappo.com

Are you (your IP) located in Republic of San Marino?


----------



## High hope (Jul 16, 2007)

No, I did not put this site in my trusted zone intentionally. In fact I don't even know what this site is about. 
I am not located in the Republic of San Marino.


----------



## Cookiegal (Aug 27, 2003)

Download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on desktop. Right click the file and select install, that will reset the zone settings that have been altered.

Rescan with HijackThis and fix these entries that are bolded in black, but *be careful NOT to fix the one in red* that's sandwiched in between the others, as this would be your actual IP and is valid. We don't want to delete that one.

*O17 - HKLM\System\CCS\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{27A2949F-9C9B-4C11-8FE9-23935E5DB79A}: NameServer = 62.94.144.232,151.13.150.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CFB3F3-66BC-41C9-AEBA-ED1B4E8BC49E}: NameServer = 62.94.144.232,151.13.150.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{46D7D91F-5E69-442C-B892-61CB3157340F}: NameServer = 62.94.144.232,151.13.150.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{CECFD3A7-5418-497C-BB22-5DC6DDEF7887}: NameServer = 62.94.144.232,151.13.150.22*
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0E9D7DF-BBD6-4B70-804E-AC6F54B81053}: NameServer = 194.133.122.47 194.133.122.42
*O17 - HKLM\System\CCS\Services\Tcpip\..\{D51F2A34-09CC-40CF-8675-4438DB495F4D}: NameServer = 62.94.144.232,151.13.150.22
O17 - HKLM\System\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22
O17 - HKLM\System\CS2\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22
O17 - HKLM\System\CS3\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22*

Reboot and post a new HijackThis log please.

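HijackThis will tick every line it is given, so the work in the post above is separating the O17 entries that were planted from the one that was always the user's own. The script below is an added example, not code from anyone in this thread: it parses the R0, O15 and O17 lines of a HijackThis 1.99.1 log, diffs two scans to show what appeared between them, flags DNS servers that are not on an allow-list, and emits only the O17 lines that are safe to fix. The allow-list (194.133.122.47 and 194.133.122.42) is an assumption taken from the verdict above that this pair is the real ISP; the two log excerpts are constructed from the lines in the logs posted earlier in the thread.

```python
"""Extract hijack indicators from HijackThis 1.99.1 logs: R0 start pages, O15
trusted-zone additions and the per-adapter O17 NameServer entries. Two scans
can be diffed, rogue DNS servers flagged, and the O17 lines to fix listed while
any line still pointing at the ISP's own servers is kept.
Assumption (from the helper's verdict in this thread, not any authority):
194.133.122.47 and 194.133.122.42 are the legitimate ISP servers."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ISP_DNS = {"194.133.122.47", "194.133.122.42"}  # assumed legitimate (see above)

R0_RE = re.compile(r"^R0 - (.+),Start Page = (\S+)")
O15_RE = re.compile(r"^O15 - Trusted Zone: (\S+)")
# HijackThis abbreviates the key as HKLM\System\CCS\Services\Tcpip\..\{GUID}
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(\w+)\\Services\\Tcpip\\\.\.\\\{([0-9A-Fa-f-]+)\}: "
    r"NameServer = (.+?)\s*$"
)


@dataclass(frozen=True)
class NameServerEntry:
    hive: str            # CCS = CurrentControlSet, CS1..CS3 = ControlSet00n
    guid: str            # network interface GUID
    ips: Tuple[str, ...]
    raw: str             # original line, ready for a HijackThis fix list


def parse_hjt(log: str) -> Dict[str, list]:
    """Return the start pages, trusted-zone hosts and DNS entries in one log."""
    out: Dict[str, list] = {"start_page": [], "trusted_zone": [], "nameserver": []}
    for line in log.splitlines():
        line = line.strip()
        if m := R0_RE.match(line):
            out["start_page"].append(m.group(2))
        elif m := O15_RE.match(line):
            out["trusted_zone"].append(m.group(1))
        elif m := O17_RE.match(line):
            hive, guid, servers = m.groups()
            # Real logs separate the servers with "," or with a space; accept both.
            ips = tuple(ip for ip in re.split(r"[,\s]+", servers) if ip)
            out["nameserver"].append(NameServerEntry(hive, guid, ips, line))
    return out


def rogue_nameservers(findings: Dict[str, list], allowed: Set[str]) -> List[Tuple[NameServerEntry, str]]:
    """Every (entry, ip) pair where the configured DNS server is not expected."""
    return [(e, ip) for e in findings["nameserver"] for ip in e.ips if ip not in allowed]


def o17_lines_to_fix(findings: Dict[str, list], allowed: Set[str]) -> List[str]:
    """O17 lines whose servers are all unexpected: safe to tick in HijackThis.
    A line that still names an allowed server is left out, which is how the
    ISP's own entry survives the cleanup."""
    return [e.raw for e in findings["nameserver"] if not set(e.ips) & allowed]


def diff_logs(old: str, new: str) -> Dict[str, Set[str]]:
    """Indicators present in `new` but not in `old` (new persistence or DNS changes)."""
    a, b = parse_hjt(old), parse_hjt(new)
    return {
        "start_page": set(b["start_page"]) - set(a["start_page"]),
        "trusted_zone": set(b["trusted_zone"]) - set(a["trusted_zone"]),
        "nameserver": {e.raw for e in b["nameserver"]} - {e.raw for e in a["nameserver"]},
    }


# Constructed excerpts of the two logs posted above (only the lines parsed here).
OLD_LOG = r"""
O15 - Trusted Zone: www.sgnappo.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22
"""
NEW_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldusa.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldusa.com
O15 - Trusted Zone: www.sgnappo.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0E9D7DF-BBD6-4B70-804E-AC6F54B81053}: NameServer = 194.133.122.47 194.133.122.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{15031CAE-B5BF-4A1E-8035-52679079F5ED}: NameServer = 62.94.144.232,151.13.150.22
"""

if __name__ == "__main__":
    new = parse_hjt(NEW_LOG)
    for entry, ip in rogue_nameservers(new, ISP_DNS):
        print(f"rogue DNS {ip} on {entry.hive} {{{entry.guid}}}")
    print("new since last scan:", diff_logs(OLD_LOG, NEW_LOG))
    print("fix these in HijackThis:", *o17_lines_to_fix(new, ISP_DNS), sep="\n  ")
```

The diff is the useful part in a case like this one: the rogue nameservers and the trusted-zone host were already in the first log, but the worldusa.com start page and the extra O17 entries only appeared after the AVG reinstall and scan, which is the signal that something was still active between the two scans. The per-hive view also explains why the CS1, CS2 and CS3 copies need fixing alongside CCS: ControlSet00n is what "Last Known Good Configuration" boots from, so a cleanup that touches only CurrentControlSet can be undone by one reboot.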

----------



## High hope (Jul 16, 2007)

Hi there.
I have done everything you told me to do above.
This is the new HijackThis log...

---------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:14:02 AM, on 9/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Documents and Settings\SHARUKH JAVA\Desktop\PC software\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldusa.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldusa.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0E9D7DF-BBD6-4B70-804E-AC6F54B81053}: NameServer = 194.133.122.47 194.133.122.42
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

-------------------------------------------------------------------------------------------------

Thanks again!


----------



## Cookiegal (Aug 27, 2003)

The log looks good now. :up:


----------

