Hijack Regedit

March 22, 2010 at 13:09:09
Specs: Microsoft Windows Vista Home Premium, 3.07 GHz / 3325 MB

Good evening all.

I discovered that my computer is infected by "hijack regedit". I do not really know what it does but from what I could read here and there, it does not seem to be a friendly bug...

Anyway, everything I have done so far was useless and I cannot get rid of it. I have a fully up-to-date Panda Internet Security 2010 antivirus, I've run Spybot and Malwarebytes and downloaded HijackThis, but did not do anything for fear of messing something up...

Has anybody got any idea how to suppress the virus?




#1
March 22, 2010 at 20:17:27

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
March 22, 2010 at 23:20:14

Thanks Jabuck.

Will do that as soon as I get home tonight.
Any idea as to what this virus exactly does though?



#3
March 23, 2010 at 03:50:48

No, there are several that have a similar trait.


#4
March 23, 2010 at 12:10:15

Hi Jabuck.

As promised, here is my HijackThis log file.
Hope it makes sense to you...

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 19:08:45, on 23/03/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\PROGRAM FILES\PANDA SECURITY\PANDA INTERNET SECURITY 2010\WebProxy.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Windows\SYSTEM32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lexmark 9300 Series\lxcqmon.exe
C:\Program Files\Lexmark 9300 Series\ezprint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\Panda Security\Panda Internet Security 2010\ApVxdWin.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Panda Security\Panda Internet Security 2010\PavBckPT.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Bluetooth HCI Monitor] RunDll32 HCIMNTR.DLL,RunCheckHCIMode
O4 - HKLM\..\Run: [lxcqmon.exe] "C:\Program Files\Lexmark 9300 Series\lxcqmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 9300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCQCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCQtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SolidWorks_CheckForUpdates] "C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" /scheduler
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2010\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2010\Inicio.exe"
O4 - HKLM\..\RunOnce: [AFixOldWscUnreg] C:\Windows\Temp\PSPPK1\HFSetup4.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: SW Distributed TS Coordinator Service (CoordinatorServiceHost) - Dassault Systèmes SolidWorks Corp. - C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c991fcb4495903) (gupdate1c991fcb4495903) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcq_device - - C:\Windows\system32\lxcqcoms.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2010\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Unknown owner - C:\Program Files\Panda Security\Panda Internet Security 2010\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2010\pavsrvx86.exe
O23 - Service: Panda Host Service (PSHost) - Unknown owner - c:\program files\panda security\panda internet security 2010\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Internet Security 2010\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2010\PskSvc.exe
O23 - Service: PskSvcRetailInst - Panda Security, S.L. - C:\Users\Jey\AppData\Local\Temp\ISSCAN\PskSvc.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2010\TPSrv.exe
O23 - Service: Z-SAN Service (Z-SANService) - Zetera Corporation - C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe

--
End of file - 9368 bytes



#5
March 23, 2010 at 17:11:24

Although Hijack This is no longer the preferred method for system analysis, it will do in a pinch.

Run Hijack This again, close all browsers and windows except Hijack This, place a check to the left of the following items and press "fix checked".

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Exit Hijack This.

Please download Combofix with Internet Explorer instead of any other browser if possible.

Remember: your Panda antivirus and Windows Defender must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt".
Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.
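The one entry the helper asks to fix above is the O7 line: a value named DisableRegedit set to 1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System is the user-level policy that blocks the Registry Editor, which is why the poster sees it reported as a "regedit hijack". The script below is an added example, not part of this thread and not a feature of HijackThis or ComboFix: it parses HijackThis-style log lines, flags any O7 policy entry that disables a built-in tool, and, as a heuristic of this example only, flags O4 autorun entries whose command runs from a temporary directory (the RunOnce line from the posted log is such a case and is reported for review, not labelled malicious). The inclusion of DisableTaskMgr alongside DisableRegedit and the temp-directory markers are assumptions of the example; the sample lines are copied from the log posted earlier in this thread.

```python
"""Triage of HijackThis-style log lines: flag an O7 policy entry that disables
the Registry Editor (the DisableRegedit=1 line in this thread) and O4 autorun
entries that launch from a temporary directory (a heuristic of this example,
not something HijackThis itself reports)."""
import re
from dataclasses import dataclass
from typing import Optional

# O7 line shape:  O7 - HKCU\Software\...\Policies\System, DisableRegedit=1
O7_RE = re.compile(r"^O7 - (?P<key>[^,]+), (?P<value>\w+)=(?P<data>\S+)$")

# O4 line shape:  O4 - HKLM\..\RunOnce: [Name] C:\path\prog.exe /args (User 'X')
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Policies\System values that lock the user out of built-in tools when set to 1.
# DisableRegedit is the one in this thread; DisableTaskMgr is the Task Manager
# equivalent and is included here as an assumption about what else to flag.
LOCKOUT_POLICIES = {"DisableRegedit", "DisableTaskMgr"}

# Lower-cased substrings that mark a command as running from a temp location
# (assumed heuristic of this example).
TEMP_MARKERS = ("\\temp\\", "%temp%", "\\tmp\\")


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the log text
    code: str      # HijackThis section code, "O4" or "O7"
    item: str      # policy value name (O7) or autorun entry name (O4)
    reason: str


def parse_o4(line: str) -> Optional[dict]:
    """Split an O4 autorun line into hive, key, name, cmd and optional user."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text: str) -> list:
    """Return the findings for every line of a HijackThis log, in log order."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        m = O7_RE.match(line)
        if m:
            # A lockout policy set to anything other than 0 disables the tool.
            if m["value"] in LOCKOUT_POLICIES and m["data"] not in ("0", "0x0"):
                findings.append(Finding(
                    n, "O7", m["value"],
                    f"{m['value']}={m['data']} under {m['key']}: "
                    "built-in tool disabled by policy"))
            continue
        o4 = parse_o4(line)
        if o4 and any(t in o4["cmd"].lower() for t in TEMP_MARKERS):
            findings.append(Finding(
                n, "O4", o4["name"],
                f"{o4['key']} entry launches from a temporary directory: "
                f"{o4['cmd']} (review, not necessarily malicious)"))
    return findings


# Constructed sample: five lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\RunOnce: [AFixOldWscUnreg] C:\Windows\Temp\PSPPK1\HFSetup4.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
""".strip()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.code}] {f.item}: {f.reason}")
```

Run against the sample, the script reports the RunOnce entry under C:\Windows\Temp for review and the DisableRegedit=1 policy as a disabled built-in tool; the Windows Defender, Sidebar and service lines produce nothing. The O4 parser keeps the trailing (User '...') annotation separate from the command so the temp-directory check is not confused by it.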



#6
March 24, 2010 at 15:18:23

Here is my Combo Fix log:

Thank you.

ComboFix 10-03-24.01 - Jey 24/03/2010 21:54:31.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3325.2121 [GMT 0:00]
Running from: c:\users\Jey\Desktop\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
c:\users\Jey\AppData\Local\Windows Server
c:\users\Jey\AppData\Local\Windows Server\flags.ini
c:\users\Jey\AppData\Local\Windows Server\uses32.dat
c:\users\Jey\FAVORI~1\_favdata.dat
c:\users\Jey\Favorites\_favdata.dat

.
((((((((((((((((((((((((( Files Created from 2010-02-24 to 2010-03-24 )))))))))))))))))))))))))))))))
.

2010-03-24 22:06 . 2010-03-24 22:06 -------- d-----w- c:\users\Jey\AppData\Local\temp
2010-03-24 22:06 . 2010-03-24 22:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-20 18:43 . 2010-03-20 18:43 -------- d-----w- c:\program files\TrendMicro
2010-03-20 11:20 . 2010-03-20 11:20 -------- d-----w- c:\users\Jey\AppData\Roaming\Malwarebytes
2010-03-20 11:20 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-20 11:20 . 2010-03-20 11:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-20 11:20 . 2010-03-20 11:20 -------- d-----w- c:\programdata\Malwarebytes
2010-03-20 11:20 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-19 21:59 . 2010-03-19 21:59 -------- d-----w- c:\users\Jey\AppData\Local\Panda Security
2010-03-19 21:59 . 2010-03-19 21:59 13880 ----a-w- c:\windows\system32\drivers\COMFiltr.sys
2010-03-19 21:59 . 2010-03-19 21:59 262 ----a-w- c:\windows\system32\PavCPL.dat
2010-03-19 21:59 . 2010-03-24 21:42 203920 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT
2010-03-19 21:59 . 2008-06-18 16:06 46720 ----a-w- c:\windows\system32\drivers\wnmflt.sys
2010-03-19 21:59 . 2008-06-18 16:06 193792 ----a-w- c:\windows\system32\drivers\idsflt.sys
2010-03-19 21:59 . 2008-06-18 16:06 52992 ----a-w- c:\windows\system32\drivers\dsaflt.sys
2010-03-19 21:48 . 2008-06-19 17:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-03-19 21:48 . 2009-06-02 13:12 177416 ----a-w- c:\windows\system32\drivers\PavProc.sys
2010-03-19 21:48 . 2008-03-04 15:59 41144 ----a-w- c:\windows\system32\drivers\ShlDrv51.sys
2010-03-19 21:47 . 2010-03-19 21:47 -------- d-----w- c:\program files\Common Files\Panda Security
2010-03-18 17:29 . 2010-03-18 17:29 -------- d-----w- C:\7573eb5365566cd897d05645b0ac
2010-03-17 21:20 . 2010-03-18 05:43 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-03-17 21:20 . 2010-03-17 21:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-16 21:18 . 2010-03-16 21:18 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-03-16 21:15 . 2010-03-20 05:49 -------- d-----w- c:\program files\AutoCAD 2010
2010-03-16 21:15 . 2010-03-16 21:30 -------- d-----w- c:\users\Jey\AppData\Roaming\Autodesk
2010-03-16 21:15 . 2010-03-16 21:21 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-03-16 21:15 . 2010-03-16 21:15 -------- d-----w- c:\users\Jey\AppData\Local\Autodesk
2010-03-16 21:15 . 2010-03-16 21:15 -------- d-----w- c:\programdata\Autodesk
2010-03-16 20:03 . 2010-03-16 20:03 -------- d-----w- C:\Autodesk
2010-03-10 21:46 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-10 21:46 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-10 21:46 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-07 08:07 . 2010-03-07 08:07 -------- d-----w- c:\users\Jey\AppData\Roaming\hott notes 4
2010-03-07 08:07 . 2010-03-07 08:07 -------- d-----w- c:\program files\hott notes 4
2010-02-28 11:45 . 2010-02-28 11:45 -------- d-----w- c:\users\Jey\AppData\Roaming\DassaultSystemes
2010-02-28 11:45 . 2010-02-28 11:45 -------- d-----w- c:\users\Jey\AppData\Local\DassaultSystemes
2010-02-28 11:45 . 2010-02-28 11:45 -------- d-----w- c:\programdata\DassaultSystemes
2010-02-26 19:16 . 2010-02-26 19:16 -------- d-----w- c:\users\Default\AppData\Roaming\Trusteer
2010-02-25 17:45 . 2010-02-25 17:45 390528 ----a-w- c:\windows\system32\drivers\RapportBuka.sys
2010-02-23 18:30 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-24 21:42 . 2010-03-19 21:59 203920 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT.bck
2010-03-24 21:21 . 2009-02-18 19:10 -------- d-----w- c:\programdata\Google Updater
2010-03-24 17:06 . 2010-03-19 21:59 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG.bck
2010-03-24 17:06 . 2010-03-19 21:59 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG
2010-03-24 17:04 . 2009-01-16 18:52 -------- d-----w- c:\users\Jey\AppData\Roaming\IM
2010-03-23 20:54 . 2009-01-11 12:51 1842 ----a-w- c:\windows\bthservsdp.dat
2010-03-21 17:29 . 2009-01-11 17:15 -------- d-----w- c:\program files\Lx_cats
2010-03-21 17:04 . 2010-03-21 17:04 27969776 ----a-w- c:\programdata\SPLD73B.tmp
2010-03-21 16:40 . 2009-01-28 20:21 -------- d-----w- c:\users\Jey\AppData\Roaming\Skype
2010-03-21 16:39 . 2009-01-28 20:23 -------- d-----w- c:\users\Jey\AppData\Roaming\skypePM
2010-03-21 16:10 . 2010-03-21 16:10 20338920 ----a-w- c:\programdata\SPL432B.tmp
2010-03-19 21:57 . 2010-03-19 21:57 -------- d-----w- c:\programdata\Backup
2010-03-19 21:57 . 2009-01-11 18:39 -------- d-----w- c:\program files\Panda Security
2010-03-19 21:57 . 2010-03-19 21:57 -------- d-----w- c:\users\Jey\AppData\Roaming\Panda Security
2010-03-19 21:57 . 2010-03-19 21:57 -------- d-----w- c:\programdata\Panda Security
2010-03-19 21:57 . 2009-01-11 18:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-19 19:44 . 2010-03-19 19:44 1148083 ----a-w- c:\programdata\SPL6B36.tmp
2010-03-17 18:59 . 2009-01-10 21:39 1356 ----a-w- c:\users\Jey\AppData\Local\d3d9caps.dat
2010-03-16 21:27 . 2009-10-25 12:42 -------- d-----w- c:\programdata\FLEXnet
2010-03-16 21:20 . 2009-01-10 21:40 149896 ----a-w- c:\users\Jey\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-10 21:49 . 2009-01-16 18:57 -------- d-----w- c:\programdata\Microsoft Help
2010-02-28 17:31 . 2009-01-16 20:10 -------- d-----w- c:\users\Jey\AppData\Roaming\SolidWorks
2010-02-28 12:05 . 2009-01-23 19:22 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-28 12:02 . 2009-01-23 19:45 -------- d-----w- c:\program files\Codemasters
2010-02-28 11:56 . 2009-02-21 13:08 -------- d-----w- c:\program files\RACE 07 Offline
2010-02-24 10:16 . 2009-10-02 15:54 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-09 19:24 . 2009-02-18 19:10 -------- d-----w- c:\program files\Google
2010-01-27 20:37 . 2010-01-27 20:37 -------- d-----w- c:\program files\bfgclient
2010-01-24 21:05 . 2009-08-01 18:45 -------- d-----w- c:\programdata\Apple Computer
2010-01-17 14:52 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-02 06:38 . 2010-01-21 19:36 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 19:36 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-21 19:36 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-21 19:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-18 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-18 1008184]
"Bluetooth HCI Monitor"="HCIMNTR.DLL" [2006-12-07 9728]
"lxcqmon.exe"="c:\program files\Lexmark 9300 Series\lxcqmon.exe" [2007-01-11 291760]
"EzPrint"="c:\program files\Lexmark 9300 Series\ezprint.exe" [2006-12-05 82864]
"LXCQCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCQtime.dll" [2006-11-21 106496]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13683232]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 92704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SolidWorks_CheckForUpdates"="c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" [2009-06-24 7320872]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-20 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-01-15 23552]
"APVXDWIN"="c:\program files\Panda Security\Panda Internet Security 2010\APVXDWIN.EXE" [2009-06-05 574720]
"SCANINICIO"="c:\program files\Panda Security\Panda Internet Security 2010\Inicio.exe" [2009-04-21 56064]

c:\users\Jey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):f8,1d,4e,a4,85,97,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-435583444-1162328459-4176552519-1000]
"EnableNotificationsRef"=dword:00000001

R2 gupdate1c991fcb4495903;Google Update Service (gupdate1c991fcb4495903);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 133104]
R2 PskSvcRetailInst;PskSvcRetailInst;c:\users\Jey\AppData\Local\Temp\ISSCAN\PskSvc.exe [x]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
R3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [2009-06-24 83240]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S0 pavboot;Panda boot driver;c:\windows\system32\Drivers\pavboot.sys [2008-06-19 28544]
S0 ZetSFD;Zetera Storage Class Filter Driver;c:\windows\system32\DRIVERS\ZetSFD.sys [2007-08-08 13824]
S1 APPFLT;App Filter Plugin;c:\windows\system32\Drivers\APPFLT.SYS [2008-06-25 73728]
S1 DSAFLT;DSA Filter Plugin;c:\windows\system32\Drivers\DSAFLT.SYS [2008-06-18 52992]
S1 FNETMON;NetMon Filter Plugin;c:\windows\system32\Drivers\fnetmon.SYS [2008-03-28 22072]
S1 IDSFLT;Ids Filter Plugin;c:\windows\system32\Drivers\IDSFLT.SYS [2008-06-18 193792]
S1 LUMDriver;LUMDriver;c:\windows\system32\drivers\LUMDriver.sys [2003-07-11 14912]
S1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\Drivers\NETFLTDI.SYS [2008-07-11 14:58 158848]
S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-02-25 390528]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-02-17 58984]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-02-17 108904]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys [2008-03-04 41144]
S1 SSHDRV84;SSHDRV84;c:\windows\system32\drivers\SSHDRV84.sys [2009-09-21 76800]
S1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\Drivers\WNMFLT.SYS [2008-06-18 46720]
S2 AmFSM;AmFSM;c:\windows\system32\DRIVERS\amm8660.sys [2008-02-13 49208]
S2 ComFiltr;Panda Anti-Dialer;c:\windows\system32\DRIVERS\COMFiltr.sys [2010-03-19 13880]
S2 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost [x]
S2 lxcq_device;lxcq_device;c:\windows\system32\lxcqcoms.exe [2006-12-05 537520]
S2 PavProc;Panda Process Protection Driver;c:\windows\system32\DRIVERS\PavProc.sys [2009-06-02 177416]
S2 PskSvcRetail;Panda PSK service;c:\program files\Panda Security\Panda Internet Security 2010\PskSvc.exe [2008-06-25 28928]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-02-17 779496]
S2 SFSZ;DataPlow SFS for Zetera Storage Devices;c:\windows\system32\drivers\sfsz.sys [2007-08-14 289792]
S2 Z-SANService;Z-SAN Service;c:\program files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe [2007-08-08 376891]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys [x]
S3 NETIMFLT01060034;PANDA NDIS IM Filter Miniport v1.6.0.34;c:\windows\system32\DRIVERS\neti1634.sys [2008-06-26 197888]
S3 PavSRK.sys;PavSRK.sys;c:\windows\system32\PavSRK.sys [x]
S3 PavTPK.sys;PavTPK.sys;c:\windows\system32\PavTPK.sys [x]
S3 ZetBus;Zetera Virtual Bus;c:\windows\system32\DRIVERS\ZetBus.sys [2007-08-08 15488]
S3 ZetMPD;ZetMPD;c:\windows\system32\DRIVERS\ZetMPD.sys [2007-08-08 6656]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
panda REG_MULTI_SZ Gwmsrv
.
Contents of the 'Scheduled Tasks' folder

2010-03-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-18 22:16]

2010-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 19:11]

2010-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 19:11]

2010-03-24 c:\windows\Tasks\User_Feed_Synchronization-{A66EF05C-76C7-4398-A16A-A399FA985CDE}.job
- c:\windows\system32\msfeedssync.exe [2010-01-21 04:56]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Jey\AppData\Roaming\Mozilla\Firefox\Profiles\1lxbyxwl.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\Jey\AppData\Roaming\Mozilla\Firefox\Profiles\1lxbyxwl.default\extensions\DeviceDetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-AFixOldWscUnreg - c:\windows\Temp\PSPPK1\HFSetup4.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-24 22:06
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCQCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCQtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...


c:\windows\TEMP\TMP000000968E00DDEF397A011A 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-03-24 22:14:15
ComboFix-quarantined-files.txt 2010-03-24 22:14

Pre-Run: 294,987,128,832 bytes free
Post-Run: 295,142,330,368 bytes free

- - End Of File - - 06C4DD01963F1DC860FE20F011AD293D


#7
March 24, 2010 at 19:19:16

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start > control panel > system > system restore tab > check the box beside "turn off system restore" > apply (takes a minute) > ok. Go back and uncheck the box to turn system restore back on > apply > ok.

Next, create a new restore point. Go to start > run > type in msconfig > ok > click launch system restore > check the circle beside "create a restore point" > next > name it today's date > create > click home > exit the system configuration utility > restart the computer.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\programdata\SPL432B.tmp
c:\programdata\SPL432B.tmp

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "run".

Please post the log that is produced.


#8
March 25, 2010 at 14:25:27

Hi Jabuck,

I tried to re-run ComboFix by dragging CFScript onto it, but my computer crashed twice during the process and I had to manually reboot my whole machine.

I also twice had the blue screen of death showing while nothing was running on the computer. The error message said "CTXfiHlp MFC application has stopped working"...

What is that due to?

I could however re-run a Malwarebytes and my virus seems to be gone.

So I am a bit confused by this mix of bad and good news!

Any idea as to what my next step should be?

Thanks


#9
March 25, 2010 at 18:42:29

It is a sound card help file that does not need to run at startup. I'm not sure what triggered it.

Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following item and press "fix checked".

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.exe

Let me know if that stopped the error/bluescreen.


#10
March 26, 2010 at 10:46:00

I have done just that.

Everything seems to be running smoothly now.

Let's give it a couple of days and I'll update this post again.

Thanks a lot for your help.

Best


#11
March 26, 2010 at 14:22:24

Ok, just let us know.


#12
May 12, 2010 at 11:14:02

Everything has been working fine, if not better, ever since.
Thanks again


#13
June 2, 2010 at 06:42:07

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:37 AM, on 02/06/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Users\Kevin\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.ca/welcome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.6656.net/rj.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Presented by TOSHIBA Leading Innovation >>>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: 360安全卫士 - {B69F34DD-F0F9-42DC-9EDD-957187DA688D}! - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [TUSBSleepChargeSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files (x86)\PPStream\ppsap.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: ConfigFree WiMAX Service (cfWiMAXService) - TOSHIBA CORPORATION - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
O23 - Service: ConfigFree Gadget Service - TOSHIBA CORPORATION - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - Unknown owner - C:\windows\system32\ThpSrv.exe (file missing)
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - Unknown owner - C:\windows\system32\TODDSrv.exe (file missing)
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
O23 - Service: TPCH Service (TPCHSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7429 bytes
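A small triage script for HijackThis entries of the kind posted in this thread, added here as an illustration and not part of the thread or of HijackThis itself; it flags the browser start-page hijack, the BHO whose DLL is gone, and autostarts running from temp or data folders, while leaving the well-known "(file missing)" service entries alone. The trusted-host and suspicious-directory lists are assumptions to adjust per machine, and the last sample line is constructed.

```python
import re

# Shape of a HijackThis entry: a section code (R0, O2, O4, O23, ...), " - ", then the body.
HJT_LINE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")

# Hosts the browser pages in this thread's log legitimately point at (assumption, edit per machine).
TRUSTED_HOSTS = {"go.microsoft.com", "www.toshiba.ca"}

# Locations from which a legitimate Run-key autostart rarely executes (assumption).
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\programdata\\", "\\appdata\\local\\temp\\")


def triage_line(line):
    """Return a short reason when the entry deserves manual review, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None  # headers, the process list and blank lines are not entries
    kind, body = m.group("kind"), m.group("body")
    lower = body.lower()
    if kind in ("R0", "R1"):
        url = re.search(r"https?://([^/\s]+)", lower)
        if url and url.group(1) not in TRUSTED_HOSTS:
            return "start/search page set to untrusted host " + url.group(1)
    elif kind == "O2" and "(no file)" in lower:
        return "BHO is registered but its DLL is absent"
    elif kind == "O4" and any(d in lower for d in SUSPICIOUS_DIRS):
        return "autostart runs from a temp or data directory"
    # O23 "(file missing)" for lsass.exe, alg.exe etc. is a HijackThis 2.0.2
    # display limitation on 64-bit Windows, so it is deliberately not flagged.
    return None


def triage_log(text):
    """Return [(kind, reason)] for every flagged entry, in log order."""
    hits = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((HJT_LINE.match(line.strip()).group("kind"), reason))
    return hits


# Sample: the first five lines are taken from the thread's logs, the last one is constructed.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.toshiba.ca/welcome
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.6656.net/rj.html
O2 - BHO: 360 - {B69F34DD-F0F9-42DC-9EDD-957187DA688D}! - (no file)
O4 - HKLM\\..\\Run: [CTxfiHlp] CTXFIHLP.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\\windows\\system32\\lsass.exe (file missing)
O4 - HKCU\\..\\Run: [Updater] c:\\programdata\\update.exe
"""

if __name__ == "__main__":
    for kind, reason in triage_log(SAMPLE_LOG):
        print(kind, "->", reason)
```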
