Antivirus hijacker
TICK these in hijack and click to FIX them ~
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\admin\AppData\Local\Temp\iiifd.dll,#1
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
..............................................
Download CCLEANER
http://www.ccleaner.com/download/builds/downloading-slim
Run the CLEANER scan (UNTICK 'cookies')
Then run the REGISTRY scan (Backup the registry when it asks)
.....................................................................
Please run COMBOFIX
Shut down your anti virus
Follow the simple instructions it gives
Post the COMPLETE log it creates here (Split into sections if need be)
If it comes up with a RENAMING error then RIGHT click the exe file, RENAME it and call it QWERTY (making the complete file name 'QWERTY.exe'), or SAVE it as 'QWERTY' on download.
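The two HijackThis lines at the top of that post are worth a closer look before clicking FIX: an O4 Run-key entry that starts rundll32 against a DLL in the user's Temp folder, with the entry point given only by ordinal (",#1"), and an O9 extra button whose target is a URL and whose file is already gone. The script below is an added example, not part of the original post or of HijackThis; it applies those three checks (user-writable launch path, rundll32-as-loader, ordinal entry point) plus the "(file missing)" and URL-target checks for O9 lines to a small sample log. The first two sample lines are the ones quoted above; the two benign HKLM/HKCU lines are constructed for contrast, and the rule names and the `Finding` type are this example's own.

```python
import re
from dataclasses import dataclass

# Sample HijackThis lines. The first two are the entries quoted in the post
# above; the remaining two are constructed benign Run-key entries so the
# rules have something to ignore.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\admin\AppData\Local\Temp\iiifd.dll,#1
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
O4 - HKLM\..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
"""

# O4 lines: "O4 - <key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O9 lines: "O9 - Extra button: <name> - {CLSID} - <target>[ (file missing)]"
O9_RE = re.compile(
    r"^O9 - Extra button: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<target>.+?)(?P<missing> \(file missing\))?$"
)
# Locations any interactive user can write to. A persistence entry that
# launches from here is the classic shape of a dropper that never went
# through an installer.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\Local\\Temp\\|\\Temp\\|\\AppData\\Roaming\\[^\\]+\.(?:dll|exe)\b",
    re.IGNORECASE,
)
# "something.dll,#1": the export is addressed by ordinal, so the DLL gives
# away nothing about what the entry point does.
ORDINAL_RE = re.compile(r"\.dll,\s*#\d+\b", re.IGNORECASE)
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\b", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    entry: str
    reasons: list


def triage_line(line):
    """Classify one HijackThis line; returns None for lines we do not handle."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd")
        reasons = []
        if USER_WRITABLE_RE.search(cmd):
            reasons.append("autorun launches from a user-writable temp/profile path")
        if RUNDLL_RE.search(cmd) and re.search(r"\.dll", cmd, re.IGNORECASE):
            reasons.append("rundll32 used as a loader for a DLL")
        if ORDINAL_RE.search(cmd):
            reasons.append("entry point given by ordinal (#n), no descriptive export name")
        return Finding(line, m.group("name"), reasons)
    m = O9_RE.match(line)
    if m:
        reasons = []
        if m.group("missing"):
            reasons.append("extra button points at a file that no longer exists (dangling entry, safe to remove)")
        if m.group("target").lower().startswith(("http://", "https://")):
            reasons.append("button target is a URL rather than a local handler")
        return Finding(line, m.group("name"), reasons)
    return None  # other sections (O2, O23, ...) are out of scope for this example


def triage(log_text):
    """Return only the O4/O9 entries that triggered at least one rule."""
    out = []
    for raw in log_text.splitlines():
        f = triage_line(raw)
        if f and f.reasons:
            out.append(f)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.entry}] {f.line}")
        for r in f.reasons:
            print("   -", r)
```

Run as-is it reports only the MSServer and eBay entries; the Windows Defender and Sidebar lines launch signed binaries from Program Files and trigger nothing. The rules are deliberately narrow: a hit means "look at this file before trusting it", not "this is malware", and a clean result on a four-line sample says nothing about the rest of a real log.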
A registry backup from CCleaner? You're having a laugh. What's that supposed to do?
Don't you realise that CF creates an ERUNT registry backup which is used to restore the system via the Windows Recovery Console should anything go wrong.
Trouble is you're using CF on a Vista box which is incompatible with the XP Recovery Console required by CF to do its job properly. So you cannot restore the system should anything go wrong.
Never mind, you still have that CCleaner registry backup eh
You !!!!
hahahaha
COME ON mr malware ~ you ROCK
(I suggest you do a little more digging as you're absolutely COMPLETELY wrong on ComboFix)
yes, hijacking every thread with ComboFix with these unfounded scare stories
I suppose the number one malware removal forum, Bleeping Computer, are completely wrong on this and they are right
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
here is a ComboFix spyware removal on a Vista PC
http://www.bleepingcomputer.com/forums/index.php?showtopic=279109&hl=vista
It kept complaining that AVG was running and I couldn't find any options in AVG to disable it, so I went into msconfig and tried disabling it there to no avail.
I ended up getting it offline and uninstalling AVG altogether.
I'll re-install it before going back online.
Here's the ComboFix log:
ComboFix 09-12-31.01 - admin 01/01/2010 7:38.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2037.1070 [GMT 0:00]
Running from:\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1512356094-4132057286-3945740360-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2404302579-3895107748-3874176668-500
c:\$recycle.bin\S-1-5-21-2693752779-4289103269-2278654687-500
c:\$recycle.bin\S-1-5-21-2916908409-1079700226-97939127-500
c:\$recycle.bin\S-1-5-21-4166744113-92901950-3791658389-500
.
((((((((((((((((((((((((( Files Created from 2009-12-01 to 2010-01-01 )))))))))))))))))))))))))))))))
.
2010-01-01 07:47 . 2010-01-01 07:47 -------- d-----w- c:\users\admin\AppData\Local\temp
2010-01-01 07:47 . 2010-01-01 07:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-31 17:34 . 2009-12-31 17:34 -------- d-----w- c:\program files\CCleaner
2009-12-31 14:45 . 2009-12-31 17:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-31 14:45 . 2009-12-31 17:37 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-31 14:28 . 2009-12-31 14:28 -------- d-----w- c:\program files\Trend Micro
2009-12-31 12:45 . 2009-12-31 12:45 -------- d-----w- c:\users\admin\AppData\Roaming\Malwarebytes
2009-12-31 12:45 . 2009-12-30 14:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 12:45 . 2009-12-31 12:45 -------- d-----w- c:\programdata\Malwarebytes
2009-12-31 12:45 . 2009-12-31 12:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 12:45 . 2009-12-30 14:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 11:03 . 2009-12-31 14:44 -------- d-----w- c:\program files\Free Window Registry Repair
2009-12-28 02:18 . 2009-12-31 14:23 -------- d-----w- c:\users\admin\AppData\Local\xyienb
2009-12-23 16:06 . 2009-12-23 16:06 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-10 03:04 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-10 03:04 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-10 03:04 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 20:05 . 2009-05-18 14:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-09 20:05 . 2008-04-17 13:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-09 20:05 . 2009-12-09 20:05 -------- dc----w- c:\windows\system32\DRVSTORE
2009-12-09 20:04 . 2009-12-09 20:04 -------- d-----w- c:\program files\iPod
2009-12-09 20:04 . 2009-12-09 20:05 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-09 20:04 . 2009-12-09 20:05 -------- d-----w- c:\program files\iTunes
2009-12-09 20:02 . 2009-12-09 20:02 -------- d-----w- c:\program files\QuickTime
2009-12-09 19:41 . 2009-12-09 19:41 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-09 19:30 . 2009-12-09 19:30 -------- d-----w- c:\program files\Safari
2009-12-09 19:23 . 2009-12-09 19:23 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-12-09 19:21 . 2009-12-09 19:21 -------- d-----w- c:\program files\Bonjour
2009-12-09 18:22 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 18:12 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
2009-12-09 18:12 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll
2009-12-09 17:58 . 2009-12-09 17:58 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb9D0B.tmp.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-01 07:36 . 2008-02-16 22:13 -------- d-----w- c:\users\admin\AppData\Roaming\OpenOffice.org2
2010-01-01 07:32 . 2009-03-13 15:00 -------- d-----w- c:\programdata\avg8
2009-12-22 10:26 . 2007-10-08 18:49 -------- d-----w- c:\program files\Lx_cats
2009-12-10 03:23 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-10 03:07 . 2007-10-15 12:29 -------- d-----w- c:\programdata\Microsoft Help
2009-12-09 20:04 . 2008-01-22 17:25 -------- d-----w- c:\program files\Common Files\Apple
2009-12-09 19:58 . 2008-01-22 17:28 -------- d-----w- c:\users\admin\AppData\Roaming\Apple Computer
2009-11-24 14:10 . 2009-11-24 14:10 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-11-23 21:47 . 2009-11-23 21:47 949224 ----a-w- c:\programdata\SPL6D08.tmp
2009-11-21 06:40 . 2009-12-09 18:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 18:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-09 18:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-09 18:33 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-19 03:44 . 2009-11-19 03:44 -------- d-----w- c:\users\admin\AppData\Roaming\Yahoo!
2009-11-19 03:44 . 2009-11-19 03:44 -------- d-----w- c:\programdata\Yahoo! Companion
2009-11-19 03:22 . 2009-11-19 03:22 -------- d-----w- c:\program files\Yahoo!
2009-11-19 03:22 . 2009-11-18 21:05 -------- d-----w- c:\program files\Yahoo! Games
2009-11-19 02:00 . 2009-11-19 02:00 -------- d-----w- c:\programdata\GameHouse
2009-11-18 21:05 . 2009-11-18 21:05 -------- d-----w- c:\programdata\Trymedia
2009-11-17 00:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-11-17 00:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-11-17 00:04 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-11-17 00:04 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-11-17 00:04 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-11-17 00:04 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-11-16 23:55 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-16 18:55 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2009-11-16 18:55 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2009-11-03 17:30 . 2007-10-08 18:19 114384 ----a-w- c:\users\admin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-03 03:03 . 2008-03-14 15:21 -------- d-----w- c:\program files\Microsoft Works
2009-11-02 20:42 . 2009-10-03 01:25 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:41 . 2009-11-26 17:29 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-27 23:35 . 2009-10-27 23:35 411368 ----a-w- c:\windows\system32\deploytk.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-13 413696]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-10 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 4349952]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-19 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-01-29 509496]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-01-17 534648]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 34352]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-11-01 438272]
"NDSTray.exe"="NDSTray.exe" [BU]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-03-02 577536]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-01-13 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-13 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-13 81920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-28 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-28 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-28 81920]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2007-02-19 571024]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-05-04 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-05-04 312240]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-27 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-30 1389904]
c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]
Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2008-12-4 479232]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 16:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\System32\spool\drivers\w32x86\3\lxddserv.exe [26/04/2007 05:21 99248]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [31/12/2009 14:45 1153368]
S2 gupdate1c999922a23e440;Google Update Service (gupdate1c999922a23e440);c:\program files\Google\Update\GoogleUpdate.exe [28/02/2009 10:48 133104]
.
Contents of the 'Scheduled Tasks' folder
2010-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-28 10:48]
2009-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-28 10:48]
2010-01-01 c:\windows\Tasks\User_Feed_Synchronization-{27C7F489-C70C-47D1-8175-9BE6E22BF42C}.job
- c:\windows\system32\msfeedssync.exe [2009-12-09 04:59]
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-01 07:47
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????T??g????8?8?`?8???8???8??
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b4
.
DLLs Loaded Under Running Processes
- - - - - - - > 'Explorer.exe'(1684)
c:\progra~1\SPYBOT~1\SDHelper.dll
.
Completion time: 2010-01-01 07:51:02
ComboFix-quarantined-files.txt 2010-01-01 07:51
Pre-Run: 30,039,367,680 bytes free
Post-Run: 29,769,019,392 bytes free
- - End Of File - - D6C293EAC48A7B492F8C7FF74F47C679
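Reading a ComboFix log by eye is slow, and the section that decides whether the machine is clean is "Reg Loading Points": the REGEDIT4-style dump of Run keys and the Security Center "Monitoring" keys. The script below is an added example, not part of the original post and not ComboFix's own code. It parses that section into a dictionary keyed by registry key and then applies three checks: a Run-key value that launches from a user-writable profile or Temp path, a Run-key value that is a bare file name with no directory (resolved by path search at logon, so it cannot be verified without locating the file), and any `DisableMonitoring=1` under Security Center, which should only ever be set by a product the owner installed. The sample input is constructed from the log above, with one extra HKCU Run value modelled on the MSServer O4 entry quoted earlier in the thread; its date and size are made up.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the "Reg Loading Points" section from
# the log above, plus one HKCU Run value ("MSServer") modelled on the O4 entry
# quoted earlier in the thread. The date/size after that value is invented.
SAMPLE_SECTION = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"MSServer"="rundll32.exe c:\users\admin\AppData\Local\Temp\iiifd.dll,#1" [2009-12-28 45056]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NDSTray.exe"="NDSTray.exe" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
Contents of the 'Scheduled Tasks' folder
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# "name"="string" [date size]   or   "name"=dword:xxxxxxxx
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]*)"=(?:"(?P<str>[^"]*)"(?: \[(?P<meta>[^\]]*)\])?'
    r'|dword:(?P<dword>[0-9a-fA-F]{8}))$'
)
# Paths an ordinary interactive user can write to.
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\", re.IGNORECASE)


def parse_loading_points(text):
    """Return {registry key: [(value name, data, meta)]} for the REGEDIT4 block.

    String data stays a str; dword data is converted to int. Lines that are
    neither a [key] header nor a "name"=... value (banners, notes, dots) are
    skipped, so the whole log can be fed in without pre-cutting the section.
    """
    entries = defaultdict(list)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            if m.group("str") is not None:
                data = m.group("str")
            else:
                data = int(m.group("dword"), 16)
            entries[key].append((m.group("name"), data, m.group("meta")))
    return dict(entries)


def review(entries):
    """Apply the three checks; returns a list of (key, value name, reason)."""
    findings = []
    for key, values in entries.items():
        lower = key.lower()
        if lower.endswith(r"\currentversion\run") or lower.endswith(r"\currentversion\runonce"):
            for name, data, _meta in values:
                if isinstance(data, str) and USER_WRITABLE_RE.search(data):
                    findings.append((key, name, "autorun launches from a user-writable path: " + data))
                elif isinstance(data, str) and "\\" not in data:
                    findings.append((key, name, "bare file name, resolved by path search at logon; locate the file before trusting it"))
        elif r"\security center\monitoring" in lower:
            for name, data, _meta in values:
                if name.lower() == "disablemonitoring" and data == 1:
                    findings.append((key, name, "Security Center monitoring disabled under this key; confirm an installed product set it"))
    return findings


if __name__ == "__main__":
    for key, name, reason in review(parse_loading_points(SAMPLE_SECTION)):
        print(f"{key}\n    {name}: {reason}")
```

On the sample it reports MSServer (Temp path), NDSTray.exe (bare name) and both DisableMonitoring values, and says nothing about Sidebar or Windows Defender. As with any such filter, a hit is a prompt to go and look, not a verdict: NDSTray.exe here is a vendor tray utility once the file is located, and the Security Center entries are normal when the product named in the key is actually installed and managing the machine.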
I'll let Rik answer this, he's better on the ComboFix logs.
vinylmusic wrote: »I ended up getting it offline and uninstalling AVG altogether
I'll re-install it before going back online
As Browntoa says, Rik is best to look at the log, but a couple of comments - you are using AVG 8/8.5, so should really be changing to 9. Also, when the dust settles (not now) you should update Vista from Service Pack 1 to 2.
Log looks clean to me.
AVG 9 ~ you might have problems with it. If you do, post back here.
I thought it was clean but missed a few lately so left it to you...lol