Please Help Removing Nt_kernel_error1256
Hey there,
I've been reading through the previous threads on this but I'm getting pretty lost here. Had this malware for about 3 days and I'm just getting frustrated over it.
I've run VundoFix many times, but they end up coming back over and over again. I dunno if it helps, but since I have Ad-Aware, I ran that many times as well.
Even after getting rid of all the 'vundo', it comes up with this when I start up my laptop:
Error loading C:\WINDOWS\system32\oeviflekl.dll
The specified module could not be found
And here's my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:46 p.m., on 1/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\CAP2RSK.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1156161894\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1188.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\Router\Router.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP2LAK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP2SWK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\bounce.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\17PHolmes1188.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://skcproxy/proxy1.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ThpSrv] c:\WINDOWS\system32\thpsrv /logon
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ElbyCheckRegKill] "C:\Program Files\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1156161894\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [CAP2ON] C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAP2ONN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [902edfcd] rundll32.exe "C:\WINDOWS\system32\lknpajlr.dll",b
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Canon LASER SHOT LBP-1210 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP2LAK.EXE
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: internet.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ProxyPal - {B0127AF2-316C-4f1d-BF35-3DE43971EEC5} - C:\WINDOWS\system32\proxypal.exe
O9 - Extra 'Tools' menuitem: ProxyPal - {B0127AF2-316C-4f1d-BF35-3DE43971EEC5} - C:\WINDOWS\system32\proxypal.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.co.nz/SnapfishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201741129738
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.sk.edu
O17 - HKLM\Software\..\Telephony: DomainName = student.sk.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.sk.edu
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 11287 bytes
Thanks in advance
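As an added illustration (not part of the post above and not HijackThis's own code), the following Python script parses O4 autostart lines in the format shown in the log and flags the three patterns a malware analyst would look at first in it: a core Windows process name such as svchost.exe launched from a directory other than system32, a rundll32 entry registered under a random hex-looking value name, and a launch command that carries a long opaque hex argument. The sample lines are copied from the log above (plus two legitimate entries that must not be flagged); the heuristics, thresholds, constants and function names are the example's own assumptions, not HijackThis features.

```python
"""Triage of HijackThis O4 (autostart) entries.

Added example for this thread; it is not part of the post above and not
HijackThis code. The heuristics and names below are the example's own
assumptions. Sample lines are copied from the log in the post.
"""
import re

# Names of core Windows processes that malware likes to borrow.
SYSTEM_PROCESS_NAMES = {
    "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
    "csrss.exe", "smss.exe",
}
# Where those processes are expected to live on 32-bit XP
# (assumption: C: is the system drive with the default %SystemRoot%).
EXPECTED_DIRS = {r"c:\windows\system32"}

# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$"
)
# Vundo-style registry value names: eight lowercase hex digits.
HEX_VALUE_RE = re.compile(r"^[0-9a-f]{8}$")
# An opaque run of 32 or more hex digits passed as an argument.
LONG_HEX_ARG_RE = re.compile(r"(?<![0-9A-Za-z])[0-9A-Fa-f]{32,}(?![0-9A-Za-z])")
# First absolute path to an .exe or .dll in the command line.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll))(?=["\s,]|$)', re.IGNORECASE)


def first_path(cmd):
    """Return the first absolute .exe/.dll path in a command line, or None."""
    m = PATH_RE.search(cmd)
    return m.group(1) if m else None


def triage_o4(lines):
    """Return a list of findings (dicts) for O4 lines that trip a heuristic.

    Legitimate entries produce no finding; a suspicious entry produces one
    finding per heuristic it trips, so an entry can appear more than once.
    """
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 registry Run entry (e.g. Global Startup)
        value, cmd = m.group("value"), m.group("cmd")
        path = first_path(cmd)
        reasons = []
        if path:
            directory, _, filename = path.lower().rpartition("\\")
            if filename in SYSTEM_PROCESS_NAMES and directory not in EXPECTED_DIRS:
                reasons.append("system-process name launched from an unexpected directory")
            if ("rundll32" in cmd.lower() and filename.endswith(".dll")
                    and HEX_VALUE_RE.match(value)):
                reasons.append("rundll32 loads a DLL under a random hex-looking value name")
        if LONG_HEX_ARG_RE.search(cmd):
            reasons.append("launch command carries a long opaque hex argument")
        for reason in reasons:
            findings.append({"value": value, "path": path, "reason": reason})
    return findings


# Constructed sample: lines copied from the HijackThis log in the post above,
# plus legitimate entries that must not be flagged.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r"O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe",
    r"O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257",
    r'O4 - HKLM\..\Run: [902edfcd] rundll32.exe "C:\WINDOWS\system32\lknpajlr.dll",b',
    r"O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe",
]

if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LINES):
        print(f"[{f['value']}] {f['path']}: {f['reason']}")
```

Run against the sample it reports exactly the three entries the thread ends up fighting (the Fonts\svchost.exe copy, mrofinu1188.exe and the lknpajlr.dll rundll32 entry) and nothing for the Intel, iTunes or Global Startup lines; the same three entries are what the later CFScript and ComboFix steps in this thread target.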
Comments
I think you should get a decent antivirus with firewall to have the basic protection. I doubt you can remove this and remain clean without it.
I dunno if it makes any difference, but here's my ComboFix log
ComboFix 08-02.01.5 - 10092 2008-02-01 20:52:39.1 - NTFSx86
Running from: \Settings\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\awtqqrr.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\inetget2
C:\Program Files\myglobalsearch
C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.JAR
C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.MANIFEST
C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.JAR
C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.MANIFEST
C:\Program Files\myglobalsearch\bar\1.bin\M9PLUGIN.DLL
C:\Program Files\myglobalsearch\bar\1.bin\MGSBAR.DLL
C:\Program Files\myglobalsearch\bar\1.bin\NPMYGLSH.DLL
C:\Program Files\myglobalsearch\bar\Cache\01ABE0B9
C:\Program Files\myglobalsearch\bar\Cache\01AC22FD
C:\Program Files\myglobalsearch\bar\Cache\01AC3AE4.bin
C:\Program Files\myglobalsearch\bar\Cache\01AC55F6.bin
C:\Program Files\myglobalsearch\bar\Cache\01AC6917.bin
C:\Program Files\myglobalsearch\bar\Cache\files.ini
C:\Program Files\myglobalsearch\bar\History\search
C:\Program Files\myglobalsearch\bar\Settings\prevcfg.htm
C:\Program Files\Router
C:\Program Files\Router\Router.exe
C:\Program Files\Router\UnInstall.exe
C:\Program Files\Temporary
C:\WINDOWS\b122.exe
C:\WINDOWS\b151.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\awtqqrr.dll
C:\WINDOWS\system32\lkeljveo.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\xxbay.ini
C:\WINDOWS\system32\xxbay.ini2
C:\WINDOWS\system32\yabxx.dll
C:\WINDOWS\Fonts\'
----- BITS: Possible infected sites -----
hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.
2008-02-14 23:20 . 2008-02-14 23:20 244 --ah----- C:\sqmnoopt06.sqm
2008-02-14 23:20 . 2008-02-14 23:20 232 --ah----- C:\sqmdata06.sqm
2008-02-01 18:53 . 2008-02-01 18:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 08:45 . 2008-02-01 08:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-01-31 21:25 . 2008-01-31 21:25 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-01-31 19:49 . 2008-02-01 18:19 <DIR> d-------- C:\VundoFix Backups
2008-01-31 19:17 . 2008-01-31 19:17 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-31 17:09 . 2008-01-31 19:08 <DIR> d-------- C:\Program Files\PrevxCSI
2008-01-31 16:50 . 2008-01-31 18:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-31 16:50 . 2008-01-31 16:51 <DIR> d-------- C:\Documents and Settings\10092\Application Data\PrevxCSI
2008-01-31 15:35 . 2008-01-31 15:35 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-31 15:06 . 2007-07-10 02:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-31 14:49 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-31 07:56 . 2008-01-31 07:56 36,864 -ra------ C:\WINDOWS\mrofinu1188.exe.tmp
2008-01-30 20:25 . 2008-01-30 20:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Broderbund LLC
2008-01-30 18:19 . 2008-02-01 21:05 129,536 --a------ C:\WINDOWS\system32\bounce.exe
2008-01-29 14:14 . 2008-01-29 14:14 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-21 00:13 . 2008-01-21 00:13 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-17 11:51 . 2008-01-17 11:51 244 --ah----- C:\sqmnoopt08.sqm
2008-01-17 11:51 . 2008-01-17 11:51 232 --ah----- C:\sqmdata08.sqm
2008-01-16 21:19 . 2008-01-16 21:19 244 --ah----- C:\sqmnoopt07.sqm
2008-01-16 21:19 . 2008-01-16 21:19 232 --ah----- C:\sqmdata07.sqm
2008-01-03 21:45 . 2008-01-03 21:46 <DIR> d-------- C:\Documents and Settings\10092\Application Data\Snapfish
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 05:35 --------- d-----w C:\Documents and Settings\10092\Application Data\LimeWire
2008-01-31 09:35 --------- d-----w C:\Program Files\bearshare
2008-01-31 09:04 --------- d-----w C:\Program Files\Google
2008-01-31 06:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-30 07:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 08:59 --------- d-----w C:\Program Files\Windows Live Safety Center
2007-12-27 08:29 --------- d-----w C:\Program Files\Java
2007-12-21 04:21 --------- d-----w C:\Program Files\Broderbund
2007-12-21 02:40 --------- d-----w C:\Program Files\DivX
2007-12-18 10:45 --------- d-----w C:\Program Files\Apple Software Update
2007-12-17 22:50 --------- d-----w C:\Program Files\iTunes
2007-12-17 22:48 --------- d-----w C:\Program Files\iPod
2007-12-17 22:39 --------- d-----w C:\Program Files\QuickTime
2007-12-17 11:36 --------- d-----w C:\Program Files\MSN Messenger
2007-12-17 11:36 --------- d-----w C:\Program Files\Messenger Plus! Live
2004-11-22 00:47 7,742 ----a-w C:\Program Files\ReadmeFirst.htm
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{319DB315-9719-4BE7-BBC0-BA7970ADBE9E}]
C:\WINDOWS\system32\geedc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D6355B3-BAC8-43C4-B40B-BEF8DFEF1CF2}]
C:\WINDOWS\system32\qomml.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"Aim6"="" []
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [2008-01-29 14:14 61440]
"Router"="C:\Program Files\Router\Router.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-25 13:56 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-25 13:52 126976]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2004-06-29 14:24 258048]
"000StTHK"="000StTHK.exe" [2001-06-24 17:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"TFNF5"="TFNF5.exe" [2004-06-28 14:22 73728 C:\WINDOWS\system32\TFNF5.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-16 12:03 135168]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-22 21:09 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-22 21:08 495616]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 15:00 126976]
"NDSTray.exe"="NDSTray.exe" []
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-10 12:07 49152]
"TPSMain"="TPSMain.exe" [2004-11-09 17:30 270336 C:\WINDOWS\system32\TPSMain.exe]
"TPSODDCtl"="TPSODDCtl.exe" [2004-11-09 17:30 110592 C:\WINDOWS\system32\TPSODDCtl.exe]
"TFncKy"="TFncKy.exe" []
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [2004-11-12 07:43 126976]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [2004-07-10 19:49 81920]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-28 22:05 127035]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 17:38 88361 C:\WINDOWS\agrsmmsg.exe]
"ThpSrv"="c:\WINDOWS\system32\thpsrv /logon" [ ]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-09-29 07:10 81990]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 03:11 135251]
"ElbyCheckRegKill"="C:\Program Files\DVD Region Killer\ElbyCheck.exe" [2001-12-06 13:09 45056]
"CFSServ.exe"="CFSServ.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-29 19:40 180269]
"HostManager"="C:\Program Files\Common Files\AOL\1156161894\ee\AOLSoftware.exe" [2006-05-10 13:24 50760]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-18 05:59 124520]
"CAP2ON"="C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAP2ONN.EXE" [2005-06-29 10:36 22528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 04:43 83608]
"902edfcd"="C:\WINDOWS\system32\lknpajlr.dll" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="cmd.exe" [2004-08-05 01:00 388608 C:\WINDOWS\system32\cmd.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Canon LASER SHOT LBP-1210 Status Window.LNK - C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP2LAK.EXE [2005-10-31 20:38:49 30720]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 20:56:10 40960]
internet.exe [2008-01-30 18:18:46 172032]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-11-23 09:21:20 155648]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{24C61C09-62C0-42ED-B640-53F7FEC9098A}"= C:\WINDOWS\system32\awtqqrr.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-643970264-1529554251-782984527-1622\Scripts\Logon\0\0]
"******"=\\sweden\netlogon\settime.bat
R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\WINDOWS\system32\DRIVERS\thpdrv.sys [2004-12-01 18:49]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\WINDOWS\system32\DRIVERS\Thpevm.SYS [2004-11-14 09:24]
R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2004-06-17 08:08]
R2 RapidPort2;RapidPort2;C:\WINDOWS\system32\Drivers\CAP2LPT.SYS [2005-06-29 10:36]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-05 10:38]
R3 RegKill;RegKill;C:\WINDOWS\system32\Drivers\RegKill.sys [2001-11-30 11:46]
S3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINDOWS\system32\DRIVERS\pcx500.sys [2004-08-03 22:06]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2004-05-17 19:18]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b6ecbfa-5bc7-11da-85bd-000e7b0b8794}]
\Shell\AutoRun\command - \IntelDrivers\SetupWLD.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98b813d0-49af-11da-8ed4-000e7b138c94}]
\Shell\AutoRun\command - \IntelDrivers\SetupWLD.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-12-29 07:23:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-02-21 01:55:47 C:\WINDOWS\Tasks\Critical0.job"
"2007-05-15 08:21:15 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1162788484.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 21:05:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ACS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\CAP2RSK.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1156161894\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP2LAK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP2SWK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\bounce.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-02-01 21:08:33 - machine was rebooted [10092]
ComboFix-quarantined-files.txt 2008-02-01 08:08:28
.
2007-11-01 04:49:15 --- E O F ---
And instead of
Error loading C:\WINDOWS\system32\oeviflekl.dll
The specified module could not be found
I'm getting
Error loading C:\WINDOWS\system32\lknpajlr.dll
The specified module could not be found
The laptop that I use is kind of compulsory for my school, because we do all our work on it and we pretty much aren't supposed to get other antivirus programs installed or something. So I can't do anything without getting a decent antivirus with firewall?
Thanks again
EDIT: Which antivirus program(s) do you recommend?
I dunno if it makes any difference, but here's my ComboFix log
The laptop that I use is kind of compulsory for my school, because we do all our work on it and we pretty much aren't supposed to get other antivirus programs installed or something. So I can't do anything without getting a decent antivirus with firewall?
Thanks again
EDIT: Which antivirus program(s) do you recommend?
Yes, it makes a difference: it makes me see things and compels me to do something about it.
About AV: obviously I am using BitDefender Internet Security 8 myself, and it does the job for me.
I suggest the following:
1. Uninstall P2P applications (uTorrent, BitLord, LimeWire, etc.) and remove their folders from Program Files. You may later on install them again.
2. Viewpoint is not malware or spyware, but it is installed without the user's knowledge and permission. I suggest you uninstall it via Add/Remove Programs and remove the folder from Program Files (C:\Program Files\Viewpoint).
3. Remove old Java versions due to a serious security vulnerability: download the latest version of the JRE (Java Runtime Environment (JRE) 6 Update 4) from here, but do not install it now: http://java.sun.com/javase/downloads/index.jsp
4. Go to Add/Remove Programs and uninstall all items with Java, JRE or J2SE in the name. Then remove the Java folder from Program Files (C:\Program Files\java).
5. Open Notepad (Start menu - All Programs - Accessories - Notepad).
Copy and paste the text in the code box below into it.
File::
C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\system32\oeviflekl.dll
C:\WINDOWS\system32\oeviflekl.*
C:\WINDOWS\system32\lknpajlr.dll
C:\WINDOWS\system32\lknpajlr.*
C:\WINDOWS\system32\levifleko.dll
C:\WINDOWS\system32\rknpajll.*
C:\WINDOWS\mrofinu1188.exe.tmp
Click File - Save as...
Select Save in: Desktop
Fill in File name: CFScript.txt
Save as type: All file types (*.*)
* Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. After ComboFix is finished, turn on/enable your antivirus again.
* Drag CFScript.txt onto ComboFix.exe. You can see the image showing this here: http://www.fromsej.saknet.dk/billeder/cfscript.gif
* ComboFix will now run a scan on your system.
* It may reboot your system when it finishes. This is normal. Copy and paste the content of combofix.txt into your reply.
* Reboot, make a fresh HJT log and post it along with the ComboFix log in your reply. Do you still get the error warning?