
Malwarebytes

Infected, need to reformat, can't even backup files


17 replies to this topic

#1
soccerari18

    New Member

  • Members
Hi,

I was looking on these forums because I found someone who had a similar problem a few months ago. I believe my computer has almost the same symptoms as Docfxit had on this page http://www.malwarebytes.org/forums/index.p...cfxit&st=20.

It looks like after a lot of attempts at fixing his computer, he had to resort to re-installing Windows. I had already resigned myself to doing this, but upon trying to move my documents onto an external hard drive, I discovered that I can't even move files. This sort of leaves me in a pickle. If anyone could help me simply make a copy of my files before I reformat, I would be extremely grateful.

As for some details:

My problems first appeared about a week ago, after installing what I thought were Windows updates (now I'm starting to think it was something malicious pretending to be Windows updates). Here are all the problems I have found:
-My start menu and taskbar are gone
-I can't access the internet because there are no network connections
-I can't do a system restore, even from the command prompt in safe mode.
-When I try to run MBAM I get a message saying "run-time error '372': failed to load control 'vbalgrid' from vbalsgrid6.ocx. Your version of vbalsgrid6.ocx may be outdated. Make sure you are using the version of the control that was provided with your application."
-And my latest discovery, I can't even move a file by dragging and dropping it.

Lastly, this is my first time ever posting in a forums like this, so if I posted in the wrong place, please let me know where it would be more appropriate.

Thanks so much,

Ari

#2
AdvancedSetup

    Forum Deity

  • Administrators
Hello Ari and Welcome to Malwarebytes.

Well let's try and see if we can get your computer back up and running again or not.

Do you have access to another PC that can burn a CD?

If so then let's start out by running this below and go from there.

Requires access to a working computer with a CD/DVD burner to create a bootable CD.
Avira AntiVir Rescue System - download
    Avira AntiVir Rescue System
    Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to:
  • repair a damaged system,
  • rescue data,
  • scan the system for virus infections.
    Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.
    The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.


#3
soccerari18

    New Member

  • Members
  • Pip
  • 9 posts
Thanks for your prompt response!

Yes I do have access to a working PC. I burned a copy of the boot CD and ran it in the computer that isn't working.

After running the virus scanner, the results were 56 alerts and 14 warnings. Many of the alerts say there are trojans of various names. I'm not sure if it is possible to get the log on to a functioning computer so that I can show it to you? Do you have any suggestions on how to do that, or is it unnecessary?

Thanks again,

Ari

#4
AdvancedSetup

Not too necessary at the moment. Can you start the PC now in Normal mode even if it can't access the Internet?

If not, what happens when you try to start the PC?

Can you start in Safe Mode?

#5
soccerari18

    New Member

  • Members
  • Pip
  • 9 posts
Yes, I can start my PC both normally and in Safe Mode, however all the problems I wrote in my first post are still there (no start/taskbar, can't move files, can't connect to internet, can't open MBAM, etc.)

#6
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,574 posts
  • Gender:Male
  • Location:US
Did you run the Avira AntiVir Rescue System I posted above?


Try copying this over to the infected PC

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.
  • Double click on FixPolicies.exe to run it.
  • Click on Install. It will create a folder named FixPolicies on your desktop.
  • Open the FixPolicies folder.
  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly this is normal.
  • Reboot your computer after it runs

If possible also try this:

Download to the desktop: Dr.Web CureIt
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found:
    (image not preserved)
    If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
    (image not preserved)
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer! It is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new HijackThis log.


Try downloading Hijackthis and rename the file to your name or some random name but keep the .EXE on the end and see if you can run it or not.
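Added example, not part of the original thread and not Bill Castner's tool: to see what the FixPolicies step above is undoing, the Python below reads the text that "reg query ... /s" writes for the Explorer and System policy keys, flags every restriction that is switched on, and prints the "reg delete" command that would clear it. The sample input embedded in it is constructed; NoDesktop, NoNetworkConnections, DisableTaskMgr and DisableRegistryTools are standard policy value names, but which of them were actually set on the poster's laptop is not known from the thread. The two reg query commands in the docstring are run on the infected PC with their output sent to the flash drive; the script then runs on the clean PC.

```python
r"""Audit the Explorer/System policy values that a tool like FixPolicies clears.

Added example, not Bill Castner's tool. Input is the text reg.exe writes; on
the infected PC, with the flash drive as E:, run:
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies" /s > E:\hkcu-policies.txt
    reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies" /s > E:\hklm-policies.txt
then on the clean PC:  python policy_audit.py E:\hkcu-policies.txt
"""
import re
import sys

KEY_LINE = re.compile(r"^HKEY_[A-Z_]+\\")                       # key path, no indent
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")   # indented name/type/data

# Constructed sample in the layout reg.exe /s prints on Windows XP. The values
# are assumptions for illustration, not the poster's actual registry.
SAMPLE = """! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
    <NO NAME>    REG_SZ

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
    NoDesktop    REG_DWORD    0x1
    NoNetworkConnections    REG_DWORD    0x1
    NoViewContextMenu    REG_DWORD    0x0

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    DisableTaskMgr    REG_DWORD    0x1
    DisableRegistryTools    REG_DWORD    0x1
"""


def parse_reg_query(text):
    """Return {key path: {value name: (type, data string)}} from reg query output."""
    keys, current = {}, None
    for line in text.splitlines():
        if KEY_LINE.match(line):
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            keys[current][name] = (vtype, data.strip())
    return keys


def find_restrictions(keys):
    """Values under any ...\\Policies\\... key that are switched on:
    non-zero DWORDs, or non-empty strings (e.g. a redirected shell)."""
    hits = []
    for key, values in keys.items():
        if "\\policies" not in key.lower():
            continue
        for name, (vtype, data) in values.items():
            if name == "<NO NAME>":
                continue
            if vtype == "REG_DWORD" and int(data, 16) != 0:
                hits.append((key, name, int(data, 16)))
            elif vtype in ("REG_SZ", "REG_EXPAND_SZ") and data:
                hits.append((key, name, data))
    return hits


def reg_delete_commands(hits):
    """reg.exe commands that remove each flagged value; review before running."""
    return ['reg delete "%s" /v "%s" /f' % (key, name) for key, name, _ in hits]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # reg.exe writes OEM/ANSI text when redirected; if the file shows a
        # blank between every character it is UTF-16, open it with encoding="utf-16".
        enc = "mbcs" if sys.platform == "win32" else "latin-1"
        with open(sys.argv[1], encoding=enc) as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for cmd in reg_delete_commands(find_restrictions(parse_reg_query(text))):
        print(cmd)
```

Policies are read from HKLM as well as HKCU, so audit both dumps. An empty result only rules out policy restrictions: the missing taskbar and the failing drag-and-drop can have other causes, so the scans the helper asked for still have to run.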

#7
soccerari18

    New Member

  • Members
  • Pip
  • 9 posts
Yes I did run the Avira AntiVir Rescue System boot disk, but it only seemed capable of doing a virus scan, which I told you the results of last night (56 alerts, 14 warnings). Was the program supposed to do something more than this? I noticed I could change the configuration to try and repair the problems, which I did not have checked when I did the scan. Should I do the scan again with this box checked?

By using a flash drive to open the fixpolicies.exe file, I was able to install the folder on to my desktop. I opened the cmd file and command prompt did open and close as you said it would. Then I rebooted. Everything seems to be the same as before (still has all the problems) except I now see a few hidden files that weren't appearing before. They show up kind of translucent, both on my desktop and on my flash drive (and any other folder I look in actually).

Next I opened Dr. Web from my flash drive and pressed start. When it asked to start scan now I pressed yes. The express scan found one file called seekmotb.dll and I clicked the cure button. The little menu popped up asking if I want to delete, move or rename the incurable. I selected move. Back at the main window I ran a custom scan on all three drives (hard, cdrom and flash). When it asked if I want to move infected files I said yes to all. At the end I clicked cure (I couldn't find the button you have an image of) and then clicked move incurable. I saved the log to both the desktop and my flash drive (because I wouldn't be able to move it from my desktop). Then I closed the program and rebooted.

Here is the Dr.Web log:


seekmotb.dll;c:\program files\seekmo programs\seekmo toolbar;Adware.Seekmo;Incurable.Moved.;
data018\data003;C:\Documents and Settings\Ari\Local Settings\Temp\duf21j2u.exe\data018;Adware.Hotbar;;
data018\data004;C:\Documents and Settings\Ari\Local Settings\Temp\duf21j2u.exe\data018;Adware.Hotbar;;
data018;C:\Documents and Settings\Ari\Local Settings\Temp\duf21j2u.exe;Archive contains infected objects;;
duf21j2u.exe\data021;C:\Documents and Settings\Ari\Local Settings\Temp\duf21j2u.exe;Adware.Hotbar;;
data023\data006;C:\Documents and Settings\Ari\Local Settings\Temp\duf21j2u.exe\data023;Adware.Hotbar;;
data023;C:\Documents and Settings\Ari\Local Settings\Temp\duf21j2u.exe;Archive contains infected objects;;
duf21j2u.exe;C:\Documents and Settings\Ari\Local Settings\Temp;Archive contains infected objects;Moved.;
kb456456[1];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\FZJZ70L9;Trojan.Virtumod.based.12;Incurable.Moved.;
kb516107[1];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\FZJZ70L9;Trojan.Virtumod.based.12;Incurable.Moved.;
kb767887[1];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\FZJZ70L9;Trojan.Virtumod.based.12;Incurable.Moved.;
kb767887[3];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\FZJZ70L9;Trojan.Virtumod.based.12;Incurable.Moved.;
kb456456[1];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\G9CR8R43;Trojan.Virtumod.based.12;Incurable.Moved.;
kb516107[1];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\G9CR8R43;Trojan.Virtumod.based.12;Incurable.Moved.;
kb671231[1];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\G9CR8R43;Trojan.Virtumod.based.12;Incurable.Moved.;
kb713501[1];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\G9CR8R43;Trojan.LowZones.884;Deleted.;
kb456456[1];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\KLGXIXMP;Trojan.Virtumod.based.12;Incurable.Moved.;
kb516107[1];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\KLGXIXMP;Trojan.Virtumod.based.12;Incurable.Moved.;
hctp[1];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\PLLNE6BA;Trojan.Virtumod.based.12;Incurable.Moved.;
kb456456[1];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\PLLNE6BA;Trojan.Virtumod.based.12;Incurable.Moved.;
kb767887[1];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\PLLNE6BA;Trojan.Virtumod.based.12;Incurable.Moved.;
kb516107[1];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\SHIBQR2P;Trojan.Virtumod.based.12;Incurable.Moved.;
kb713501[1];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\SHIBQR2P;Trojan.LowZones.884;Deleted.;
query[1];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\SHIBQR2P;Trojan.Virtumod.based.12;Incurable.Moved.;
kb767887[1];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\STGHEFO3;Trojan.Virtumod.based.12;Incurable.Moved.;
kb516107[1];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\WJM3M7UB;Trojan.Virtumod.based.12;Incurable.Moved.;
CA58QHPZ;C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\Z4SWXLZU;Trojan.Virtumod.368;Deleted.;
kb456456[1];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\Z4SWXLZU;Trojan.Virtumod.based.12;Incurable.Moved.;
npclntax.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.Zango;Incurable.Moved.;
SeekmoTBUninstaller.exe;C:\Program Files\Seekmo Programs\Seekmo Toolbar;Adware.Zango;Incurable.Moved.;
A0078941.dll;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP479;Adware.Seekmo;Incurable.Moved.;
bxvbchpb.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.12;Incurable.Moved.;
ctnnbgfc.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.12;Incurable.Moved.;
eocvqibf.exe;C:\WINDOWS\system32;Trojan.LowZones.884;Deleted.;
fvghgmjw.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.12;Incurable.Moved.;
govmegnb.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.12;Incurable.Moved.;
gveofkpy.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.12;Incurable.Moved.;
iaqjugug.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.12;Incurable.Moved.;
jmdjdqyc.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.12;Incurable.Moved.;
jnrcjmcx.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.12;Incurable.Moved.;
judjttdg.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.12;Incurable.Moved.;
kyiusgxa.exe;C:\WINDOWS\system32;Trojan.LowZones.884;Deleted.;
lggprbco.exe;C:\WINDOWS\system32;Trojan.LowZones.884;Deleted.;
ljlellux.exe;C:\WINDOWS\system32;Trojan.LowZones.884;Deleted.;
lpockmur.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.12;Incurable.Moved.;
mdmdpjmu.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.12;Incurable.Moved.;
mlsefujy.exe;C:\WINDOWS\system32;Trojan.LowZones.884;Deleted.;
osowtlya.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.12;Incurable.Moved.;
qrhprvso.exe;C:\WINDOWS\system32;Trojan.LowZones.884;Deleted.;
uityeede.dll;C:\WINDOWS\system32;Trojan.Virtumod.365;Deleted.;
vfesiibp.exe;C:\WINDOWS\system32;Trojan.LowZones.884;Deleted.;
xklnjboo.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.12;Incurable.Moved.;
ymsxfmcj.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.12;Incurable.Moved.;

Finally, I installed Hijackthis under a different filename and ran it. Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:46 AM, on 1/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\java.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {78F1D43D-466D-434C-908F-C5F291133715} - C:\WINDOWS\system32\ljJDTLEt.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1876057954-2297916726-2049805388-1006\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User '?')
O4 - HKUS\S-1-5-21-1876057954-2297916726-2049805388-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Reg.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: urqPhgeb - urqPhgeb.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 9330 bytes
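Added example, not part of the original thread and not Dr.Web's or HijackThis's own analysis: the Python below triages the two logs in the post above. It groups the Dr.Web verdicts into families, lists the files under system32 whose names are eight generated lowercase letters (every system32 hit in the report has that shape, and the list is what to compare against the directory after the reboot), notes report lines that got no action, and walks the HijackThis lines for the markers that matter here: "(file missing)" registrations left behind after the file was removed, the O20 Winlogon Notify entry, the unnamed BHO, and the startup shortcut with an unresolved target. The embedded sample lines are a constructed subset of the two logs; the flagging rules are the editor's.

```python
"""Triage the two logs posted above: Dr.Web CureIt's semicolon-separated report
and the HijackThis log. Added example, not from the thread or either tool."""
import re
from collections import Counter

# Constructed subset of the Dr.Web report above, in its layout:
# name;directory;verdict;action;
DRWEB_SAMPLE = r"""seekmotb.dll;c:\program files\seekmo programs\seekmo toolbar;Adware.Seekmo;Incurable.Moved.;
data018;C:\Documents and Settings\Ari\Local Settings\Temp\duf21j2u.exe;Archive contains infected objects;;
kb456456[1];C:\Documents and Settings\Ari\Local Settings\Temporary Internet Files\Content.IE5\FZJZ70L9;Trojan.Virtumod.based.12;Incurable.Moved.;
bxvbchpb.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.12;Incurable.Moved.;
eocvqibf.exe;C:\WINDOWS\system32;Trojan.LowZones.884;Deleted.;
npclntax.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.Zango;Incurable.Moved.;
"""

# Constructed subset of the HijackThis log above.
HJT_SAMPLE = r"""O2 - BHO: (no name) - {78F1D43D-466D-434C-908F-C5F291133715} - C:\WINDOWS\system32\ljJDTLEt.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - Global Startup: Reg.lnk = ?
O20 - Winlogon Notify: urqPhgeb - urqPhgeb.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
"""

# Every system32 hit in the posted report is eight lowercase letters plus
# .dll/.exe; this pattern picks those out so they can be re-checked after reboot.
RANDOM_SYS32 = re.compile(r"^[a-z]{8}\.(dll|exe)$")


def parse_drweb(text):
    """One dict per report line; the trailing ';' leaves an empty 5th field we drop."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, directory, verdict, action = line.split(";")[:4]
        entries.append({"name": name, "dir": directory, "verdict": verdict, "action": action})
    return entries


def drweb_summary(entries):
    """(verdict family counts, generated-name files in system32, entries with no action)."""
    families = Counter(".".join(e["verdict"].split(".")[:2]) for e in entries)
    sys32 = sorted(e["name"] for e in entries
                   if e["dir"].lower().endswith("\\windows\\system32")
                   and RANDOM_SYS32.match(e["name"]))
    no_action = [e["name"] for e in entries if e["action"] == ""]
    return families, sys32, no_action


def hjt_suspects(text):
    """Lines worth a second look, each with the reasons; the rules are the editor's."""
    flagged = []
    for line in text.splitlines():
        m = re.match(r"^(O\d+|R\d|F\d) - (.*)$", line)
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if "(file missing)" in body:
            reasons.append("registration points at a file that is gone")
        if section == "O20":
            reasons.append("Winlogon Notify DLL, loaded by winlogon at every logon")
        if section == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("browser helper object with no name")
        if section == "O4" and body.endswith("= ?"):
            reasons.append("startup shortcut whose target could not be resolved")
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    families, sys32, no_action = drweb_summary(parse_drweb(DRWEB_SAMPLE))
    for family, n in families.most_common():
        print("%-40s %d" % (family, n))
    print("system32 files with generated names:", ", ".join(sys32))
    print("entries with no action taken:", ", ".join(no_action))
    for line, reasons in hjt_suspects(HJT_SAMPLE):
        print(line, "\n   ->", "; ".join(reasons))
```

The "(file missing)" entries are registrations whose DLL is already gone: nothing loads from them now, but they show where the removed files used to hook in (a BHO and a Winlogon Notify DLL), which is the context a helper needs when deciding what to fix in HijackThis after the scans.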

#8
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,574 posts
  • Gender:Male
  • Location:US
Yes, you were supposed to have Avira cleanup any found items.

Please try the following and let me know the results.

Please make sure you have your files and data backed up first, and run the following.

STEP01
Run this file to repair file and registry permissions
fixacl.exe

STEP02
Run this file after to remove an invalid startup entry. Double click and say Yes to import the settings.
clearinit.reg

STEP03
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

STEP04
Malwarebytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

STEP05
Then RESTART the computer again and AFTER the restart run HJT Scan and Save log and post back all NEW logs.
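STEP01 above repairs registry permissions. Why that matters for the Malwarebytes failure in this thread shows up in the aclreset listing the poster pastes further down: the keys whose permissions get rebuilt are the COM class registrations (ProgIDs) of MBAM's shell extension and of the vbAccelerator grid and timer controls, and vbalsgrid6.ocx is the control named in the run-time error 372. Replacing the ACEs for Administrators, SYSTEM, RESTRICTED and the user and re-taking ownership is what a permissions repair does when a key has been locked; whether the old ACEs were denials is not shown in the listing, but a COM class key a program cannot read is one way to stop it loading a control without touching its files. The Python below, an added example that is neither fixacl.exe nor Malwarebytes code, parses that listing and ties each re-ACLed ProgID prefix back to the component it belongs to. The sample is a constructed subset of the listing; the ProgID-to-file mapping is the editor's assumption, except for vbalsgrid6.ocx, which the error message itself names.

```python
"""Summarise the aclreset listing (output of the permission-repair step) by the
COM class registrations it touched. Added example; it is not fixacl.exe, and the
line shapes are taken from the listing the poster supplies later in this thread."""
import re
from collections import defaultdict

ACE_LINE = re.compile(r"^(?P<key>.+?) : (?:delete Perm\. ACE \d+|new ace for) (?P<who>.+)$")
OWNER_LINE = re.compile(r"^(?P<key>.+?) : (?P<who>.+) is the new owner$")
DONE_LINE = re.compile(r"^(?P<key>HKEY_.+?) : (?P<n>\d+) change\(s\)$")
# "2" is the Win32 error code ERROR_FILE_NOT_FOUND: the key did not exist.
MISSING_LINE = re.compile(r"^(?P<key>HKEY_.+?) : 2 The system cannot find the file specified\.$")

# Editor's mapping of ProgID prefix to component; an assumption, not something
# the thread states, except that run-time error 372 names vbalsgrid6.ocx.
KNOWN = {
    "vbAcceleratorSGrid6": "vbalsgrid6.ocx, the grid control named in run-time error 372",
    "SSubTimer6": "SSubTmr6.dll, the vbAccelerator subclassing/timer helper",
    "MBAMExt": "the Malwarebytes' Anti-Malware shell extension",
}

# Constructed subset of the listing, one line of each shape.
SAMPLE = r"""HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d} : 2 The system cannot find the file specified.
MBAMExt.MBAMShlExt : delete Perm. ACE 2 builtin\administrators
MBAMExt.MBAMShlExt : new ace for builtin\administrators
MBAMExt.MBAMShlExt : delete Perm. ACE 5 laptop-ari\ari
MBAMExt.MBAMShlExt : new ace for laptop-ari\ari
MBAMExt.MBAMShlExt : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt : 9 change(s)
SSubTimer6.CTimer : new ace for nt authority\system
SSubTimer6.CTimer : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\SSubTimer6.CTimer : 9 change(s)
vbAcceleratorSGrid6.cGridCell : new ace for builtin\administrators
vbAcceleratorSGrid6.cGridCell : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridCell : 9 change(s)
vbAcceleratorSGrid6.cGridCell\Clsid : new ace for nt authority\restricted
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridCell\Clsid : 9 change(s)
"""


def library_of(relative_key):
    """'vbAcceleratorSGrid6.cGridCell\\Clsid' -> 'vbAcceleratorSGrid6' (ProgID prefix)."""
    return relative_key.split("\\")[0].split(".")[0]


def summarize(text):
    """Return ({library: {keys, principals, changes}}, [keys that did not exist])."""
    libs = defaultdict(lambda: {"keys": set(), "principals": set(), "changes": 0})
    missing = []
    for line in text.splitlines():
        m = MISSING_LINE.match(line)
        if m:
            missing.append(m.group("key"))
            continue
        m = DONE_LINE.match(line)
        if m:
            relative = m.group("key").split("\\", 1)[1]          # drop the hive
            libs[library_of(relative)]["keys"].add(relative)
            libs[library_of(relative)]["changes"] += int(m.group("n"))
            continue
        m = OWNER_LINE.match(line) or ACE_LINE.match(line)
        if m:
            libs[library_of(m.group("key"))]["principals"].add(m.group("who").lower())
    return dict(libs), missing


def report(libs):
    """One line per library, tying the re-ACLed ProgIDs back to the component."""
    return ["%s -> %s: %d key(s), %d ACL change(s), principals: %s" % (
                lib, KNOWN.get(lib, "unknown component"), len(d["keys"]),
                d["changes"], ", ".join(sorted(d["principals"])))
            for lib, d in sorted(libs.items())]


if __name__ == "__main__":
    libs, missing = summarize(SAMPLE)
    print("\n".join(report(libs)))
    for key in missing:
        print("not present, nothing to repair:", key)
```

Run it against the full listing saved from the infected PC; a library that shows up here but is not in the KNOWN table is worth looking up before assuming the repair was benign.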

#9
soccerari18

    New Member

  • Members
  • Pip
  • 9 posts
I can't back up any of my files because I still can't move anything from my infected PC onto a flash drive or external hard drive. This is my biggest problem; otherwise I would just reformat the hard drive. Is there a high risk in doing the steps you suggest in your last post, or do you have any other suggestions for how to move the files before I do them?

#10
AdvancedSetup

The risk is minimal in that at worst case the computer might not boot into Windows again, but it will not cause data loss and all data can be copied to another system by multiple means.

Please proceed and do the above last posted routines and post back the requested information.

#11
soccerari18

    New Member

  • Members
  • Pip
  • 9 posts
I did steps 1, 2 and 3 as you recommended. I will post the aclreset and JavaRa logs below.

When I tried to do step 4, I was unable to even open MalwareBytes Anti-Malware. I got the same message as before: "run-time error '372': failed to load control 'vbalgrid' from vbalsgrid6.ocx. Your version of vbalsgrid6.ocx may be outdated. Make sure you are using the version of the control that was provided with your application."

Even though I couldn't do step 4, I still rebooted and ran HijackThis again, and I'll post that log too.

Here are all the logs:

aclreset:

HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d} : 2 The system cannot find the file specified.



HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5BF49A2-94F1-42BD-F434-3604812C807D}\InProcServer32 : 2 The system cannot find the file specified.



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser : 2 The system cannot find the file specified.



MBAMExt.MBAMShlExt : delete Perm. ACE 2 builtin\administrators
MBAMExt.MBAMShlExt : new ace for builtin\administrators
MBAMExt.MBAMShlExt : delete Perm. ACE 2 nt authority\system
MBAMExt.MBAMShlExt : new ace for nt authority\system
MBAMExt.MBAMShlExt : delete Perm. ACE 1 nt authority\restricted
MBAMExt.MBAMShlExt : new ace for nt authority\restricted
MBAMExt.MBAMShlExt : delete Perm. ACE 5 laptop-ari\ari
MBAMExt.MBAMShlExt : new ace for laptop-ari\ari
MBAMExt.MBAMShlExt : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt : 9 change(s)
MBAMExt.MBAMShlExt\CLSID : delete Perm. ACE 2 builtin\administrators
MBAMExt.MBAMShlExt\CLSID : new ace for builtin\administrators
MBAMExt.MBAMShlExt\CLSID : delete Perm. ACE 2 nt authority\system
MBAMExt.MBAMShlExt\CLSID : new ace for nt authority\system
MBAMExt.MBAMShlExt\CLSID : delete Perm. ACE 1 nt authority\restricted
MBAMExt.MBAMShlExt\CLSID : new ace for nt authority\restricted
MBAMExt.MBAMShlExt\CLSID : delete Perm. ACE 5 laptop-ari\ari
MBAMExt.MBAMShlExt\CLSID : new ace for laptop-ari\ari
MBAMExt.MBAMShlExt\CLSID : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt\CLSID : 9 change(s)
MBAMExt.MBAMShlExt\CurVer : delete Perm. ACE 2 builtin\administrators
MBAMExt.MBAMShlExt\CurVer : new ace for builtin\administrators
MBAMExt.MBAMShlExt\CurVer : delete Perm. ACE 2 nt authority\system
MBAMExt.MBAMShlExt\CurVer : new ace for nt authority\system
MBAMExt.MBAMShlExt\CurVer : delete Perm. ACE 1 nt authority\restricted
MBAMExt.MBAMShlExt\CurVer : new ace for nt authority\restricted
MBAMExt.MBAMShlExt\CurVer : delete Perm. ACE 5 laptop-ari\ari
MBAMExt.MBAMShlExt\CurVer : new ace for laptop-ari\ari
MBAMExt.MBAMShlExt\CurVer : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt\CurVer : 9 change(s)

MBAMExt.MBAMShlExt.1 : delete Perm. ACE 2 builtin\administrators
MBAMExt.MBAMShlExt.1 : new ace for builtin\administrators
MBAMExt.MBAMShlExt.1 : delete Perm. ACE 2 nt authority\system
MBAMExt.MBAMShlExt.1 : new ace for nt authority\system
MBAMExt.MBAMShlExt.1 : delete Perm. ACE 1 nt authority\restricted
MBAMExt.MBAMShlExt.1 : new ace for nt authority\restricted
MBAMExt.MBAMShlExt.1 : delete Perm. ACE 5 laptop-ari\ari
MBAMExt.MBAMShlExt.1 : new ace for laptop-ari\ari
MBAMExt.MBAMShlExt.1 : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1 : 9 change(s)
MBAMExt.MBAMShlExt.1\CLSID : delete Perm. ACE 2 builtin\administrators
MBAMExt.MBAMShlExt.1\CLSID : new ace for builtin\administrators
MBAMExt.MBAMShlExt.1\CLSID : delete Perm. ACE 2 nt authority\system
MBAMExt.MBAMShlExt.1\CLSID : new ace for nt authority\system
MBAMExt.MBAMShlExt.1\CLSID : delete Perm. ACE 1 nt authority\restricted
MBAMExt.MBAMShlExt.1\CLSID : new ace for nt authority\restricted
MBAMExt.MBAMShlExt.1\CLSID : delete Perm. ACE 5 laptop-ari\ari
MBAMExt.MBAMShlExt.1\CLSID : new ace for laptop-ari\ari
MBAMExt.MBAMShlExt.1\CLSID : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1\CLSID : 9 change(s)

SSubTimer6.CTimer : delete Perm. ACE 2 builtin\administrators
SSubTimer6.CTimer : new ace for builtin\administrators
SSubTimer6.CTimer : delete Perm. ACE 2 nt authority\system
SSubTimer6.CTimer : new ace for nt authority\system
SSubTimer6.CTimer : delete Perm. ACE 1 nt authority\restricted
SSubTimer6.CTimer : new ace for nt authority\restricted
SSubTimer6.CTimer : delete Perm. ACE 5 laptop-ari\ari
SSubTimer6.CTimer : new ace for laptop-ari\ari
SSubTimer6.CTimer : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\SSubTimer6.CTimer : 9 change(s)
SSubTimer6.CTimer\Clsid : delete Perm. ACE 2 builtin\administrators
SSubTimer6.CTimer\Clsid : new ace for builtin\administrators
SSubTimer6.CTimer\Clsid : delete Perm. ACE 2 nt authority\system
SSubTimer6.CTimer\Clsid : new ace for nt authority\system
SSubTimer6.CTimer\Clsid : delete Perm. ACE 1 nt authority\restricted
SSubTimer6.CTimer\Clsid : new ace for nt authority\restricted
SSubTimer6.CTimer\Clsid : delete Perm. ACE 5 laptop-ari\ari
SSubTimer6.CTimer\Clsid : new ace for laptop-ari\ari
SSubTimer6.CTimer\Clsid : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\SSubTimer6.CTimer\Clsid : 9 change(s)

SSubTimer6.GSubclass : delete Perm. ACE 2 builtin\administrators
SSubTimer6.GSubclass : new ace for builtin\administrators
SSubTimer6.GSubclass : delete Perm. ACE 2 nt authority\system
SSubTimer6.GSubclass : new ace for nt authority\system
SSubTimer6.GSubclass : delete Perm. ACE 1 nt authority\restricted
SSubTimer6.GSubclass : new ace for nt authority\restricted
SSubTimer6.GSubclass : delete Perm. ACE 5 laptop-ari\ari
SSubTimer6.GSubclass : new ace for laptop-ari\ari
SSubTimer6.GSubclass : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\SSubTimer6.GSubclass : 9 change(s)
SSubTimer6.GSubclass\Clsid : delete Perm. ACE 2 builtin\administrators
SSubTimer6.GSubclass\Clsid : new ace for builtin\administrators
SSubTimer6.GSubclass\Clsid : delete Perm. ACE 2 nt authority\system
SSubTimer6.GSubclass\Clsid : new ace for nt authority\system
SSubTimer6.GSubclass\Clsid : delete Perm. ACE 1 nt authority\restricted
SSubTimer6.GSubclass\Clsid : new ace for nt authority\restricted
SSubTimer6.GSubclass\Clsid : delete Perm. ACE 5 laptop-ari\ari
SSubTimer6.GSubclass\Clsid : new ace for laptop-ari\ari
SSubTimer6.GSubclass\Clsid : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\SSubTimer6.GSubclass\Clsid : 9 change(s)

SSubTimer6.ISubclass : delete Perm. ACE 2 builtin\administrators
SSubTimer6.ISubclass : new ace for builtin\administrators
SSubTimer6.ISubclass : delete Perm. ACE 2 nt authority\system
SSubTimer6.ISubclass : new ace for nt authority\system
SSubTimer6.ISubclass : delete Perm. ACE 1 nt authority\restricted
SSubTimer6.ISubclass : new ace for nt authority\restricted
SSubTimer6.ISubclass : delete Perm. ACE 5 laptop-ari\ari
SSubTimer6.ISubclass : new ace for laptop-ari\ari
SSubTimer6.ISubclass : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\SSubTimer6.ISubclass : 9 change(s)
SSubTimer6.ISubclass\Clsid : delete Perm. ACE 2 builtin\administrators
SSubTimer6.ISubclass\Clsid : new ace for builtin\administrators
SSubTimer6.ISubclass\Clsid : delete Perm. ACE 2 nt authority\system
SSubTimer6.ISubclass\Clsid : new ace for nt authority\system
SSubTimer6.ISubclass\Clsid : delete Perm. ACE 1 nt authority\restricted
SSubTimer6.ISubclass\Clsid : new ace for nt authority\restricted
SSubTimer6.ISubclass\Clsid : delete Perm. ACE 5 laptop-ari\ari
SSubTimer6.ISubclass\Clsid : new ace for laptop-ari\ari
SSubTimer6.ISubclass\Clsid : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\SSubTimer6.ISubclass\Clsid : 9 change(s)

vbAcceleratorSGrid6.cGridCell : delete Perm. ACE 2 builtin\administrators
vbAcceleratorSGrid6.cGridCell : new ace for builtin\administrators
vbAcceleratorSGrid6.cGridCell : delete Perm. ACE 2 nt authority\system
vbAcceleratorSGrid6.cGridCell : new ace for nt authority\system
vbAcceleratorSGrid6.cGridCell : delete Perm. ACE 1 nt authority\restricted
vbAcceleratorSGrid6.cGridCell : new ace for nt authority\restricted
vbAcceleratorSGrid6.cGridCell : delete Perm. ACE 5 laptop-ari\ari
vbAcceleratorSGrid6.cGridCell : new ace for laptop-ari\ari
vbAcceleratorSGrid6.cGridCell : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridCell : 9 change(s)
vbAcceleratorSGrid6.cGridCell\Clsid : delete Perm. ACE 2 builtin\administrators
vbAcceleratorSGrid6.cGridCell\Clsid : new ace for builtin\administrators
vbAcceleratorSGrid6.cGridCell\Clsid : delete Perm. ACE 2 nt authority\system
vbAcceleratorSGrid6.cGridCell\Clsid : new ace for nt authority\system
vbAcceleratorSGrid6.cGridCell\Clsid : delete Perm. ACE 1 nt authority\restricted
vbAcceleratorSGrid6.cGridCell\Clsid : new ace for nt authority\restricted
vbAcceleratorSGrid6.cGridCell\Clsid : delete Perm. ACE 5 laptop-ari\ari
vbAcceleratorSGrid6.cGridCell\Clsid : new ace for laptop-ari\ari
vbAcceleratorSGrid6.cGridCell\Clsid : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridCell\Clsid : 9 change(s)

vbAcceleratorSGrid6.cGridSortObject : delete Perm. ACE 2 builtin\administrators
vbAcceleratorSGrid6.cGridSortObject : new ace for builtin\administrators
vbAcceleratorSGrid6.cGridSortObject : delete Perm. ACE 2 nt authority\system
vbAcceleratorSGrid6.cGridSortObject : new ace for nt authority\system
vbAcceleratorSGrid6.cGridSortObject : delete Perm. ACE 1 nt authority\restricted
vbAcceleratorSGrid6.cGridSortObject : new ace for nt authority\restricted
vbAcceleratorSGrid6.cGridSortObject : delete Perm. ACE 5 laptop-ari\ari
vbAcceleratorSGrid6.cGridSortObject : new ace for laptop-ari\ari
vbAcceleratorSGrid6.cGridSortObject : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridSortObject : 9 change(s)
vbAcceleratorSGrid6.cGridSortObject\Clsid : delete Perm. ACE 2 builtin\administrators
vbAcceleratorSGrid6.cGridSortObject\Clsid : new ace for builtin\administrators
vbAcceleratorSGrid6.cGridSortObject\Clsid : delete Perm. ACE 2 nt authority\system
vbAcceleratorSGrid6.cGridSortObject\Clsid : new ace for nt authority\system
vbAcceleratorSGrid6.cGridSortObject\Clsid : delete Perm. ACE 1 nt authority\restricted
vbAcceleratorSGrid6.cGridSortObject\Clsid : new ace for nt authority\restricted
vbAcceleratorSGrid6.cGridSortObject\Clsid : delete Perm. ACE 5 laptop-ari\ari
vbAcceleratorSGrid6.cGridSortObject\Clsid : new ace for laptop-ari\ari
vbAcceleratorSGrid6.cGridSortObject\Clsid : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridSortObject\Clsid : 9 change(s)

vbAcceleratorSGrid6.IGridCellOwnerDraw : delete Perm. ACE 2 builtin\administrators
vbAcceleratorSGrid6.IGridCellOwnerDraw : new ace for builtin\administrators
vbAcceleratorSGrid6.IGridCellOwnerDraw : delete Perm. ACE 2 nt authority\system
vbAcceleratorSGrid6.IGridCellOwnerDraw : new ace for nt authority\system
vbAcceleratorSGrid6.IGridCellOwnerDraw : delete Perm. ACE 1 nt authority\restricted
vbAcceleratorSGrid6.IGridCellOwnerDraw : new ace for nt authority\restricted
vbAcceleratorSGrid6.IGridCellOwnerDraw : delete Perm. ACE 5 laptop-ari\ari
vbAcceleratorSGrid6.IGridCellOwnerDraw : new ace for laptop-ari\ari
vbAcceleratorSGrid6.IGridCellOwnerDraw : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.IGridCellOwnerDraw : 9 change(s)
vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid : delete Perm. ACE 2 builtin\administrators
vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid : new ace for builtin\administrators
vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid : delete Perm. ACE 2 nt authority\system
vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid : new ace for nt authority\system
vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid : delete Perm. ACE 1 nt authority\restricted
vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid : new ace for nt authority\restricted
vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid : delete Perm. ACE 5 laptop-ari\ari
vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid : new ace for laptop-ari\ari
vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid : 9 change(s)

vbAcceleratorSGrid6.vbalGrid : delete Perm. ACE 2 builtin\administrators
vbAcceleratorSGrid6.vbalGrid : new ace for builtin\administrators
vbAcceleratorSGrid6.vbalGrid : delete Perm. ACE 2 nt authority\system
vbAcceleratorSGrid6.vbalGrid : new ace for nt authority\system
vbAcceleratorSGrid6.vbalGrid : delete Perm. ACE 1 nt authority\restricted
vbAcceleratorSGrid6.vbalGrid : new ace for nt authority\restricted
vbAcceleratorSGrid6.vbalGrid : delete Perm. ACE 5 laptop-ari\ari
vbAcceleratorSGrid6.vbalGrid : new ace for laptop-ari\ari
vbAcceleratorSGrid6.vbalGrid : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.vbalGrid : 9 change(s)
vbAcceleratorSGrid6.vbalGrid\Clsid : delete Perm. ACE 2 builtin\administrators
vbAcceleratorSGrid6.vbalGrid\Clsid : new ace for builtin\administrators
vbAcceleratorSGrid6.vbalGrid\Clsid : delete Perm. ACE 2 nt authority\system
vbAcceleratorSGrid6.vbalGrid\Clsid : new ace for nt authority\system
vbAcceleratorSGrid6.vbalGrid\Clsid : delete Perm. ACE 1 nt authority\restricted
vbAcceleratorSGrid6.vbalGrid\Clsid : new ace for nt authority\restricted
vbAcceleratorSGrid6.vbalGrid\Clsid : delete Perm. ACE 5 laptop-ari\ari
vbAcceleratorSGrid6.vbalGrid\Clsid : new ace for laptop-ari\ari
vbAcceleratorSGrid6.vbalGrid\Clsid : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.vbalGrid\Clsid : 9 change(s)

MBAMExt.MBAMShlExt : delete Perm. ACE 2 builtin\administrators
MBAMExt.MBAMShlExt : new ace for builtin\administrators
MBAMExt.MBAMShlExt : delete Perm. ACE 2 nt authority\system
MBAMExt.MBAMShlExt : new ace for nt authority\system
MBAMExt.MBAMShlExt : delete Perm. ACE 2 nt authority\restricted
MBAMExt.MBAMShlExt : new ace for nt authority\restricted
MBAMExt.MBAMShlExt : delete Perm. ACE 2 laptop-ari\ari
MBAMExt.MBAMShlExt : new ace for laptop-ari\ari
MBAMExt.MBAMShlExt : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt : 9 change(s)

MBAMExt.MBAMShlExt.1 : delete Perm. ACE 2 builtin\administrators
MBAMExt.MBAMShlExt.1 : new ace for builtin\administrators
MBAMExt.MBAMShlExt.1 : delete Perm. ACE 2 nt authority\system
MBAMExt.MBAMShlExt.1 : new ace for nt authority\system
MBAMExt.MBAMShlExt.1 : delete Perm. ACE 2 nt authority\restricted
MBAMExt.MBAMShlExt.1 : new ace for nt authority\restricted
MBAMExt.MBAMShlExt.1 : delete Perm. ACE 2 laptop-ari\ari
MBAMExt.MBAMShlExt.1 : new ace for laptop-ari\ari
MBAMExt.MBAMShlExt.1 : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1 : 9 change(s)

SSubTimer6.CTimer : delete Perm. ACE 2 builtin\administrators
SSubTimer6.CTimer : new ace for builtin\administrators
SSubTimer6.CTimer : delete Perm. ACE 2 nt authority\system
SSubTimer6.CTimer : new ace for nt authority\system
SSubTimer6.CTimer : delete Perm. ACE 2 nt authority\restricted
SSubTimer6.CTimer : new ace for nt authority\restricted
SSubTimer6.CTimer : delete Perm. ACE 2 laptop-ari\ari
SSubTimer6.CTimer : new ace for laptop-ari\ari
SSubTimer6.CTimer : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\SSubTimer6.CTimer : 9 change(s)

SSubTimer6.GSubclass : delete Perm. ACE 2 builtin\administrators
SSubTimer6.GSubclass : new ace for builtin\administrators
SSubTimer6.GSubclass : delete Perm. ACE 2 nt authority\system
SSubTimer6.GSubclass : new ace for nt authority\system
SSubTimer6.GSubclass : delete Perm. ACE 2 nt authority\restricted
SSubTimer6.GSubclass : new ace for nt authority\restricted
SSubTimer6.GSubclass : delete Perm. ACE 2 laptop-ari\ari
SSubTimer6.GSubclass : new ace for laptop-ari\ari
SSubTimer6.GSubclass : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\SSubTimer6.GSubclass : 9 change(s)

SSubTimer6.ISubclass : delete Perm. ACE 2 builtin\administrators
SSubTimer6.ISubclass : new ace for builtin\administrators
SSubTimer6.ISubclass : delete Perm. ACE 2 nt authority\system
SSubTimer6.ISubclass : new ace for nt authority\system
SSubTimer6.ISubclass : delete Perm. ACE 2 nt authority\restricted
SSubTimer6.ISubclass : new ace for nt authority\restricted
SSubTimer6.ISubclass : delete Perm. ACE 2 laptop-ari\ari
SSubTimer6.ISubclass : new ace for laptop-ari\ari
SSubTimer6.ISubclass : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\SSubTimer6.ISubclass : 9 change(s)

vbAcceleratorSGrid6.cGridCell : delete Perm. ACE 2 builtin\administrators
vbAcceleratorSGrid6.cGridCell : new ace for builtin\administrators
vbAcceleratorSGrid6.cGridCell : delete Perm. ACE 2 nt authority\system
vbAcceleratorSGrid6.cGridCell : new ace for nt authority\system
vbAcceleratorSGrid6.cGridCell : delete Perm. ACE 2 nt authority\restricted
vbAcceleratorSGrid6.cGridCell : new ace for nt authority\restricted
vbAcceleratorSGrid6.cGridCell : delete Perm. ACE 2 laptop-ari\ari
vbAcceleratorSGrid6.cGridCell : new ace for laptop-ari\ari
vbAcceleratorSGrid6.cGridCell : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridCell : 9 change(s)

vbAcceleratorSGrid6.cGridSortObject : delete Perm. ACE 2 builtin\administrators
vbAcceleratorSGrid6.cGridSortObject : new ace for builtin\administrators
vbAcceleratorSGrid6.cGridSortObject : delete Perm. ACE 2 nt authority\system
vbAcceleratorSGrid6.cGridSortObject : new ace for nt authority\system
vbAcceleratorSGrid6.cGridSortObject : delete Perm. ACE 2 nt authority\restricted
vbAcceleratorSGrid6.cGridSortObject : new ace for nt authority\restricted
vbAcceleratorSGrid6.cGridSortObject : delete Perm. ACE 2 laptop-ari\ari
vbAcceleratorSGrid6.cGridSortObject : new ace for laptop-ari\ari
vbAcceleratorSGrid6.cGridSortObject : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridSortObject : 9 change(s)

vbAcceleratorSGrid6.IGridCellOwnerDraw : delete Perm. ACE 2 builtin\administrators
vbAcceleratorSGrid6.IGridCellOwnerDraw : new ace for builtin\administrators
vbAcceleratorSGrid6.IGridCellOwnerDraw : delete Perm. ACE 2 nt authority\system
vbAcceleratorSGrid6.IGridCellOwnerDraw : new ace for nt authority\system
vbAcceleratorSGrid6.IGridCellOwnerDraw : delete Perm. ACE 2 nt authority\restricted
vbAcceleratorSGrid6.IGridCellOwnerDraw : new ace for nt authority\restricted
vbAcceleratorSGrid6.IGridCellOwnerDraw : delete Perm. ACE 2 laptop-ari\ari
vbAcceleratorSGrid6.IGridCellOwnerDraw : new ace for laptop-ari\ari
vbAcceleratorSGrid6.IGridCellOwnerDraw : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.IGridCellOwnerDraw : 9 change(s)

vbAcceleratorSGrid6.vbalGrid : delete Perm. ACE 2 builtin\administrators
vbAcceleratorSGrid6.vbalGrid : new ace for builtin\administrators
vbAcceleratorSGrid6.vbalGrid : delete Perm. ACE 2 nt authority\system
vbAcceleratorSGrid6.vbalGrid : new ace for nt authority\system
vbAcceleratorSGrid6.vbalGrid : delete Perm. ACE 2 nt authority\restricted
vbAcceleratorSGrid6.vbalGrid : new ace for nt authority\restricted
vbAcceleratorSGrid6.vbalGrid : delete Perm. ACE 2 laptop-ari\ari
vbAcceleratorSGrid6.vbalGrid : new ace for laptop-ari\ari
vbAcceleratorSGrid6.vbalGrid : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.vbalGrid : 9 change(s)

JavaRa:

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sun Jan 04 15:53:11 2009

Found and removed: C:\Program Files\Java\jre1.5.0_06

Found and removed: Software\JavaSoft\Java2D\1.5.0_06

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D510006

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510006

Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D510006

Found and removed: SOFTWARE\Classes\JavaPlugin.150_06

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.5.0_06

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5.0_06

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D510006

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510006

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150060}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}

Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Classes\JavaPlugin.160_03

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_03

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_03

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610003

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160030}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.5.0_06

Found and removed: Software\Classes\JavaPlugin.160_03

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_03

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_06\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\bin\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_03.b05\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core1.zip

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core2.zip

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core3.zip

------------------------------------

Finished reporting.



HiJackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:06:41 PM, on 1/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\java.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {78F1D43D-466D-434C-908F-C5F291133715} - C:\WINDOWS\system32\ljJDTLEt.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1876057954-2297916726-2049805388-1006\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User '?')
O4 - HKUS\S-1-5-21-1876057954-2297916726-2049805388-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Reg.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: urqPhgeb - urqPhgeb.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 9329 bytes

#12
AdvancedSetup

Start HJT and do a Scan Only and place a check mark on the following items.
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {78F1D43D-466D-434C-908F-C5F291133715} - C:\WINDOWS\system32\ljJDTLEt.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O20 - Winlogon Notify: urqPhgeb - urqPhgeb.dll (file missing)

Then click on Fix checked and quit HJT

Open My Computer and browse to the following locations and delete the JAVA folder if it exists.
C:\Program Files\Java
C:\Program Files\Common Files\Sun\Java
C:\Documents and Settings\All Users\Application Data\Sun\Java


Download and install this Service Pack 6 for Visual Basic 6.0

Then RESTART the computer.
After the restart run this

Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer again and run a new HJT Scan and Save log.

Post back NEW MBAM and HJT logs and let me know how the computer is running and if there are still any signs of an infection.
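The fix list above works from two signals that are visible in the HJT log itself: entries whose module HJT reports as "(file missing)", and load points (the O2 BHO and O20 Winlogon Notify lines) whose DLL name looks machine-generated. The script below is an added example, not code from this thread or from HijackThis; it applies those checks to log lines copied from the logs posted in this thread. The section groupings, the "fix"/"review" labels and the name heuristic are the example's own assumptions, not HJT behaviour.

```python
"""Triage HijackThis (HJT) log lines for autostart entries that need attention.

Added example; not code from the thread or from HijackThis. The sample lines
are copied from the logs posted in this thread. Two signals are checked:
  * an autostart entry (BHO, Run key, Winlogon Notify, ...) whose module HJT
    reports as "(file missing)" is a dangling reference and safe to remove;
  * a BHO or Winlogon Notify module whose filename looks machine-generated
    (few vowels, long consonant runs, irregular case) needs a human look.
The section lists, severity labels and the name heuristic are this example's
own assumptions, not HJT behaviour.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {78F1D43D-466D-434C-908F-C5F291133715} - C:\WINDOWS\system32\ljJDTLEt.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - Global Startup: Reg.lnk = ?
O20 - Winlogon Notify: urqPhgeb - urqPhgeb.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Load points that run code at logon or browser start (assumed grouping of HJT sections).
AUTOSTART_SECTIONS = {"O2", "O3", "O4", "O20", "O21", "O22"}
# Sections where a random-looking module name is a useful signal; O4 and O23 are
# full of vendor abbreviations (TFncKy, SynTPLpr) that would trip the heuristic.
NAME_CHECK_SECTIONS = {"O2", "O20", "O21"}

LINE_RE = re.compile(r"^(?P<sec>[ORF]\d+) - (?P<body>.*)$")
MODULE_RE = re.compile(r'([^\\\s"]+)\.(?:dll|exe|ocx|sys)\b', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    severity: str   # "fix" = tick it in HJT, "review" = needs a human decision
    reason: str
    line: str


def module_stem(body):
    """Filename (without extension) of the last module referenced on the line."""
    stems = MODULE_RE.findall(body)
    return stems[-1] if stems else ""


def looks_generated(stem):
    """Heuristic: mixed-case name with few vowels and a long consonant run."""
    letters = "".join(c for c in stem if c.isalpha())
    if len(letters) < 6:
        return False
    if letters.islower() or letters.isupper() or letters[1:].islower():
        return False                      # plain word, acronym or Capitalised word
    vowels = sum(c in "aeiouyAEIOUY" for c in letters)
    longest_run = max(len(run) for run in re.split(r"[aeiouyAEIOUY]+", letters))
    return vowels / len(letters) < 0.3 and longest_run >= 4


def triage_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in AUTOSTART_SECTIONS and "(file missing)" in body:
        return Finding(sec, "fix", "autostart entry points at a file that no longer exists", line)
    if sec == "O2" and "(no name)" in body:
        return Finding(sec, "review", "BHO registered without a name", line)
    if sec == "O4" and body.rstrip().endswith("= ?"):
        return Finding(sec, "review", "startup shortcut whose target HJT could not resolve", line)
    if sec in NAME_CHECK_SECTIONS and looks_generated(module_stem(body)):
        return Finding(sec, "review", "module filename looks machine-generated", line)
    if sec == "O23" and "Unknown owner" in body:
        return Finding(sec, "review", "service carries no publisher string; confirm the vendor", line)
    return None


def triage_log(text):
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:<4} {f.reason}\n          {f.line.strip()}")
```

The two "fix" findings are exactly the entries the post ticks in HJT; the Java entries it also ticks are there because the Java install is being removed and reinstalled, which no log heuristic can infer. "Unknown owner" on its own is weak evidence (Atheros, Linksys and Toshiba services in these logs all show it), which is why it is only marked for review.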

#13
soccerari18

I did everything just as you said in the last post, and still cannot get MBAM to open. I get the same error message that I have gotten all along (run-time error 372). Since this was the only step I couldn't do, I still ran HijackThis again and will post the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:14 PM, on 1/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1876057954-2297916726-2049805388-1006\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User '?')
O4 - HKUS\S-1-5-21-1876057954-2297916726-2049805388-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Reg.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 8560 bytes

#14
AdvancedSetup

Well, I have to believe that McAfee or some other security tool has to be interfering with the install, or some as yet unknown malware that is hiding.

It's up to you, but if you have the time and/or the inclination, I would download NEW copies of MBAM to install, then take the computer off the network: just unplug the cable or shut down the wireless.

Then remove all antivirus and similar security software that may be interfering.

That is completely up to you, though, and it would be strictly for discovery / learning purposes.

I'm unable to duplicate your issue; otherwise I'd hopefully offer another solution.
Using monitoring tools is often not easy even for some more advanced users, so it's not easy to tell you how to use such tools in a forum.

There are a couple of other scanner tools we could try, but they could also potentially break your system.

Please let me know what, if anything, more you'd like or would be willing to try. Thanks.

#15
soccerari18

Thank you so much for all your time and efforts.

I decided that I would try and salvage anything I could and wipe the hard drive. It was quite tedious, but over the last 6 or so hours, I was able to save all my word documents to an external hard drive by opening each file and then using "save as" to put it on the external. Using the same method I was also able to open most of my photos and save them one at a time. By accessing the file transfer wizard via C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools I think I might have even been able to save some of my music and other files, but that remains to be seen.

Obviously this wasn't ideal, but rather than waste more time and risk losing everything, I thought it would be best to give it a shot and it ended up working pretty well. I wasn't able to copy any videos over and lost some other files, but nothing that I can't live without.

I already reformatted the hard drive, and right now I'm just waiting for windows to re-install. All I can do now is cross my fingers and hope that windows will install without too many obstacles and by tomorrow morning I should have a functional pc and the most precious of my files on the external.

Again, I can't tell you how much I appreciate all your help with this. As I said in my original post, this was my first time using a forum to get computer help. I always thought it seemed too good to be true that experts like yourself would go out of their way to help people they don't even know, but I stand corrected. I am extremely impressed with all your knowledgeable advice, patience and quick response times.

I will post one more time once my pc is fully functional (knock on wood), just to let you know how the install went.

Thank you,

Ari

#16
AdvancedSetup

Thank you for the kind words.

Well, make sure you have an antivirus installed and a firewall in place soon after Windows is up and running, as malware can easily infect a box very quickly nowadays once it's connected to the Internet with no protection and out-of-date Microsoft updates.

Then get Service Pack 3 for Windows XP and all the Critical Updates. If you need further assistance let us know.
Ron Lewis
Manager, Online Support

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#17
soccerari18

I got McAfee on the PC before I even connected to the internet and updated it first thing. I also got a firewall up and updated Windows, including SP3. Thankfully so far everything seems to be working. It's like a brand new computer, no remnants of the old problems, and I was actually able to salvage the most important of my files from before.

Thanks again for your help,

Ari

#18
AdvancedSetup

Well, not that you are infected now, but take a look at this in case you might want to use any of it.


So how did I get infected in the first place?


At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.
Turn ON System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here

Install SpywareBlaster
Download it from here
Find the tutorial on how to use SpywareBlaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install hpHosts
Download it from here
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.
hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.
I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.



Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine unless you fully understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions


Also don't forget that we offer FREE assistance with general PC questions and repair here: PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org
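What the hpHosts advice above relies on, shown as an added example that is not part of this thread or of the hpHosts project: the hosts file is consulted before any DNS query, so a name listed against 127.0.0.1 (or 0.0.0.0, which some lists prefer) resolves to the local machine and the real server is never contacted. The blocklist contents below are constructed for the demonstration and the parser is the example's own; it also shows the main limitation of the technique, that matching is exact, so a subdomain that is not listed is not blocked.

```python
"""Look up names against a hosts-file blocklist in the style of hpHosts.

Added example; not code from the thread or from the hpHosts project.
The list below is constructed for the demonstration. A hosts file is
consulted before any DNS query, so a name mapped to 127.0.0.1 (or to
0.0.0.0, which some lists prefer) resolves to the local machine and the
real server is never contacted. Matching is exact: no wildcards, so an
unlisted subdomain is not blocked.
"""
import ipaddress

SAMPLE_HOSTS = """
# constructed sample in hosts-file syntax (one address, then one or more names)
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.net            # ad server
127.0.0.1       tracker.example.org www.tracker.example.org
0.0.0.0         malware.example.com        # unspecified address, used by some lists
not-an-address  junk.example.com           # malformed line, ignored by the parser
"""


def parse_hosts(text):
    """Return {lower-cased name: ip_address}, honouring comments and multi-name lines.

    On a duplicate name the first entry is kept (assumed to match resolver behaviour).
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address: skip the line
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)
    return table


def resolve(name, table):
    """The hosts-file stage of name resolution: exact, case-insensitive match."""
    return table.get(name.lower().rstrip("."))


def is_sinkholed(name, table):
    """True when the name is listed and points at loopback or the unspecified address."""
    ip = resolve(name, table)
    return ip is not None and (ip.is_loopback or ip.is_unspecified)


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example.net", "WWW.Tracker.Example.ORG",
                 "malware.example.com", "cdn.ads.example.net", "junk.example.com"):
        print(f"{host:28} -> {resolve(host, table) or 'DNS'}"
              f"{'  (blocked)' if is_sinkholed(host, table) else ''}")
```

Because the match is by name only, a program that connects to an IP address directly, or that carries its own DNS resolver, bypasses the list entirely; the hosts file is an extra layer on top of the antivirus and firewall the post recommends, not a substitute for them.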