infected with rootkit.zeroacess

I originally had google redirect and got rid of that or so i thought. Than i kept getting viruses and trojans and could not get rid of them no mater what i threw at it i tried malwarebytes,superantispyware,avg,and microsoft security essentials. so i ran combofix because i was pretty sure i had a rootkit it found rootkit.zeroaccess and it and got rid of it it rebooted my computer and when it restarted and the log was about to be posted it crashed and now I can't connect to the internet and aoltsmon.exe is taking up alot of memory when i boot up. heres the logs and thanks alot for the help

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by r at 15:04:20 on 2012-04-24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.126 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdeserv.exe
C:\WINDOWS\system32\lxdecoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\IoCtlSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [wmlmbd] rundll32.exe "c:\windows\temp\wmlmbd.dll",HostAlloc
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [piavs] rundll32.exe "c:\windows\temp\piavs.dll",LoadMemory
mRun: [PC Health Status] c:\documents and settings\r\application data\gqkcqdpe.exe
mRun: [lxdemon.exe] "c:\program files\lexmark 4800 series\lxdemon.exe"
mRun: [lxdeamon] "c:\program files\lexmark 4800 series\lxdeamon.exe"
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HostManager] c:\program files\common files\aol\1131163763\ee\AOLSoftware.exe
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_ActiveX.exe -update activex
StartupFolder: c:\docume~1\r\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ez-dub~1.lnk - c:\program files\ez-dub\EZ-DUB.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{AA2DEFF2-AD0F-4D8E-86C9-794C108C03C5} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DA394622-918C-40A2-8C2E-25A058DCAC8E} : DhcpNameServer = 192.168.1.1 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\r\application data\mozilla\firefox\profiles\djp77js8.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2012-1-4 822624]
R2 lxde_device;lxde_device;c:\windows\system32\lxdecoms.exe -service --> c:\windows\system32\lxdecoms.exe -service [?]
R2 lxdeCATSCustConnectService;lxdeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdeserv.exe [2010-11-9 99248]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2011-10-1 508776]
R2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [2009-12-2 584680]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [2009-12-2 209512]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [2009-12-2 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [2009-12-2 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2011-10-1 219496]
S?2 avgtdi;Hcmon;c:\windows\system32\svchost.exe -k netsvcs [2005-11-4 39936]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-6-3 271792]
.
=============== Created Last 30 ================
.
2012-04-24 18:59:03 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9861713c-2367-4795-b97c-0151d659386e}\offreg.dll
2012-04-24 00:29:51 6734704 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9861713c-2367-4795-b97c-0151d659386e}\mpengine.dll
2012-04-23 16:05:50 -------- d-----w- C:\ComboFix
2012-04-14 21:10:23 -------- d-----w- c:\documents and settings\r\application data\Hensense.com
2012-04-14 21:09:23 -------- d-----w- c:\program files\Hensence.com
2012-04-14 10:10:12 -------- d-----w- c:\program files\DsNET Corp
2012-04-14 10:09:00 -------- d-----w- c:\documents and settings\all users\application data\Ask
2012-04-09 22:21:23 -------- d-----w- c:\program files\GetFLV2
2012-04-09 21:14:19 -------- d-----w- C:\76d4a1b3876ec83e2eceb4b31f97c0
2012-04-07 07:47:34 -------- d-----w- c:\documents and settings\r\local settings\application data\{9D8B1860-8081-11E1-826D-B8AC6F996F26}
2012-04-06 14:34:04 98816 ----a-w- c:\windows\sed.exe
2012-04-06 14:34:04 518144 ----a-w- c:\windows\SWREG.exe
2012-04-06 14:34:04 256000 ----a-w- c:\windows\PEV.exe
2012-04-06 14:34:04 208896 ----a-w- c:\windows\MBR.exe
2012-04-06 03:32:53 0 ----a-w- c:\windows\system32\sho12.tmp
2012-04-05 17:18:54 6734704 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-04-04 13:47:04 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-04-04 13:12:04 -------- d-----w- c:\program files\Microsoft Security Client
2012-04-03 16:06:30 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-04-03 16:06:30 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-04-03 09:36:38 -------- d-----w- c:\documents and settings\r\application data\Malwarebytes
2012-04-03 09:36:25 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-29 02:43:51 -------- d-----w- c:\documents and settings\r\local settings\application data\SoftGrid Client
2012-03-29 02:43:08 -------- d-----w- c:\documents and settings\r\application data\SoftGrid Client
.
==================== Find3M ====================
.
2012-04-23 06:35:59 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2012-04-23 06:02:24 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2012-04-23 06:02:23 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2012-01-28 23:33:54 260 ----a-w- c:\windows\system32\cmdVBS.vbs
2012-01-28 23:33:54 256 ----a-w- c:\windows\system32\MSIevent.bat
.
============= FINISH: 15:10:21.40 ===============

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

• Please do not run any tools unless instructed to do so.
  
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
• Please do not attach logs or use code boxes, just copy and paste the text.
  
  • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
• Please read every post completely before doing anything.
  
  • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
• Please provide feedback about your experience as we go.
  
  • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of hartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

• Download Security Check by screen317 from here.
• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

• In your next post I need the following
  
• Log from Combofix
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

i had trouble running combofix in regular mode it just kept crashing so i had to run it in safe mode. thank you for the help.




Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Microsoft Security Essentials
```````````````````````````````
Anti-malware/Other Utilities Check:
SUPERAntiSpyware Free Edition
Java™ 6 Update 20
Java version out of date!
Adobe Flash Player 10.3.181.34 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of date!
Adobe Reader X 10.1.0 Adobe Reader out of Date!
Mozilla Firefox (9.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````




ComboFix 12-04-26.01 - r 04/26/2012 13:54:39.31.1 - x86 NETWORK
Running from: c:\documents and settings\r\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\r\Application Data\ntos.exe
.
c:\windows\system32\drivers\ipsec.sys . . . is infected!! . . . Failed to find a valid replacement.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-03-26 to 2012-04-26 )))))))))))))))))))))))))))))))
.
.
2012-04-26 17:48 . 2012-04-26 18:11 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9861713C-2367-4795-B97C-0151D659386E}\offreg.dll
2012-04-24 19:10 . 2012-04-24 19:10 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9861713C-2367-4795-B97C-0151D659386E}\MpKslbb165094.sys
2012-04-24 00:29 . 2012-04-13 07:36 6734704 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9861713C-2367-4795-B97C-0151D659386E}\mpengine.dll
2012-04-23 06:03 . 2012-04-23 06:03 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2012-04-14 21:10 . 2012-04-14 21:10 -------- d-----w- c:\documents and settings\r\Application Data\Hensense.com
2012-04-14 21:09 . 2012-04-14 21:33 -------- d-----w- c:\program files\Hensence.com
2012-04-14 10:10 . 2012-04-14 10:16 -------- d-----w- c:\program files\DsNET Corp
2012-04-14 10:09 . 2012-04-14 10:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Ask
2012-04-09 22:21 . 2012-04-25 09:52 -------- d-----w- c:\program files\GetFLV2
2012-04-09 21:14 . 2012-04-09 21:14 -------- d-----w- C:\76d4a1b3876ec83e2eceb4b31f97c0
2012-04-08 19:27 . 2012-04-08 19:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-04-07 07:47 . 2012-04-07 07:47 -------- d-----w- c:\documents and settings\r\Local Settings\Application Data\{9D8B1860-8081-11E1-826D-B8AC6F996F26}
2012-04-07 07:42 . 2012-04-07 07:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-04-06 03:32 . 2012-04-06 03:32 0 ----a-w- c:\windows\system32\sho12.tmp
2012-04-05 17:18 . 2012-04-13 07:36 6734704 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-04 13:47 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-04-04 13:12 . 2012-04-04 13:12 -------- d-----w- c:\program files\Microsoft Security Client
2012-04-03 16:06 . 2012-04-03 16:06 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-04-03 16:06 . 2012-04-03 16:06 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-04-03 09:36 . 2012-04-03 09:36 -------- d-----w- c:\documents and settings\r\Application Data\Malwarebytes
2012-04-03 09:36 . 2011-12-10 19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-02 19:04 . 2012-04-02 19:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-04-02 19:01 . 2012-04-02 19:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-03-29 02:43 . 2012-03-29 02:44 -------- d-----w- c:\documents and settings\r\Local Settings\Application Data\SoftGrid Client
2012-03-29 02:43 . 2012-04-24 03:24 -------- d-----w- c:\documents and settings\r\Application Data\SoftGrid Client
2012-03-28 14:55 . 2012-03-28 14:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-23 06:35 . 2009-08-21 18:44 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2012-04-23 06:02 . 2009-08-21 18:47 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2012-04-23 06:02 . 2009-08-21 18:47 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2012-01-28 23:33 . 2011-11-14 21:16 260 ----a-w- c:\windows\system32\cmdVBS.vbs
2012-01-28 23:33 . 2011-11-14 21:16 256 ----a-w- c:\windows\system32\MSIevent.bat
2012-04-03 16:06 . 2011-07-07 23:11 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-11-25 352256]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2008-09-17 2065648]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-10 73728]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
"RTHDCPL"="RTHDCPL.EXE" [2005-11-10 15473664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"lxdemon.exe"="c:\program files\Lexmark 4800 Series\lxdemon.exe" [2007-06-11 455600]
"lxdeamon"="c:\program files\Lexmark 4800 Series\lxdeamon.exe" [2007-06-01 20480]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-19 188416]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"HostManager"="c:\program files\Common Files\AOL\1131163763\ee\AOLSoftware.exe" [2006-09-26 50736]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-11 316336]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe" [2011-02-03 233936]
.
c:\documents and settings\r\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
EZ-DUB Finder.lnk - c:\program files\EZ-DUB\EZ-DUB.exe [2006-3-1 266240]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-11-4 155648]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\StreamTransport\\StreamTransport.exe"=
"c:\\WINDOWS\\system32\\lxdecoms.exe"=
"c:\\Program Files\\Lexmark 4800 Series\\lxdemon.exe"=
"c:\\WINDOWS\\system32\\lxdecfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdepswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdetime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdejswx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [1/4/2012 3:22 PM 822624]
S2 lxde_device;lxde_device;c:\windows\system32\lxdecoms.exe -service --> c:\windows\system32\lxdecoms.exe -service [?]
S2 lxdeCATSCustConnectService;lxdeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdeserv.exe [11/9/2010 9:27 PM 99248]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [10/1/2011 9:30 AM 508776]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/29/2012 8:50 AM 158856]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [12/2/2009 10:23 PM 584680]
S3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [12/2/2009 10:23 PM 209512]
S3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [12/2/2009 10:23 PM 20584]
S3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [12/2/2009 10:23 PM 18280]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [10/1/2011 9:30 AM 219496]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
SrvcEKIOMngr
raysatxsi5_0server
iAimTV6
PolarUSB
eskerlicensecontrol
sscdbus
filemon701
BVRPMPR5
zppinger
avgtdi
bwsvc
itchfltr
.
Contents of the 'Scheduled Tasks' folder
.
2006-03-18 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-11-05 00:12]
.
2006-03-18 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-11-05 00:12]
.
2012-04-26 c:\windows\Tasks\User_Feed_Synchronization-{C0C6FD7C-7D56-4F24-96B5-527492FAB07E}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\r\Application Data\Mozilla\Firefox\Profiles\djp77js8.default\
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-26 14:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,11,cf,08,29,ac,b2,69,4a,be,f3,0d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,11,cf,08,29,ac,b2,69,4a,be,f3,0d,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(572)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1984)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
.
**************************************************************************
.
Completion time: 2012-04-26 14:22:38 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-26 18:22
.
Pre-Run: 51,250,528,256 bytes free
Post-Run: 51,251,302,400 bytes free
.
- - End Of File - - 18773A35295C08A84BB599DB9161D8B2

Hello


you have some key files that are infected and we are going to have to replace them


SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:

:filefind
explorer.exe
svchost.exe
winlogon.exe

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

heres the log. thanks again


SystemLook 30.07.11 by jpshortstuff
Log created at 17:40 on 26/04/2012 by r
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1058816 bytes [00:52 05/11/2005] [00:12 14/04/2008] 9A5BEC3EF331D6F79717F34404A46D9E
C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a---- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe -----c- 1033216 bytes [09:39 02/01/2009] [10:23 13/06/2007] 97BD6515465659FF8F3B7BE375B2EA87
C:\WINDOWS\$NtUninstallKB938828$\explorer.exe -----c- 1032192 bytes [07:02 15/08/2007] [12:00 04/08/2004] A0732187050030AE399B241436565E64
C:\WINDOWS\ERDNT\cache\explorer.exe --a---- 1033728 bytes [09:17 23/05/2010] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\ServicePackFiles\i386\explorer.exe ------- 1033728 bytes [08:58 18/12/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "svchost.exe"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 182856 bytes [09:36 03/04/2012] [18:53 13/01/2012] 63EEC8A8B221AB79045E776E5F592868
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe -----c- 14336 bytes [09:39 02/01/2009] [12:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\ERDNT\cache\svchost.exe --a---- 14336 bytes [09:17 23/05/2010] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------- 14336 bytes [09:01 18/12/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe --a---- 39936 bytes [00:53 05/11/2005] [00:12 14/04/2008] 29EFA4DFFF4BA6587C65A8260B3351F2

Searching for "winlogon.exe"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 182856 bytes [09:36 03/04/2012] [18:53 13/01/2012] 63EEC8A8B221AB79045E776E5F592868
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c- 502272 bytes [09:38 02/01/2009] [12:00 04/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\ERDNT\cache\winlogon.exe --a---- 507904 bytes [09:17 23/05/2010] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe ------- 507904 bytes [09:01 18/12/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 545280 bytes [00:53 05/11/2005] [00:12 14/04/2008] 84A84F5183410B4AE206927E63EA8D93

-= EOF =-

Blitzblank.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

• Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  
• Click the Script tab and copy/paste the following text there:

CopyFile:
C:\WINDOWS\ServicePackFiles\i386\explorer.exe C:\WINDOWS\explorer.exe 
C:\WINDOWS\ServicePackFiles\i386\svchost.exe C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe C:\WINDOWS\system32\winlogon.exe

• Click Execute Now. Your computer will need to reboot in order to replace the files.
  
• When done, post me the report created by Blitzblank. you can find it at the root of the drive Normaly C:\

heres the log and thank you again.


BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\explorer.exe", destinationFile = "\??\c:\windows\explorer.exe"CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\svchost.exe", destinationFile = "\??\c:\windows\system32\svchost.exe"CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\winlogon.exe", destinationFile = "\??\c:\windows\system32\winlogon.exe"

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

• In your next post I need the following
  
  
• report from Combofix
• let me know of any problems you may have had
• How is the computer doing now after running the script?

Gringo

heres the log. the computers running ok but, its still not completely working normally and I still can not connect to the internet.



ComboFix 12-04-26.01 - r 04/27/2012 0:57.32.1 - x86 NETWORK
Running from: c:\documents and settings\r\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\r\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{01420aa4-a91d-409d-bbde-9420528d3eb0}
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{01420aa4-a91d-409d-bbde-9420528d3eb0}\chrome.manifest
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{01420aa4-a91d-409d-bbde-9420528d3eb0}\chrome\xulcache.jar
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{01420aa4-a91d-409d-bbde-9420528d3eb0}\install.rdf
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{233b097f-b4d3-4b88-b202-c0fcca760afc}
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{233b097f-b4d3-4b88-b202-c0fcca760afc}\chrome.manifest
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{233b097f-b4d3-4b88-b202-c0fcca760afc}\chrome\xulcache.jar
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{233b097f-b4d3-4b88-b202-c0fcca760afc}\install.rdf
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{2f591f17-5b96-4214-95c8-06e9032163fa}
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{2f591f17-5b96-4214-95c8-06e9032163fa}\chrome.manifest
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{2f591f17-5b96-4214-95c8-06e9032163fa}\chrome\xulcache.jar
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{2f591f17-5b96-4214-95c8-06e9032163fa}\install.rdf
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{73cd9df3-73a0-45a6-bc6c-36679aef16a1}
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{73cd9df3-73a0-45a6-bc6c-36679aef16a1}\chrome.manifest
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{73cd9df3-73a0-45a6-bc6c-36679aef16a1}\chrome\xulcache.jar
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{73cd9df3-73a0-45a6-bc6c-36679aef16a1}\install.rdf
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{a47138b9-13e5-41f9-ab20-8f6cbfcdf64a}
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{a47138b9-13e5-41f9-ab20-8f6cbfcdf64a}\chrome.manifest
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{a47138b9-13e5-41f9-ab20-8f6cbfcdf64a}\chrome\xulcache.jar
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{a47138b9-13e5-41f9-ab20-8f6cbfcdf64a}\install.rdf
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{bab9dede-090e-4c53-833e-1aac9e336f63}
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{bab9dede-090e-4c53-833e-1aac9e336f63}\chrome.manifest
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{bab9dede-090e-4c53-833e-1aac9e336f63}\chrome\xulcache.jar
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{bab9dede-090e-4c53-833e-1aac9e336f63}\install.rdf
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{f661cf98-6322-4fb0-909a-53878f3483c7}
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{f661cf98-6322-4fb0-909a-53878f3483c7}\chrome.manifest
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{f661cf98-6322-4fb0-909a-53878f3483c7}\chrome\xulcache.jar
c:\documents and settings\CHRISTY\Application Data\Mozilla\Firefox\Profiles\lucqwg5b.default\extensions\{f661cf98-6322-4fb0-909a-53878f3483c7}\install.rdf
c:\documents and settings\CHRISTY\Local Settings\Application Data\{163EBFC6-36C0-4F78-BC93-8951B26552D5}
c:\documents and settings\CHRISTY\Local Settings\Application Data\{163EBFC6-36C0-4F78-BC93-8951B26552D5}\chrome.manifest
c:\documents and settings\CHRISTY\Local Settings\Application Data\{163EBFC6-36C0-4F78-BC93-8951B26552D5}\chrome\content\overlay.xul
c:\documents and settings\CHRISTY\Local Settings\Application Data\{163EBFC6-36C0-4F78-BC93-8951B26552D5}\install.rdf
.
c:\windows\system32\drivers\ipsec.sys . . . is infected!! . . . Failed to find a valid replacement.
.
((((((((((((((((((((((((( Files Created from 2012-03-27 to 2012-04-27 )))))))))))))))))))))))))))))))
.
.
2012-04-27 04:51 . 2012-04-27 04:51 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9861713C-2367-4795-B97C-0151D659386E}\offreg.dll
2012-04-24 19:10 . 2012-04-24 19:10 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9861713C-2367-4795-B97C-0151D659386E}\MpKslbb165094.sys
2012-04-24 00:29 . 2012-04-13 07:36 6734704 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9861713C-2367-4795-B97C-0151D659386E}\mpengine.dll
2012-04-23 06:03 . 2012-04-23 06:03 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2012-04-14 21:10 . 2012-04-14 21:10 -------- d-----w- c:\documents and settings\r\Application Data\Hensense.com
2012-04-14 21:09 . 2012-04-14 21:33 -------- d-----w- c:\program files\Hensence.com
2012-04-14 10:10 . 2012-04-14 10:16 -------- d-----w- c:\program files\DsNET Corp
2012-04-14 10:09 . 2012-04-14 10:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Ask
2012-04-09 22:21 . 2012-04-25 09:52 -------- d-----w- c:\program files\GetFLV2
2012-04-09 21:14 . 2012-04-09 21:14 -------- d-----w- C:\76d4a1b3876ec83e2eceb4b31f97c0
2012-04-08 19:27 . 2012-04-08 19:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-04-07 07:47 . 2012-04-07 07:47 -------- d-----w- c:\documents and settings\r\Local Settings\Application Data\{9D8B1860-8081-11E1-826D-B8AC6F996F26}
2012-04-07 07:42 . 2012-04-07 07:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-04-06 03:32 . 2012-04-06 03:32 0 ----a-w- c:\windows\system32\sho12.tmp
2012-04-05 17:18 . 2012-04-13 07:36 6734704 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-04 13:47 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-04-04 13:12 . 2012-04-04 13:12 -------- d-----w- c:\program files\Microsoft Security Client
2012-04-03 16:06 . 2012-04-03 16:06 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-04-03 16:06 . 2012-04-03 16:06 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-04-03 09:36 . 2012-04-03 09:36 -------- d-----w- c:\documents and settings\r\Application Data\Malwarebytes
2012-04-03 09:36 . 2011-12-10 19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-02 19:04 . 2012-04-02 19:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-04-02 19:01 . 2012-04-02 19:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-03-29 02:43 . 2012-03-29 02:44 -------- d-----w- c:\documents and settings\r\Local Settings\Application Data\SoftGrid Client
2012-03-29 02:43 . 2012-04-24 03:24 -------- d-----w- c:\documents and settings\r\Application Data\SoftGrid Client
2012-03-28 14:55 . 2012-03-28 14:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-27 03:14 . 2005-11-05 00:53 507904 ----a-w- c:\windows\system32\winlogon.exe
2012-04-27 03:14 . 2005-11-05 00:53 14336 ----a-w- c:\windows\system32\svchost.exe
2012-04-27 03:14 . 2005-11-05 00:52 1033728 ----a-w- c:\windows\explorer.exe
2012-04-23 06:35 . 2009-08-21 18:44 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2012-04-23 06:02 . 2009-08-21 18:47 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2012-04-23 06:02 . 2009-08-21 18:47 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2012-01-28 23:33 . 2011-11-14 21:16 260 ----a-w- c:\windows\system32\cmdVBS.vbs
2012-01-28 23:33 . 2011-11-14 21:16 256 ----a-w- c:\windows\system32\MSIevent.bat
2012-04-03 16:06 . 2011-07-07 23:11 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ipsec.sys
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[-] 2008-04-13 19:19 . FF20C1524BF8B2AD3E8420C09F5F82B9 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
[7] 2004-08-04 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
.
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ipsec.sys
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[-] 2008-04-13 19:19 . FF20C1524BF8B2AD3E8420C09F5F82B9 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
[7] 2004-08-04 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-11-25 352256]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2008-09-17 2065648]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-10 73728]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
"RTHDCPL"="RTHDCPL.EXE" [2005-11-10 15473664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"lxdemon.exe"="c:\program files\Lexmark 4800 Series\lxdemon.exe" [2007-06-11 455600]
"lxdeamon"="c:\program files\Lexmark 4800 Series\lxdeamon.exe" [2007-06-01 20480]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-19 188416]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"HostManager"="c:\program files\Common Files\AOL\1131163763\ee\AOLSoftware.exe" [2006-09-26 50736]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-11 316336]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe" [2011-02-03 233936]
.
c:\documents and settings\CHRISTY\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\r\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
EZ-DUB Finder.lnk - c:\program files\EZ-DUB\EZ-DUB.exe [2006-3-1 266240]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-11-4 155648]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\StreamTransport\\StreamTransport.exe"=
"c:\\WINDOWS\\system32\\lxdecoms.exe"=
"c:\\Program Files\\Lexmark 4800 Series\\lxdemon.exe"=
"c:\\WINDOWS\\system32\\lxdecfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdepswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdetime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdejswx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [1/4/2012 3:22 PM 822624]
S2 lxde_device;lxde_device;c:\windows\system32\lxdecoms.exe -service --> c:\windows\system32\lxdecoms.exe -service [?]
S2 lxdeCATSCustConnectService;lxdeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdeserv.exe [11/9/2010 9:27 PM 99248]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [10/1/2011 9:30 AM 508776]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/29/2012 8:50 AM 158856]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [12/2/2009 10:23 PM 584680]
S3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [12/2/2009 10:23 PM 209512]
S3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [12/2/2009 10:23 PM 20584]
S3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [12/2/2009 10:23 PM 18280]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [10/1/2011 9:30 AM 219496]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
SrvcEKIOMngr
raysatxsi5_0server
iAimTV6
PolarUSB
eskerlicensecontrol
sscdbus
filemon701
BVRPMPR5
zppinger
avgtdi
bwsvc
itchfltr
.
Contents of the 'Scheduled Tasks' folder
.
2006-03-18 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-11-05 00:12]
.
2006-03-18 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-11-05 00:12]
.
2012-04-27 c:\windows\Tasks\User_Feed_Synchronization-{C0C6FD7C-7D56-4F24-96B5-527492FAB07E}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\r\Application Data\Mozilla\Firefox\Profiles\djp77js8.default\
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-27 01:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,11,cf,08,29,ac,b2,69,4a,be,f3,0d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,11,cf,08,29,ac,b2,69,4a,be,f3,0d,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(572)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-04-27 01:17:41
ComboFix-quarantined-files.txt 2012-04-27 05:17
ComboFix2.txt 2012-04-26 18:22
.
Pre-Run: 51,226,173,440 bytes free
Post-Run: 51,241,066,496 bytes free
.
- - End Of File - - 1554175E268C968A35DDD1C06E972E86

Hello

Lets check your internet connection

Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure all the boxes are checked
• Press "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please copy and paste the log to your reply.

Gringo

heres the log and thanks again for all your help.

Farbar Service Scanner Version: 24-04-2012
Ran by r (administrator) on 27-04-2012 at 12:16:48
Running from "C:\Documents and Settings\r\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returned error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys
[2005-11-04 20:52] - [2008-04-13 15:19] - 0075264 ____A () FF20C1524BF8B2AD3E8420C09F5F82B9

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000005000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:

:filefind
ipsec.sys

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

heres the log thanks again

SystemLook 30.07.11 by jpshortstuff
Log created at 13:40 on 27/04/2012 by r
Administrator - Elevation successful

========== filefind ==========

Searching for "ipsec.sys"
C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys -----c- 74752 bytes [09:38 02/01/2009] [12:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\ERDNT\cache\ipsec.sys --a---- 75264 bytes [07:36 24/02/2012] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys ------- 75264 bytes [08:59 18/12/2008] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\drivers\ipsec.sys --a---- 75264 bytes [00:52 05/11/2005] [19:19 13/04/2008] FF20C1524BF8B2AD3E8420C09F5F82B9

-= EOF =-

Hello

After you run this check if you can connect to internet


:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

FCopy::
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys | C:\WINDOWS\system32\drivers\ipsec.sy

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

• In your next post I need the following
  
  
• report from Combofix
• let me know of any problems you may have had
• How is the computer doing now after running the script?

Gringo

ok so so the pc can find the network and connect to it but, none of the browsers will connect to the internet.

heres the log and thanks again



ComboFix 12-04-26.01 - r 04/27/2012 14:32:51.33.1 - x86 NETWORK
Running from: c:\documents and settings\r\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\r\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\CHRISTY\Desktop\Search.lnk
c:\windows\system32\svch.dat
c:\windows\system32\winl.dat
.
c:\windows\system32\drivers\ipsec.sys . . . is infected!! . . . Failed to find a valid replacement.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\ipsec.sys --> c:\windows\system32\drivers\ipsec.sy
.
((((((((((((((((((((((((( Files Created from 2012-03-27 to 2012-04-27 )))))))))))))))))))))))))))))))
.
.
2012-04-27 18:25 . 2012-04-27 18:25 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9861713C-2367-4795-B97C-0151D659386E}\offreg.dll
2012-04-27 16:08 . 2012-04-27 16:08 -------- d-----w- c:\documents and settings\r\Application Data\HP
2012-04-24 19:10 . 2012-04-24 19:10 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9861713C-2367-4795-B97C-0151D659386E}\MpKslbb165094.sys
2012-04-24 00:29 . 2012-04-13 07:36 6734704 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9861713C-2367-4795-B97C-0151D659386E}\mpengine.dll
2012-04-23 06:03 . 2012-04-23 06:03 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2012-04-14 21:10 . 2012-04-14 21:10 -------- d-----w- c:\documents and settings\r\Application Data\Hensense.com
2012-04-14 21:09 . 2012-04-14 21:33 -------- d-----w- c:\program files\Hensence.com
2012-04-14 10:10 . 2012-04-14 10:16 -------- d-----w- c:\program files\DsNET Corp
2012-04-14 10:09 . 2012-04-14 10:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Ask
2012-04-09 22:21 . 2012-04-25 09:52 -------- d-----w- c:\program files\GetFLV2
2012-04-09 21:14 . 2012-04-09 21:14 -------- d-----w- C:\76d4a1b3876ec83e2eceb4b31f97c0
2012-04-08 19:27 . 2012-04-08 19:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-04-07 07:47 . 2012-04-07 07:47 -------- d-----w- c:\documents and settings\r\Local Settings\Application Data\{9D8B1860-8081-11E1-826D-B8AC6F996F26}
2012-04-07 07:42 . 2012-04-07 07:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-04-06 03:32 . 2012-04-06 03:32 0 ----a-w- c:\windows\system32\sho12.tmp
2012-04-05 17:18 . 2012-04-13 07:36 6734704 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-04 13:47 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-04-04 13:12 . 2012-04-04 13:12 -------- d-----w- c:\program files\Microsoft Security Client
2012-04-03 16:06 . 2012-04-03 16:06 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-04-03 16:06 . 2012-04-03 16:06 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-04-03 09:36 . 2012-04-03 09:36 -------- d-----w- c:\documents and settings\r\Application Data\Malwarebytes
2012-04-03 09:36 . 2011-12-10 19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-02 19:04 . 2012-04-02 19:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-04-02 19:01 . 2012-04-02 19:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-03-29 02:43 . 2012-03-29 02:44 -------- d-----w- c:\documents and settings\r\Local Settings\Application Data\SoftGrid Client
2012-03-29 02:43 . 2012-04-24 03:24 -------- d-----w- c:\documents and settings\r\Application Data\SoftGrid Client
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-27 03:14 . 2005-11-05 00:53 507904 ----a-w- c:\windows\system32\winlogon.exe
2012-04-27 03:14 . 2005-11-05 00:53 14336 ----a-w- c:\windows\system32\svchost.exe
2012-04-27 03:14 . 2005-11-05 00:52 1033728 ----a-w- c:\windows\explorer.exe
2012-04-23 06:35 . 2009-08-21 18:44 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2012-04-23 06:02 . 2009-08-21 18:47 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2012-04-23 06:02 . 2009-08-21 18:47 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2012-01-28 23:33 . 2011-11-14 21:16 260 ----a-w- c:\windows\system32\cmdVBS.vbs
2012-01-28 23:33 . 2011-11-14 21:16 256 ----a-w- c:\windows\system32\MSIevent.bat
2012-04-03 16:06 . 2011-07-07 23:11 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ipsec.sys
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[-] 2008-04-13 19:19 . FF20C1524BF8B2AD3E8420C09F5F82B9 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
[7] 2004-08-04 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
.
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ipsec.sys
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[-] 2008-04-13 19:19 . FF20C1524BF8B2AD3E8420C09F5F82B9 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
[7] 2004-08-04 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-11-25 352256]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2008-09-17 2065648]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-10 73728]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
"RTHDCPL"="RTHDCPL.EXE" [2005-11-10 15473664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"lxdemon.exe"="c:\program files\Lexmark 4800 Series\lxdemon.exe" [2007-06-11 455600]
"lxdeamon"="c:\program files\Lexmark 4800 Series\lxdeamon.exe" [2007-06-01 20480]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-19 188416]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"HostManager"="c:\program files\Common Files\AOL\1131163763\ee\AOLSoftware.exe" [2006-09-26 50736]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-11 316336]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe" [2011-02-03 233936]
.
c:\documents and settings\CHRISTY\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\r\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
EZ-DUB Finder.lnk - c:\program files\EZ-DUB\EZ-DUB.exe [2006-3-1 266240]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-11-4 155648]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\StreamTransport\\StreamTransport.exe"=
"c:\\WINDOWS\\system32\\lxdecoms.exe"=
"c:\\Program Files\\Lexmark 4800 Series\\lxdemon.exe"=
"c:\\WINDOWS\\system32\\lxdecfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdepswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdetime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdejswx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [1/4/2012 3:22 PM 822624]
S2 lxde_device;lxde_device;c:\windows\system32\lxdecoms.exe -service --> c:\windows\system32\lxdecoms.exe -service [?]
S2 lxdeCATSCustConnectService;lxdeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdeserv.exe [11/9/2010 9:27 PM 99248]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [10/1/2011 9:30 AM 508776]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/29/2012 8:50 AM 158856]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [12/2/2009 10:23 PM 584680]
S3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [12/2/2009 10:23 PM 209512]
S3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [12/2/2009 10:23 PM 20584]
S3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [12/2/2009 10:23 PM 18280]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [10/1/2011 9:30 AM 219496]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
SrvcEKIOMngr
raysatxsi5_0server
iAimTV6
PolarUSB
eskerlicensecontrol
sscdbus
filemon701
BVRPMPR5
zppinger
avgtdi
bwsvc
itchfltr
.
Contents of the 'Scheduled Tasks' folder
.
2006-03-18 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-11-05 00:12]
.
2006-03-18 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-11-05 00:12]
.
2012-04-27 c:\windows\Tasks\User_Feed_Synchronization-{C0C6FD7C-7D56-4F24-96B5-527492FAB07E}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\r\Application Data\Mozilla\Firefox\Profiles\djp77js8.default\
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-27 14:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,11,cf,08,29,ac,b2,69,4a,be,f3,0d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,11,cf,08,29,ac,b2,69,4a,be,f3,0d,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-04-27 14:52:29
ComboFix-quarantined-files.txt 2012-04-27 18:52
ComboFix2.txt 2012-04-27 05:17
ComboFix3.txt 2012-04-26 18:22
.
Pre-Run: 51,256,176,640 bytes free
Post-Run: 51,249,487,872 bytes free
.
- - End Of File - - C5235B62AD8CB6539AB0763BB9C42999