
Unknown Problem


  • This topic is locked
18 replies to this topic

#1 JeffQS

JeffQS

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:10 PM

Posted 14 June 2008 - 01:14 PM

My anti-virus picks up Termddd.sys and I get annoying popups and laptop doesn't run as well as it could.

Here is my HijackThis log...



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:46 AM, on 6/14/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: McAfee Application Installer Cleanup (0130601200595183) (0130601200595183mcinstcleanup) - Unknown owner - C:\Users\Jeff\AppData\Local\Temp\013060~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe

--
End of file - 7889 bytes
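The log above is in HijackThis v2.0.2 format, and the usual way helpers read it is line by line, section by section (O4 Run keys, O20 AppInit_DLLs, O23 services). As an added example, not part of this thread and not a HijackThis or BleepingComputer tool, here is a small Python triage pass that parses those three sections and attaches first-look review flags. The sample lines are constructed from the kinds of entries seen above, and the flag names (`file-missing`, `unknown-owner`, `temp-location`, `unqualified-path`, `appinit-dll`) are this example's own choice. The flags are prompts for a human reviewer, not verdicts about any machine: plenty of legitimate software trips them.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input (added example): a few lines in the HijackThis
# v2.0.2 format seen in the log above, not a complete log.
SAMPLE_LOG = "\n".join([
    r'O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto',
    r"O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE",
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r"O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll",
    r"O23 - Service: McAfee Application Installer Cleanup (0130601200595183) (0130601200595183mcinstcleanup) - Unknown owner - C:\Users\Jeff\AppData\Local\Temp\013060~1.EXE (file missing)",
    r"O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe",
])

# Every HijackThis finding starts with a section code (R0, O4, O23, ...).
LINE_RE = re.compile(r"^(?P<section>[ORF]\d+) - (?P<body>.*)$")
# O4 - <hive>\..\Run: [<name>] <command line>
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: <display name> (<short name>) - <owner> - <image path>
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def first_token(cmd: str) -> str:
    """Return the executable part of a Run command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_flags(entry: Dict) -> List[str]:
    """First-pass review points, in a fixed order. These are prompts for a
    human reviewer, not verdicts: legitimate software trips them too."""
    flags = []
    if "(file missing)" in entry["raw"]:
        flags.append("file-missing")      # registration points at nothing on disk
    if entry["owner"] == "Unknown owner":
        flags.append("unknown-owner")     # service carries no vendor string
    path = entry["path"] or ""
    if TEMP_RE.search(path):
        flags.append("temp-location")     # binary lives under a Temp directory
    if entry["section"] == "O4" and path and "\\" not in path:
        flags.append("unqualified-path")  # bare name: confirm where it resolves
    if entry["section"] == "O20" and path:
        flags.append("appinit-dll")       # loaded into every process that loads user32.dll
    return flags


def parse_hjt(text: str) -> List[Dict]:
    """Parse O4, O20 and O23 findings; other sections keep their raw text only."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue  # headers, running-process list, blank lines
        section, body = m.group("section"), m.group("body")
        entry = {"section": section, "raw": raw, "name": None,
                 "owner": None, "path": None, "flags": []}
        if section == "O4":
            mm = O4_RE.match(body)
            if mm:
                entry["name"] = mm.group("name")
                entry["path"] = first_token(mm.group("cmd"))
        elif section == "O23":
            mm = O23_RE.match(body)
            if mm:
                entry["name"] = mm.group("name")
                entry["owner"] = mm.group("owner")
                entry["path"] = mm.group("path").replace("(file missing)", "").strip()
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            entry["name"] = "AppInit_DLLs"
            entry["path"] = body.split(":", 1)[1].strip()
        entry["flags"] = triage_flags(entry)
        entries.append(entry)
    return entries


def flagged(text: str) -> List[Dict]:
    """Only the entries a reviewer should look at first."""
    return [e for e in parse_hjt(text) if e["flags"]]


def find_entry(entries: List[Dict], needle: str) -> Optional[Dict]:
    """First entry whose raw line contains the given substring."""
    return next((e for e in entries if needle in e["raw"]), None)


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(", ".join(e["flags"]).ljust(45), e["raw"][:90])
```

Run it on a saved hijackthis.log by passing the file's text to `flagged()`; the point of the fixed flag order is that two reviewers comparing notes get identical output for the same line. Extending it to other sections (O2 BHOs, O16 DPF downloads) is a matter of adding one regex each.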


#2 JeffQS

JeffQS
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:10 PM

Posted 15 June 2008 - 12:02 PM

:thumbsup:

#3 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:05:10 AM

Posted 15 June 2008 - 01:18 PM

Hello JeffQS and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users!).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted ... And make a difference

#4 JeffQS

JeffQS
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:10 PM

Posted 15 June 2008 - 05:29 PM

ComboFix 08-06-15.2 - Jeff 2008-06-15 15:17:18.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1138 [GMT -7:00]
Running from: C:\Users\Jeff\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\drivers\core.cache.dsk . . . . failed to delete
.
---- Previous Run -------
.
C:\Windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-14 16:00 . 2008-06-14 16:00 <DIR> d-------- C:\Program Files\Sun
2008-06-14 11:10 . 2008-06-14 11:10 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-14 10:41 . 2008-04-22 21:42 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-06-14 10:41 . 2008-04-22 21:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-06-14 10:41 . 2008-04-22 21:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-14 10:41 . 2008-04-22 21:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-10 12:11 . 2008-05-09 20:35 885,248 --a------ C:\Windows\System32\RacEngn.dll
2008-06-10 12:11 . 2008-05-09 15:22 9,127 --a------ C:\Windows\System32\RacUR.xml
2008-06-10 12:11 . 2008-05-09 15:22 153 --a------ C:\Windows\System32\RacUREx.xml
2008-06-10 12:09 . 2008-04-26 01:08 1,314,816 --a------ C:\Windows\System32\quartz.dll
2008-06-10 12:09 . 2008-05-09 18:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-10 12:08 . 2008-04-24 19:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-06-10 12:08 . 2008-04-24 21:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-05 12:10 . 2008-06-15 09:48 <DIR> d-------- C:\Windows\System32\drivers\Avg
2008-06-05 12:10 . 2008-06-05 12:10 96,520 --a------ C:\Windows\System32\drivers\avgldx86.sys
2008-06-05 12:10 . 2008-06-05 12:10 67,080 --a------ C:\Windows\System32\drivers\avgwfpx.sys
2008-06-05 12:10 . 2008-06-05 12:10 10,520 --a------ C:\Windows\System32\avgrsstx.dll
2008-06-05 12:09 . 2008-06-05 12:09 <DIR> d-------- C:\Users\All Users\avg8
2008-06-05 12:09 . 2008-06-05 12:09 <DIR> d-------- C:\ProgramData\avg8
2008-06-05 12:09 . 2008-06-05 12:09 <DIR> d-------- C:\Program Files\AVG
2008-05-29 18:52 . 2008-05-29 18:52 <DIR> d-------- C:\PerfLogs
2008-05-29 17:42 . 2008-01-19 00:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll
2008-05-29 17:41 . 2008-01-19 00:33 8,139,264 --a------ C:\Windows\System32\ssBranded.scr
2008-05-29 17:40 . 2008-01-18 23:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-05-29 17:39 . 2008-01-19 00:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll
2008-05-29 17:39 . 2008-01-19 00:36 357,888 --a------ C:\Windows\System32\wbemcomn.dll
2008-05-29 17:39 . 2008-01-19 00:34 305,152 --a------ C:\Windows\System32\msdelta.dll
2008-05-29 17:39 . 2008-01-19 00:34 258,560 --a------ C:\Windows\System32\dpx.dll
2008-05-29 17:39 . 2008-01-19 00:34 246,784 --a------ C:\Windows\System32\drvstore.dll
2008-05-29 17:39 . 2008-01-19 00:36 218,624 --a------ C:\Windows\System32\wdscore.dll
2008-05-29 17:39 . 2008-01-19 00:36 139,264 --a------ C:\Windows\System32\SmiInstaller.dll
2008-05-29 17:39 . 2008-01-19 00:33 130,560 --a------ C:\Windows\System32\PkgMgr.exe
2008-05-29 17:39 . 2008-01-19 00:35 35,328 --a------ C:\Windows\System32\mspatcha.dll
2008-05-27 15:38 . 2008-03-07 19:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-27 15:38 . 2008-03-07 21:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
2008-05-22 11:24 . 2008-05-22 11:24 <DIR> d-------- C:\Users\All Users\Office Genuine Advantage
2008-05-22 11:24 . 2008-05-22 11:24 <DIR> d-------- C:\ProgramData\Office Genuine Advantage
2008-05-18 14:56 . 2008-05-18 14:57 <DIR> d-------- C:\Users\Jeff\.SunDownloadManager
2008-05-17 02:17 . 2008-05-17 02:17 <DIR> d-------- C:\Users\Jeff\AppData\Roaming\DivX
2008-05-17 02:16 . 2008-05-17 02:16 <DIR> d-------- C:\Program Files\DivX
2008-05-17 02:16 . 2008-05-17 02:16 <DIR> d-------- C:\Program Files\Common Files\PX Storage Engine

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 22:20 47,104 ----a-w C:\Windows\System32\rpcnet.dll
2008-06-15 22:20 17,408 ----a-w C:\Windows\System32\rpcnetp.exe
2008-06-15 22:07 17,408 ----a-w C:\Windows\System32\rpcnetp.dll
2008-06-15 22:04 --------- d-----w C:\Users\Jeff\AppData\Roaming\.purple
2008-06-14 23:00 --------- d-----w C:\Program Files\Java
2008-06-12 22:54 27,240 ----a-w C:\Users\Jeff\AppData\Roaming\nvModes.dat
2008-06-11 14:41 --------- d-----w C:\Program Files\Windows Mail
2008-06-10 17:20 --------- d-----w C:\Program Files\Common Files\Logishrd
2008-06-10 17:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-30 06:29 174 --sha-w C:\Program Files\desktop.ini
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Journal
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Defender
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Collaboration
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Calendar
2008-05-30 00:55 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-05-30 00:55 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-05-28 23:23 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-22 19:14 --------- d-----w C:\Users\Jeff\AppData\Roaming\OpenOffice.org2
2008-05-17 09:13 --------- d-----w C:\Users\Jeff\AppData\Roaming\Toshiba
2008-05-15 04:48 --------- d-----w C:\ProgramData\LogiShrd
2008-05-15 04:47 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-05-15 04:45 --------- d-----w C:\ProgramData\Logitech
2008-05-14 03:07 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-14 00:31 --------- d-----w C:\Users\Jeff\AppData\Roaming\Download Manager
2008-05-13 23:19 --------- d-----w C:\Program Files\World of Warcraft
2008-05-13 22:47 47,104 ----a-w C:\Windows\System32\rpcnet.exe
2008-05-13 01:53 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-05-13 01:53 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-05-13 01:51 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-05-13 01:51 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-05-13 01:49 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-05-13 01:49 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-04-26 23:27 --------- d-----w C:\Program Files\Steam
2008-04-22 03:50 --------- d-----w C:\Users\Jeff\AppData\Roaming\BitTorrent
2008-04-16 18:48 --------- d-----w C:\Program Files\Apple Software Update
2008-04-06 05:38 886,784 ----a-w C:\Windows\ebook_library.dll
2008-03-15 17:07 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
2007-05-31 04:40 262,144 ----a-w C:\ProgramData\ntuser.dat
2008-01-16 19:42 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-01-16 19:42 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-01-16 19:42 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@={F2F31467-B1AC-4df0-AE79-FD5FA085E22B}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@={A3E208F7-0E3A-4182-A7A6-B169D5D691AA}

[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-03 18:03 2854912 --a------ C:\Program Files\Protector Suite QL\farchns.dll

[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-03 18:03 2854912 --a------ C:\Program Files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-01-22 08:59 417792]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 00:33 1233920]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 00:33 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2008-01-19 00:33 227840]
"XboxStat"="C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 19:05 734264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-27 07:32 898344]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 10:39 411192]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-28 01:29 4472832 C:\Windows\RtHDVCpl.exe]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 07:00 204800]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-22 21:42 438272]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-03-22 11:46 448632]
"NDSTray.exe"="NDSTray.exe" []
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 17:14 34352]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 16:49 55416]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 16:32 538744]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\Windows\KHALMNPR.Exe]
"Skytel"="Skytel.exe" [2007-05-28 05:39 1826816 C:\Windows\SkyTel.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-06-06 01:07 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-06-06 01:07 8433664]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-06-06 01:07 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-05 12:10 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\Windows\system32\psqlpwd.dll 2006-12-03 17:50 90112 C:\Windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.divxa32"= divxa32.acm

[HKLM\~\startupfolder\C:^Users^Jeff^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=C:\Windows\pss\OpenOffice.org 2.3.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jeff^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
path=C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Registration Heroes of Might & Magic 5.LNK
backup=C:\Windows\pss\Registration Heroes of Might & Magic 5.LNK.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2008-01-26 13:04 2476408 C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-01-21 17:24 290112 C:\Users\Jeff\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
--a------ 2007-04-10 17:40 413696 C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-03-21 01:30 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-05-30 21:52 1862144 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
--a------ 2006-12-03 17:29 49168 C:\Program Files\Protector Suite QL\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-03 10:15 1271032 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E6B074BD-6FF1-4D1D-924D-06BA35F59D1F}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{02B851C0-B67E-4B34-9C4A-03767CED8289}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4D6FF50C-CC68-4104-B533-4819EF0BA269}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1073FC7B-AF0F-4263-BF63-32D363B90469}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{615C1CAB-5993-486B-9C0B-01F4A1AB46AA}"= UDP:C:\Program Files\World of Warcraft\Launcher.exe:World of Warcraft
"{B384F58E-B161-4188-B79C-16BF93DA51F3}"= TCP:C:\Program Files\World of Warcraft\Launcher.exe:World of Warcraft
"{BC0D3764-B4BE-4FAD-BED2-A8C29121EA17}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{F6C3A478-C898-41F8-B0C6-9FD18780E66A}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{4FFD7A75-79BB-4831-B57C-02537B6C10DB}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{F3E8ECF4-B09D-460E-9CF2-351445E0AAB2}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{423DE931-DD85-450D-A0EB-FB9CB3CF984B}C:\\users\\jeff\\program files\\dna\\btdna.exe"= UDP:C:\users\jeff\program files\dna\btdna.exe:btdna.exe
"UDP Query User{29276765-ECDF-4B36-B2A6-9A13F81BE848}C:\\users\\jeff\\program files\\dna\\btdna.exe"= TCP:C:\users\jeff\program files\dna\btdna.exe:btdna.exe
"TCP Query User{A5E50147-A13E-46D9-90AD-0C3BE3F70EB4}C:\\program files\\frostwire\\frostwire.exe"= UDP:C:\program files\frostwire\frostwire.exe:FrostWire
"UDP Query User{95A0C47D-58BD-4D6D-844B-F7725ED68FA2}C:\\program files\\frostwire\\frostwire.exe"= TCP:C:\program files\frostwire\frostwire.exe:FrostWire
"TCP Query User{71C5B77B-615C-4199-9A39-E05459125793}C:\\program files\\pidgin\\pidgin.exe"= UDP:C:\program files\pidgin\pidgin.exe:Pidgin
"UDP Query User{1F2C16CC-8531-464B-8A57-D15FCD37AAB3}C:\\program files\\pidgin\\pidgin.exe"= TCP:C:\program files\pidgin\pidgin.exe:Pidgin
"TCP Query User{6E7B5BE7-9800-4F6C-A907-57E9FDA408FA}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{730F399F-F641-4324-8B56-94994ED7B221}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{63307E93-2CC9-46E9-B898-5B50C687A084}C:\\users\\jeff\\program files\\bittorrent\\bittorrent.exe"= UDP:C:\users\jeff\program files\bittorrent\bittorrent.exe:bittorrent.exe
"UDP Query User{66DDC797-0395-4F4D-9C95-E96FFB711029}C:\\users\\jeff\\program files\\bittorrent\\bittorrent.exe"= TCP:C:\users\jeff\program files\bittorrent\bittorrent.exe:bittorrent.exe
"TCP Query User{16ACA39D-D46F-47DD-ACCC-E4A3442C3B91}C:\\program files\\world of warcraft\\repair.exe"= UDP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"UDP Query User{EA353A24-1FAD-48AB-BF0A-A9B13E333C92}C:\\program files\\world of warcraft\\repair.exe"= TCP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"TCP Query User{5055FD15-7069-409F-884D-68E823DEDFB6}C:\\program files\\steam\\steamapps\\conceled\\counter-strike\\hl.exe"= UDP:C:\program files\steam\steamapps\conceled\counter-strike\hl.exe:Half-Life Launcher
"UDP Query User{DBF608EB-A778-47C8-82CE-EFB0D7C45475}C:\\program files\\steam\\steamapps\\conceled\\counter-strike\\hl.exe"= TCP:C:\program files\steam\steamapps\conceled\counter-strike\hl.exe:Half-Life Launcher
"{D85251C4-2E51-4F6B-9986-FB3242363802}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{0E9F7832-1FBD-4AC7-936A-F1FCB46D781D}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{A7C236AB-DAF0-4AC4-B009-CD911BCD6A45}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{500FC541-A9EA-4879-8A71-5C214CD9B3D6}"= C:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 LPCFilter;LPC Lower Filter Driver;C:\Windows\system32\DRIVERS\LPCFilter.sys [2006-07-28 16:25]
R0 tos_sps32;TOSHIBA tos_sps32 Service;C:\Windows\system32\DRIVERS\tos_sps32.sys [2007-04-27 21:13]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-06-05 12:10]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-05 12:10]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-05 12:10]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 12:43]
R3 AvgWfpX;AVG8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-06-05 12:10]
R3 TcUsb;TC USB Kernel Driver;C:\Windows\system32\Drivers\tcusb.sys [2006-12-03 17:21]
R3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 16:32]
R3 UVCFTR;UVCFTR;C:\Windows\system32\Drivers\UVCFTR_S.SYS [2007-04-16 11:19]
S2 0130601200595183mcinstcleanup;McAfee Application Installer Cleanup (0130601200595183);C:\Users\Jeff\AppData\Local\Temp\013060~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-04-03 10:16]
S3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 11:50]
S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2006-02-14 11:50]
S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2005-09-27 16:57]
S4 KR3NPXP;KR3NPXP;C:\Windows\system32\drivers\kr3npxp.sys [2006-09-27 20:06]
S4 pinger;pinger;C:\Toshiba\IVP\ISM\pinger.exe [2007-01-25 17:47]
S4 TNaviSrv;TOSHIBA Navi Support Service;C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe [2007-04-27 21:15]
S4 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-25 21:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{add6612c-e725-11dc-9669-001b38aece2a}]
\shell\AutoRun\command - E:\Installer.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 15:21:21
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> ?:\Program Files\Adobe\Reader 8.0\Reader\viewerps.dll
-> ?:\Program Files\Adobe\Reader 8.0\Reader\viewerps.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\audiodg.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Windows\System32\wlanext.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\System32\rpcnet.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\System32\dllhost.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Windows\System32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-06-15 15:27:29 - machine was rebooted [Jeff]
ComboFix-quarantined-files.txt 2008-06-15 22:27:12

Pre-Run: 178,249,375,744 bytes free
Post-Run: 178,110,840,832 bytes free

286 --- E O F --- 2008-06-14 18:19:02

#5 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 16 June 2008 - 03:07 AM

Hello Jeff,

Can you elaborate a little more on this:

"My anti-virus picks up Termddd.sys and I get annoying popups"

Where does it find Termddd.sys and what action was taken?
What kind of popups do you get, and when does this happen?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#6 JeffQS

JeffQS
  • Topic Starter

  • Members
  • 10 posts

Posted 16 June 2008 - 03:33 AM

Well, I know most of my popups occur within 5+ minutes after restarting my computer.

zudo, primosearch, knockoutdebt, to name a few of the site popups I get.

As for finding Termddd.sys, I just know that my anti-virus picks it up and I can heal, ignore, or move to vault as options.

#7 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 16 June 2008 - 03:50 AM

Hello Jeff,

Reconfigure Windows XP to show hidden files:
  • Click Start. Open My Computer.
  • Select the Tools menu and click Folder Options. Select the View Tab.
  • Under the Hidden files and folders heading select "Show hidden files and folders".
  • Uncheck the Hide protected operating system files (recommended) option.
  • Uncheck the Hide file extensions for known file types option.
  • Click Yes to confirm. Click OK.

Navigate, using Windows Explorer, to and delete the content of the following folders (NOT the folders themselves !!!):
  • C:\WINDOWS\Temp <== folder
  • C:\Documents and Settings\Jeff\Local Settings\Temp <== folder
  • C:\Documents and Settings\All Users\Local Settings\Temp <== folder
  • C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5 <== folder

Next go to Start > Run, type cmd and hit OK.
In the command window that opens, type ipconfig /flushdns (that space between g and / is needed), then hit Enter. Type Exit and hit Enter to close the window.

As for that Termddd.sys, I hope you choose to "Move to vault" ?
Any idea on the exact location this file is found on your system ?

Greetings,
Thunder

#8 JeffQS

JeffQS
  • Topic Starter

  • Members
  • 10 posts

Posted 16 June 2008 - 01:06 PM

Alright, I deleted all that was in the folders. As for the Termddd.sys, I took a screenshot of what the virus scan pops up with.

Posted Image

#9 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 16 June 2008 - 03:59 PM

Hello Jeff,

Please boot into Safe Mode:
Restart your computer and tap F8 before WinXP starts to load and choose Safe Mode.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter.

Then, from safe mode, run ComboFix again and post the new log in your next reply please.

Greetings,
Thunder

#10 JeffQS

JeffQS
  • Topic Starter

  • Members
  • 10 posts

Posted 16 June 2008 - 07:54 PM

ComboFix 08-06-15.2 - Jeff 2008-06-16 17:41:23.3 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1584 [GMT -7:00]
Running from: C:\Users\Jeff\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-14 16:00 . 2008-06-14 16:00 <DIR> d-------- C:\Program Files\Sun
2008-06-14 11:10 . 2008-06-14 11:10 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-14 10:41 . 2008-04-22 21:42 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-06-14 10:41 . 2008-04-22 21:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-06-14 10:41 . 2008-04-22 21:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-14 10:41 . 2008-04-22 21:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-10 12:11 . 2008-05-09 20:35 885,248 --a------ C:\Windows\System32\RacEngn.dll
2008-06-10 12:11 . 2008-05-09 15:22 9,127 --a------ C:\Windows\System32\RacUR.xml
2008-06-10 12:11 . 2008-05-09 15:22 153 --a------ C:\Windows\System32\RacUREx.xml
2008-06-10 12:09 . 2008-04-26 01:08 1,314,816 --a------ C:\Windows\System32\quartz.dll
2008-06-10 12:09 . 2008-05-09 18:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-10 12:08 . 2008-04-24 19:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-06-10 12:08 . 2008-04-24 21:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-05 12:10 . 2008-06-16 10:55 <DIR> d-------- C:\Windows\System32\drivers\Avg
2008-06-05 12:10 . 2008-06-05 12:10 96,520 --a------ C:\Windows\System32\drivers\avgldx86.sys
2008-06-05 12:10 . 2008-06-05 12:10 67,080 --a------ C:\Windows\System32\drivers\avgwfpx.sys
2008-06-05 12:10 . 2008-06-05 12:10 10,520 --a------ C:\Windows\System32\avgrsstx.dll
2008-06-05 12:09 . 2008-06-05 12:09 <DIR> d-------- C:\Users\All Users\avg8
2008-06-05 12:09 . 2008-06-05 12:09 <DIR> d-------- C:\ProgramData\avg8
2008-06-05 12:09 . 2008-06-05 12:09 <DIR> d-------- C:\Program Files\AVG
2008-05-29 18:52 . 2008-05-29 18:52 <DIR> d-------- C:\PerfLogs
2008-05-29 17:42 . 2008-01-19 00:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll
2008-05-29 17:41 . 2008-01-19 00:33 8,139,264 --a------ C:\Windows\System32\ssBranded.scr
2008-05-29 17:40 . 2008-01-18 23:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-05-29 17:39 . 2008-01-19 00:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll
2008-05-29 17:39 . 2008-01-19 00:36 357,888 --a------ C:\Windows\System32\wbemcomn.dll
2008-05-29 17:39 . 2008-01-19 00:34 305,152 --a------ C:\Windows\System32\msdelta.dll
2008-05-29 17:39 . 2008-01-19 00:34 258,560 --a------ C:\Windows\System32\dpx.dll
2008-05-29 17:39 . 2008-01-19 00:34 246,784 --a------ C:\Windows\System32\drvstore.dll
2008-05-29 17:39 . 2008-01-19 00:36 218,624 --a------ C:\Windows\System32\wdscore.dll
2008-05-29 17:39 . 2008-01-19 00:36 139,264 --a------ C:\Windows\System32\SmiInstaller.dll
2008-05-29 17:39 . 2008-01-19 00:33 130,560 --a------ C:\Windows\System32\PkgMgr.exe
2008-05-29 17:39 . 2008-01-19 00:35 35,328 --a------ C:\Windows\System32\mspatcha.dll
2008-05-27 15:38 . 2008-03-07 19:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-27 15:38 . 2008-03-07 21:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
2008-05-22 11:24 . 2008-05-22 11:24 <DIR> d-------- C:\Users\All Users\Office Genuine Advantage
2008-05-22 11:24 . 2008-05-22 11:24 <DIR> d-------- C:\ProgramData\Office Genuine Advantage
2008-05-18 14:56 . 2008-05-18 14:57 <DIR> d-------- C:\Users\Jeff\.SunDownloadManager
2008-05-17 02:17 . 2008-05-17 02:17 <DIR> d-------- C:\Users\Jeff\AppData\Roaming\DivX
2008-05-17 02:16 . 2008-05-17 02:16 <DIR> d-------- C:\Program Files\DivX
2008-05-17 02:16 . 2008-05-17 02:16 <DIR> d-------- C:\Program Files\Common Files\PX Storage Engine

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 23:19 --------- d-----w C:\Users\Jeff\AppData\Roaming\.purple
2008-06-16 03:24 --------- d-----w C:\Users\Jeff\AppData\Roaming\BitTorrent
2008-06-14 23:00 --------- d-----w C:\Program Files\Java
2008-06-12 22:54 27,240 ----a-w C:\Users\Jeff\AppData\Roaming\nvModes.dat
2008-06-11 14:41 --------- d-----w C:\Program Files\Windows Mail
2008-06-10 17:20 --------- d-----w C:\Program Files\Common Files\Logishrd
2008-06-10 17:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-30 06:29 174 --sha-w C:\Program Files\desktop.ini
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Journal
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Defender
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Collaboration
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Calendar
2008-05-28 23:23 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-22 19:14 --------- d-----w C:\Users\Jeff\AppData\Roaming\OpenOffice.org2
2008-05-17 09:13 --------- d-----w C:\Users\Jeff\AppData\Roaming\Toshiba
2008-05-15 04:48 --------- d-----w C:\ProgramData\LogiShrd
2008-05-15 04:47 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-05-15 04:45 --------- d-----w C:\ProgramData\Logitech
2008-05-14 03:07 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-14 00:31 --------- d-----w C:\Users\Jeff\AppData\Roaming\Download Manager
2008-05-13 23:19 --------- d-----w C:\Program Files\World of Warcraft
2008-04-26 23:27 --------- d-----w C:\Program Files\Steam
2008-04-06 05:38 886,784 ----a-w C:\Windows\ebook_library.dll
2007-05-31 04:40 262,144 ----a-w C:\ProgramData\ntuser.dat
2008-01-16 19:42 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-01-16 19:42 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-01-16 19:42 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-06-15_15.26.37.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-15 22:20:34 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-17 00:43:31 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-06-15 22:19:35 884,176 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-06-17 00:30:43 884,176 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-06-17 00:43:35 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-06-17 00:43:35 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-06-15 22:21:05 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-17 00:44:31 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-06-15 22:21:07 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-17 00:44:32 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-06-15 16:48:02 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-06-16 03:23:17 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-06-15 16:48:02 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-16 03:23:17 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-15 16:48:02 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-16 03:23:17 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-05-30 06:24:07 325,720 ----a-w C:\Windows\System32\FNTCACHE.DAT
+ 2008-06-17 00:43:57 325,720 ----a-w C:\Windows\System32\FNTCACHE.DAT
- 2008-06-15 22:20:43 47,104 ----a-w C:\Windows\System32\rpcnet.dll
+ 2008-06-17 00:44:01 47,104 ----a-w C:\Windows\System32\rpcnet.dll
- 2008-06-15 22:07:49 17,408 ----a-w C:\Windows\System32\rpcnetp.dll
+ 2008-06-17 00:44:01 17,408 ----a-w C:\Windows\System32\rpcnetp.dll
- 2008-06-15 22:20:45 17,408 ----a-w C:\Windows\System32\rpcnetp.exe
+ 2008-06-17 00:44:14 17,408 ----a-w C:\Windows\System32\rpcnetp.exe
- 2008-06-15 22:22:36 8,366 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-262811666-679625267-132531852-1000_UserData.bin
+ 2008-06-17 00:46:09 8,628 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-262811666-679625267-132531852-1000_UserData.bin
- 2008-06-15 22:22:36 77,776 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-17 00:46:09 78,126 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-05 19:13:57 6,234 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-06-16 23:21:11 6,234 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-06-15 22:22:28 55,650 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-17 00:45:51 55,970 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-06-15 21:47:28 339,782 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-06-17 00:29:29 342,616 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2008-06-15 16:47:39 343,894 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2008-06-16 17:54:37 345,682 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@={F2F31467-B1AC-4df0-AE79-FD5FA085E22B}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@={A3E208F7-0E3A-4182-A7A6-B169D5D691AA}

[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-03 18:03 2854912 --a------ C:\Program Files\Protector Suite QL\farchns.dll

[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-03 18:03 2854912 --a------ C:\Program Files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-01-22 08:59 417792]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 00:33 1233920]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 00:33 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2008-01-19 00:33 227840]
"XboxStat"="C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 19:05 734264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-27 07:32 898344]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 10:39 411192]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-28 01:29 4472832 C:\Windows\RtHDVCpl.exe]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 07:00 204800]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-22 21:42 438272]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-03-22 11:46 448632]
"NDSTray.exe"="NDSTray.exe" []
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 17:14 34352]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 16:49 55416]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 16:32 538744]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\Windows\KHALMNPR.Exe]
"Skytel"="Skytel.exe" [2007-05-28 05:39 1826816 C:\Windows\SkyTel.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-06-06 01:07 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-06-06 01:07 8433664]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-06-06 01:07 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-05 12:10 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\Windows\system32\psqlpwd.dll 2006-12-03 17:50 90112 C:\Windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.divxa32"= divxa32.acm

[HKLM\~\startupfolder\C:^Users^Jeff^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=C:\Windows\pss\OpenOffice.org 2.3.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jeff^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
path=C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Registration Heroes of Might & Magic 5.LNK
backup=C:\Windows\pss\Registration Heroes of Might & Magic 5.LNK.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2008-01-26 13:04 2476408 C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-01-21 17:24 290112 C:\Users\Jeff\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
--a------ 2007-04-10 17:40 413696 C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-03-21 01:30 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-05-30 21:52 1862144 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
--a------ 2006-12-03 17:29 49168 C:\Program Files\Protector Suite QL\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-03 10:15 1271032 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E6B074BD-6FF1-4D1D-924D-06BA35F59D1F}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{02B851C0-B67E-4B34-9C4A-03767CED8289}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4D6FF50C-CC68-4104-B533-4819EF0BA269}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1073FC7B-AF0F-4263-BF63-32D363B90469}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{615C1CAB-5993-486B-9C0B-01F4A1AB46AA}"= UDP:C:\Program Files\World of Warcraft\Launcher.exe:World of Warcraft
"{B384F58E-B161-4188-B79C-16BF93DA51F3}"= TCP:C:\Program Files\World of Warcraft\Launcher.exe:World of Warcraft
"{BC0D3764-B4BE-4FAD-BED2-A8C29121EA17}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{F6C3A478-C898-41F8-B0C6-9FD18780E66A}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{4FFD7A75-79BB-4831-B57C-02537B6C10DB}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{F3E8ECF4-B09D-460E-9CF2-351445E0AAB2}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{423DE931-DD85-450D-A0EB-FB9CB3CF984B}C:\\users\\jeff\\program files\\dna\\btdna.exe"= UDP:C:\users\jeff\program files\dna\btdna.exe:btdna.exe
"UDP Query User{29276765-ECDF-4B36-B2A6-9A13F81BE848}C:\\users\\jeff\\program files\\dna\\btdna.exe"= TCP:C:\users\jeff\program files\dna\btdna.exe:btdna.exe
"TCP Query User{A5E50147-A13E-46D9-90AD-0C3BE3F70EB4}C:\\program files\\frostwire\\frostwire.exe"= UDP:C:\program files\frostwire\frostwire.exe:FrostWire
"UDP Query User{95A0C47D-58BD-4D6D-844B-F7725ED68FA2}C:\\program files\\frostwire\\frostwire.exe"= TCP:C:\program files\frostwire\frostwire.exe:FrostWire
"TCP Query User{71C5B77B-615C-4199-9A39-E05459125793}C:\\program files\\pidgin\\pidgin.exe"= UDP:C:\program files\pidgin\pidgin.exe:Pidgin
"UDP Query User{1F2C16CC-8531-464B-8A57-D15FCD37AAB3}C:\\program files\\pidgin\\pidgin.exe"= TCP:C:\program files\pidgin\pidgin.exe:Pidgin
"TCP Query User{6E7B5BE7-9800-4F6C-A907-57E9FDA408FA}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{730F399F-F641-4324-8B56-94994ED7B221}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{63307E93-2CC9-46E9-B898-5B50C687A084}C:\\users\\jeff\\program files\\bittorrent\\bittorrent.exe"= UDP:C:\users\jeff\program files\bittorrent\bittorrent.exe:bittorrent.exe
"UDP Query User{66DDC797-0395-4F4D-9C95-E96FFB711029}C:\\users\\jeff\\program files\\bittorrent\\bittorrent.exe"= TCP:C:\users\jeff\program files\bittorrent\bittorrent.exe:bittorrent.exe
"TCP Query User{16ACA39D-D46F-47DD-ACCC-E4A3442C3B91}C:\\program files\\world of warcraft\\repair.exe"= UDP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"UDP Query User{EA353A24-1FAD-48AB-BF0A-A9B13E333C92}C:\\program files\\world of warcraft\\repair.exe"= TCP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"TCP Query User{5055FD15-7069-409F-884D-68E823DEDFB6}C:\\program files\\steam\\steamapps\\conceled\\counter-strike\\hl.exe"= UDP:C:\program files\steam\steamapps\conceled\counter-strike\hl.exe:Half-Life Launcher
"UDP Query User{DBF608EB-A778-47C8-82CE-EFB0D7C45475}C:\\program files\\steam\\steamapps\\conceled\\counter-strike\\hl.exe"= TCP:C:\program files\steam\steamapps\conceled\counter-strike\hl.exe:Half-Life Launcher
"{D85251C4-2E51-4F6B-9986-FB3242363802}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{0E9F7832-1FBD-4AC7-936A-F1FCB46D781D}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{A7C236AB-DAF0-4AC4-B009-CD911BCD6A45}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{500FC541-A9EA-4879-8A71-5C214CD9B3D6}"= C:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 LPCFilter;LPC Lower Filter Driver;C:\Windows\system32\DRIVERS\LPCFilter.sys [2006-07-28 16:25]
R0 tos_sps32;TOSHIBA tos_sps32 Service;C:\Windows\system32\DRIVERS\tos_sps32.sys [2007-04-27 21:13]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-06-05 12:10]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-05 12:10]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-05 12:10]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 12:43]
R3 AvgWfpX;AVG8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-06-05 12:10]
R3 TcUsb;TC USB Kernel Driver;C:\Windows\system32\Drivers\tcusb.sys [2006-12-03 17:21]
R3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 16:32]
R3 UVCFTR;UVCFTR;C:\Windows\system32\Drivers\UVCFTR_S.SYS [2007-04-16 11:19]
S2 0130601200595183mcinstcleanup;McAfee Application Installer Cleanup (0130601200595183);C:\Users\Jeff\AppData\Local\Temp\013060~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-04-03 10:16]
S3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 11:50]
S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2006-02-14 11:50]
S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2005-09-27 16:57]
S4 KR3NPXP;KR3NPXP;C:\Windows\system32\drivers\kr3npxp.sys [2006-09-27 20:06]
S4 pinger;pinger;C:\Toshiba\IVP\ISM\pinger.exe [2007-01-25 17:47]
S4 TNaviSrv;TOSHIBA Navi Support Service;C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe [2007-04-27 21:15]
S4 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-25 21:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{add6612c-e725-11dc-9669-001b38aece2a}]
\shell\AutoRun\command - E:\Installer.exe

.

#11 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 17 June 2008 - 04:51 AM

Hello Jeff,

Open Notepad and copy and paste the bold, blue text below in it:

@echo off
Swxcacls C:\Windows\system32\drivers\core.cache.dsk >check.txt

Save this as check.bat. Choose to save as "all files" and place it on your Desktop.
It should look like this: Posted Image
Double-click to run it and post the content of the log in your next reply please (if it's empty just let me know).

Then let's find out if that file is still present:

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

Driver::
termddd
Collect::
C:\Windows\System32\drivers\termddd.sys

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

When CF finishes running, the ComboFix log may open along with a message box; do not be alarmed. With the above script, ComboFix may capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file [4]-Submit_Date_Time.zip.

Greetings,
Thunder
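A reader-side check for the ACL report that the check.bat step above writes, added here as an example and not code from the thread or from the SteelWerX tool: it parses a swxcacls-style dump (layout assumed from the shape of such a report: a principal line followed by a Type/Permissions/Inheritance line) and flags explicit, non-inherited entries and broad principals with write rights on a file under system32\drivers. The sample report, machine name and file name are constructed.

```python
"""Parse a swxcacls-style ACL report and flag risky entries on a driver file."""
import re
from dataclasses import dataclass

# Constructed sample in the layout of a swxcacls report; machine and file names are placeholders.
SAMPLE_REPORT = """\
SteelWerX Extended Configuration Access Control Lists
*******************************************************************************
File: C:\\Windows\\system32\\drivers\\example.cache.dsk

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
\\Everyone
Allowed Full Control This Folder/File Only
NT AUTHORITY\\SYSTEM
Allowed Full Control This Folder/File Only (Inherited)
EXAMPLE-PC\\Administrators
Allowed Full Control This Folder/File Only (Inherited)
EXAMPLE-PC\\Users
Allowed Read and Execute This Folder/File Only (Inherited)

Owner: Administrators (EXAMPLE-PC\\Administrators)
"""

# One ACE line: "<Allowed|Denied> <rights> <scope> [(Inherited)]" (layout assumed from the dump).
ACE_RE = re.compile(
    r"^(?P<type>Allowed|Denied)\s+"
    r"(?P<perm>Full Control|Modify|Read and Execute|List Folder Contents|Read|Write|Special)\s+"
    r"(?P<scope>.*?)\s*(?P<inh>\(Inherited\))?$"
)


@dataclass
class Ace:
    principal: str
    access_type: str   # Allowed / Denied
    permissions: str   # e.g. "Full Control"
    scope: str         # e.g. "This Folder/File Only"
    inherited: bool    # False means the ACE was set explicitly on this file


@dataclass
class AclReport:
    path: str
    owner: str
    aces: list


def parse_report(text: str) -> AclReport:
    """Pull the file path, owner and every ACE out of a swxcacls-style report."""
    path = owner = principal = None
    aces, in_table = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("File:"):
            path = line[len("File:"):].strip()
        elif line.startswith("Owner:"):
            owner = line[len("Owner:"):].strip()
        elif line.startswith("Type Permissions Inheritance"):
            in_table = True  # the ACE table follows this header row
        elif in_table:
            if not line:
                in_table = False  # a blank line ends the table
            elif line.startswith("*"):
                continue  # separator row
            elif (m := ACE_RE.match(line)) and principal is not None:
                aces.append(Ace(principal, m["type"], m["perm"], m["scope"], m["inh"] is not None))
                principal = None
            else:
                principal = line  # each principal line precedes its ACE line
    if path is None:
        raise ValueError("report has no 'File:' line")
    return AclReport(path, owner or "", aces)


# Principals that mean "any user on the box", and rights that let them rewrite the file.
BROAD_PRINCIPALS = {"\\everyone", "everyone", "builtin\\users", "nt authority\\authenticated users"}
WRITE_RIGHTS = {"Full Control", "Modify", "Write"}


def review(report: AclReport) -> list:
    """Heuristic review: files placed in system32\\drivers normally just inherit the folder
    ACL, so an explicit (non-inherited) entry, above all one giving Everyone Full Control,
    was set deliberately by whatever wrote the file and merits a closer look."""
    findings = []
    for ace in report.aces:
        if ace.access_type != "Allowed":
            continue
        if not ace.inherited:
            findings.append(f"explicit ACE: {ace.principal} {ace.permissions}")
        if ace.principal.lower() in BROAD_PRINCIPALS and ace.permissions in WRITE_RIGHTS:
            findings.append(f"world-writable: {ace.principal} {ace.permissions}")
    if findings and "\\system32\\drivers\\" in report.path.lower():
        findings.insert(0, f"driver-path file with unusual ACL: {report.path}")
    return findings
```

Run `review(parse_report(open("check.txt").read()))` against a real check.txt; an empty list means every entry was inherited and no broad principal can write the file.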

#12 JeffQS

JeffQS
  • Topic Starter

  • Members
  • 10 posts

Posted 17 June 2008 - 07:14 PM

Alright, here are the contents of my "check" log.

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
File: C:\Windows\system32\drivers\core.cache.dsk

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
\Everyone
Allowed Full Control This Folder/File Only
NT AUTHORITY\SYSTEM
Allowed Full Control This Folder/File Only (Inherited)
JEFF-PC\Administrators
Allowed Full Control This Folder/File Only (Inherited)
JEFF-PC\Users
Allowed Read and Execute This Folder/File Only (Inherited)

No Auditing set

Owner: Administrators (JEFF-PC\Administrators)

COMBO FIX LOG

ComboFix 08-06-15.2 - Jeff 2008-06-17 16:50:32.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1089 [GMT -7:00]
Running from: C:\Users\Jeff\Desktop\ComboFix.exe
Command switches used :: C:\Users\Jeff\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\drivers\core.cache.dsk . . . . failed to delete
C:\Windows\System32\drivers\termddd.sys . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TERMDDD
-------\Service_termddd


((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-14 16:00 . 2008-06-14 16:00 <DIR> d-------- C:\Program Files\Sun
2008-06-14 11:10 . 2008-06-14 11:10 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-14 10:41 . 2008-04-22 21:42 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-06-14 10:41 . 2008-04-22 21:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-06-14 10:41 . 2008-04-22 21:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-14 10:41 . 2008-04-22 21:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-10 12:11 . 2008-05-09 20:35 885,248 --a------ C:\Windows\System32\RacEngn.dll
2008-06-10 12:11 . 2008-05-09 15:22 9,127 --a------ C:\Windows\System32\RacUR.xml
2008-06-10 12:11 . 2008-05-09 15:22 153 --a------ C:\Windows\System32\RacUREx.xml
2008-06-10 12:09 . 2008-04-26 01:08 1,314,816 --a------ C:\Windows\System32\quartz.dll
2008-06-10 12:09 . 2008-05-09 18:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-10 12:08 . 2008-04-24 19:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-06-10 12:08 . 2008-04-24 21:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-05 12:10 . 2008-06-17 16:39 <DIR> d-------- C:\Windows\System32\drivers\Avg
2008-06-05 12:10 . 2008-06-05 12:10 96,520 --a------ C:\Windows\System32\drivers\avgldx86.sys
2008-06-05 12:10 . 2008-06-05 12:10 67,080 --a------ C:\Windows\System32\drivers\avgwfpx.sys
2008-06-05 12:10 . 2008-06-05 12:10 10,520 --a------ C:\Windows\System32\avgrsstx.dll
2008-06-05 12:09 . 2008-06-05 12:09 <DIR> d-------- C:\Users\All Users\avg8
2008-06-05 12:09 . 2008-06-05 12:09 <DIR> d-------- C:\ProgramData\avg8
2008-06-05 12:09 . 2008-06-05 12:09 <DIR> d-------- C:\Program Files\AVG
2008-05-29 18:52 . 2008-05-29 18:52 <DIR> d-------- C:\PerfLogs
2008-05-29 17:42 . 2008-01-19 00:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll
2008-05-29 17:41 . 2008-01-19 00:33 8,139,264 --a------ C:\Windows\System32\ssBranded.scr
2008-05-29 17:40 . 2008-01-18 23:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-05-29 17:39 . 2008-01-19 00:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll
2008-05-29 17:39 . 2008-01-19 00:36 357,888 --a------ C:\Windows\System32\wbemcomn.dll
2008-05-29 17:39 . 2008-01-19 00:34 305,152 --a------ C:\Windows\System32\msdelta.dll
2008-05-29 17:39 . 2008-01-19 00:34 258,560 --a------ C:\Windows\System32\dpx.dll
2008-05-29 17:39 . 2008-01-19 00:34 246,784 --a------ C:\Windows\System32\drvstore.dll
2008-05-29 17:39 . 2008-01-19 00:36 218,624 --a------ C:\Windows\System32\wdscore.dll
2008-05-29 17:39 . 2008-01-19 00:36 139,264 --a------ C:\Windows\System32\SmiInstaller.dll
2008-05-29 17:39 . 2008-01-19 00:33 130,560 --a------ C:\Windows\System32\PkgMgr.exe
2008-05-29 17:39 . 2008-01-19 00:35 35,328 --a------ C:\Windows\System32\mspatcha.dll
2008-05-27 15:38 . 2008-03-07 19:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-27 15:38 . 2008-03-07 21:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
2008-05-22 11:24 . 2008-05-22 11:24 <DIR> d-------- C:\Users\All Users\Office Genuine Advantage
2008-05-22 11:24 . 2008-05-22 11:24 <DIR> d-------- C:\ProgramData\Office Genuine Advantage
2008-05-18 14:56 . 2008-05-18 14:57 <DIR> d-------- C:\Users\Jeff\.SunDownloadManager
2008-05-17 02:17 . 2008-05-17 02:17 <DIR> d-------- C:\Users\Jeff\AppData\Roaming\DivX
2008-05-17 02:16 . 2008-05-17 02:16 <DIR> d-------- C:\Program Files\DivX
2008-05-17 02:16 . 2008-05-17 02:16 <DIR> d-------- C:\Program Files\Common Files\PX Storage Engine

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 23:57 47,104 ----a-w C:\Windows\System32\rpcnet.dll
2008-06-17 23:57 17,408 ----a-w C:\Windows\System32\rpcnetp.exe
2008-06-17 23:57 17,408 ----a-w C:\Windows\System32\rpcnetp.dll
2008-06-17 23:55 --------- d-----w C:\Users\Jeff\AppData\Roaming\.purple
2008-06-17 23:50 86,144 ------w C:\Windows\system32\drivers\termddd.sys
2008-06-16 03:24 --------- d-----w C:\Users\Jeff\AppData\Roaming\BitTorrent
2008-06-14 23:00 --------- d-----w C:\Program Files\Java
2008-06-12 22:54 27,240 ----a-w C:\Users\Jeff\AppData\Roaming\nvModes.dat
2008-06-11 14:41 --------- d-----w C:\Program Files\Windows Mail
2008-06-10 17:20 --------- d-----w C:\Program Files\Common Files\Logishrd
2008-06-10 17:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-30 06:29 174 --sha-w C:\Program Files\desktop.ini
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Journal
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Defender
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Collaboration
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Calendar
2008-05-30 00:55 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-05-30 00:55 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-05-28 23:23 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-22 19:14 --------- d-----w C:\Users\Jeff\AppData\Roaming\OpenOffice.org2
2008-05-17 09:13 --------- d-----w C:\Users\Jeff\AppData\Roaming\Toshiba
2008-05-15 04:48 --------- d-----w C:\ProgramData\LogiShrd
2008-05-15 04:47 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-05-15 04:45 --------- d-----w C:\ProgramData\Logitech
2008-05-14 03:07 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-14 00:31 --------- d-----w C:\Users\Jeff\AppData\Roaming\Download Manager
2008-05-13 23:19 --------- d-----w C:\Program Files\World of Warcraft
2008-05-13 22:47 47,104 ----a-w C:\Windows\System32\rpcnet.exe
2008-05-13 01:53 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-05-13 01:53 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-05-13 01:51 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-05-13 01:51 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-05-13 01:49 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-05-13 01:49 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-04-26 23:27 --------- d-----w C:\Program Files\Steam
2008-04-06 05:38 886,784 ----a-w C:\Windows\ebook_library.dll
2007-05-31 04:40 262,144 ----a-w C:\ProgramData\ntuser.dat
2008-01-16 19:42 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-01-16 19:42 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-01-16 19:42 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( snapshot_2008-06-16_17.50.41.63 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-17 00:43:31 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-17 23:56:59 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-06-17 00:30:43 884,176 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-06-17 23:55:56 884,176 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-06-17 00:44:31 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-17 23:57:31 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-06-17 00:44:32 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-17 23:57:30 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-06-17 00:46:09 8,628 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-262811666-679625267-132531852-1000_UserData.bin
+ 2008-06-17 23:59:03 8,796 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-262811666-679625267-132531852-1000_UserData.bin
- 2008-06-17 00:46:09 78,126 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-17 23:59:03 78,396 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-16 17:54:37 345,682 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2008-06-17 23:38:22 346,560 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@={F2F31467-B1AC-4df0-AE79-FD5FA085E22B}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@={A3E208F7-0E3A-4182-A7A6-B169D5D691AA}

[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-03 18:03 2854912 --a------ C:\Program Files\Protector Suite QL\farchns.dll

[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-03 18:03 2854912 --a------ C:\Program Files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-01-22 08:59 417792]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 00:33 1233920]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 00:33 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2008-01-19 00:33 227840]
"XboxStat"="C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 19:05 734264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-27 07:32 898344]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 10:39 411192]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-28 01:29 4472832 C:\Windows\RtHDVCpl.exe]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 07:00 204800]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-22 21:42 438272]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-03-22 11:46 448632]
"NDSTray.exe"="NDSTray.exe" []
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 17:14 34352]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 16:49 55416]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 16:32 538744]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\Windows\KHALMNPR.Exe]
"Skytel"="Skytel.exe" [2007-05-28 05:39 1826816 C:\Windows\SkyTel.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-06-06 01:07 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-06-06 01:07 8433664]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-06-06 01:07 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-05 12:10 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\Windows\system32\psqlpwd.dll 2006-12-03 17:50 90112 C:\Windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.divxa32"= divxa32.acm

[HKLM\~\startupfolder\C:^Users^Jeff^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=C:\Windows\pss\OpenOffice.org 2.3.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jeff^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
path=C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Registration Heroes of Might & Magic 5.LNK
backup=C:\Windows\pss\Registration Heroes of Might & Magic 5.LNK.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2008-01-26 13:04 2476408 C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-01-21 17:24 290112 C:\Users\Jeff\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
--a------ 2007-04-10 17:40 413696 C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-03-21 01:30 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-05-30 21:52 1862144 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
--a------ 2006-12-03 17:29 49168 C:\Program Files\Protector Suite QL\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-03 10:15 1271032 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E6B074BD-6FF1-4D1D-924D-06BA35F59D1F}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{02B851C0-B67E-4B34-9C4A-03767CED8289}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4D6FF50C-CC68-4104-B533-4819EF0BA269}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1073FC7B-AF0F-4263-BF63-32D363B90469}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{615C1CAB-5993-486B-9C0B-01F4A1AB46AA}"= UDP:C:\Program Files\World of Warcraft\Launcher.exe:World of Warcraft
"{B384F58E-B161-4188-B79C-16BF93DA51F3}"= TCP:C:\Program Files\World of Warcraft\Launcher.exe:World of Warcraft
"{BC0D3764-B4BE-4FAD-BED2-A8C29121EA17}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{F6C3A478-C898-41F8-B0C6-9FD18780E66A}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{4FFD7A75-79BB-4831-B57C-02537B6C10DB}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{F3E8ECF4-B09D-460E-9CF2-351445E0AAB2}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{423DE931-DD85-450D-A0EB-FB9CB3CF984B}C:\\users\\jeff\\program files\\dna\\btdna.exe"= UDP:C:\users\jeff\program files\dna\btdna.exe:btdna.exe
"UDP Query User{29276765-ECDF-4B36-B2A6-9A13F81BE848}C:\\users\\jeff\\program files\\dna\\btdna.exe"= TCP:C:\users\jeff\program files\dna\btdna.exe:btdna.exe
"TCP Query User{A5E50147-A13E-46D9-90AD-0C3BE3F70EB4}C:\\program files\\frostwire\\frostwire.exe"= UDP:C:\program files\frostwire\frostwire.exe:FrostWire
"UDP Query User{95A0C47D-58BD-4D6D-844B-F7725ED68FA2}C:\\program files\\frostwire\\frostwire.exe"= TCP:C:\program files\frostwire\frostwire.exe:FrostWire
"TCP Query User{71C5B77B-615C-4199-9A39-E05459125793}C:\\program files\\pidgin\\pidgin.exe"= UDP:C:\program files\pidgin\pidgin.exe:Pidgin
"UDP Query User{1F2C16CC-8531-464B-8A57-D15FCD37AAB3}C:\\program files\\pidgin\\pidgin.exe"= TCP:C:\program files\pidgin\pidgin.exe:Pidgin
"TCP Query User{6E7B5BE7-9800-4F6C-A907-57E9FDA408FA}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{730F399F-F641-4324-8B56-94994ED7B221}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{63307E93-2CC9-46E9-B898-5B50C687A084}C:\\users\\jeff\\program files\\bittorrent\\bittorrent.exe"= UDP:C:\users\jeff\program files\bittorrent\bittorrent.exe:bittorrent.exe
"UDP Query User{66DDC797-0395-4F4D-9C95-E96FFB711029}C:\\users\\jeff\\program files\\bittorrent\\bittorrent.exe"= TCP:C:\users\jeff\program files\bittorrent\bittorrent.exe:bittorrent.exe
"TCP Query User{16ACA39D-D46F-47DD-ACCC-E4A3442C3B91}C:\\program files\\world of warcraft\\repair.exe"= UDP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"UDP Query User{EA353A24-1FAD-48AB-BF0A-A9B13E333C92}C:\\program files\\world of warcraft\\repair.exe"= TCP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"TCP Query User{5055FD15-7069-409F-884D-68E823DEDFB6}C:\\program files\\steam\\steamapps\\conceled\\counter-strike\\hl.exe"= UDP:C:\program files\steam\steamapps\conceled\counter-strike\hl.exe:Half-Life Launcher
"UDP Query User{DBF608EB-A778-47C8-82CE-EFB0D7C45475}C:\\program files\\steam\\steamapps\\conceled\\counter-strike\\hl.exe"= TCP:C:\program files\steam\steamapps\conceled\counter-strike\hl.exe:Half-Life Launcher
"{D85251C4-2E51-4F6B-9986-FB3242363802}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{0E9F7832-1FBD-4AC7-936A-F1FCB46D781D}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{A7C236AB-DAF0-4AC4-B009-CD911BCD6A45}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{500FC541-A9EA-4879-8A71-5C214CD9B3D6}"= C:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 LPCFilter;LPC Lower Filter Driver;C:\Windows\system32\DRIVERS\LPCFilter.sys [2006-07-28 16:25]
R0 tos_sps32;TOSHIBA tos_sps32 Service;C:\Windows\system32\DRIVERS\tos_sps32.sys [2007-04-27 21:13]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-06-05 12:10]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-05 12:10]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-05 12:10]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 12:43]
R3 AvgWfpX;AVG8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-06-05 12:10]
R3 TcUsb;TC USB Kernel Driver;C:\Windows\system32\Drivers\tcusb.sys [2006-12-03 17:21]
R3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 16:32]
R3 UVCFTR;UVCFTR;C:\Windows\system32\Drivers\UVCFTR_S.SYS [2007-04-16 11:19]
S2 0130601200595183mcinstcleanup;McAfee Application Installer Cleanup (0130601200595183);C:\Users\Jeff\AppData\Local\Temp\013060~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-04-03 10:16]
S3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 11:50]
S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2006-02-14 11:50]
S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2005-09-27 16:57]
S4 KR3NPXP;KR3NPXP;C:\Windows\system32\drivers\kr3npxp.sys [2006-09-27 20:06]
S4 pinger;pinger;C:\Toshiba\IVP\ISM\pinger.exe [2007-01-25 17:47]
S4 TNaviSrv;TOSHIBA Navi Support Service;C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe [2007-04-27 21:15]
S4 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-25 21:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{add6612c-e725-11dc-9669-001b38aece2a}]
\shell\AutoRun\command - E:\Installer.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 16:57:40
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\audiodg.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Windows\System32\wlanext.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\System32\rpcnet.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-06-17 17:04:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 22:27:12
ComboFix2.txt 2008-06-17 00:51:33
ComboFix3.txt 2008-06-15 22:27:30

Pre-Run: 174,919,819,264 bytes free
Post-Run: 174,932,451,328 bytes free

300 --- E O F --- 2008-06-17 23:41:30


HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:44 PM, on 6/17/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\Explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: McAfee Application Installer Cleanup (0130601200595183) (0130601200595183mcinstcleanup) - Unknown owner - C:\Users\Jeff\AppData\Local\Temp\013060~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe

--
End of file - 7282 bytes

#13 Thunder

Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 18 June 2008 - 01:37 PM

Hello Jeff,

It looks like your security programs are preventing ComboFix from running properly.

Please copy CFScript once more to a text file and save to your Desktop.

Boot into Safe Mode:
Restart your computer and tap F8 before WinXP starts to load and choose Safe Mode.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter.
Log in to your usual account.

Then drag the CFScript on ComboFix and let it run.
Post the new ComboFix log in your next reply please. :thumbsup:

Greetings,
Thunder

#14 JeffQS

JeffQS
  • Topic Starter
  • Members
  • 10 posts

Posted 18 June 2008 - 06:22 PM

Alright, here's my ComboFix log when done in Safe Mode.

ComboFix 08-06-15.2 - Jeff 2008-06-18 16:08:30.4 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1657 [GMT -7:00]
Running from: C:\Users\Jeff\Desktop\ComboFix.exe
Command switches used :: C:\Users\Jeff\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\drivers\core.cache.dsk . . . . failed to delete
C:\Windows\System32\drivers\termddd.sys . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-14 16:00 . 2008-06-14 16:00 <DIR> d-------- C:\Program Files\Sun
2008-06-14 11:10 . 2008-06-14 11:10 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-14 10:41 . 2008-04-22 21:42 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-06-14 10:41 . 2008-04-22 21:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-06-14 10:41 . 2008-04-22 21:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-14 10:41 . 2008-04-22 21:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-10 12:11 . 2008-05-09 20:35 885,248 --a------ C:\Windows\System32\RacEngn.dll
2008-06-10 12:11 . 2008-05-09 15:22 9,127 --a------ C:\Windows\System32\RacUR.xml
2008-06-10 12:11 . 2008-05-09 15:22 153 --a------ C:\Windows\System32\RacUREx.xml
2008-06-10 12:09 . 2008-04-26 01:08 1,314,816 --a------ C:\Windows\System32\quartz.dll
2008-06-10 12:09 . 2008-05-09 18:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-10 12:08 . 2008-04-24 19:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-06-10 12:08 . 2008-04-24 21:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-05 12:10 . 2008-06-18 10:04 <DIR> d-------- C:\Windows\System32\drivers\Avg
2008-06-05 12:10 . 2008-06-05 12:10 96,520 --a------ C:\Windows\System32\drivers\avgldx86.sys
2008-06-05 12:10 . 2008-06-05 12:10 67,080 --a------ C:\Windows\System32\drivers\avgwfpx.sys
2008-06-05 12:10 . 2008-06-05 12:10 10,520 --a------ C:\Windows\System32\avgrsstx.dll
2008-06-05 12:09 . 2008-06-05 12:09 <DIR> d-------- C:\Users\All Users\avg8
2008-06-05 12:09 . 2008-06-05 12:09 <DIR> d-------- C:\ProgramData\avg8
2008-06-05 12:09 . 2008-06-05 12:09 <DIR> d-------- C:\Program Files\AVG
2008-05-29 18:52 . 2008-05-29 18:52 <DIR> d-------- C:\PerfLogs
2008-05-29 17:42 . 2008-01-19 00:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll
2008-05-29 17:41 . 2008-01-19 00:33 8,139,264 --a------ C:\Windows\System32\ssBranded.scr
2008-05-29 17:40 . 2008-01-18 23:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-05-29 17:39 . 2008-01-19 00:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll
2008-05-29 17:39 . 2008-01-19 00:36 357,888 --a------ C:\Windows\System32\wbemcomn.dll
2008-05-29 17:39 . 2008-01-19 00:34 305,152 --a------ C:\Windows\System32\msdelta.dll
2008-05-29 17:39 . 2008-01-19 00:34 258,560 --a------ C:\Windows\System32\dpx.dll
2008-05-29 17:39 . 2008-01-19 00:34 246,784 --a------ C:\Windows\System32\drvstore.dll
2008-05-29 17:39 . 2008-01-19 00:36 218,624 --a------ C:\Windows\System32\wdscore.dll
2008-05-29 17:39 . 2008-01-19 00:36 139,264 --a------ C:\Windows\System32\SmiInstaller.dll
2008-05-29 17:39 . 2008-01-19 00:33 130,560 --a------ C:\Windows\System32\PkgMgr.exe
2008-05-29 17:39 . 2008-01-19 00:35 35,328 --a------ C:\Windows\System32\mspatcha.dll
2008-05-27 15:38 . 2008-03-07 19:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-27 15:38 . 2008-03-07 21:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
2008-05-22 11:24 . 2008-05-22 11:24 <DIR> d-------- C:\Users\All Users\Office Genuine Advantage
2008-05-22 11:24 . 2008-05-22 11:24 <DIR> d-------- C:\ProgramData\Office Genuine Advantage
2008-05-18 14:56 . 2008-05-18 14:57 <DIR> d-------- C:\Users\Jeff\.SunDownloadManager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 23:13 17,408 ----a-w C:\Windows\System32\rpcnetp.exe
2008-06-18 23:12 47,104 ----a-w C:\Windows\System32\rpcnet.dll
2008-06-18 23:12 17,408 ----a-w C:\Windows\System32\rpcnetp.dll
2008-06-18 23:01 --------- d-----w C:\Users\Jeff\AppData\Roaming\.purple
2008-06-17 23:50 86,144 ------w C:\Windows\system32\drivers\termddd.sys
2008-06-16 03:24 --------- d-----w C:\Users\Jeff\AppData\Roaming\BitTorrent
2008-06-14 23:00 --------- d-----w C:\Program Files\Java
2008-06-12 22:54 27,240 ----a-w C:\Users\Jeff\AppData\Roaming\nvModes.dat
2008-06-11 14:41 --------- d-----w C:\Program Files\Windows Mail
2008-06-10 17:20 --------- d-----w C:\Program Files\Common Files\Logishrd
2008-06-10 17:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-30 06:29 174 --sha-w C:\Program Files\desktop.ini
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Journal
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Defender
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Collaboration
2008-05-30 01:56 --------- d-----w C:\Program Files\Windows Calendar
2008-05-30 00:55 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-05-30 00:55 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-05-28 23:23 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-22 19:14 --------- d-----w C:\Users\Jeff\AppData\Roaming\OpenOffice.org2
2008-05-17 09:17 --------- d-----w C:\Users\Jeff\AppData\Roaming\DivX
2008-05-17 09:16 --------- d-----w C:\Program Files\DivX
2008-05-17 09:16 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2008-05-17 09:13 --------- d-----w C:\Users\Jeff\AppData\Roaming\Toshiba
2008-05-15 04:48 --------- d-----w C:\ProgramData\LogiShrd
2008-05-15 04:47 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-05-15 04:45 --------- d-----w C:\ProgramData\Logitech
2008-05-14 03:07 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-14 00:31 --------- d-----w C:\Users\Jeff\AppData\Roaming\Download Manager
2008-05-13 23:19 --------- d-----w C:\Program Files\World of Warcraft
2008-05-13 22:47 47,104 ----a-w C:\Windows\System32\rpcnet.exe
2008-05-13 01:53 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-05-13 01:53 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-05-13 01:51 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-05-13 01:51 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-05-13 01:49 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-05-13 01:49 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-04-26 23:27 --------- d-----w C:\Program Files\Steam
2008-04-06 05:38 886,784 ----a-w C:\Windows\ebook_library.dll
2007-05-31 04:40 262,144 ----a-w C:\ProgramData\ntuser.dat
2008-01-16 19:42 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-01-16 19:42 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-01-16 19:42 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( snapshot_2008-06-16_17.50.41.63 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-17 00:43:31 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-18 23:12:49 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-06-17 00:30:43 884,176 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-06-18 23:04:48 884,176 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-06-17 00:44:31 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-18 23:13:22 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-06-17 00:44:32 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-18 23:13:20 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-06-17 00:46:09 8,628 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-262811666-679625267-132531852-1000_UserData.bin
+ 2008-06-18 00:21:21 8,860 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-262811666-679625267-132531852-1000_UserData.bin
- 2008-06-17 00:46:09 78,126 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-18 00:21:21 78,626 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-17 00:45:51 55,970 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-18 00:21:20 56,130 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-06-17 00:29:29 342,616 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-06-18 22:59:00 343,494 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2008-06-16 17:54:37 345,682 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2008-06-18 17:03:37 347,438 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@={F2F31467-B1AC-4df0-AE79-FD5FA085E22B}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@={A3E208F7-0E3A-4182-A7A6-B169D5D691AA}

[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-03 18:03 2854912 --a------ C:\Program Files\Protector Suite QL\farchns.dll

[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-03 18:03 2854912 --a------ C:\Program Files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-01-22 08:59 417792]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 00:33 1233920]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 00:33 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2008-01-19 00:33 227840]
"XboxStat"="C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 19:05 734264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-27 07:32 898344]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 10:39 411192]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-28 01:29 4472832 C:\Windows\RtHDVCpl.exe]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 07:00 204800]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-22 21:42 438272]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-03-22 11:46 448632]
"NDSTray.exe"="NDSTray.exe" []
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 17:14 34352]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 16:49 55416]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 16:32 538744]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\Windows\KHALMNPR.Exe]
"Skytel"="Skytel.exe" [2007-05-28 05:39 1826816 C:\Windows\SkyTel.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-06-06 01:07 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-06-06 01:07 8433664]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-06-06 01:07 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-05 12:10 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\Windows\system32\psqlpwd.dll 2006-12-03 17:50 90112 C:\Windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.divxa32"= divxa32.acm

[HKLM\~\startupfolder\C:^Users^Jeff^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=C:\Windows\pss\OpenOffice.org 2.3.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jeff^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
path=C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Registration Heroes of Might & Magic 5.LNK
backup=C:\Windows\pss\Registration Heroes of Might & Magic 5.LNK.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2008-01-26 13:04 2476408 C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-01-21 17:24 290112 C:\Users\Jeff\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
--a------ 2007-04-10 17:40 413696 C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-03-21 01:30 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-05-30 21:52 1862144 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
--a------ 2006-12-03 17:29 49168 C:\Program Files\Protector Suite QL\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-03 10:15 1271032 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E6B074BD-6FF1-4D1D-924D-06BA35F59D1F}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{02B851C0-B67E-4B34-9C4A-03767CED8289}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4D6FF50C-CC68-4104-B533-4819EF0BA269}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1073FC7B-AF0F-4263-BF63-32D363B90469}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{615C1CAB-5993-486B-9C0B-01F4A1AB46AA}"= UDP:C:\Program Files\World of Warcraft\Launcher.exe:World of Warcraft
"{B384F58E-B161-4188-B79C-16BF93DA51F3}"= TCP:C:\Program Files\World of Warcraft\Launcher.exe:World of Warcraft
"{BC0D3764-B4BE-4FAD-BED2-A8C29121EA17}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{F6C3A478-C898-41F8-B0C6-9FD18780E66A}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{4FFD7A75-79BB-4831-B57C-02537B6C10DB}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{F3E8ECF4-B09D-460E-9CF2-351445E0AAB2}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{423DE931-DD85-450D-A0EB-FB9CB3CF984B}C:\\users\\jeff\\program files\\dna\\btdna.exe"= UDP:C:\users\jeff\program files\dna\btdna.exe:btdna.exe
"UDP Query User{29276765-ECDF-4B36-B2A6-9A13F81BE848}C:\\users\\jeff\\program files\\dna\\btdna.exe"= TCP:C:\users\jeff\program files\dna\btdna.exe:btdna.exe
"TCP Query User{A5E50147-A13E-46D9-90AD-0C3BE3F70EB4}C:\\program files\\frostwire\\frostwire.exe"= UDP:C:\program files\frostwire\frostwire.exe:FrostWire
"UDP Query User{95A0C47D-58BD-4D6D-844B-F7725ED68FA2}C:\\program files\\frostwire\\frostwire.exe"= TCP:C:\program files\frostwire\frostwire.exe:FrostWire
"TCP Query User{71C5B77B-615C-4199-9A39-E05459125793}C:\\program files\\pidgin\\pidgin.exe"= UDP:C:\program files\pidgin\pidgin.exe:Pidgin
"UDP Query User{1F2C16CC-8531-464B-8A57-D15FCD37AAB3}C:\\program files\\pidgin\\pidgin.exe"= TCP:C:\program files\pidgin\pidgin.exe:Pidgin
"TCP Query User{6E7B5BE7-9800-4F6C-A907-57E9FDA408FA}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{730F399F-F641-4324-8B56-94994ED7B221}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{63307E93-2CC9-46E9-B898-5B50C687A084}C:\\users\\jeff\\program files\\bittorrent\\bittorrent.exe"= UDP:C:\users\jeff\program files\bittorrent\bittorrent.exe:bittorrent.exe
"UDP Query User{66DDC797-0395-4F4D-9C95-E96FFB711029}C:\\users\\jeff\\program files\\bittorrent\\bittorrent.exe"= TCP:C:\users\jeff\program files\bittorrent\bittorrent.exe:bittorrent.exe
"TCP Query User{16ACA39D-D46F-47DD-ACCC-E4A3442C3B91}C:\\program files\\world of warcraft\\repair.exe"= UDP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"UDP Query User{EA353A24-1FAD-48AB-BF0A-A9B13E333C92}C:\\program files\\world of warcraft\\repair.exe"= TCP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"TCP Query User{5055FD15-7069-409F-884D-68E823DEDFB6}C:\\program files\\steam\\steamapps\\conceled\\counter-strike\\hl.exe"= UDP:C:\program files\steam\steamapps\conceled\counter-strike\hl.exe:Half-Life Launcher
"UDP Query User{DBF608EB-A778-47C8-82CE-EFB0D7C45475}C:\\program files\\steam\\steamapps\\conceled\\counter-strike\\hl.exe"= TCP:C:\program files\steam\steamapps\conceled\counter-strike\hl.exe:Half-Life Launcher
"{D85251C4-2E51-4F6B-9986-FB3242363802}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{0E9F7832-1FBD-4AC7-936A-F1FCB46D781D}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{A7C236AB-DAF0-4AC4-B009-CD911BCD6A45}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{500FC541-A9EA-4879-8A71-5C214CD9B3D6}"= C:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 LPCFilter;LPC Lower Filter Driver;C:\Windows\system32\DRIVERS\LPCFilter.sys [2006-07-28 16:25]
R0 tos_sps32;TOSHIBA tos_sps32 Service;C:\Windows\system32\DRIVERS\tos_sps32.sys [2007-04-27 21:13]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-06-05 12:10]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-05 12:10]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-05 12:10]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 12:43]
R3 AvgWfpX;AVG8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-06-05 12:10]
R3 TcUsb;TC USB Kernel Driver;C:\Windows\system32\Drivers\tcusb.sys [2006-12-03 17:21]
R3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 16:32]
R3 UVCFTR;UVCFTR;C:\Windows\system32\Drivers\UVCFTR_S.SYS [2007-04-16 11:19]
S2 0130601200595183mcinstcleanup;McAfee Application Installer Cleanup (0130601200595183);C:\Users\Jeff\AppData\Local\Temp\013060~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-04-03 10:16]
S3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 11:50]
S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2006-02-14 11:50]
S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2005-09-27 16:57]
S4 KR3NPXP;KR3NPXP;C:\Windows\system32\drivers\kr3npxp.sys [2006-09-27 20:06]
S4 pinger;pinger;C:\Toshiba\IVP\ISM\pinger.exe [2007-01-25 17:47]
S4 TNaviSrv;TOSHIBA Navi Support Service;C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe [2007-04-27 21:15]
S4 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-25 21:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{add6612c-e725-11dc-9669-001b38aece2a}]
\shell\AutoRun\command - E:\Installer.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 16:13:31
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\audiodg.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\System32\wlanext.exe
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\System32\rpcnet.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-06-18 16:19:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 22:27:12
ComboFix2.txt 2008-06-18 00:04:23
ComboFix3.txt 2008-06-17 00:51:33
ComboFix4.txt 2008-06-15 22:27:30

The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 174,526,545,920 bytes free

300 --- E O F --- 2008-06-17 23:41:30

#15 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 19 June 2008 - 06:18 AM

Hello Jeff,

Stubborn bugger, isn't it? :thumbsup:
Btw. did you install something like Computrace Agent by Absolute Software Corp. ?

Print this first or save it as a text file on your Desktop.
Please boot into Safe Mode again.

Navigate, using Windows Explorer, to and manually delete the following files if still present:

C:\Windows\System32\drivers\termddd.sys <== file
C:\Windows\system32\drivers\core.cache.dsk <== file

If you can't find them or cannot delete them, let's try this script:

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

KILLALL::
Rootkit::
C:\Windows\System32\drivers\termddd.sys
Driver::
termddd

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: CFScript.txt being dragged onto ComboFix.exe)

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

Greetings,
Thunder

Edited by Thunder, 19 June 2008 - 04:01 PM.

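Added example, not code from this thread, from ComboFix or from its author: a small Python triage helper for ComboFix logs like the one Jeff posted, covering the things Thunder's reply acts on. It pulls out the entries that "failed to delete", the kernel drivers modified within a few days of the scan date, service entries whose image has no file timestamp or lives under a Temp directory, the AutoRun command registered under mountpoints2, and it renders a CFScript in the KILLALL::/Rootkit::/Driver:: shape used in the reply above. The sample log embedded in the script is constructed from lines in this thread and trimmed to the sections the helper reads. The heuristics (Temp-directory images, recently modified .sys files) are my own triage hints, not ComboFix logic, and deriving the Driver:: name by stripping .sys from the file name is an assumption that must be checked against the R*/S* service lines of a real log before the script is used.

```python
"""Triage helper for ComboFix logs (added example, not from this thread or from ComboFix)."""
import re
from datetime import date, datetime
from typing import List, Optional, Tuple

# Constructed sample: lines taken from the ComboFix output posted in this thread,
# trimmed to the sections the helper looks at.
SAMPLE_LOG = r"""
ComboFix 08-06-15.2 - Jeff 2008-06-18 16:08:30.4 - NTFSx86 MINIMAL
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\system32\drivers\core.cache.dsk . . . . failed to delete
C:\Windows\System32\drivers\termddd.sys . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 23:13 17,408 ----a-w C:\Windows\System32\rpcnetp.exe
2008-06-17 23:50 86,144 ------w C:\Windows\system32\drivers\termddd.sys
2008-05-13 22:47 47,104 ----a-w C:\Windows\System32\rpcnet.exe
.
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-06-05 12:10]
S2 0130601200595183mcinstcleanup;McAfee Application Installer Cleanup (0130601200595183);C:\Users\Jeff\AppData\Local\Temp\013060~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{add6612c-e725-11dc-9669-001b38aece2a}]
\shell\AutoRun\command - E:\Installer.exe
"""

# Line shapes as they appear in the log above.
HEADER_RE = re.compile(r"^ComboFix \S+ - .*? (\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}")
FAILED_RE = re.compile(r"^([A-Za-z]:\\.*?)\s(?:\.\s)+failed to delete\s*$")
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(?:[\d,]+|-+)\s+(\S+)\s+(.+?)\s*$")
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command - (.+?)\s*$")


def scan_date(log: str) -> Optional[date]:
    """Date of the scan, taken from the ComboFix header line."""
    for line in log.splitlines():
        m = HEADER_RE.match(line)
        if m:
            return datetime.strptime(m.group(1), "%Y-%m-%d").date()
    return None


def failed_deletions(log: str) -> List[str]:
    """Paths ComboFix reported as 'failed to delete' (locked or protected files)."""
    return [m.group(1) for m in map(FAILED_RE.match, log.splitlines()) if m]


def recent_drivers(log: str, days: int = 7) -> List[Tuple[str, str, str]]:
    """.sys files in a drivers directory modified within `days` of the scan (Find3M lines).
    Returns (path, modified date, attribute string)."""
    ref = scan_date(log)
    found = []
    for line in log.splitlines():
        m = FIND3M_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d").date()
        path = m.group(3)
        low = path.lower()
        if low.endswith(".sys") and "\\drivers\\" in low and ref and 0 <= (ref - when).days <= days:
            found.append((path, m.group(1), m.group(2)))
    return found


def suspicious_services(log: str) -> List[Tuple[str, str, str, List[str]]]:
    """R*/S* service and driver entries worth a second look. Heuristic only:
    an empty [] timestamp means ComboFix found no file, and a Temp-directory
    image is unusual for anything meant to persist. Returns (name, start, image, reasons)."""
    found = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        start, name, _display, image, stamp = m.groups()
        reasons = []
        if not stamp.strip():
            reasons.append("no file timestamp (image missing or hidden)")
        if "\\temp\\" in image.lower():
            reasons.append("image runs from a Temp directory")
        if reasons:
            found.append((name, start, image, reasons))
    return found


def autorun_commands(log: str) -> List[str]:
    """AutoRun commands registered for removable volumes under mountpoints2."""
    return [m.group(1) for m in map(AUTORUN_RE.match, log.splitlines()) if m]


def cfscript_for(paths: List[str]) -> str:
    """Render a CFScript in the shape used in the thread: KILLALL::, Rootkit:: with the
    locked files, Driver:: with the driver names. ASSUMPTION: the Driver:: name is the
    .sys file name without its extension; verify it against the R*/S* lines first."""
    lines = ["KILLALL::", "Rootkit::"] + list(paths)
    drivers = [p.rsplit("\\", 1)[-1][:-4] for p in paths if p.lower().endswith(".sys")]
    if drivers:
        lines += ["Driver::"] + drivers
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("Scan date:", scan_date(SAMPLE_LOG))
    print("Failed deletions:", failed_deletions(SAMPLE_LOG))
    print("Recent drivers:", recent_drivers(SAMPLE_LOG))
    print("Suspicious services:", suspicious_services(SAMPLE_LOG))
    print("AutoRun commands:", autorun_commands(SAMPLE_LOG))
    print("Proposed CFScript:\n" + cfscript_for(failed_deletions(SAMPLE_LOG)))
```

Run it on a saved ComboFix log by replacing SAMPLE_LOG with the file contents; on the sample it flags both locked files, termddd.sys as a driver modified the day before the scan, the McAfee cleanup service that points at a Temp directory with no file timestamp, and the E:\Installer.exe AutoRun entry, which on a 2008-era machine is the classic removable-media infection path and is worth clearing regardless of what termddd.sys turns out to be.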



