
HijackThis Log: Please help Diagnose



#1 yellowman388
Posted 27 April 2009 - 12:39 AM

Hello, recently my computer has been having a problem with the internet... it just acts weird... sometimes it works, sometimes it doesn't. Also, on start-up, after login, it almost finishes loading up and then an error occurs, and then it starts to load up again, and then it tells me that the system has just recovered from a serious error.

I'm running Windows XP.
I have avast Free Antivirus and I have already run a Malwarebytes scan and nothing was detected.

This is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:41 AM, on 4/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\System\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Toshiba\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Toshiba\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Toshiba\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Toshiba\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Toshiba\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Toshiba\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Toshiba\My Documents\Downloads\Hijack This\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\system32\nvsysrot.dll,Enable
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [DockMsgFrom] C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Video Camera Frog] C:\WINDOWS\system32\wcamfrog.exe
O4 - HKLM\..\Run: [Microsoft Security Monitor Process] pe.exe
O4 - HKLM\..\RunServices: [Video Camera Frog] C:\WINDOWS\system32\wcamfrog.exe
O4 - HKLM\..\RunServices: [Microsoft Security Monitor Process] pe.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Toshiba\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [waultc] C:\Documents and Settings\Toshiba\Application Data\waultc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E22B1E2-ECB6-4BC2-A27D-9D905315254D}: NameServer = 205.214.192.201,205.214.192.202
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Unknown owner - C:\WINDOWS\system32\DVDRAMSV.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update (GoogleUpdate) - Unknown owner - C:\Program Files\Common Files\System\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

--
End of file - 12545 bytes


Your help is appreciated....thank you :D

#2 Starbuck (Malware Response Team)
Posted 28 April 2009 - 11:08 AM

Hi yellowman388

Not very good news, I'm afraid.

Some browser hijackers and downloaders, such as 'W32.IRCBot', have been or are active on your computer. It is known that these trojans can communicate with remote computers, download and run code, send emails and redirect browser requests. Unfortunately we cannot be sure what they have done.

If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojans have been identified, there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS.

For more information read ....Here
If you choose to format and reinstall read...... Here

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy again.

Let me know what you decide to do.

Thanks.



#3 yellowman388 (Topic Starter)
Posted 28 April 2009 - 05:14 PM

Well, I never ran anything with money on my computer... the only passwords I ever used are for my email addresses and forums, so I don't think I need to worry about identity theft or fraud. But to reinstall my OS I would need to burn my recovery discs. If I do that, would the virus be backed up? And also, is it the type of virus that is carried by flash drives or external HDs? Because I need to back up some files as well.

#4 Starbuck (Malware Response Team)
Posted 28 April 2009 - 06:18 PM

Hi yellowman388

But to reinstall my OS I would need to burn my recovery discs. If I do that, would the virus be backed up?

If you haven't already burnt them, I wouldn't advise doing it now.
I take it you didn't have a separate installation disc with your system?

And also, is it the type of virus that is carried by flash drives or external HDs?

As it has the ability to open 'backdoors' on your system, there's no telling what it's done. It may have infected your USB drives; we would need to look at this.

As you say:

Well, I never ran anything with money on my computer

If you want me to run a couple of programs and have a look for you, that's fine.
We can take it from there then.
I would still recommend you change any email passwords though, just to be sure.

Here are some instructions if you want to carry on for the time being:

Step 1
Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt in your next reply.
Step 2
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
    For more information read:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

    Then:
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    If running Vista, you may not see this screen
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please submit:
SDFix report
ComboFix.txt


Thanks.



#5 yellowman388 (Topic Starter)
Posted 29 April 2009 - 03:38 AM

OK... this is my SDFix log


SDFix: Version 1.240
Run by Toshiba on Wed 04/29/2009 at 03:35 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 03:44:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:6a7594fa
"s1"=dword:da0979d3
"s2"=dword:a4e8ad4f
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:f7,be,8e,67,10,ae,99,23,3e,ea,5b,0a,4c,31,bf,27,fd,2d,2c,b3,9c,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:f7,be,8e,67,10,ae,99,23,3e,ea,5b,0a,4c,31,bf,27,fd,2d,2c,b3,9c,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:f7,be,8e,67,10,ae,99,23,3e,ea,5b,0a,4c,31,bf,27,fd,2d,2c,b3,9c,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1133907811\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1133907811\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Documents and Settings\\Toshiba\\Desktop\\Age Of Empires II\\age2_x1.exe"="C:\\Documents and Settings\\Toshiba\\Desktop\\Age Of Empires II\\age2_x1.exe:*:Enabled:Age of Empires II Expansion"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\Documents and Settings\\Toshiba\\My Documents\\Games\\Age Of Empires II\\age2_x1.exe"="C:\\Documents and Settings\\Toshiba\\My Documents\\Games\\Age Of Empires II\\age2_x1.exe:*:Enabled:Age of Empires II Expansion"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"c:\\xpp.exe"="c:\\xpp.exe:*:Enabled:virx"
"C:\\Documents and Settings\\Toshiba\\aupdate.exe"="C:\\Documents and Settings\\Toshiba\\aupdate.exe:*:Enabled:test"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\Common Files\\System\\GoogleUpdate.exe"="C:\\Program Files\\Common Files\\System\\GoogleUpdate.exe:*:Enabled:Google Update"
"C:\\WINDOWS\\system32\\wcamfrog.exe"="C:\\WINDOWS\\system32\\wcamfrog.exe:*:Enabled:Video Camera Frog"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files :



Files with Hidden Attributes :

Mon 2 Feb 2009 36,864 A.SHR --- "C:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\OgarD.exe"
Tue 6 Jan 2009 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 24 Apr 2009 75,264 ..SHR --- "C:\Program Files\Common Files\System\GoogleUpdate.exe"
Wed 18 Feb 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Fri 2 May 2008 3,493,888 A..H. --- "C:\Documents and Settings\Toshiba\Application Data\U3\temp\Launchpad Removal.exe"

Finished!



This is my ComboFix log


ComboFix 09-04-28.02 - Toshiba 04/29/2009 3:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2555 [GMT -4:00]
Running from: c:\documents and settings\Toshiba\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090428-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Toshiba\3.exe
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\OgarD.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-29 07:33 . 2009-04-29 07:33 578560 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-04-29 07:26 . 2009-04-29 07:27 -------- d-----w c:\windows\ERUNT
2009-04-29 07:13 . 2009-04-29 07:49 -------- d-----w C:\SDFix
2009-04-25 07:51 . 2009-04-25 07:51 65577 ----a-w C:\konjusina.exe
2009-04-25 07:26 . 2009-04-25 07:26 65577 ----a-w C:\dsdsasaaTTTsak444.exe
2009-04-25 07:26 . 2009-04-25 07:26 65577 ----a-w C:\dsdsasaasak444.exe
2009-04-25 04:56 . 2009-04-25 04:56 143401 ----a-w C:\sa.exe
2009-04-25 03:48 . 2009-04-25 03:48 75264 ----a-w C:\supek.exe
2009-04-25 03:16 . 2009-04-25 03:16 75264 ----a-w C:\grokafdd.exe
2009-04-25 02:01 . 2009-04-25 02:01 75264 ----a-w C:\phase54t.exe
2009-04-25 01:32 . 2009-04-25 02:00 75264 ----a-w C:\hahsasasasa.exe
2009-04-25 01:18 . 2009-04-25 01:18 32813 ----a-w C:\supdssdddko.exe
2009-04-22 08:35 . 2009-04-22 08:36 90153 ----a-w c:\documents and settings\Toshiba\raja365.EXE
2009-04-17 22:30 . 2009-04-17 22:30 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-17 04:35 . 2009-04-17 04:35 -------- d-sh--r C:\BIN
2009-04-17 04:29 . 2009-04-17 04:29 328 ----a-w c:\documents and settings\Toshiba\cDxFDF.EXE
2009-04-15 20:12 . 2009-04-15 20:12 -------- d-sh--w c:\documents and settings\Toshiba\PrivacIE
2009-04-15 20:07 . 2009-04-15 20:07 -------- d-sh--w c:\documents and settings\Toshiba\IETldCache
2009-04-15 20:05 . 2009-04-15 20:05 -------- d-----w c:\windows\ie8updates
2009-04-15 20:02 . 2009-04-15 20:04 -------- dc-h--w c:\windows\ie8
2009-04-15 20:01 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-04-15 17:32 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 17:32 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-15 17:32 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 17:32 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 17:32 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 17:32 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 17:32 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 17:32 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 17:32 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 17:32 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 17:26 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 17:25 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-12 20:50 . 2009-04-13 13:38 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-11 19:15 . 2009-04-11 19:15 -------- d-sh--r C:\Driver
2009-04-09 21:43 . 2009-04-09 21:43 61440 ----a-w c:\documents and settings\Toshiba\hehe.exe
2009-04-08 23:47 . 2009-04-08 23:47 -------- d-----w c:\documents and settings\Toshiba\Application Data\Malwarebytes
2009-04-08 23:46 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-08 23:46 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-08 23:46 . 2009-04-08 23:46 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-08 23:46 . 2009-04-08 23:47 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-08 21:18 . 2009-04-08 21:18 7833 ----a-w C:\GLAME.exe
2009-04-08 20:55 . 2009-04-08 21:22 8870 ----a-w C:\gagg.exe
2009-04-08 20:30 . 2009-04-08 20:30 61440 ----a-w c:\documents and settings\Toshiba\mhfds.exe
2009-04-08 19:16 . 2009-04-24 23:04 90153 ----a-w c:\documents and settings\Toshiba\update.exe
2009-04-08 18:27 . 2009-04-08 18:27 7833 ----a-w C:\gdssddsatgg.exe
2009-04-08 18:27 . 2009-04-08 18:27 7833 ----a-w C:\ergergfer.exe
2009-04-08 18:12 . 2009-04-08 18:12 7833 ----a-w C:\fdbdfd.exe
2009-04-08 02:21 . 2009-04-08 02:25 943449 ----a-w C:\warggtt.exe
2009-04-08 02:17 . 2009-04-08 02:17 9264 ----a-w C:\evervrever.exe
2009-04-08 02:13 . 2009-04-08 02:13 9264 ----a-w C:\WarGT.exe
2009-04-08 01:44 . 2009-04-08 01:44 9264 ----a-w C:\gfdgg.exe
2009-04-08 01:42 . 2009-04-08 01:47 9264 ----a-w C:\ggffggg.exe
2009-04-08 01:41 . 2009-04-08 01:41 9264 ----a-w C:\ggg.exe
2009-04-07 20:09 . 2009-04-07 21:34 -------- d-----w c:\windows\system32\drivere
2009-04-07 20:07 . 2009-04-07 21:34 899785 ----a-w C:\tfgnffg.exe
2009-04-05 20:11 . 2009-04-05 20:11 61440 ----a-w c:\documents and settings\Toshiba\rew54fds5a.exe
2009-04-05 19:07 . 2009-04-05 19:07 61440 ----a-w c:\documents and settings\Toshiba\4dae4ra4re3sdsx.exe
2009-04-05 18:25 . 2009-04-05 18:25 61440 ----a-w c:\documents and settings\Toshiba\4fds5da6q954as.exe
2009-04-04 22:41 . 2009-04-04 22:52 61440 ----a-w c:\documents and settings\Toshiba\jdrew3ds3.exe
2009-04-04 22:35 . 2009-04-04 22:37 61440 ----a-w c:\documents and settings\Toshiba\jurk3.exe
2009-04-04 22:26 . 2009-04-04 22:26 61440 ----a-w c:\documents and settings\Toshiba\saaw.exe
2009-04-04 22:22 . 2009-04-04 22:22 61440 ----a-w c:\documents and settings\Toshiba\4564.exe
2009-04-04 22:21 . 2009-04-04 22:21 61440 ----a-w c:\documents and settings\Toshiba\gdg.exe
2009-04-04 20:36 . 2009-04-04 20:36 61440 ----a-w c:\documents and settings\Toshiba\gfdgf.exe
2009-04-04 19:44 . 2009-04-04 19:44 61440 ----a-w c:\documents and settings\Toshiba\lol.exe
2009-04-04 19:37 . 2009-04-04 19:37 61440 ----a-w c:\documents and settings\Toshiba\jdfsi.exe
2009-04-02 07:38 . 2009-04-02 08:07 61440 ----a-w c:\documents and settings\Toshiba\haha.exe
2009-04-01 20:37 . 2009-04-01 21:09 61440 ----a-w c:\documents and settings\Toshiba\dasda.exe
2009-04-01 08:11 . 2009-04-01 08:11 61440 ----a-w c:\documents and settings\Toshiba\dadada.exe
2009-04-01 05:45 . 2009-04-01 05:45 61440 ----a-w c:\documents and settings\Toshiba\dadaye.exe
2009-03-31 19:25 . 2009-04-29 07:56 -------- d-sh--r C:\RESTORE
2009-03-31 19:25 . 2009-03-31 21:19 61440 ----a-w c:\documents and settings\Toshiba\explorers.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-15 07:02 . 2009-04-15 07:02 106496 ----a-w c:\documents and settings\Toshiba\RCX305.tmp
2009-04-14 20:14 . 2009-04-14 20:14 106496 ----a-w c:\documents and settings\Toshiba\RCX237.tmp
2009-04-14 20:14 . 2009-04-14 20:14 106496 ----a-w c:\documents and settings\Toshiba\RCX236.tmp
2009-04-14 19:35 . 2009-04-14 19:35 106496 ----a-w c:\documents and settings\Toshiba\RCX235.tmp
2009-04-14 18:51 . 2009-04-14 18:51 106496 ----a-w c:\documents and settings\Toshiba\RCX233.tmp
2009-04-14 18:50 . 2009-04-14 18:50 106496 ----a-w c:\documents and settings\Toshiba\RCX232.tmp
2009-04-14 17:41 . 2009-04-14 17:41 106496 ----a-w c:\documents and settings\Toshiba\RCX22A.tmp
2009-04-14 17:41 . 2009-04-14 17:41 106496 ----a-w c:\documents and settings\Toshiba\RCX229.tmp
2009-04-13 21:05 . 2009-04-13 21:05 106496 ----a-w c:\documents and settings\Toshiba\RCX224.tmp
2009-04-13 21:05 . 2009-04-13 21:05 106496 ----a-w c:\documents and settings\Toshiba\RCX223.tmp
2009-04-13 20:57 . 2009-04-13 20:57 106496 ----a-w c:\documents and settings\Toshiba\RCX215.tmp
2009-04-13 20:56 . 2009-04-13 20:56 106496 ----a-w c:\documents and settings\Toshiba\RCX202.tmp
2009-04-13 19:17 . 2009-04-13 19:17 106496 ----a-w c:\documents and settings\Toshiba\RCX216.tmp
2009-04-13 18:43 . 2009-04-13 18:43 106496 ----a-w c:\documents and settings\Toshiba\RCX214.tmp
2009-04-13 18:40 . 2009-04-13 18:40 106496 ----a-w c:\documents and settings\Toshiba\RCX208.tmp
2009-04-13 18:29 . 2009-04-13 18:29 106496 ----a-w c:\documents and settings\Toshiba\RCX207.tmp
2009-04-13 17:53 . 2009-04-13 17:53 106496 ----a-w c:\documents and settings\Toshiba\RCX206.tmp
2009-04-13 17:44 . 2009-04-13 17:44 106496 ----a-w c:\documents and settings\Toshiba\RCX205.tmp
2009-04-13 17:41 . 2009-04-13 17:41 106496 ----a-w c:\documents and settings\Toshiba\RCX204.tmp
2009-04-13 08:11 . 2008-10-23 21:44 27848 ----a-w c:\documents and settings\Toshiba\Application Data\GDIPFONTCACHEV1.DAT
2009-04-12 21:03 . 2009-04-12 21:03 106496 ----a-w c:\documents and settings\Toshiba\RCX213.tmp
2009-04-12 21:02 . 2009-04-12 21:02 106496 ----a-w c:\documents and settings\Toshiba\RCX212.tmp
2009-04-12 20:55 . 2009-04-12 20:55 106496 ----a-w c:\documents and settings\Toshiba\RCX211.tmp
2009-04-12 20:49 . 2009-04-12 20:49 106496 ----a-w c:\documents and settings\Toshiba\RCX210.tmp
2009-04-12 20:03 . 2009-04-12 20:03 106496 ----a-w c:\documents and settings\Toshiba\RCX20F.tmp
2009-04-12 20:03 . 2009-04-12 20:03 106496 ----a-w c:\documents and settings\Toshiba\RCX20E.tmp
2009-04-12 18:32 . 2009-04-12 18:32 106496 ----a-w c:\documents and settings\Toshiba\RCX20D.tmp
2009-04-12 18:32 . 2009-04-12 18:32 106496 ----a-w c:\documents and settings\Toshiba\RCX20C.tmp
2009-04-12 18:09 . 2009-04-12 18:09 106496 ----a-w c:\documents and settings\Toshiba\RCX20B.tmp
2009-04-12 18:06 . 2009-04-12 18:06 106496 ----a-w c:\documents and settings\Toshiba\RCX20A.tmp
2009-04-12 17:51 . 2009-04-12 17:51 106496 ----a-w c:\documents and settings\Toshiba\RCX209.tmp
2009-04-12 17:32 . 2009-04-12 17:32 106496 ----a-w c:\documents and settings\Toshiba\RCX203.tmp
2009-04-12 17:20 . 2009-04-12 17:20 106496 ----a-w c:\documents and settings\Toshiba\RCX1F6.tmp
2009-04-12 17:19 . 2009-04-12 17:19 106496 ----a-w c:\documents and settings\Toshiba\RCX1F4.tmp
2009-04-11 22:48 . 2009-04-11 22:48 106496 ----a-w c:\documents and settings\Toshiba\RCX27C.tmp
2009-04-11 22:48 . 2009-04-11 22:48 106496 ----a-w c:\documents and settings\Toshiba\RCX27B.tmp
2009-04-11 22:46 . 2009-04-11 22:46 106496 ----a-w c:\documents and settings\Toshiba\RCX278.tmp
2009-04-11 22:46 . 2009-04-11 22:46 106496 ----a-w c:\documents and settings\Toshiba\RCX277.tmp
2009-04-11 22:13 . 2009-04-11 22:13 106496 ----a-w c:\documents and settings\Toshiba\RCX272.tmp
2009-04-11 22:12 . 2009-04-11 22:12 106496 ----a-w c:\documents and settings\Toshiba\RCX271.tmp
2009-04-11 21:40 . 2009-04-11 21:40 106496 ----a-w c:\documents and settings\Toshiba\RCX26C.tmp
2009-04-11 21:40 . 2009-04-11 21:40 106496 ----a-w c:\documents and settings\Toshiba\RCX26B.tmp
2009-04-11 21:02 . 2009-04-11 21:02 106496 ----a-w c:\documents and settings\Toshiba\RCX246.tmp
2009-04-11 21:01 . 2009-04-11 21:01 106496 ----a-w c:\documents and settings\Toshiba\RCX245.tmp
2009-04-11 19:31 . 2009-04-11 19:31 106496 ----a-w c:\documents and settings\Toshiba\RCX1FD.tmp
2009-04-11 19:29 . 2009-04-11 19:29 106496 ----a-w c:\documents and settings\Toshiba\RCX1FA.tmp
2009-04-11 19:15 . 2009-04-11 19:15 106496 ----a-w c:\documents and settings\Toshiba\RCX1EE.tmp
2009-04-11 19:15 . 2009-04-11 19:15 106496 ----a-w c:\documents and settings\Toshiba\RCX1ED.tmp
2009-04-04 23:53 . 2008-08-16 01:29 -------- d-----w c:\program files\Messenger Plus! Live
2009-04-01 19:33 . 2005-12-06 22:14 -------- d-----w c:\program files\Java
2009-03-30 03:58 . 2008-08-17 07:54 -------- d-----w c:\program files\LimeWire
2009-03-27 16:03 . 2008-08-17 02:07 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-24 00:11 . 2009-03-24 00:11 -------- d-----w c:\program files\CFS-Technologies
2009-03-23 21:42 . 2005-12-06 21:23 27848 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-23 21:41 . 2009-03-23 21:41 -------- d-----w c:\program files\Microsoft
2009-03-23 21:40 . 2008-08-16 22:47 -------- d-----w c:\program files\Windows Live
2009-03-23 21:40 . 2009-03-23 21:40 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-23 21:38 . 2009-03-23 21:38 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-22 19:23 . 2009-03-22 19:23 -------- d-----w c:\program files\Alwil Software
2009-03-09 09:19 . 2009-03-30 03:57 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 08:34 . 2005-12-06 00:41 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2005-12-06 00:40 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2005-12-06 00:40 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2005-12-06 00:41 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2005-12-06 00:40 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2005-12-06 00:40 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2005-12-06 00:40 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2005-12-06 00:40 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2005-12-06 00:40 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2005-12-06 00:40 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2005-12-06 00:40 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-09 12:10 . 2005-12-06 00:40 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-12-06 00:41 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-12-06 00:40 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-12-06 00:40 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-12-06 00:41 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 22:52 . 2009-02-06 22:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2005-12-06 00:41 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-12-06 00:40 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-12-06 00:41 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-12-06 00:41 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Google Update"="c:\documents and settings\Toshiba\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-08 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="thpsrv" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-01 7557120]
"NVRotateSysTray"="c:\windows\system32\nvsysrot.dll" [2006-05-01 49152]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-17 82009]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 761945]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-06 30208]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-01-18 126976]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2005-03-18 81920]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-19 185896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-06 98304]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-01 1519616]
"TFncKy"="TFncKy.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-06 00:48 40448 ----a-w c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\Common Files\\System\\GoogleUpdate.exe"=

R3 XDva190;XDva190; [x]
R3 XDva195;XDva195; [x]
R3 XDva201;XDva201; [x]
R3 XDva212;XDva212; [x]
R3 XDva219;XDva219; [x]
R3 XDva224;XDva224; [x]
R3 XDva259;XDva259; [x]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2004-11-13 6144]
S1 aswSP;avast! Self Protection; [x]
S1 TMEI3E;TMEI3E;c:\windows\system32\Drivers\TMEI3E.SYS [2004-06-16 5888]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2006-05-06 13568]
S2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2006-05-06 33024]
S2 GoogleUpdate;Google Update;c:\program files\Common Files\System\GoogleUpdate.exe [2009-04-25 75264]
S2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [2006-05-06 3456]
S2 Tmesrv;Tmesrv3;c:\program files\TOSHIBA\TME3\Tmesrv31.exe [2005-01-18 126976]
S3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2005-06-10 35968]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d8d5f6d-a1cc-11dd-acc0-001302c8e8f1}]
\Shell\AutoRun\command - f:\restore\k-1-3542-4232123213-7676767-8888886\Ogard.exe
\Shell\open\command - f:\restore\k-1-3542-4232123213-7676767-8888886\Ogard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b66b4a7-8293-11dd-ac92-001302c8e8f1}]
\shell\verb1\command - desktop.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a6b5fce-c956-11dd-acf7-001302c8e8f1}]
\Shell\AutoRun\command - f:\bin\RECYCLE\Bin.exe
\Shell\open\command - f:\bin\RECYCLE\Bin.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46269984-c08a-11dd-ace9-001302c8e8f1}]
\Shell\AutoRun\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\msnmsngr.exe
\Shell\open\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\msnmsngr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46269989-c08a-11dd-ace9-001302c8e8f1}]
\Shell\AutoRun\command - f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\OgarD.exe
\Shell\open\command - f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\OgarD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46c9d3b2-22f5-11de-83e3-001302c8e8f1}]
\Shell\AutoRun\command - f:\restore\k-1-3542-4232123213-7676767-8888886\Ogard.exe
\Shell\open\command - f:\restore\k-1-3542-4232123213-7676767-8888886\Ogard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{627ab6c9-ebc2-11dd-ad31-001302c8e8f1}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{627ab6cb-ebc2-11dd-ad31-001302c8e8f1}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66b98f23-cadf-11dd-acf9-001302c8e8f1}]
\Shell\AutoRun\command - F:\wdsync.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{82e03d56-ea7b-11dd-ad2f-001302c8e8f1}]
\Shell\Auto\command - dllhosts.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL dllhosts.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{82e03d57-ea7b-11dd-ad2f-001302c8e8f1}]
\Shell\Auto\command - dllhosts.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL dllhosts.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{82e03d58-ea7b-11dd-ad2f-001302c8e8f1}]
\Shell\Auto\command - dllhosts.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL dllhosts.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84028595-989a-11dd-acb1-001302c8e8f1}]
\Shell\AutoRun\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\msnmsngr.exe
\Shell\open\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\msnmsngr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84028641-989a-11dd-acb1-001302c8e8f1}]
\Shell\AutoRun\command - ekugb3.bat
\Shell\explore\Command - ekugb3.bat
\Shell\open\Command - ekugb3.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbf9fe02-165c-11de-83d1-001302c8e8f1}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL _AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca4eabd1-7d60-11dd-ac89-001302c8e8f1}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca4eabd2-7d60-11dd-ac89-001302c8e8f1}]
\Shell\AutoRun\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\msnmsngr.exe
\Shell\open\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\msnmsngr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dfc5298e-7b98-11dd-ac87-001302c8e8f1}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8310d1b-6f05-11dd-ac70-001302c8e8f1}]
\Shell\AutoRun\command - f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\OgarD.exe
\Shell\open\command - f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\OgarD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e96d5544-7786-11dd-ac80-001302c8e8f1}]
\Shell\AutoRun\command - h:\restore\k-1-3542-4232123213-7676767-8888886\Ogard.exe
\Shell\open\command - h:\restore\k-1-3542-4232123213-7676767-8888886\Ogard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-00WE-AAX5-74CC2A322142}]
c:\driver\Files\Drago.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D157322}]
c:\restore\k-1-3542-4232123213-7676767-8888886\Ogard.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3685193945-1867296615-1152736362-1005.job
- c:\documents and settings\Toshiba\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-08 05:40]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-waultc - c:\documents and settings\Toshiba\Application Data\waultc.exe
HKLM-Run-DockMsgFrom - c:\program files\Toshiba\Toshiba Applet\DockMsgFrom.exe
HKLM-Run-PadTouch - c:\program files\TOSHIBA\Touch and Launch\PadExe.exe
HKLM-Run-AGRSMMSG - AGRSMMSG.exe
HKLM-Run-TPSMain - TPSMain.exe
HKLM-Run-RTHDCPL - RTHDCPL.EXE


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
TCP: {6E22B1E2-ECB6-4BC2-A27D-9D905315254D} = 205.214.192.201,205.214.192.202
FF - ProfilePath - c:\documents and settings\Toshiba\Application Data\Mozilla\Firefox\Profiles\3t3brafm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\Toshiba\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 04:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\mysafe.dll
c:\program files\Protector Suite QL\crypto.dll

- - - - - - - > 'lsass.exe'(1044)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll

- - - - - - - > 'explorer.exe'(744)
c:\windows\system32\nview.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\program files\TOSHIBA\TME3\TMEEJMD.DLL
c:\windows\system32\nvwddi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Protector Suite QL\mysafe.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\program files\TOSHIBA\TME3\TMEEJME.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-29 4:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 08:04

Pre-Run: 13,503,193,088 bytes free
Post-Run: 13,876,539,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

428 --- E O F --- 2009-04-29 07:09




Thanks for the help... I appreciate it.

#6 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:03:21 AM

Posted 30 April 2009 - 05:04 PM

Hi yellowman388

After looking through your report, I'm glad you decided to reinstall.
This is one nasty report.
But on saying that, it gives us the opportunity to grab some files for examination.
I certainly wouldn't try to back anything up at the moment.

Let's see what we can do:

Step 1
Close any open browsers.
Close/disable all antivirus, firewall and anti-malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C.
http://www.bleepingcomputer.com/forums/t/222599/hijackthis-log-please-help-diagnose/

Collect::
C:\konjusina.exe
C:\dsdsasaaTTTsak444.exe
C:\dsdsasaasak444.exe
C:\supek.exe
C:\grokafdd.exe
C:\phase54t.exe
C:\hahsasasasa.exe
C:\supdssdddko.exe
c:\documents and settings\Toshiba\raja365.EXE
c:\documents and settings\Toshiba\cDxFDF.EXE
c:\documents and settings\Toshiba\hehe.exe
C:\GLAME.exe
C:\gagg.exe
C:\gdssddsatgg.exe
C:\ergergfer.exe
C:\fdbdfd.exe
C:\warggtt.exe
C:\evervrever.exe
C:\WarGT.exe
C:\gfdgg.exe
C:\ggffggg.exe
C:\ggg.exe
C:\tfgnffg.exe

File::
c:\documents and settings\Toshiba\RCX305.tmp
c:\documents and settings\Toshiba\RCX237.tmp
c:\documents and settings\Toshiba\RCX236.tmp
c:\documents and settings\Toshiba\RCX235.tmp
c:\documents and settings\Toshiba\RCX233.tmp
c:\documents and settings\Toshiba\RCX232.tmp
c:\documents and settings\Toshiba\RCX22A.tmp
c:\documents and settings\Toshiba\RCX229.tmp
c:\documents and settings\Toshiba\RCX224.tmp
c:\documents and settings\Toshiba\RCX223.tmp
c:\documents and settings\Toshiba\RCX215.tmp
c:\documents and settings\Toshiba\RCX202.tmp
c:\documents and settings\Toshiba\RCX216.tmp
c:\documents and settings\Toshiba\RCX214.tmp
c:\documents and settings\Toshiba\RCX208.tmp
c:\documents and settings\Toshiba\RCX207.tmp
c:\documents and settings\Toshiba\RCX206.tmp
c:\documents and settings\Toshiba\RCX205.tmp
c:\documents and settings\Toshiba\RCX204.tmp
c:\documents and settings\Toshiba\RCX213.tmp
c:\documents and settings\Toshiba\RCX212.tmp
c:\documents and settings\Toshiba\RCX211.tmp
c:\documents and settings\Toshiba\RCX210.tmp
c:\documents and settings\Toshiba\RCX20F.tmp
c:\documents and settings\Toshiba\RCX20E.tmp
c:\documents and settings\Toshiba\RCX20D.tmp
c:\documents and settings\Toshiba\RCX20C.tmp
c:\documents and settings\Toshiba\RCX20B.tmp
c:\documents and settings\Toshiba\RCX20A.tmp
c:\documents and settings\Toshiba\RCX209.tmp
c:\documents and settings\Toshiba\RCX203.tmp
c:\documents and settings\Toshiba\RCX1F6.tmp
c:\documents and settings\Toshiba\RCX1F4.tmp
c:\documents and settings\Toshiba\RCX27C.tmp
c:\documents and settings\Toshiba\RCX27B.tmp
c:\documents and settings\Toshiba\RCX278.tmp
c:\documents and settings\Toshiba\RCX277.tmp
c:\documents and settings\Toshiba\RCX272.tmp
c:\documents and settings\Toshiba\RCX271.tmp
c:\documents and settings\Toshiba\RCX26C.tmp
c:\documents and settings\Toshiba\RCX26B.tmp
c:\documents and settings\Toshiba\RCX246.tmp
c:\documents and settings\Toshiba\RCX245.tmp
c:\documents and settings\Toshiba\RCX1FD.tmp
c:\documents and settings\Toshiba\RCX1FA.tmp
c:\documents and settings\Toshiba\RCX1EE.tmp
c:\documents and settings\Toshiba\RCX1ED.tmp
c:\documents and settings\Toshiba\rew54fds5a.exe
c:\documents and settings\Toshiba\4dae4ra4re3sdsx.exe
c:\documents and settings\Toshiba\4fds5da6q954as.exe
c:\documents and settings\Toshiba\jdrew3ds3.exe
c:\documents and settings\Toshiba\jurk3.exe
c:\documents and settings\Toshiba\saaw.exe
c:\documents and settings\Toshiba\4564.exe
c:\documents and settings\Toshiba\gdg.exe
c:\documents and settings\Toshiba\gfdgf.exe
c:\documents and settings\Toshiba\lol.exe
c:\documents and settings\Toshiba\jdfsi.exe
c:\documents and settings\Toshiba\haha.exe
c:\documents and settings\Toshiba\dasda.exe
c:\documents and settings\Toshiba\dadada.exe
c:\documents and settings\Toshiba\dadaye.exe
c:\documents and settings\Toshiba\explorers.exe
h:\restore\k-1-3542-4232123213-7676767-8888886\Ogard.exe
f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\OgarD.exe
f:\restore\k-1-3542-4232123213-7676767-8888886\Ogard.exe
f:\bin\RECYCLE\Bin.exe

Folder::
C:\Driver

Driver::
XDva190
XDva195
XDva201
XDva212
XDva219
XDva224
XDva259

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d8d5f6d-a1cc-11dd-acc0-001302c8e8f1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b66b4a7-8293-11dd-ac92-001302c8e8f1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a6b5fce-c956-11dd-acf7-001302c8e8f1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46269984-c08a-11dd-ace9-001302c8e8f1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46269989-c08a-11dd-ace9-001302c8e8f1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46c9d3b2-22f5-11de-83e3-001302c8e8f1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{627ab6c9-ebc2-11dd-ad31-001302c8e8f1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{627ab6cb-ebc2-11dd-ad31-001302c8e8f1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84028595-989a-11dd-acb1-001302c8e8f1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84028641-989a-11dd-acb1-001302c8e8f1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbf9fe02-165c-11de-83d1-001302c8e8f1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca4eabd1-7d60-11dd-ac89-001302c8e8f1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca4eabd2-7d60-11dd-ac89-001302c8e8f1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8310d1b-6f05-11dd-ac70-001302c8e8f1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e96d5544-7786-11dd-ac80-001302c8e8f1}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-00WE-AAX5-74CC2A322142}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D157322}]
Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon as below.

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

When CF finishes running, the ComboFix log will open along with a message box.... do not be alarmed.
With the above script, ComboFix will capture files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.


Step 2
Temporarily disable your anti-virus, script blocking and any real time protection programs before downloading this tool as it can be falsely flagged as malware.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
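As an added example (not part of this thread, and not Flash_Disinfector's own code), a short Python script that demonstrates the mechanism the note describes: it tells a protective autorun.inf folder apart from an autorun.inf file, lists the directives in such a file that would launch a program when the drive is inserted, and creates the placeholder folder. The function names and the temporary "drive root" are constructions for this example.

```python
import configparser
import os
import tempfile

# [autorun] keys that make Windows run a program when the drive is inserted.
EXEC_KEYS = ("open", "shellexecute")


def classify_autorun(root):
    """Return (kind, findings): kind is 'absent', 'protected' (folder) or 'file'."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return "absent", []
    if os.path.isdir(path):  # the Flash_Disinfector-style placeholder folder
        return "protected", []
    # A real autorun.inf is INI-style; configparser lower-cases the keys for us.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            cfg.read_file(fh)
    except configparser.Error:
        return "file", ["unparseable autorun.inf"]
    section = next((s for s in cfg.sections() if s.lower() == "autorun"), None)
    findings = []
    for key, value in (cfg.items(section) if section else []):
        # 'shell\<verb>\command=' keys also launch a program (via the context menu)
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            findings.append(f"{key}={value}")
    return "file", findings


def install_protective_folder(root):
    """Create the hidden autorun.inf *folder* so an autorun.inf *file* cannot be dropped."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isfile(path):
        raise FileExistsError("an autorun.inf file is present; inspect and remove it first")
    os.makedirs(path, exist_ok=True)
    if os.name == "nt":  # hidden + system attributes exist only on Windows
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(path, 0x2 | 0x4)
    return path


def make_sample_root(autorun_text=None):
    """Constructed 'drive root' in a temp dir, optionally seeded with an autorun.inf file."""
    root = tempfile.mkdtemp(prefix="fakedrive_")
    if autorun_text is not None:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(autorun_text)
    return root
```

Run `classify_autorun` against a real drive root (for example `E:\`) to see whether it holds nothing, the protective folder, or a file with launch directives worth investigating.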

Step 3
Please do an online scan with Kaspersky WebScanner.
Notes
Java must be installed and enabled for the scan to work.
Disable your computer's antivirus program, as leaving it active will cause conflicts.
  • Close ALL programs and windows except for your browser.
  • Please go to Online Kaspersky Scan and perform an online antivirus scan.
  • Read through the Requirements and limitations statement and click on the Accept button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, the scrolling window will show 'Database is updated. Ready to scan'. Click on the Settings button at the bottom left.
  • Make sure these boxes are checked/ticked. If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan on the left. OK any warnings from your protection programs.
  • Go for a long walk. Please be patient and let the scanner finish. It is better that you do NOT use the computer while the scan is running. Keep all other programs/windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan-ddmmyy before clicking on the Save button. Save the report to a convenient place - for example the Desktop.
  • Please post this log in your next reply.
Note - enable your antivirus program before browsing away from the Kaspersky site.

Go to the Desktop and double-click on the Kaspersky report KAVScan-ddmmyy.txt; it will open in Notepad.
Click Edit > Select all then Edit > Copy
Reply to this thread and paste (Ctrl+V) the report.

In your next reply, please submit:
new combofix.txt
Kaspersky scan results


Thanks.

Edited by Starbuck, 30 April 2009 - 06:06 PM.



#7 yellowman388

yellowman388
  • Topic Starter

  • Members
  • 18 posts
  • Local time:09:21 PM

Posted 01 May 2009 - 01:17 AM

well I have good news....a friend of mine loaded it up with Linux and got the virus off for me...so my computer is good to go now....thanks a lot for your help...I appreciate it...

#8 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:03:21 AM

Posted 01 May 2009 - 02:18 PM

Hi yellowman388

Ok no problem.

As this topic has been resolved this thread will now be closed.

If you need this topic reopened, please contact one of the moderating team by PM and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.

Everyone else please begin a New Topic.
