
Possible virtumonde & antivirus 360 problems


This topic is locked
12 replies to this topic

#1 Horizontal Kipper

Horizontal Kipper

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:38 PM

Posted 09 May 2009 - 05:36 AM

Firstly, many thanks for all help offered.
Computer = Toshiba NB100 netbook with XP Home SP3

Computer infected with Virtumonde, Antivirus 360 and possibly others.
Having deleted over 3000 .exe files in various hidden / temp folders, I'm getting close, but still can't get the thing running OK.
Keep getting disconnected from the network; IE shows a "Google recommends you install Antivirus 360" message.
I can't run or re-install Norton Internet Security 2008.
Can't download Windows updates.
I have run Malwarebytes Anti-Malware, which removed another 300+ files & now reports no problems.
Have run Spybot Search & Destroy, which reports no problems.
Basically, I'm out of ideas. If this had a CD drive I would just format the HD & re-install XP, but it has no drive :-(

Any help or suggestions gratefully received.

DDS Log

DDS (Ver_09-03-16.01) - NTFSx86
Run by janson littlejohn at 11:11:27.50 on 09/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.688 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\WINDOWS\system32\TODDSrv.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Atheros\ACU.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\HiYo\bin\HiYo.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\janson littlejohn\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [NDSTray.exe] NDSTray.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [Google EULA Launcher] c:\program files\google\google eula\\GoogleEULALauncher.exe IE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [Hiyo] c:\program files\hiyo\bin\HiYo.exe /RunFromStartup
mRun: [KernelCheck] "c:\documents and settings\all users\application data\microsoft\win.exe" /h
dRun: [TOSHIBA Online Product Information] c:\program files\toshiba\toshiba online product information\topi.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {44990301-3c9d-426d-81df-aab636fa4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39848.61125
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - hxxp://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: {0774732F-12B9-4099-B31F-B3E4D001FC32} = 194.168.4.100,194.168.8.100
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = cli

============= SERVICES / DRIVERS ===============

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-2-18 55152]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-9-19 5888]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-9-19 157696]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2008-12-26 57408]
S2 buextp;BuexTp;c:\windows\system32\svchost.exe -k netsvcs [2008-9-19 14336]
S2 euznia;EuzniA;c:\windows\system32\svchost.exe -k netsvcs [2008-9-19 14336]
S2 fbyijoac;FByijoac;c:\windows\system32\svchost.exe -k netsvcs [2008-9-19 14336]
S2 khibyo;Khibyo;c:\windows\system32\svchost.exe -k netsvcs [2008-9-19 14336]
S2 uacuiqysaez;Uacuiqysaez;c:\windows\system32\svchost.exe -k netsvcs [2008-9-19 14336]
S2 yzdaetsoe;YzdaEtsoe;c:\windows\system32\svchost.exe -k netsvcs [2008-9-19 14336]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

=============== Created Last 30 ================

2009-05-08 18:41 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-08 18:41 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-05-07 22:24 269 a------- c:\windows\wininit.ini
2009-05-07 19:56 <DIR> --d----- c:\docume~1\janson~1\applic~1\Malwarebytes
2009-05-07 19:56 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-07 19:56 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-07 19:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-07 19:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-06 22:12 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-06 22:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-05-09 11:11 114,924 a------- c:\windows\system32\drivers\a673dbd3.sys
2009-05-09 11:11 102,126 a------- c:\windows\system32\drivers\207a8fb3.sys
2009-05-09 11:11 92,398 a------- c:\windows\system32\drivers\27b20939.sys
2009-04-11 17:41 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-03-20 16:44 141,824 a---h--- c:\windows\system32\xlihje.dll
2009-03-18 22:37 142,848 a--sh--- c:\windows\system32\ywxxop.dll
2009-03-18 22:37 105,984 a--sh--- c:\windows\system32\figepevo.dll
2009-03-18 22:20 142,848 a--sh--- c:\windows\system32\sahuik.dll
2009-03-18 22:20 142,848 a--sh--- c:\windows\system32\muwuhare.dll
2009-03-18 22:20 105,984 a--sh--- c:\windows\system32\lizofeje.dll
2009-03-18 21:57 142,848 a--sh--- c:\windows\system32\wwunqx.dll
2009-03-18 21:57 142,848 a--sh--- c:\windows\system32\tubakile.dll
2009-03-18 09:38 140,800 a--sh--- c:\windows\system32\lxsfqq.dll
2009-03-17 16:42 142,848 a--sh--- c:\windows\system32\qmrfcl.dll
2009-03-17 16:42 108,032 a--sh--- c:\windows\system32\pawehuhe.dll
2009-03-16 16:43 105,984 a--sh--- c:\windows\system32\bataduka.dll
2009-03-15 23:25 142,848 a--sh--- c:\windows\system32\qwihuz.dll
2009-03-15 11:25 106,496 a--sh--- c:\windows\system32\nuzeroto.dll
2009-03-15 11:25 141,312 a--sh--- c:\windows\system32\lujibv.dll
2009-03-14 23:24 107,008 a--sh--- c:\windows\system32\bavovayo.dll
2009-03-14 23:24 140,288 a--sh--- c:\windows\system32\yvhcie.dll
2009-03-14 23:24 140,288 a--sh--- c:\windows\system32\genakoso.dll
2009-03-14 11:28 142,848 a--sh--- c:\windows\system32\teruvobi.dll
2009-03-14 11:28 142,848 a--sh--- c:\windows\system32\aymkbe.dll
2009-03-13 17:05 108,544 a--sh--- c:\windows\system32\kozodobe.dll
2009-03-13 17:05 141,312 a--sh--- c:\windows\system32\qqhtko.dll
2009-03-07 10:14 107,008 a--sh--- c:\windows\system32\zifisehe.dll
2009-03-06 17:30 106,496 a--sh--- c:\windows\system32\jifakade.dll
2009-02-16 00:36 1,536,000 a------- c:\windows\system32\egivikab.tmp
2008-12-26 21:31 172 a------- c:\docume~1\janson~1\applic~1\wklnhst.dat
1601-01-01 01:12 64,281 a--sh--- c:\windows\system32\huyowoza.dll
1601-01-01 01:12 64,281 a--sh--- c:\windows\system32\lamukepa.dll
1601-01-01 01:12 64,281 a--sh--- c:\windows\system32\zavidegu.dll

============= FINISH: 11:11:53.42 ===============

Any help or suggestions gratefully received.
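The DDS log above carries several artifacts a responder would pull out first: a cluster of services with random-looking names all registered under svchost.exe -k netsvcs with one identical size/date stamp, hidden+system DLLs dropped straight into system32 (some stamped 1601-01-01, the zero FILETIME), and a Run entry launching win.exe from All Users\Application Data. As an added example (not from the poster, DDS, or the thread), this Python triage script parses a few lines copied from that log and flags exactly those patterns; the finding names and thresholds are my own assumptions, not DDS features.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log in the post above,
# trimmed to a few entries per section so the script runs offline.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [KernelCheck] "c:\documents and settings\all users\application data\microsoft\win.exe" /h

============= SERVICES / DRIVERS ===============

R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
S2 buextp;BuexTp;c:\windows\system32\svchost.exe -k netsvcs [2008-9-19 14336]
S2 euznia;EuzniA;c:\windows\system32\svchost.exe -k netsvcs [2008-9-19 14336]
S2 fbyijoac;FByijoac;c:\windows\system32\svchost.exe -k netsvcs [2008-9-19 14336]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]

==================== Find3M ====================

2009-04-11 17:41 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-03-18 22:37 142,848 a--sh--- c:\windows\system32\ywxxop.dll
2009-02-16 00:36 1,536,000 a------- c:\windows\system32\egivikab.tmp
1601-01-01 01:12 64,281 a--sh--- c:\windows\system32\huyowoza.dll
"""

# DDS line shapes as they appear in the posted log (my own regexes, assumed).
# Service:  R2 name;display;image path [yyyy-m-d size]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\]$")
# File:     yyyy-mm-dd hh:mm size attrs path   (attrs is an 8-char flag field, e.g. a--sh---)
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$")
# Run key:  mRun: [name] target
RUN_RE = re.compile(r"^[umd]Run:\s+\[([^\]]+)\]\s+(.+)$")

SVCHOST_NETSVCS = "c:\\windows\\system32\\svchost.exe -k netsvcs"
# Locations an installed product's autostart normally does not live in.
USER_WRITABLE = ("\\application data\\", "\\documents and settings\\", "\\temp\\")


def triage(log_text):
    """Return {finding_kind: [items]} for the indicators this log surfaces."""
    findings = defaultdict(list)
    netsvcs = defaultdict(list)  # (date, size) -> [service names]
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            _, name, _, image, date, size = m.groups()
            if image.lower().startswith(SVCHOST_NETSVCS):
                netsvcs[(date, size)].append(name)
            continue
        m = FILE_RE.match(line)
        if m:
            date, _, attrs, path = m.groups()
            low = path.lower()
            # A DLL carrying both the system and hidden attributes, written
            # directly into system32, is not how installers place components.
            if "s" in attrs and "h" in attrs and low.endswith(".dll") and "\\system32\\" in low:
                findings["hidden_system32_dll"].append(path)
            # 1601-01-01 is FILETIME zero: the timestamp was blanked, not set.
            if date.startswith("1601-01-01"):
                findings["zero_filetime"].append(path)
            continue
        m = RUN_RE.match(line)
        if m:
            name, target = m.groups()
            if any(d in target.lower() for d in USER_WRITABLE):
                findings["run_from_data_dir"].append(name)
    # Two or more services sharing one svchost group AND one size/date stamp
    # form a cluster to examine together; each loads a DLL via ServiceDll.
    for names in netsvcs.values():
        if len(names) >= 2:
            findings["svchost_netsvcs_cluster"].extend(names)
    return dict(findings)


if __name__ == "__main__":
    for kind, items in sorted(triage(SAMPLE_LOG).items()):
        print(f"{kind}:")
        for item in items:
            print(f"  {item}")
```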


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:38 AM

Posted 10 May 2009 - 11:52 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Horizontal Kipper

Horizontal Kipper
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:38 PM

Posted 15 May 2009 - 04:22 PM

Hi Sam, thank you for taking the time to help.
I ran the 2 programs as requested... log below.

OTListIt logfile created on: 15/05/2009 06:53:57 - Run 2
OTListIt2 by OldTimer - Version 2.0.15.7 Folder = C:\Documents and Settings\janson littlejohn\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1013.88 Mb Total Physical Memory | 686.85 Mb Available Physical Memory | 67.74% Memory free
2.39 Gb Paging File | 2.12 Gb Available in Paging File | 89.01% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 102.13 Gb Free Space | 91.36% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JANSON
Current User Name: janson littlejohn
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2008/04/14 02:10:52 | 00,467,028 | ---- | M] (Atheros) -- C:\WINDOWS\system32\acs.exe
PRC - [2005/01/17 15:38:00 | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2009/01/14 18:53:02 | 00,226,656 | ---- | M] (Microsoft Corp.) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2008/08/29 10:33:20 | 00,033,792 | ---- | M] (TOSHIBA Corp.) -- C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
PRC - [2008/08/26 21:55:54 | 00,083,312 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
PRC - [2007/11/21 18:23:32 | 00,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TODDSrv.exe
PRC - [2008/05/22 22:54:42 | 00,120,168 | ---- | M] (TOSHIBA CORPORATION) -- c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2004/08/11 01:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
PRC - [2008/04/14 13:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2008/04/14 13:00:00 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/08/12 15:22:20 | 00,135,168 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2008/08/12 15:18:30 | 00,159,744 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2008/08/12 15:19:42 | 00,131,072 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2008/09/11 07:45:34 | 16,851,456 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2008/08/12 15:22:14 | 00,249,856 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2008/04/14 02:11:12 | 00,450,648 | ---- | M] (Atheros Communications, Inc.) -- C:\Program Files\Atheros\ACU.exe
PRC - [2008/09/14 11:15:14 | 00,921,600 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
PRC - [2008/09/05 11:19:28 | 00,393,216 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
PRC - [2007/04/09 18:07:02 | 00,159,744 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
PRC - [2007/04/26 11:49:34 | 00,495,616 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
PRC - [2008/08/19 16:00:00 | 00,417,792 | ---- | M] (Chicony) -- C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
PRC - [2009/01/11 18:30:57 | 00,300,336 | ---- | M] (IncrediMail, Ltd.) -- C:\Program Files\HiYo\bin\HiYo.exe
PRC - [2009/02/06 19:51:28 | 03,885,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
PRC - [2009/03/08 12:47:41 | 00,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2001/11/27 08:10:00 | 00,106,560 | ---- | M] (WinZip Computing, Inc.) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2009/02/06 19:21:00 | 00,224,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Toolbar\wltuser.exe
PRC - [2009/05/14 23:52:01 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\janson littlejohn\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/04/14 13:00:00 | 00,100,352 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\6to4svc.dll -- (6to4 [Auto | Running])
SRV - [2008/04/14 02:10:52 | 00,467,028 | ---- | M] (Atheros) -- C:\WINDOWS\system32\acs.exe -- (ACS [Auto | Running])
SRV - [2008/07/25 12:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2005/01/17 15:38:00 | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs [Auto | Running])
SRV - [2008/07/25 12:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2009/02/06 19:08:58 | 00,533,360 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc [On_Demand | Stopped])
SRV - [2009/05/14 22:23:55 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/04/14 13:00:00 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2009/01/14 18:53:02 | 00,226,656 | ---- | M] (Microsoft Corp.) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort [Auto | Running])
SRV - File not found -- -- (symantec remoteassist [On_Demand | Stopped])
SRV - [2008/08/29 10:33:20 | 00,033,792 | ---- | M] (TOSHIBA Corp.) -- C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe -- (TAPPSRV [Auto | Running])
SRV - [2008/08/26 21:55:54 | 00,083,312 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv [Auto | Running])
SRV - [2007/11/21 18:23:32 | 00,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TODDSrv.exe -- (TODDSrv [Auto | Running])
SRV - [2008/05/22 22:54:42 | 00,120,168 | ---- | M] (TOSHIBA CORPORATION) -- c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service [Auto | Running])
SRV - [2004/08/11 01:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2008/04/08 19:45:42 | 01,309,504 | ---- | M] (Atheros Communications, Inc.) -- C:\WINDOWS\system32\DRIVERS\athw.sys -- (AR5416 [On_Demand | Running])
DRV - [2009/02/06 19:08:42 | 00,055,152 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys -- (fssfltr [Auto | Running])
DRV - [2007/04/04 08:56:48 | 00,005,888 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\DRIVERS\FwLnk.sys -- (FwLnk [On_Demand | Running])
DRV - [2008/04/14 13:00:00 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2008/08/12 15:24:28 | 05,854,752 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\igxpmp32.sys -- (ialm [On_Demand | Running])
DRV - [2008/07/20 17:44:44 | 00,324,120 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor [Boot | Running])
DRV - [2008/09/11 07:46:46 | 04,813,312 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2003/01/29 13:35:00 | 00,012,032 | ---- | M] (TOSHIBA Corporation.) -- C:\WINDOWS\system32\DRIVERS\netdevio.sys -- (Netdevio [Auto | Running])
DRV - [2008/04/14 13:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/04/08 00:16:45 | 00,043,872 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2008/09/04 09:23:52 | 00,157,696 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\Drivers\RTS5121.sys -- (RSUSBSTOR [On_Demand | Running])
DRV - [2008/08/13 07:51:22 | 00,106,368 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys -- (RTLE8023xp [On_Demand | Running])
DRV - [2008/04/14 13:00:00 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2008/08/13 09:43:46 | 00,220,032 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])
DRV - [2008/06/20 12:08:27 | 00,225,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\tcpip6.sys -- (tcpip6 [System | Running])
DRV - [2006/10/18 12:50:04 | 00,016,128 | ---- | M] (TOSHIBA Corporation.) -- C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys -- (tdcmdpst [On_Demand | Stopped])
DRV - [2007/03/26 12:22:18 | 00,105,856 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\DRIVERS\tdudf.sys -- (tdudf [Auto | Running])
DRV - [2006/10/23 16:32:20 | 00,009,216 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\DRIVERS\tosrfec.sys -- (tosrfec [On_Demand | Stopped])
DRV - [2008/08/26 21:20:42 | 00,279,376 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\DRIVERS\tos_sps32.sys -- (tos_sps32 [Boot | Running])
DRV - [2007/02/19 12:15:32 | 00,134,016 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\DRIVERS\trudf.sys -- (trudf [Auto | Running])
DRV - [2008/07/15 20:59:06 | 00,017,960 | ---- | M] (Chicony Electronics Co., Ltd.) -- C:\WINDOWS\System32\Drivers\UVCFTR_S.SYS -- (UVCFTR [On_Demand | Running])
DRV - [2008/02/08 10:46:36 | 00,057,408 | ---- | M] (Atheros Communications, Inc.) -- C:\WINDOWS\system32\DRIVERS\wsimd.sys -- (WSIMD [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.default\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.default\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.default\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.default\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
IE - HKU\.default\.default\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\s-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\s-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\s-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\s-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
IE - HKU\s-1-5-18\s-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\s-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\s-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\s-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\s-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/

IE - HKU\s-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\s-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\s-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\s-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/

IE - HKU\s-1-5-21-4231769466-4130284174-918188779-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\s-1-5-21-4231769466-4130284174-918188779-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\s-1-5-21-4231769466-4130284174-918188779-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\s-1-5-21-4231769466-4130284174-918188779-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\s-1-5-21-4231769466-4130284174-918188779-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\s-1-5-21-4231769466-4130284174-918188779-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
IE - HKU\s-1-5-21-4231769466-4130284174-918188779-1006\s-1-5-21-4231769466-4130284174-918188779-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: (0 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - Reg Error: Key error. File not found
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Reg Error: Key error. File not found
O3 - HKU\.default\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\.default\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\.default\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Reg Error: Key error. File not found
O3 - HKU\s-1-5-18\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\s-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\s-1-5-18\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Reg Error: Key error. File not found
O3 - HKU\s-1-5-21-4231769466-4130284174-918188779-1006\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\s-1-5-21-4231769466-4130284174-918188779-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\s-1-5-21-4231769466-4130284174-918188779-1006\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui (Atheros Communications, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start (Chicony)
O4 - HKLM..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Google EULA Launcher] C:\Program Files\Google\Google EULA\\GoogleEULALauncher.exe IE (Google)
O4 - HKLM..\Run: [Hiyo] C:\Program Files\HiYo\bin\HiYo.exe /RunFromStartup (IncrediMail, Ltd.)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [KernelCheck] "C:\Documents and Settings\All Users\Application Data\Microsoft\win.exe" /h File not found
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe (TOSHIBA)
O4 - HKU\.default..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe ()
O4 - HKU\s-1-5-18..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe ()
O4 - HKU\s-1-5-21-4231769466-4130284174-918188779-1006..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (Microsoft Corporation)
O4 - HKU\s-1-5-21-4231769466-4130284174-918188779-1006..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\.default\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.default\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKU\.default\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\.default\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\s-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\s-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKU\s-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\s-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\s-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\s-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKU\s-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\s-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\s-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\s-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKU\s-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\s-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\s-1-5-21-4231769466-4130284174-918188779-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\s-1-5-21-4231769466-4130284174-918188779-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 File not found
O9 - Extra Button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - File not found
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
O16 - DPF: {44990301-3c9d-426d-81df-aab636fa4345} https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...CAB?39848.61125 (Update Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab (CBreakshotControl Class)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab (Minesweeper Flags Class)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - Unable to read "AutoRun" value or value not present!
O32 - AutoRun File - [2008/09/19 07:27:52 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/05/15 00:00:20 | 00,286,208 | ---- | C] () -- C:\Documents and Settings\janson littlejohn\Desktop\8gw1b1df.exe
[2009/05/14 23:51:53 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\janson littlejohn\Desktop\OTListIt2.exe
[2009/05/09 11:34:48 | 00,002,973 | ---- | C] () -- C:\Documents and Settings\janson littlejohn\Desktop\Attach.zip
[2009/05/09 09:18:19 | 00,001,518 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
[2009/05/09 09:18:19 | 00,000,736 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinZip.lnk
[2009/05/09 09:17:57 | 00,000,000 | ---D | C] -- C:\Program Files\WinZip
[2009/05/09 09:00:27 | 00,360,021 | ---- | C] () -- C:\Documents and Settings\janson littlejohn\Desktop\dds.scr
[2009/05/08 20:11:24 | 04,396,544 | ---- | C] () -- C:\Documents and Settings\janson littlejohn\Desktop\SymADataWeb.msi
[2009/05/08 18:41:53 | 00,010,563 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/05/08 18:41:53 | 00,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/05/08 17:17:22 | 71,665,576 | ---- | C] () -- C:\Documents and Settings\janson littlejohn\Desktop\NIS081550.exe
[2009/05/08 17:17:18 | 02,428,928 | ---- | C] () -- C:\Documents and Settings\janson littlejohn\Desktop\Norton_Removal_Tool.exe
[2009/05/07 22:24:21 | 00,000,269 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/05/07 19:56:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\janson littlejohn\Application Data\Malwarebytes
[2009/05/07 19:56:47 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/07 19:56:43 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/07 19:56:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/05/07 19:56:39 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/05/06 22:12:19 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/05/06 22:12:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/05/06 21:12:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\janson littlejohn\Desktop\Unused Desktop Shortcuts
[2009/03/20 16:58:09 | 00,114,924 | ---- | C] () -- C:\WINDOWS\System32\drivers\a673dbd3.sys
[2009/03/19 22:33:37 | 00,102,126 | ---- | C] () -- C:\WINDOWS\System32\drivers\207a8fb3.sys
[2009/03/18 21:58:43 | 00,092,398 | ---- | C] () -- C:\WINDOWS\System32\drivers\27b20939.sys
[2009/02/13 22:03:33 | 00,000,120 | -HS- | C] () -- C:\WINDOWS\System32\obunogok.ini
[2009/02/10 22:37:19 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/02/10 22:37:19 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/02/08 22:28:03 | 00,000,120 | -HS- | C] () -- C:\WINDOWS\System32\emofamaz.ini
[2009/01/12 19:40:19 | 01,229,274 | -HS- | C] () -- C:\WINDOWS\System32\emolusov.ini
[2009/01/11 13:19:49 | 01,229,274 | -HS- | C] () -- C:\WINDOWS\System32\obeteyus.ini
[2009/01/10 15:06:26 | 01,299,787 | -HS- | C] () -- C:\WINDOWS\System32\udopapog.ini
[2009/01/09 20:24:05 | 01,292,180 | -HS- | C] () -- C:\WINDOWS\System32\imohenup.ini
[2009/01/08 19:02:22 | 01,292,180 | -HS- | C] () -- C:\WINDOWS\System32\ufilitil.ini
[2009/01/07 22:19:49 | 01,279,243 | -HS- | C] () -- C:\WINDOWS\System32\ibosahom.ini
[2009/01/07 08:58:19 | 01,279,243 | -HS- | C] () -- C:\WINDOWS\System32\ulomohuh.ini
[2009/01/06 13:58:48 | 01,272,073 | -HS- | C] () -- C:\WINDOWS\System32\orabovas.ini
[2009/01/05 20:41:10 | 01,266,245 | -HS- | C] () -- C:\WINDOWS\System32\ozirusat.ini
[2009/01/04 11:41:14 | 01,266,218 | -HS- | C] () -- C:\WINDOWS\System32\irejudam.ini
[2009/01/03 11:13:55 | 01,266,209 | -HS- | C] () -- C:\WINDOWS\System32\asiwebap.ini
[2009/01/02 07:38:58 | 01,266,209 | -HS- | C] () -- C:\WINDOWS\System32\ipujadoh.ini
[2009/01/01 18:04:00 | 01,266,209 | -HS- | C] () -- C:\WINDOWS\System32\imuwivop.ini
[2008/12/31 17:43:30 | 01,266,209 | -HS- | C] () -- C:\WINDOWS\System32\okebonef.ini
[2008/12/31 11:38:15 | 01,266,774 | -HS- | C] () -- C:\WINDOWS\System32\enululul.ini
[2008/12/29 15:17:52 | 01,266,824 | -HS- | C] () -- C:\WINDOWS\System32\orasorep.ini
[2008/12/28 23:25:45 | 01,265,847 | -HS- | C] () -- C:\WINDOWS\System32\ebasalit.ini
[2008/09/19 09:16:16 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/09/19 08:57:08 | 00,000,563 | ---- | C] () -- C:\WINDOWS\TBTdetect.ini
[2008/09/19 08:26:55 | 00,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2008/09/19 08:26:21 | 00,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll
[2008/09/19 08:10:02 | 00,262,216 | ---- | C] () -- C:\WINDOWS\System32\IPTests.dll
[2008/09/19 08:05:05 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2008/09/19 07:52:08 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\ToshBIOS.dll
[2008/09/19 07:51:47 | 00,000,083 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/09/19 06:15:17 | 00,000,477 | ---- | C] () -- C:\WINDOWS\win.ini
[2008/09/19 06:15:16 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2007/12/21 16:46:32 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/07/22 21:30:18 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[1601/01/01 01:12:31 | 00,107,008 | -HS- | C] () -- C:\WINDOWS\System32\zifisehe.dll
[1601/01/01 01:12:31 | 00,106,496 | -HS- | C] () -- C:\WINDOWS\System32\jifakade.dll

========== Files - Modified Within 30 Days ==========

[9 C:\WINDOWS\System32\*.tmp files]
[2009/05/15 06:55:23 | 00,114,924 | ---- | M] () -- C:\WINDOWS\System32\drivers\a673dbd3.sys
[2009/05/15 06:55:23 | 00,102,126 | ---- | M] () -- C:\WINDOWS\System32\drivers\207a8fb3.sys
[2009/05/15 06:55:22 | 00,092,398 | ---- | M] () -- C:\WINDOWS\System32\drivers\27b20939.sys
[2009/05/15 06:47:31 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\janson littlejohn\Local Settings\desktop.ini
[2009/05/15 06:41:34 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/15 06:41:26 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/15 06:41:19 | 10,632,02816 | -HS- | M] () -- C:\hiberfil.sys
[2009/05/15 00:00:22 | 00,286,208 | ---- | M] () -- C:\Documents and Settings\janson littlejohn\Desktop\8gw1b1df.exe
[2009/05/14 23:52:01 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\janson littlejohn\Desktop\OTListIt2.exe
[2009/05/14 21:10:27 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/09 11:34:48 | 00,002,973 | ---- | M] () -- C:\Documents and Settings\janson littlejohn\Desktop\Attach.zip
[2009/05/09 09:18:19 | 00,001,518 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
[2009/05/09 09:18:19 | 00,000,736 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinZip.lnk
[2009/05/09 09:00:30 | 00,360,021 | ---- | M] () -- C:\Documents and Settings\janson littlejohn\Desktop\dds.scr
[2009/05/08 22:07:24 | 00,010,563 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/05/08 22:07:24 | 00,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/05/08 20:11:38 | 04,396,544 | ---- | M] () -- C:\Documents and Settings\janson littlejohn\Desktop\SymADataWeb.msi
[2009/05/07 22:24:21 | 00,000,269 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/05/07 21:51:12 | 00,476,408 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/05/07 21:51:12 | 00,407,244 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/05/07 21:51:12 | 00,064,736 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
< End of report >


When I ran the GMER program it gave the following warning..."WARNING!!! GMER has found system modifications which might have been caused by ROOTKIT activity. Do you want to scan?"

After the scan had finished a similar message appeared
"WARNING GMER has found system modifications caused by ROOTKIT activity"

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-15 19:08:46
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\207a8fb3.sys ZwCreateEvent [0xAA2AC6AD]
SSDT \SystemRoot\System32\drivers\207a8fb3.sys ZwCreateKey [0xAA2AA785]
SSDT \SystemRoot\System32\drivers\207a8fb3.sys ZwOpenKey [0xAA2AA845]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\System32\drivers\a673dbd3.sys The system cannot find the file specified.
? C:\WINDOWS\System32\drivers\27b20939.sys The system cannot find the file specified.
? C:\WINDOWS\System32\drivers\207a8fb3.sys The system cannot find the file specified.

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] kernel32.dll!LoadResource 7C80A045 7 Bytes JMP 10048D30 C:\Program Files\HiYo\bin\HiYo.dll
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] kernel32.dll!FindResourceExW 7C80AD18 7 Bytes JMP 28001C60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] kernel32.dll!FindResourceW 7C80BC5E 7 Bytes JMP 10048AD0 C:\Program Files\HiYo\bin\HiYo.dll
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] kernel32.dll!SizeofResource 7C80BCF9 7 Bytes JMP 100491B0 C:\Program Files\HiYo\bin\HiYo.dll
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] kernel32.dll!FindResourceA 7C80BF19 7 Bytes JMP 10048C00 C:\Program Files\HiYo\bin\HiYo.dll
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] kernel32.dll!LockResource 7C80CD27 5 Bytes JMP 28001F50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] kernel32.dll!CreateEventA 7C83089D 5 Bytes JMP 28001840 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] kernel32.dll!FindResourceExA 7C835F90 7 Bytes JMP 28001D80 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 7 Bytes JMP 28001000 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] ADVAPI32.dll!CryptDecrypt 77DEA109 7 Bytes JMP 28001060 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] USER32.dll!GetWindowLongW 7E4188A6 7 Bytes JMP 28006A20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 280045E0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] USER32.dll!SetWindowPlacement 7E41DE46 5 Bytes JMP 28005DC0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] USER32.dll!CreateDialogParamW 7E41EA3B 5 Bytes JMP 28006040 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] USER32.dll!LoadImageW 7E427B97 5 Bytes JMP 28006690 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 28003CA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] USER32.dll!SetWindowRgn 7E42E528 7 Bytes JMP 28005F00 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] USER32.dll!LoadIconW 7E42E8BC 5 Bytes JMP 28006880 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 28006230 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] USER32.dll!TrackPopupMenuEx 7E46CF62 5 Bytes JMP 28004EC0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 1005E210 C:\Program Files\HiYo\bin\HiYo.dll
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] WS2_32.dll!send 71AB4C27 5 Bytes JMP 1005DFE0 C:\Program Files\HiYo\bin\HiYo.dll
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2800B5E0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2800B440 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2800B9E0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] SHELL32.dll!Shell_NotifyIconW 7CA2A52F 5 Bytes JMP 28003400 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] ole32.dll!CoInitializeEx 774FEF7B 5 Bytes JMP 28002260 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 28002600 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] ole32.dll!CoRegisterClassObject 77517E90 5 Bytes JMP 28002360 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] WININET.dll!InternetCloseHandle 7805DA59 5 Bytes JMP 2800A600 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] WININET.dll!HttpOpenRequestA 78064341 5 Bytes JMP 2800A2C0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 2800A450 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3488] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 2800A530 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 207a8fb3.sys
Device \Driver\Tcpip \Device\Ip 207a8fb3.sys

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Tcpip \Device\Tcp 207a8fb3.sys
Device \Driver\Tcpip \Device\Udp 207a8fb3.sys
Device \Driver\Tcpip \Device\RawIp 207a8fb3.sys
Device \Driver\Tcpip \Device\IPMULTICAST 207a8fb3.sys

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\drivers\207a8fb3.sys (*** hidden *** ) [SYSTEM] 207a8fb3 <-- ROOTKIT !!!
Service C:\WINDOWS\System32\drivers\27b20939.sys (*** hidden *** ) [SYSTEM] 27b20939 <-- ROOTKIT !!!
Service C:\WINDOWS\System32\drivers\a673dbd3.sys (*** hidden *** ) [SYSTEM] a673dbd3 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\207a8fb3@ImagePath \SystemRoot\System32\drivers\207a8fb3.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\207a8fb3@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\207a8fb3@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\207a8fb3@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\207a8fb3@F96ZK6nPB YmluZGVyeXNlcnZpY2UubW9iaQ==
Reg HKLM\SYSTEM\CurrentControlSet\Services\27b20939@ImagePath \SystemRoot\System32\drivers\27b20939.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\27b20939@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\27b20939@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\27b20939@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\27b20939@F96ZK6nPB YmluZGVyeXNlcnZpY2UubW9iaQ==
Reg HKLM\SYSTEM\CurrentControlSet\Services\a673dbd3@ImagePath \SystemRoot\System32\drivers\a673dbd3.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\a673dbd3@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\a673dbd3@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\a673dbd3@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\a673dbd3@F96ZK6nPB YmluZGVyeXNlcnZpY2UubW9iaQ==
Reg HKLM\SYSTEM\ControlSet003\Services\207a8fb3@ImagePath \SystemRoot\System32\drivers\207a8fb3.sys
Reg HKLM\SYSTEM\ControlSet003\Services\207a8fb3@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\207a8fb3@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\207a8fb3@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet003\Services\207a8fb3@F96ZK6nPB YmluZGVyeXNlcnZpY2UubW9iaQ==
Reg HKLM\SYSTEM\ControlSet003\Services\27b20939@ImagePath \SystemRoot\System32\drivers\27b20939.sys
Reg HKLM\SYSTEM\ControlSet003\Services\27b20939@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\27b20939@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\27b20939@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet003\Services\27b20939@F96ZK6nPB YmluZGVyeXNlcnZpY2UubW9iaQ==
Reg HKLM\SYSTEM\ControlSet003\Services\a673dbd3@ImagePath \SystemRoot\System32\drivers\a673dbd3.sys
Reg HKLM\SYSTEM\ControlSet003\Services\a673dbd3@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\a673dbd3@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\a673dbd3@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet003\Services\a673dbd3@F96ZK6nPB YmluZGVyeXNlcnZpY2UubW9iaQ==

---- EOF - GMER 1.0.15 ----


Thanks, hope this helps.....Stuart
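The GMER report above is where the actual diagnosis sits: the same driver (207a8fb3.sys) hooks three SSDT entries, sits on the NTFS and TCP/IP device stacks, is registered as a service that GMER cannot see through the normal API (the "hidden" / "ROOTKIT" lines), and carries an opaque base64-looking registry value. Reading those records per driver rather than per section is what turns the log into a verdict. The following is an added triage script written for this page, not code from the thread, from the GMER authors or from OldTimer; the log excerpt it parses is a constructed sample in the shape of the lines quoted above, and the record-type regexes are assumptions about GMER's line layout that were checked only against those lines.

```python
import base64
import re
from collections import defaultdict

# Constructed sample in the shape of the GMER 1.0.15 report quoted above:
# SSDT hooks, device attachments, hidden services and registry values.
# It is an excerpt written for this example, not the full log from the post.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\207a8fb3.sys ZwCreateEvent [0xAA2AC6AD]
SSDT \SystemRoot\System32\drivers\207a8fb3.sys ZwCreateKey [0xAA2AA785]
SSDT \SystemRoot\System32\drivers\207a8fb3.sys ZwOpenKey [0xAA2AA845]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 207a8fb3.sys
Device \Driver\Tcpip \Device\Tcp 207a8fb3.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\drivers\207a8fb3.sys (*** hidden *** ) [SYSTEM] 207a8fb3 <-- ROOTKIT !!!
Service C:\WINDOWS\System32\drivers\27b20939.sys (*** hidden *** ) [SYSTEM] 27b20939 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\207a8fb3@ImagePath \SystemRoot\System32\drivers\207a8fb3.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\207a8fb3@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\207a8fb3@F96ZK6nPB YmluZGVyeXNlcnZpY2UubW9iaQ==
"""

# Assumed line layouts, derived from the lines quoted in the post.
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)\s+\[(0x[0-9A-Fa-f]+)\]")
HIDDEN_SVC_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(\w+)\]\s+(\S+)")
DEVICE_RE = re.compile(r"^(Device|AttachedDevice)\s+(\S+)\s+(\S+)\s+(\S+)")
REG_RE = re.compile(r"^Reg\s+(\S+)@(\S+)\s+(.*)$")


def stem(path):
    # e.g. \SystemRoot\System32\drivers\207a8fb3.sys -> 207a8fb3
    return path.split("\\")[-1].lower().rsplit(".", 1)[0]


def parse_gmer(text):
    """Pull the four record types that matter for triage out of a GMER log."""
    report = {"ssdt_hooks": [], "hidden_services": [], "devices": [], "registry": []}
    for line in text.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            report["ssdt_hooks"].append(m.groups())       # (driver, function, address)
        elif m := HIDDEN_SVC_RE.match(line):
            report["hidden_services"].append(m.groups())  # (path, group, service name)
        elif m := DEVICE_RE.match(line):
            report["devices"].append(m.groups())          # (kind, driver object, device, image)
        elif m := REG_RE.match(line):
            report["registry"].append(m.groups())         # (key, value name, data)
    return report


def decode_if_base64(value):
    """Return the printable-ASCII decoding of a base64 string, else None."""
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def triage(report):
    """Group every indicator in the report under the driver or service it belongs to."""
    findings = defaultdict(set)
    for path, func, _addr in report["ssdt_hooks"]:
        findings[stem(path)].add(f"SSDT hook {func}")
    for path, _group, _name in report["hidden_services"]:
        findings[stem(path)].add("hidden service")
    for kind, _drv, device, image in report["devices"]:
        findings[stem(image)].add(f"{kind} {device}")
    for key, name, data in report["registry"]:
        decoded = decode_if_base64(data)
        if decoded:
            findings[key.split("\\")[-1].lower()].add(f"registry {name} decodes to {decoded}")
    return {name: sorted(inds) for name, inds in findings.items()}


def rootkit_candidates(report):
    """Drivers GMER shows as hidden services or SSDT hookers (the report's ROOTKIT lines)."""
    findings = triage(report)
    return sorted(n for n, inds in findings.items()
                  if "hidden service" in inds or any(i.startswith("SSDT hook") for i in inds))


if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_GMER_LOG)
    for name, inds in triage(rep).items():
        print(name, "->", "; ".join(inds))
    print("candidates:", rootkit_candidates(rep))
```

Run against the sample, the per-driver view shows 207a8fb3 with all three SSDT hooks, the hidden service entry, the NTFS and TCP device attachments and a registry value that decodes to a domain-like string, while the legitimate Synaptics driver only shows up as an attached keyboard device and is not a candidate. That separation of "attached to a device" from "hidden service or SSDT hook" is what keeps a touchpad or antivirus filter driver from being treated like the rootkit.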

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:38 AM

Posted 16 May 2009 - 01:56 PM

We need to run Combofix.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Horizontal Kipper

Horizontal Kipper
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:38 PM

Posted 17 May 2009 - 06:28 AM

I downloaded & ran the Combofix.
It installed the M/S Recovery Console & continued with its scan.
Only re-booted once.
Log below...
ComboFix 09-05-16.05 - janson littlejohn 17/05/2009 12:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.701 [GMT 1:00]
Running from: c:\documents and settings\janson littlejohn\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Common Files\System\Uninstall
c:\windows\system32\asiwebap.ini
c:\windows\system32\aymkbe.dll
c:\windows\system32\bataduka.dll
c:\windows\system32\bavovayo.dll
c:\windows\system32\dz1.txt
c:\windows\system32\ebasalit.ini
c:\windows\system32\emofamaz.ini
c:\windows\system32\emolusov.ini
c:\windows\system32\enululul.ini
c:\windows\system32\figepevo.dll
c:\windows\system32\genakoso.dll
c:\windows\system32\huyowoza.dll
c:\windows\system32\ibosahom.ini
c:\windows\system32\imohenup.ini
c:\windows\system32\imuwivop.ini
c:\windows\system32\ipujadoh.ini
c:\windows\system32\irejudam.ini
c:\windows\system32\jifakade.dll
c:\windows\system32\kozodobe.dll
c:\windows\system32\lamukepa.dll
c:\windows\system32\lizofeje.dll
c:\windows\system32\lujibv.dll
c:\windows\system32\lxsfqq.dll
c:\windows\system32\muwuhare.dll
c:\windows\system32\nuzeroto.dll
c:\windows\system32\obeteyus.ini
c:\windows\system32\obunogok.ini
c:\windows\system32\okebonef.ini
c:\windows\system32\orabovas.ini
c:\windows\system32\orasorep.ini
c:\windows\system32\ozirusat.ini
c:\windows\system32\p1.txt
c:\windows\system32\pawehuhe.dll
c:\windows\system32\qmrfcl.dll
c:\windows\system32\qqhtko.dll
c:\windows\system32\qwihuz.dll
c:\windows\system32\r24.txt
c:\windows\system32\sahuik.dll
c:\windows\system32\sdd.txt
c:\windows\system32\teruvobi.dll
c:\windows\system32\tubakile.dll
c:\windows\system32\udopapog.ini
c:\windows\system32\ufilitil.ini
c:\windows\system32\ulomohuh.ini
c:\windows\system32\wwunqx.dll
c:\windows\system32\yvhcie.dll
c:\windows\system32\ywxxop.dll
c:\windows\system32\zavidegu.dll
c:\windows\system32\zifisehe.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
hxxp://82.98.235.205
.
((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-07 18:56 . 2009-05-07 18:56 -------- d-----w c:\documents and settings\janson littlejohn\Application Data\Malwarebytes
2009-05-07 18:56 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-07 18:56 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-07 18:56 . 2009-05-07 18:56 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-07 18:56 . 2009-05-07 18:56 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-06 21:12 . 2009-05-06 21:12 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-06 21:12 . 2009-05-06 21:23 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 11:11 . 2009-03-20 15:58 114924 ----a-w c:\windows\system32\drivers\a673dbd3.sys
2009-05-17 11:11 . 2009-03-19 21:33 102126 ----a-w c:\windows\system32\drivers\207a8fb3.sys
2009-05-17 11:11 . 2009-03-18 20:58 92398 ----a-w c:\windows\system32\drivers\27b20939.sys
2009-05-08 21:21 . 2009-02-03 22:51 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-08 21:07 . 2009-05-08 17:41 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-05-08 21:07 . 2009-05-08 17:41 10563 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-07 20:02 . 2008-12-25 19:56 -------- d-----w c:\program files\Angle Interactive
2009-05-06 20:12 . 2008-09-19 07:29 -------- d-----w c:\program files\McAfee
2009-04-11 16:41 . 2008-09-19 05:15 182656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-20 15:44 . 2009-03-20 15:44 141824 ---ha-w c:\windows\system32\xlihje.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-08 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-12 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-12 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-12 131072]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-04-14 450648]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2008-09-05 393216]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-09 159744]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 495616]
"Google EULA Launcher"="c:\program files\Google\Google EULA\\GoogleEULALauncher.exe" [2008-08-29 20480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-08-19 417792]
"Hiyo"="c:\program files\HiYo\bin\HiYo.exe" [2009-01-11 300336]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-09-11 16851456]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TOSHIBA Online Product Information"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2008-09-08 5567800]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-5-9 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\TODDSrv.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\TosBtSrv.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\Toshiba\\ConfigFree\\CFSvcs.exe"=
"c:\\Program Files\\Toshiba\\TOSHIBA Applet\\TAPPSRV.exe"=
"c:\\WINDOWS\\system32\\acs.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\HiYo\\Bin\\HiYo.exe"=
"c:\\Program Files\\Toshiba\\ConfigFree\\NDSTray.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [18/02/2009 10:51 55152]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [14/01/2009 18:53 226656]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 12:22 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 12:15 134016]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [19/09/2008 08:26 5888]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [19/09/2008 08:09 157696]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [26/12/2008 21:36 57408]
S2 buextp;BuexTp;c:\windows\System32\svchost.exe -k netsvcs [19/09/2008 06:15 14336]
S2 euznia;EuzniA;c:\windows\System32\svchost.exe -k netsvcs [19/09/2008 06:15 14336]
S2 fbyijoac;FByijoac;c:\windows\System32\svchost.exe -k netsvcs [19/09/2008 06:15 14336]
S2 khibyo;Khibyo;c:\windows\System32\svchost.exe -k netsvcs [19/09/2008 06:15 14336]
S2 uacuiqysaez;Uacuiqysaez;c:\windows\System32\svchost.exe -k netsvcs [19/09/2008 06:15 14336]
S2 yzdaetsoe;YzdaEtsoe;c:\windows\System32\svchost.exe -k netsvcs [19/09/2008 06:15 14336]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 19:08 533360]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
FByijoac
Uacuiqysaez
BuexTp
EuzniA
Khibyo
YzdaEtsoe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-KernelCheck - c:\documents and settings\All Users\Application Data\Microsoft\win.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 12:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\207a8fb3]
"ImagePath"="\SystemRoot\System32\drivers\207a8fb3.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\27b20939]
"ImagePath"="\SystemRoot\System32\drivers\27b20939.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\a673dbd3]
"ImagePath"="\SystemRoot\System32\drivers\a673dbd3.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-4231769466-4130284174-918188779-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\program files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Toshiba\TOSHIBA Direct Disc Writer\DDWMon.exe
.
**************************************************************************
.
Completion time: 2009-05-17 12:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-17 11:13

Pre-Run: 109,548,339,200 bytes free
Post-Run: 110,096,629,760 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /forceresetreg

225 --- E O F --- 2009-01-31 23:11



Thanks.....Stuart

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:38 AM

Posted 17 May 2009 - 07:45 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Driver::
207a8fb3
27b20939
a673dbd3

NetSvc::
FByijoac
Uacuiqysaez
BuexTp
EuzniA
Khibyo
YzdaEtsoe

File::
c:\windows\system32\drivers\a673dbd3.sys
c:\windows\system32\drivers\207a8fb3.sys
c:\windows\system32\drivers\27b20939.sys

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


========================================================

#7 Horizontal Kipper

Horizontal Kipper
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:38 PM

Posted 19 May 2009 - 01:32 PM

Hi Sam. The computer is running a lot smoother now, but still can't download M/S updates.
I have created the file & run ComboFix again.

Here is the latest log

ComboFix 09-05-16.05 - janson littlejohn 19/05/2009 19:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.691 [GMT 1:00]
Running from: c:\documents and settings\janson littlejohn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\janson littlejohn\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\drivers\207a8fb3.sys
c:\windows\system32\drivers\27b20939.sys
c:\windows\system32\drivers\a673dbd3.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\207a8fb3.sys
c:\windows\system32\drivers\27b20939.sys
c:\windows\system32\drivers\a673dbd3.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_207a8fb3
-------\Service_27b20939
-------\Service_a673dbd3


((((((((((((((((((((((((( Files Created from 2009-04-19 to 2009-05-19 )))))))))))))))))))))))))))))))
.

2009-05-07 18:56 . 2009-05-07 18:56 -------- d-----w c:\documents and settings\janson littlejohn\Application Data\Malwarebytes
2009-05-07 18:56 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-07 18:56 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-07 18:56 . 2009-05-07 18:56 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-07 18:56 . 2009-05-07 18:56 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-06 21:12 . 2009-05-06 21:12 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-06 21:12 . 2009-05-06 21:23 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-08 21:21 . 2009-02-03 22:51 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-08 21:07 . 2009-05-08 17:41 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-05-08 21:07 . 2009-05-08 17:41 10563 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-07 20:02 . 2008-12-25 19:56 -------- d-----w c:\program files\Angle Interactive
2009-05-06 20:12 . 2008-09-19 07:29 -------- d-----w c:\program files\McAfee
2009-04-11 16:41 . 2008-09-19 05:15 182656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-20 15:44 . 2009-03-20 15:44 141824 ---ha-w c:\windows\system32\xlihje.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-17_11.11.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-16 13:07 . 2008-10-16 13:07 208744 c:\windows\system32\muweb.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-08 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-12 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-12 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-12 131072]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-04-14 450648]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2008-09-05 393216]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-09 159744]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 495616]
"Google EULA Launcher"="c:\program files\Google\Google EULA\\GoogleEULALauncher.exe" [2008-08-29 20480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-08-19 417792]
"Hiyo"="c:\program files\HiYo\bin\HiYo.exe" [2009-01-11 300336]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-09-11 16851456]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TOSHIBA Online Product Information"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2008-09-08 5567800]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-5-9 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\TODDSrv.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\TosBtSrv.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\Toshiba\\ConfigFree\\CFSvcs.exe"=
"c:\\Program Files\\Toshiba\\TOSHIBA Applet\\TAPPSRV.exe"=
"c:\\WINDOWS\\system32\\acs.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\HiYo\\Bin\\HiYo.exe"=
"c:\\Program Files\\Toshiba\\ConfigFree\\NDSTray.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [18/02/2009 10:51 55152]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [14/01/2009 18:53 226656]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 12:22 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 12:15 134016]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [19/09/2008 08:26 5888]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [19/09/2008 08:09 157696]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [26/12/2008 21:36 57408]
S2 buextp;BuexTp;c:\windows\System32\svchost.exe -k netsvcs [19/09/2008 06:15 14336]
S2 euznia;EuzniA;c:\windows\System32\svchost.exe -k netsvcs [19/09/2008 06:15 14336]
S2 fbyijoac;FByijoac;c:\windows\System32\svchost.exe -k netsvcs [19/09/2008 06:15 14336]
S2 khibyo;Khibyo;c:\windows\System32\svchost.exe -k netsvcs [19/09/2008 06:15 14336]
S2 uacuiqysaez;Uacuiqysaez;c:\windows\System32\svchost.exe -k netsvcs [19/09/2008 06:15 14336]
S2 yzdaetsoe;YzdaEtsoe;c:\windows\System32\svchost.exe -k netsvcs [19/09/2008 06:15 14336]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 19:08 533360]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 19:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4231769466-4130284174-918188779-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\program files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\program files\Toshiba\TOSHIBA Direct Disc Writer\DDWMon.exe
.
**************************************************************************
.
Completion time: 2009-05-19 19:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-19 18:23
ComboFix2.txt 2009-05-17 11:13

Pre-Run: 109,916,368,896 bytes free
Post-Run: 110,085,640,192 bytes free

161 --- E O F --- 2009-01-31 23:11

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:38 AM

Posted 19 May 2009 - 02:33 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

NetSvc::
buextp
euznia
fbyijoac
khibyo
uacuiqysaez
yzdaetsoe

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


========================================================

#9 Horizontal Kipper

Horizontal Kipper
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:38 PM

Posted 22 May 2009 - 01:15 AM

Hi Sam.
I ran the latest ComboFix script. Here is the log.

ComboFix 09-05-16.05 - janson littlejohn 22/05/2009 7:05.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.694 [GMT 1:00]
Running from: c:\documents and settings\janson littlejohn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\janson littlejohn\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.

2009-05-07 18:56 . 2009-05-07 18:56 -------- d-----w c:\documents and settings\janson littlejohn\Application Data\Malwarebytes
2009-05-07 18:56 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-07 18:56 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-07 18:56 . 2009-05-07 18:56 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-07 18:56 . 2009-05-07 18:56 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-06 21:12 . 2009-05-06 21:12 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-06 21:12 . 2009-05-06 21:23 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-08 21:21 . 2009-02-03 22:51 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-08 21:07 . 2009-05-08 17:41 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-05-08 21:07 . 2009-05-08 17:41 10563 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-07 20:02 . 2008-12-25 19:56 -------- d-----w c:\program files\Angle Interactive
2009-05-06 20:12 . 2008-09-19 07:29 -------- d-----w c:\program files\McAfee
2009-04-11 16:41 . 2008-09-19 05:15 182656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-20 15:44 . 2009-03-20 15:44 141824 ---ha-w c:\windows\system32\xlihje.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-17_11.11.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-16 13:07 . 2008-10-16 13:07 208744 c:\windows\system32\muweb.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-08 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-12 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-12 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-12 131072]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-04-14 450648]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2008-09-05 393216]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-09 159744]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 495616]
"Google EULA Launcher"="c:\program files\Google\Google EULA\\GoogleEULALauncher.exe" [2008-08-29 20480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-08-19 417792]
"Hiyo"="c:\program files\HiYo\bin\HiYo.exe" [2009-01-11 300336]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-09-11 16851456]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TOSHIBA Online Product Information"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2008-09-08 5567800]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-5-9 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\TODDSrv.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\TosBtSrv.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\Toshiba\\ConfigFree\\CFSvcs.exe"=
"c:\\Program Files\\Toshiba\\TOSHIBA Applet\\TAPPSRV.exe"=
"c:\\WINDOWS\\system32\\acs.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\HiYo\\Bin\\HiYo.exe"=
"c:\\Program Files\\Toshiba\\ConfigFree\\NDSTray.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [18/02/2009 10:51 55152]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [14/01/2009 18:53 226656]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 12:22 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 12:15 134016]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [19/09/2008 08:26 5888]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [19/09/2008 08:09 157696]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [26/12/2008 21:36 57408]
S2 buextp;BuexTp;c:\windows\System32\svchost.exe -k netsvcs [19/09/2008 06:15 14336]
S2 euznia;EuzniA;c:\windows\System32\svchost.exe -k netsvcs [19/09/2008 06:15 14336]
S2 fbyijoac;FByijoac;c:\windows\System32\svchost.exe -k netsvcs [19/09/2008 06:15 14336]
S2 khibyo;Khibyo;c:\windows\System32\svchost.exe -k netsvcs [19/09/2008 06:15 14336]
S2 uacuiqysaez;Uacuiqysaez;c:\windows\System32\svchost.exe -k netsvcs [19/09/2008 06:15 14336]
S2 yzdaetsoe;YzdaEtsoe;c:\windows\System32\svchost.exe -k netsvcs [19/09/2008 06:15 14336]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 19:08 533360]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-22 07:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4231769466-4130284174-918188779-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-05-22 7:08
ComboFix-quarantined-files.txt 2009-05-22 06:08
ComboFix2.txt 2009-05-19 18:23
ComboFix3.txt 2009-05-17 11:13

Pre-Run: 110,030,409,728 bytes free
Post-Run: 110,057,029,632 bytes free

130 --- E O F --- 2009-01-31 23:11

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:38 AM

Posted 22 May 2009 - 03:44 PM

Please download this tool to your desktop.
http://download.bleepingcomputer.com/sUBs/SvcQuery.exe

Double click SvcQuery.exe to run the tool.
One at a time enter these service names.

buextp
euznia
fbyijoac
khibyo
uacuiqysaez
yzdaetsoe



How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 Horizontal Kipper

Horizontal Kipper
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:38 PM

Posted 26 May 2009 - 12:52 PM

Hi Sam.
After the last ComboFix the computer started to download the microsoft updates OK.
I ran the SvcQuery as requested. All except 'euznia' reported "service not found". 'euznia' reported this as well at the second try.

The computer is booting & running a lot quicker now & I have not noticed any problems.
It has no Antivirus running atm
I think that Norton slowed it down too much & maybe the user disabled it???
It's only a netbook & doesn't have much resources.
Is there any antivirus / antispyware you would recommend?

Thanks for your help.

Stuart

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:38 AM

Posted 27 May 2009 - 02:16 PM

I've heard that Avast is pretty easy on the resources. I'd give it a try.
http://www.avast.com/eng/download-avast-home.html



We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK




==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.



========================================================
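The Internet Explorer zone settings recommended in the post above live in the per-user registry under the Internet zone (zone 3). The following PowerShell audit is an added example, not part of the thread: it reads each of the six settings and reports any that differ from the recommended value. It assumes the standard per-user zone key and Microsoft's documented zone registry layout (action IDs as value names; 0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example (not from the thread): audit the Internet zone settings that
# the post above tells the user to change, and flag any that differ.
# Assumes the standard per-user zone key and the documented action-ID layout.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # 3 = Internet zone

# Value names are the action IDs; data is 0 = Enable, 1 = Prompt, 3 = Disable.
$wanted = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }
}
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Read the whole zone key once; a missing key means the user profile has never
# customised the zone, so every setting falls back to the zone template default.
$props = Get-ItemProperty -Path $zoneKey -ErrorAction Stop

$findings = foreach ($id in $wanted.Keys) {
    $current = $props.$id
    $currentText =
        if ($null -eq $current)                      { 'not set (template default)' }
        elseif ($label.ContainsKey([int]$current))   { $label[[int]$current] }
        else                                         { "raw value $current" }
    [pscustomobject]@{
        Setting  = $wanted[$id].Name
        Expected = $label[$wanted[$id].Value]
        Current  = $currentText
        OK       = ($null -ne $current -and [int]$current -eq $wanted[$id].Value)
    }
}

# Deviations first, then a non-zero exit code so the check can be scripted.
$findings | Sort-Object OK | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.OK }) { exit 1 }
```

Machine-wide values under HKLM and Group Policy can override the per-user key, so a clean result here means the user profile matches the recommendation, not that policy cannot relax it.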

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:38 AM

Posted 25 June 2009 - 03:01 PM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================



