
Toshiba Satellite troubles. Mdefense.exe suspected


This topic is locked
44 replies to this topic

#1 Rocky65
  • Members
  • 57 posts
  • Location: wash

Posted 15 January 2010 - 06:58 PM

My daughter just got slammed with what appears to be an installer program called "mdefense.exe", according to the icon and folder. She had a whole bunch of spyware popups and it even changed the desktop screen to some big warning graphic. At one point three icons were installed on the desktop, all for pornography websites. I deleted them to the recycle bin.

When booting in normal mode there are a lot of things happening and many popup warnings. Here are most of them:

Win32.Netsky
Win32.Hala.a
Win32.Gpcode.ak
NetWorm.win32.DipNet.d
NetWorm.win32.Mytob.t
Backdoor.win32.Agent.ich
TrojanDownloader.JS.Multi.ca
Chin09.WIN
Rootkit.Win32.Agent.pp (or .pa, not sure)

Attempted to boot in Safe Mode logged in as Administrator but could not; the system hangs.

Also ran AdvancedSystemCare and it cleaned many items.
Attempted to run Malwarebytes Anti-Malware but it would not install.

Normal boot comes up with the Worm.Win32.NetSkey first thing and it says to download the latest anti-spyware. When you "OK" that, the normal icons show up and the Active Desktop Recovery screen comes on.

Currently logged in under user in Safe Mode. I don't want to shut it down for fear it might not come back to life.
The computer is NOT on the web; the antenna is off.

Logs as follow:


DDS (Ver_09-12-01.01) - NTFSx86 MINIMAL
Run by savannah at 15:07:10.18 on Fri 01/15/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.787 [GMT -8:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: avast! antivirus 4.8.1335 [VPS 100112-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\smss32.exe
C:\Program Files\Internet Explorer\Iexplore.exe
E:\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.toshiba.com/search
mWinlogon: Userinit=c:\windows\system32\winlogon32.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [twunk_32x.exe] c:\docume~1\savannah\locals~1\temp\twunk_32x.exe
uRun: [Malware Defense] "c:\program files\malware defense\mdefense.exe" -noscan
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [VirusScan Online] c:\progra~1\mcafee.com\vso\mcvsshld.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [lxdnmon.exe] "c:\program files\lexmark 2600 series\lxdnmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2600 series\ezprint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [smss32.exe] c:\windows\system32\smss32.exe
mRun: [Hbecawajurijafec] rundll32.exe "c:\windows\ocomibah.dll",Startup
StartupFolder: c:\docume~1\savannah\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229734516453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli iaptrui0.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\savannah\applic~1\mozilla\firefox\profiles\mdghzcba.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?rls=ig&hl=en&source=iglk
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {58F6B00D-85B4-4358-A4F8-90226F49DC75} - c:\documents and settings\savannah\local settings\application data\{58F6B00D-85B4-4358-A4F8-90226F49DC75}
FF - HiddenExtension: XULRunner: {7B7D3C8E-9E66-4581-857F-CDFD053723BF} - c:\documents and settings\administrator\local settings\application data\{7B7D3C8E-9E66-4581-857F-CDFD053723BF}

============= SERVICES / DRIVERS ===============

S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-18 114768]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-18 20560]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-12-18 138680]
S2 gupdate1c9a33a9d5ce9b4;Google Update Service (gupdate1c9a33a9d5ce9b4);c:\program files\google\update\GoogleUpdate.exe [2009-3-12 133104]
S2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [2009-9-21 98984]
S2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2006-2-6 126976]
S2 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2006-2-6 221184]
S2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2006-2-6 122368]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-12-18 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-12-18 352920]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2006-2-6 245760]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-2-6 114464]

=============== Created Last 30 ================

2010-01-15 02:50:08 0 d-----w- c:\program files\CCleaner
2010-01-15 02:37:37 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-01-15 02:37:37 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-01-15 02:32:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-15 02:32:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-15 02:32:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-15 02:32:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-15 02:30:57 0 d-----w- c:\docume~1\savannah\applic~1\TrojanHunter
2010-01-14 20:15:37 0 d-----w- c:\program files\IObit
2010-01-14 17:53:41 0 d-----w- c:\program files\TrojanHunter 5.0
2010-01-14 17:50:38 0 d-----w- c:\program files\SpywareBlaster
2010-01-13 08:22:23 0 ----a-w- c:\windows\Wgekamec.bin
2010-01-13 08:22:22 120 ----a-w- c:\windows\Nvehapevafiy.dat
2010-01-13 08:18:41 0 ----a-w- c:\windows\system32\IS15.exe
2010-01-13 08:18:40 0 ----a-w- c:\windows\system32\helper32.dll
2010-01-13 08:18:36 2931 ----a-w- c:\windows\system32\warning.html
2010-01-13 08:18:34 25088 ----a-w- c:\windows\system32\winlogon32.exe
2010-01-13 08:18:34 25088 ----a-w- c:\windows\system32\smss32.exe
2010-01-13 08:08:16 0 d-sh--w- c:\windows\system32\lowsec
2010-01-13 00:41:07 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-07 18:57:37 54156 ---ha-w- c:\windows\QTFont.qfn
2010-01-07 18:57:37 1409 ----a-w- c:\windows\QTFont.for

==================== Find3M ====================

2010-01-07 18:46:19 8572 ----a-w- c:\docume~1\savannah\applic~1\wklnhst.dat
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

============= FINISH: 15:08:33.40 ===============

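The DDS report above is dense, and the lines a helper keys on are scattered through the "Pseudo HJT Report" section. As an added example (not part of the original post and not code from the DDS tool), the Python script below pulls those indicators out: the Winlogon Userinit value pointing at winlogon32.exe instead of userinit.exe, the extra iaptrui0.dll in the LSA Notification Packages, the DisableTaskMgr policy, Run entries that start from a temp directory, carry a core-process name with extra characters (smss32.exe), or load a DLL from outside system32 through rundll32, and a Firefox hidden extension installed under a user-writable "Local Settings\Application Data" directory. The rule names, the CORE_PROCESSES and LOCKDOWN_POLICIES sets, and the assumption that an XP workstation's default Notification Packages value is just scecli are this example's own choices, not anything DDS reports; the sample text is an excerpt of the log above with a few benign entries kept so the rules can be seen not firing.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for the persistence and
tamper indicators visible in the log above: a Userinit hijack, an extra LSA
notification package, lockdown policies, Run entries that start from a temp
directory, mimic a core system process or load a stray DLL via rundll32, and
Firefox hidden extensions living in a user-writable profile directory."""
import re

# Constructed excerpt of the DDS log in the post above (benign entries kept on purpose).
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\winlogon32.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [twunk_32x.exe] c:\docume~1\savannah\locals~1\temp\twunk_32x.exe
uRun: [Malware Defense] "c:\program files\malware defense\mdefense.exe" -noscan
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [smss32.exe] c:\windows\system32\smss32.exe
mRun: [Hbecawajurijafec] rundll32.exe "c:\windows\ocomibah.dll",Startup
uPolicies-system: DisableTaskMgr = 1 (0x1)
LSA: Notification Packages = scecli iaptrui0.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {58F6B00D-85B4-4358-A4F8-90226F49DC75} - c:\documents and settings\savannah\local settings\application data\{58F6B00D-85B4-4358-A4F8-90226F49DC75}
"""

# Heuristic lists chosen for this example (assumptions, not DDS output).
CORE_PROCESSES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "explorer"}
LOCKDOWN_POLICIES = {"disabletaskmgr", "disableregistrytools", "nosetactivedesktop", "noactivedesktopchanges"}
DEFAULT_LSA_PACKAGES = {"scecli"}  # assumption: XP workstation default Notification Packages
ENTRY = re.compile(r"^(?P<key>[A-Za-z\-]+|FF - \w+):\s*(?P<rest>.+)$")
FIRST_TOKEN = re.compile(r'^"(?P<quoted>[^"]+)"|^(?P<bare>\S+)')


def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def split_command(command):
    """(executable, remaining arguments) of a Run value, unquoting the executable."""
    command = command.strip()
    m = FIRST_TOKEN.match(command)
    if not m:
        return command, ""
    return (m["quoted"] or m["bare"]), command[m.end():].strip()


def is_lookalike(exe):
    """smss32.exe, winlogon32.exe ...: a core process name with extra characters."""
    stem = basename(exe).split(".")[0]
    return stem not in CORE_PROCESSES and any(stem.startswith(c) for c in CORE_PROCESSES)


def triage_dds(text):
    """Return [(rule, offending line), ...] in log order."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        key, rest = m["key"], m["rest"]
        if key == "mWinlogon" and rest.lower().startswith("userinit="):
            # The legitimate value is c:\windows\system32\userinit.exe, (trailing comma)
            target, _ = split_command(rest.partition("=")[2].split(",")[0])
            if basename(target) != "userinit.exe":
                findings.append(("userinit-hijack", line))
        elif key.endswith("Run") and rest.startswith("["):
            _name, _, command = rest[1:].partition("] ")
            exe, args = split_command(command)
            if "\\temp\\" in exe.lower():
                findings.append(("run-from-temp", line))
            if is_lookalike(exe):
                findings.append(("run-lookalike-name", line))
            if basename(exe) == "rundll32.exe":
                dll, _ = split_command(args)
                if "\\system32\\" not in dll.lower():
                    findings.append(("run-rundll32-loader", line))
        elif key.endswith("Policies-system") or key.endswith("Policies-explorer"):
            policy, _, value = rest.partition("=")
            if policy.strip().lower() in LOCKDOWN_POLICIES and value.strip().startswith("1"):
                findings.append(("lockdown-policy", line))
        elif key == "LSA" and rest.lower().startswith("notification packages"):
            packages = {p.lower() for p in rest.partition("=")[2].split()}
            if packages - DEFAULT_LSA_PACKAGES:
                findings.append(("lsa-notification-package", line))
        elif key == "FF - HiddenExtension" and "local settings\\application data" in rest.lower():
            findings.append(("hidden-ff-extension", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage_dds(SAMPLE_DDS):
        print(f"{rule:26} {line}")
```

Note what generic rules do not catch: the rogue "Malware Defense" Run entry under Program Files looks like any other installed program, which is why a helper reads the whole report rather than only a flag list.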



#2 myrti
  • Malware Study Hall Admin
  • 33,784 posts
  • Location: At home

Posted 15 January 2010 - 07:09 PM

Hi,

please try the following:

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Afterwards please try to download and install Malwarebytes once more.

In addition please try to run gmer:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti



#3 Rocky65 (Topic Starter)
  • Members
  • 57 posts
  • Location: wash

Posted 15 January 2010 - 10:01 PM

Hi Myrti

I did run RKill but I'm not sure anything happened.
Then I reinstalled Malwarebytes. I attempted to run it but again, nothing.

All this was in Safe Mode.

GMER of course did run:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-15 18:59:11
Windows 5.1.2600 Service Pack 3
Running: ddk51id8.exe; Driver: C:\DOCUME~1\savannah\LOCALS~1\Temp\pglcypoc.sys


---- System - GMER 1.0.15 ----

Code 86EA8870 ZwEnumerateKey
Code 86DE3300 ZwFlushInstructionCache
Code 86EA88A6 IofCallDriver
Code 86DD91E6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 86EA88AB
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 86DD91EB
PAGE ntoskrnl.exe!ZwFlushInstructionCache 8056E42A 5 Bytes JMP 86DE3304
PAGE ntoskrnl.exe!ZwEnumerateKey 805735A4 5 Bytes JMP 86EA8874

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[272] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0087000A
.text C:\WINDOWS\system32\lsass.exe[284] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008E000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E352056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351FD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E35201B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F63 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F9D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352091 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E352253 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] WININET.dll!HttpAddRequestHeadersA 3D94632F 5 Bytes JMP 00C2000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] WININET.dll!HttpAddRequestHeadersW 3D9AA4C5 5 Bytes JMP 00CE000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRTsisuxjddxm.sys (*** hidden *** ) F71B7000-F71D3000 (114688 bytes)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\H8SRTldvkknrkoy.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [224] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTldvkknrkoy.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [568] 0x00860000
Library \\?\globalroot\systemroot\system32\H8SRTldvkknrkoy.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [608] 0x00CF0000
Library \\?\globalroot\systemroot\system32\H8SRTldvkknrkoy.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [612] 0x00860000
Library \\?\globalroot\systemroot\system32\H8SRTldvkknrkoy.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [676] 0x00860000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\H8SRTsisuxjddxm.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTsisuxjddxm.sys
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTsisuxjddxm.sys
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRThibprfxjou.dll
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTyaqivrokfc.dat
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTpystwxnmjx.dll
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTldvkknrkoy.dll
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRThwuulevuke.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTsisuxjddxm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTsisuxjddxm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRThibprfxjou.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTyaqivrokfc.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTpystwxnmjx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTldvkknrkoy.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRThwuulevuke.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTsisuxjddxm.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTsisuxjddxm.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRThibprfxjou.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTyaqivrokfc.dat
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTpystwxnmjx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTldvkknrkoy.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRThwuulevuke.dll

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\savannah\Local Settings\Temp\H8SRTf9cd.tmp 343040 bytes executable
File C:\Documents and Settings\savannah\Local Settings\Temp\h8srtmainqt.dll 16649 bytes
File C:\WINDOWS\system32\drivers\H8SRTsisuxjddxm.sys 39936 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\H8SRThibprfxjou.dll 23040 bytes executable
File C:\WINDOWS\system32\H8SRThwuulevuke.dll 40960 bytes executable
File C:\WINDOWS\system32\h8srtkrl32mainweq.dll 928 bytes
File C:\WINDOWS\system32\H8SRTldvkknrkoy.dll 16896 bytes executable
File C:\WINDOWS\system32\H8SRTpystwxnmjx.dll 36864 bytes executable
File C:\WINDOWS\system32\h8srtshsyst.dll 1048 bytes
File C:\WINDOWS\system32\H8SRTyaqivrokfc.dat 160 bytes
File C:\WINDOWS\Temp\H8SRTb730.tmp 160 bytes
File C:\WINDOWS\Temp\h8srtmainqt.dll 16624 bytes

---- EOF - GMER 1.0.15 ----

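The GMER output above is what the rootkit verdict in the next reply rests on, so as an added example (not part of the original post and not GMER's own code) here is a Python parser for that log format. It extracts the kernel inline hooks and flags those whose 5-byte JMP lands far outside the kernel image (the 16 MiB threshold is a heuristic assumed here, since XP's ntoskrnl is only a couple of megabytes; the targets in this log sit in pool memory at 0x86xxxxxx), lists the user-mode hooks GMER could not attribute to a module (the IEFRAME.dll hooks carry an owner and are Internet Explorer's own, so they are skipped), collects every object marked "*** hidden ***" or "ROOTKIT !!!", and ties the hidden driver back to the H8SRTd.sys service key and its "modules" subkey so the whole component set can be listed per ControlSet. The sample is a trimmed excerpt of the log above.

```python
"""Triage a GMER rootkit-scan log: inline kernel hooks whose JMP lands far
from the patched function, user-mode hooks GMER could not attribute to a
module, objects marked hidden, and the registry footprint of the hidden
service that loads them."""
import re

# Constructed excerpt of the GMER log posted above (trimmed to a few lines).
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 86EA88AB
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 86DD91EB
PAGE ntoskrnl.exe!ZwEnumerateKey 805735A4 5 Bytes JMP 86EA8874
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\services.exe[272] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0087000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] WININET.dll!HttpAddRequestHeadersA 3D94632F 5 Bytes JMP 00C2000A
---- Modules - GMER 1.0.15 ----
Module \systemroot\system32\drivers\H8SRTsisuxjddxm.sys (*** hidden *** ) F71B7000-F71D3000 (114688 bytes)
Library \\?\globalroot\systemroot\system32\H8SRTldvkknrkoy.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [224] 0x10000000
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\H8SRTsisuxjddxm.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTsisuxjddxm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTsisuxjddxm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTldvkknrkoy.dll
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\H8SRTsisuxjddxm.sys 39936 bytes executable <-- ROOTKIT !!!
"""

USER_HOOK = re.compile(
    r"^(?P<section>\S+)\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+)!(?P<function>\S+)"
    r"\s+(?P<addr>[0-9A-F]+)\s+\d+ Bytes\s+JMP (?P<target>[0-9A-F]+)(?:\s+(?P<owner>.+))?$")
KERNEL_HOOK = re.compile(
    r"^(?P<section>\S+)\s+(?P<module>[^\s!]+)!(?P<function>\S+)\s+(?P<addr>[0-9A-F]+)"
    r"\s+\d+ Bytes\s+JMP (?P<target>[0-9A-F]+)$")
HIDDEN = re.compile(r"^(?P<kind>Module|Library|Service|Process|File)\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\*\s*\)")
ROOTKIT = re.compile(r"^(?P<kind>\w+)\s+(?P<path>.+?)(?:\s+\(\*\*\* hidden|\s+\d+ bytes).*<-- ROOTKIT !!!$")
REG = re.compile(r"^Reg HKLM\\SYSTEM\\(?P<cset>\w+)\\Services\\(?P<service>[^\\@\s]+)"
                 r"(?:\\(?P<subkey>[^@\s]+))?@(?P<value>\S+)\s+(?P<data>.*)$")

# Heuristic (assumption): XP's ntoskrnl image is about 2 MB, so a JMP from a
# kernel export to a target more than 16 MiB away cannot stay inside the
# kernel image; in this log the targets are in pool memory (0x86xxxxxx).
FAR_JMP = 0x0100_0000


def parse_gmer(text):
    out = {"kernel_hooks": [], "user_hooks": [], "hidden": [], "rootkit_marked": [], "services": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        m = USER_HOOK.match(line) or KERNEL_HOOK.match(line)
        if m:
            hook = m.groupdict()
            hook["addr"], hook["target"] = int(hook["addr"], 16), int(hook["target"], 16)
            out["user_hooks" if "pid" in hook else "kernel_hooks"].append(hook)
            continue
        m = HIDDEN.match(line)
        if m:
            out["hidden"].append((m["kind"], m["path"]))
        m = ROOTKIT.match(line)  # a Service line can be both hidden and rootkit-marked
        if m:
            out["rootkit_marked"].append((m["kind"], m["path"]))
        m = REG.match(line)
        if m:
            svc = out["services"].setdefault(m["cset"], {}).setdefault(
                m["service"], {"values": {}, "modules": {}})
            if m["subkey"] is None:
                svc["values"][m["value"].lower()] = m["data"]
            elif m["subkey"].lower() == "modules":
                svc["modules"][m["value"]] = m["data"]
    return out


def triage(text):
    p = parse_gmer(text)
    hidden_names = {path.rsplit("\\", 1)[-1].lower() for _, path in p["hidden"]}
    hidden_services = {}  # service name -> ControlSet -> start value and component files
    for cset, services in p["services"].items():
        for name, svc in services.items():
            files = [f for f in [svc["values"].get("imagepath")] + list(svc["modules"].values()) if f]
            if any(f.rsplit("\\", 1)[-1].lower() in hidden_names for f in files):
                hidden_services.setdefault(name, {})[cset] = {"start": svc["values"].get("start"), "files": files}
    return {
        "far_kernel_hooks": [h for h in p["kernel_hooks"] if abs(h["target"] - h["addr"]) > FAR_JMP],
        "unattributed_user_hooks": [h for h in p["user_hooks"] if not h["owner"]],
        "hidden": p["hidden"],
        "rootkit_marked": p["rootkit_marked"],
        "hidden_services": hidden_services,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for h in report["far_kernel_hooks"]:
        print(f"kernel hook {h['module']}!{h['function']} {h['addr']:08X} -> {h['target']:08X}")
    for h in report["unattributed_user_hooks"]:
        print(f"user hook   {h['process']}[{h['pid']}] {h['module']}!{h['function']} -> {h['target']:08X} (no owner)")
    for kind, path in report["hidden"]:
        print(f"hidden {kind.lower():8} {path}")
    for name, csets in report["hidden_services"].items():
        for cset, info in csets.items():
            print(f"service {name} in {cset}: start={info['start']} components={len(info['files'])}")
```

The service view is the useful part for cleanup: the same "modules" list appears under every ControlSet in the full log, so a removal that only touches CurrentControlSet leaves the driver registered in the others.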


#4 myrti
  • Malware Study Hall Admin
  • 33,784 posts
  • Location: At home

Posted 16 January 2010 - 05:56 AM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon; check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti



#5 Rocky65 (Topic Starter)
  • Members
  • 57 posts
  • Location: wash

Posted 16 January 2010 - 11:12 AM

Myrti,

After several attempts to run ComboFix in Safe Mode, I had to reboot to Normal mode and re-copy the ComboFix file to the desktop.
When it ran I got an error: "The instruction at '0x771248f0' referenced memory at '0x771248f0'. The memory could not be 'read'. Click on OK to terminate program."
This popped up on top of the ComboFix "Disclaimer of warranty on software" popup.

ComboFix did start running but it wanted avast! to be shut down first. I attempted to shut it down in the Task Manager but ComboFix still reported it running.

ComboFix detected a rootkit and found these files:

C:\Windows\system32\drivers\H8SRTsisuxjddxm.sys
C:\Windows\system32\H8SRThibprfxjou.dll
C:\Windows\system32\H8SRTyaqivrokfc.dll
C:\Windows\system32\H8SRTpystwxnmjx.dll
C:\Windows\system32\H8SRTldvkknrkoy.dll
C:\Windows\system32\H8SRThwuulevuke.dll

It then rebooted the computer and continued the scan.
A McAfee VirusScan popup found this: C:\windows\temp\_avast4_unp69088630.tmp and said it was a potentially unwanted program. I just continued what I was doing.

On the second re-boot the error C:\windows\ocomibah.dll appeared.
The avast! program started. This is the first time I have seen it start. I stopped it while ComboFix was still running.

Here's the log.

ComboFix 10-01-13.07 - savannah 01/16/2010 7:44.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.480 [GMT -8:00]
Running from: c:\documents and settings\savannah\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\savannah\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: avast! antivirus 4.8.1335 [VPS 100112-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\savannah\LOCALS~1\Temp\wscsvc32.exe
c:\documents and settings\Administrator\Local Settings\Application Data\{7B7D3C8E-9E66-4581-857F-CDFD053723BF}
c:\documents and settings\Administrator\Local Settings\Application Data\{7B7D3C8E-9E66-4581-857F-CDFD053723BF}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{7B7D3C8E-9E66-4581-857F-CDFD053723BF}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{7B7D3C8E-9E66-4581-857F-CDFD053723BF}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{7B7D3C8E-9E66-4581-857F-CDFD053723BF}\install.rdf
c:\documents and settings\savannah\Local Settings\Application Data\{58F6B00D-85B4-4358-A4F8-90226F49DC75}
c:\documents and settings\savannah\Local Settings\Application Data\{58F6B00D-85B4-4358-A4F8-90226F49DC75}\chrome.manifest
c:\documents and settings\savannah\Local Settings\Application Data\{58F6B00D-85B4-4358-A4F8-90226F49DC75}\chrome\content\_cfg.js
c:\documents and settings\savannah\Local Settings\Application Data\{58F6B00D-85B4-4358-A4F8-90226F49DC75}\chrome\content\overlay.xul
c:\documents and settings\savannah\Local Settings\Application Data\{58F6B00D-85B4-4358-A4F8-90226F49DC75}\install.rdf
c:\recycler\S-1-5-21-3189052832-4293742930-2107519714-1003
c:\windows\ocomibah.dll
c:\windows\system32\drivers\H8SRTsisuxjddxm.sys
c:\windows\system32\H8SRThibprfxjou.dll
c:\windows\system32\H8SRThwuulevuke.dll
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\H8SRTldvkknrkoy.dll
c:\windows\system32\H8SRTpystwxnmjx.dll
c:\windows\system32\h8srtshsyst.dll
c:\windows\system32\H8SRTyaqivrokfc.dat
c:\windows\system32\helper32.dll
c:\windows\system32\IS15.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\smss32.exe
c:\windows\system32\warning.html
c:\windows\system32\winlogon32.exe
c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-16 to 2010-01-16 )))))))))))))))))))))))))))))))
.

2010-01-15 02:50 . 2010-01-15 02:50 -------- d-----w- c:\program files\CCleaner
2010-01-15 02:37 . 2001-08-17 21:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-01-15 02:37 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-01-15 02:32 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-15 02:32 . 2010-01-16 00:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-15 02:32 . 2010-01-15 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-15 02:32 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-15 02:30 . 2010-01-15 02:30 -------- d-----w- c:\documents and settings\savannah\Application Data\TrojanHunter
2010-01-14 20:15 . 2010-01-14 20:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2010-01-14 20:15 . 2010-01-14 20:15 -------- d-----w- c:\program files\IObit
2010-01-14 20:02 . 2010-01-14 20:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\TrojanHunter
2010-01-14 17:53 . 2010-01-14 17:54 -------- d-----w- c:\program files\TrojanHunter 5.0
2010-01-14 17:50 . 2010-01-14 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-14 17:50 . 2010-01-14 17:50 -------- d-----w- c:\program files\SpywareBlaster
2010-01-13 08:22 . 2010-01-16 14:42 0 ----a-w- c:\windows\Wgekamec.bin
2010-01-13 08:22 . 2010-01-13 08:22 120 ----a-w- c:\windows\Nvehapevafiy.dat
2010-01-13 00:41 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-16 16:02 . 2008-12-26 19:13 -------- d-----w- c:\documents and settings\savannah\Application Data\skypePM
2010-01-16 16:01 . 2008-12-26 19:06 -------- d-----w- c:\documents and settings\savannah\Application Data\Skype
2010-01-16 14:45 . 2008-12-26 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2010-01-16 14:41 . 2009-03-12 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-09 04:43 . 2009-02-09 21:23 -------- d-----w- c:\documents and settings\savannah\Application Data\uTorrent
2010-01-07 18:46 . 2008-12-20 23:37 8572 ----a-w- c:\documents and settings\savannah\Application Data\wklnhst.dat
2009-12-23 02:02 . 2006-01-19 18:16 -------- d-----w- c:\program files\Google
2009-11-21 15:51 . 2006-01-19 02:01 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:46 . 2006-01-19 02:02 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2006-01-19 02:01 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2006-01-19 02:01 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2006-01-19 02:02 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-01-19 02:01 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-03 23:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-19 21633320]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-23 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 761945]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"NDSTray.exe"="NDSTray.exe" [BU]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TFncKy"="TFncKy.exe" [BU]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-12 198160]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]
"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2009-05-20 660136]
"EzPrint"="c:\program files\Lexmark 2600 Series\ezprint.exe" [2009-05-20 107176]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\savannah\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-12-26 66864]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-1-18 155648]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli iaptrui0.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1137646052\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\WINDOWS\\system32\\lxdncoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdntime.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnjswx.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnlscn.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnwbgw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/18/2008 11:11 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/18/2008 11:11 PM 20560]
R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [9/21/2009 4:15 PM 98984]
S2 gupdate1c9a33a9d5ce9b4;Google Update Service (gupdate1c9a33a9d5ce9b4);c:\program files\Google\Update\GoogleUpdate.exe [3/12/2009 9:47 AM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-05 09:56]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-12 17:47]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-12 17:47]

2008-12-19 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-01-19 00:12]
.
.
------- Supplementary Scan -------
.
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\savannah\Application Data\Mozilla\Firefox\Profiles\mdghzcba.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?rls=ig&hl=en&source=iglk
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Malware Defense - c:\program files\Malware Defense\mdefense.exe
HKLM-Run-smss32.exe - c:\windows\system32\smss32.exe
HKLM-Run-Hbecawajurijafec - c:\windows\ocomibah.dll
SafeBoot-WudfPf
SafeBoot-WudfRd



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-16 07:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(920)
c:\windows\iaptrui0.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(6248)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\program files\mcafee.com\vso\McVSSkt.dll
c:\windows\system32\mshtml.dll
c:\windows\iaptrui0.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\lxdncoms.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\progra~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\agent\mctskshd.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\wscntfy.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\windows\AGRSMMSG.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSMain.exe
c:\windows\system32\TPSBattM.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-01-16 08:05:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-16 16:05

Pre-Run: 37,315,149,824 bytes free
Post-Run: 37,972,013,056 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 90AB28858407F0CBD09AE2F0C984B86C

Why are mice when they spin?


#6 myrti


Posted 16 January 2010 - 11:29 AM

Hi,

that looks a lot better already.
Since you now have 2 running anti virus programs I would suggest you remove one:
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't. (Which by the way was exactly what happened here: McAfee identified a file from Avast as malicious)
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Avast or McAfee.

Please also run the following script to remove the leftovers on the system:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\Wgekamec.bin
c:\windows\Nvehapevafiy.dat

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti

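As an added example (not ComboFix's code and not part of the helper's post): a small Python script that decodes the hex(7) value in the CFScript above, splits the "Notification Packages REG_MULTI_SZ scecli iaptrui0.dll" line from the earlier log, flags the package that is not the XP default, and regenerates the Registry:: block. The allowlist of legitimate package names is an assumption; the sample values are copied from this thread.

```python
#!/usr/bin/env python3
"""Check the LSA "Notification Packages" value for unexpected DLLs and build the
REG_MULTI_SZ replacement in the hex(7) form a ComboFix CFScript (REGEDIT4) uses.

Added example, not ComboFix's or the forum helper's own code. The sample log line
and the hex string below are taken from this thread; the allowlist is an assumption
(scecli is the only package on a default Windows XP install)."""

import re

# Every DLL named here is loaded into lsass.exe (the earlier log shows
# c:\windows\iaptrui0.dll inside lsass.exe) and is notified of password changes,
# which is why an entry that is not the default deserves attention.
DEFAULT_ALLOWLIST = frozenset({"scecli"})  # assumption: workstation default

# Constructed copy of the line ComboFix printed under "Reg Loading Points".
SAMPLE_LOG_LINE = "Notification Packages REG_MULTI_SZ scecli iaptrui0.dll"

# The value the helper's CFScript writes back (REGEDIT4 single-byte form).
SAMPLE_FIX_HEX = "73,63,65,63,6c,69,00,00"


def decode_hex7(hex_str: str, encoding: str = "latin-1") -> list:
    """Turn a .reg 'hex(7):' payload into the list of strings it encodes.

    REGEDIT4 files use single-byte ANSI text: one NUL ends each string and an
    extra NUL ends the list. Pass encoding='utf-16-le' for 'Windows Registry
    Editor Version 5.00' files, whose strings are two bytes per character.
    """
    cleaned = re.sub(r"[\s\\]", "", hex_str)  # tolerate wrapped lines
    raw = bytes(int(b, 16) for b in cleaned.split(",") if b)
    text = raw.decode(encoding)
    # Split on NUL and drop the empty pieces produced by the terminators.
    return [s for s in text.split("\0") if s]


def encode_hex7(strings: list, encoding: str = "latin-1") -> str:
    """Inverse of decode_hex7: strings -> 'xx,xx,...' with the double terminator."""
    text = "".join(s + "\0" for s in strings) + "\0"
    return ",".join(f"{b:02x}" for b in text.encode(encoding))


def parse_notification_packages(log_line: str) -> list:
    """Parse ComboFix's 'Notification Packages REG_MULTI_SZ a b c' log line."""
    m = re.match(r"Notification Packages\s+REG_MULTI_SZ\s*(.*)$", log_line.strip())
    if not m:
        raise ValueError("not a Notification Packages log line")
    return m.group(1).split()


def _norm(name: str) -> str:
    """LSA loads '<name>.dll'; the value normally stores the bare name."""
    name = name.lower()
    return name[:-4] if name.endswith(".dll") else name


def unexpected_packages(packages, allowlist=DEFAULT_ALLOWLIST) -> list:
    """Return the entries that are not on the allowlist (case-insensitive)."""
    allowed = {_norm(a) for a in allowlist}
    return [p for p in packages if _norm(p) not in allowed]


def build_cfscript_fix(allowed_packages) -> str:
    """Emit the Registry:: block a CFScript needs to reset the value."""
    return (
        "Registry::\n"
        "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\n"
        f'"Notification Packages"=hex(7):{encode_hex7(list(allowed_packages))}\n'
    )


if __name__ == "__main__":
    found = parse_notification_packages(SAMPLE_LOG_LINE)
    print("packages:  ", found)
    print("unexpected:", unexpected_packages(found))
    print("CFScript value decodes to:", decode_hex7(SAMPLE_FIX_HEX))
    print(build_cfscript_fix(["scecli"]))
```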


#7 Rocky65


Posted 16 January 2010 - 01:35 PM

Myrti,

The first time I copied the CFScript text into ComboFix it didn't run, but told me it could not run the files or they didn't exist or something to that effect. (It happened very fast, I didn't get all the info.) Then the box closed.
The second time it worked. And re-booted Windows.

On another note, I found out that my daughter had an external drive hooked up to this computer when it first got infected. Should I get that drive and have it scanned along with what we are doing here? Tell me what to do.

Here is the latest log.



ComboFix 10-01-13.07 - savannah 01/16/2010 10:18:02.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.650 [GMT -8:00]
Running from: c:\documents and settings\savannah\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\savannah\Desktop\CFScript.txt

FILE ::
"c:\windows\Nvehapevafiy.dat"
"c:\windows\Wgekamec.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Nvehapevafiy.dat
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\Wgekamec.bin

.
((((((((((((((((((((((((( Files Created from 2009-12-16 to 2010-01-16 )))))))))))))))))))))))))))))))
.

2010-01-15 02:50 . 2010-01-15 02:50 -------- d-----w- c:\program files\CCleaner
2010-01-15 02:37 . 2001-08-17 21:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-01-15 02:37 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-01-15 02:32 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-15 02:32 . 2010-01-16 00:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-15 02:32 . 2010-01-15 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-15 02:32 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-15 02:30 . 2010-01-15 02:30 -------- d-----w- c:\documents and settings\savannah\Application Data\TrojanHunter
2010-01-14 20:15 . 2010-01-14 20:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2010-01-14 20:15 . 2010-01-14 20:15 -------- d-----w- c:\program files\IObit
2010-01-14 20:02 . 2010-01-14 20:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\TrojanHunter
2010-01-14 17:53 . 2010-01-14 17:54 -------- d-----w- c:\program files\TrojanHunter 5.0
2010-01-14 17:50 . 2010-01-14 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-14 17:50 . 2010-01-14 17:50 -------- d-----w- c:\program files\SpywareBlaster
2010-01-13 00:41 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-16 18:27 . 2008-12-26 19:06 -------- d-----w- c:\documents and settings\savannah\Application Data\Skype
2010-01-16 18:09 . 2006-02-07 00:36 -------- d-----w- c:\program files\McAfee.com
2010-01-16 16:02 . 2008-12-26 19:13 -------- d-----w- c:\documents and settings\savannah\Application Data\skypePM
2010-01-16 14:45 . 2008-12-26 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2010-01-16 14:41 . 2009-03-12 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-09 04:43 . 2009-02-09 21:23 -------- d-----w- c:\documents and settings\savannah\Application Data\uTorrent
2010-01-07 18:46 . 2008-12-20 23:37 8572 ----a-w- c:\documents and settings\savannah\Application Data\wklnhst.dat
2009-12-23 02:02 . 2006-01-19 18:16 -------- d-----w- c:\program files\Google
2009-11-21 15:51 . 2006-01-19 02:01 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:46 . 2006-01-19 02:02 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2006-01-19 02:01 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2006-01-19 02:01 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2006-01-19 02:02 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-01-19 02:01 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-03 23:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-19 21633320]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-23 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 761945]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"NDSTray.exe"="NDSTray.exe" [BU]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TFncKy"="TFncKy.exe" [BU]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-12 198160]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]
"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2009-05-20 660136]
"EzPrint"="c:\program files\Lexmark 2600 Series\ezprint.exe" [2009-05-20 107176]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\savannah\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-12-26 66864]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-1-18 155648]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli iaptrui0.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1137646052\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\WINDOWS\\system32\\lxdncoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdntime.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnjswx.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnlscn.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnwbgw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [9/21/2009 4:15 PM 98984]
S2 gupdate1c9a33a9d5ce9b4;Google Update Service (gupdate1c9a33a9d5ce9b4);c:\program files\Google\Update\GoogleUpdate.exe [3/12/2009 9:47 AM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-05 09:56]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-12 17:47]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-12 17:47]

2008-12-19 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-01-19 00:12]
.
.
------- Supplementary Scan -------
.
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\savannah\Application Data\Mozilla\Firefox\Profiles\mdghzcba.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?rls=ig&hl=en&source=iglk
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-16 10:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(916)
c:\windows\iaptrui0.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(7048)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\iaptrui0.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\lxdncoms.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\progra~1\mcafee.com\agent\mctskshd.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\windows\system32\TPSBattM.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-01-16 10:31:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-16 18:31
ComboFix2.txt 2010-01-16 16:05

Pre-Run: 38,185,541,632 bytes free
Post-Run: 38,149,902,336 bytes free

- - End Of File - - EE97E87B118A4CD7C42DDA6E84A4BE70

Why are mice when they spin?


#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:12:34 AM

Posted 16 January 2010 - 02:04 PM

Hi,

I don't think the infection propagates over flash drives. But if you want to be sure please do the following:

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Please also provide a fresh OTL log.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!


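The check and the mitigation described in the post above, as an added example that is not from the thread and is not Flash_Disinfector's code: classify whatever sits at a drive root under the name autorun.inf (absent, protective folder, harmless icon-only file, or a file carrying a launch key), and create the hidden placeholder folder the post describes. The drive roots and both autorun.inf samples are constructed in a temp directory; the hidden attribute is set only on Windows.

```python
import os
import tempfile
from pathlib import Path

# [autorun] keys that make Windows (XP era) launch a program from the
# drive on insertion or when the drive icon is opened.
EXECUTION_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Constructed sample of a malicious autorun.inf: junk lines and odd
# casing are common in the wild, so the parser must tolerate them.
SAMPLE_MALICIOUS_INF = """\
;garbage line to confuse naive parsers
[AutoRun]
OPEN = setup.exe
shell\\open\\Command=setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# Constructed sample of a harmless autorun.inf (custom icon and label only).
SAMPLE_BENIGN_INF = """\
[autorun]
icon=photos.ico
label=Holiday pictures
"""


def parse_autorun(text: str) -> dict:
    """Return the keys of the [autorun] section, lower-cased, mapped to values.
    Lines outside that section, comments and lines without '=' are ignored."""
    keys = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def classify_root(root: Path) -> str:
    """Classify what sits at the drive root under the name autorun.inf."""
    entry = root / "autorun.inf"
    if not entry.exists():
        return "absent"
    if entry.is_dir():
        return "protected"        # placeholder folder: a file of that name cannot be dropped
    keys = parse_autorun(entry.read_text(errors="replace"))
    launchers = [k for k in EXECUTION_KEYS if k in keys]
    if launchers:
        return "suspicious: " + ", ".join(f"{k}={keys[k]}" for k in launchers)
    return "benign"               # icon/label only, nothing is launched


def protect_root(root: Path) -> bool:
    """Create an empty, hidden autorun.inf folder at the root, the mitigation the
    post describes. Returns True if a folder was created; an existing file is
    left in place so it can be inspected first."""
    entry = root / "autorun.inf"
    if entry.exists():
        return False
    entry.mkdir()
    if os.name == "nt":           # FILE_ATTRIBUTE_HIDDEN; skipped on other platforms
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(str(entry), 0x02)
    return True


def demo() -> dict:
    """Build three constructed drive roots in a temp dir and run the check on each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        infected, harmless, empty = (Path(tmp) / n for n in ("E_infected", "F_harmless", "G_empty"))
        for d in (infected, harmless, empty):
            d.mkdir()
        (infected / "autorun.inf").write_text(SAMPLE_MALICIOUS_INF)
        (harmless / "autorun.inf").write_text(SAMPLE_BENIGN_INF)
        results["infected"] = classify_root(infected)
        results["harmless"] = classify_root(harmless)
        results["empty_before"] = classify_root(empty)
        results["created"] = protect_root(empty)
        results["empty_after"] = classify_root(empty)
        results["infected_untouched"] = protect_root(infected)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```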


#9 Rocky65

Rocky65
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  • Gender:Male
  • Location:wash
  • Local time:02:34 PM

Posted 16 January 2010 - 02:09 PM

Thanks, I will try to get the drive. It may take some time and maybe not today. Thanks for the quick reply.

Why are mice when they spin?


#10 Rocky65

Rocky65
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  • Gender:Male
  • Location:wash
  • Local time:02:34 PM

Posted 16 January 2010 - 04:27 PM

Myrti,

Here is the recent OTL log. I didn't run the backup drive yet; will let you know.

OTL logfile created on: 1/16/2010 12:32:51 PM - Run 2
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\savannah\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 579.00 Mb Available Physical Memory | 57.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.28 Gb Total Space | 35.55 Gb Free Space | 47.86% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 473.48 Mb Total Space | 179.67 Mb Free Space | 37.95% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SAVANNAH
Current User Name: savannah
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/14 13:42:12 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\savannah\Desktop\OTL.exe
PRC - [2009/09/04 12:16:54 | 00,158,448 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2009/09/04 12:16:54 | 00,058,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2009/05/20 07:48:16 | 00,107,176 | ---- | M] (Lexmark International Inc.) -- C:\Program Files\Lexmark 2600 Series\ezprint.exe
PRC - [2009/05/20 07:48:14 | 00,660,136 | ---- | M] () -- C:\Program Files\Lexmark 2600 Series\lxdnmon.exe
PRC - [2009/05/19 10:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/02/11 21:55:56 | 00,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2008/12/26 10:43:22 | 00,066,864 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
PRC - [2008/04/13 16:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/27 10:07:26 | 00,594,600 | ---- | M] ( ) -- C:\WINDOWS\system32\lxdncoms.exe
PRC - [2008/02/27 10:07:14 | 00,098,984 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdnserv.exe
PRC - [2008/02/13 13:06:58 | 02,196,240 | ---- | M] () -- C:\Program Files\Logitech\QuickCam\Quickcam.exe
PRC - [2008/02/13 13:02:46 | 00,564,496 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
PRC - [2008/02/13 13:02:24 | 00,405,776 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
PRC - [2008/02/05 18:20:42 | 00,150,040 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2008/02/05 18:18:48 | 00,186,904 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
PRC - [2006/01/05 14:02:24 | 00,352,256 | ---- | M] (TOSHIBA) -- C:\Program Files\TOSHIBA\TOSHIBA Applet\THotkey.exe
PRC - [2005/12/20 11:22:14 | 00,035,328 | ---- | M] (TOSHIBA Corp.) -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
PRC - [2005/12/16 16:32:58 | 00,761,945 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2005/12/16 16:21:00 | 00,151,552 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\Toshiba.exe
PRC - [2005/12/05 12:37:40 | 00,667,718 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2005/11/30 12:25:22 | 00,073,728 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
PRC - [2005/11/28 11:41:50 | 00,602,182 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2005/11/28 11:37:52 | 00,397,381 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2005/11/28 11:31:32 | 00,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2005/11/28 11:29:00 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2005/11/28 11:28:14 | 00,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2005/11/27 21:55:58 | 00,118,784 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2005/11/27 21:55:14 | 00,098,304 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2005/11/27 21:52:00 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2005/11/02 16:41:04 | 00,978,944 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
PRC - [2005/10/15 06:29:08 | 00,088,203 | ---- | M] (Agere Systems) -- C:\WINDOWS\agrsmmsg.exe
PRC - [2005/10/13 19:56:16 | 00,126,976 | ---- | M] (McAfee, Inc) -- c:\Program Files\McAfee.com\Agent\Mcdetect.exe
PRC - [2005/10/06 05:20:00 | 00,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2005/08/24 16:01:04 | 00,122,368 | ---- | M] (McAfee, Inc) -- c:\Program Files\McAfee.com\Agent\McTskshd.exe
PRC - [2005/08/16 11:23:12 | 00,188,416 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
PRC - [2005/07/12 17:14:42 | 00,040,960 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
PRC - [2005/05/31 20:59:58 | 00,045,056 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSBattM.exe
PRC - [2005/04/26 16:13:20 | 00,122,880 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
PRC - [2005/03/17 17:37:26 | 00,151,552 | ---- | M] (TOSHIBA Corporation) -- C:\TOSHIBA\IVP\ISM\pinger.exe
PRC - [2005/01/17 16:38:38 | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2004/12/30 00:32:20 | 00,065,536 | ---- | M] (TOSHIBA) -- C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
PRC - [2004/10/20 05:40:04 | 00,010,328 | R--- | M] (America Online) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
PRC - [2004/10/15 12:54:14 | 00,100,016 | ---- | M] (America Online, Inc) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
PRC - [2004/10/15 12:54:12 | 00,046,768 | ---- | M] (America Online Inc) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
PRC - [2004/08/28 00:37:00 | 00,155,648 | ---- | M] (Matsubleepa Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\RAMASST.exe
PRC - [2004/08/28 00:33:00 | 00,110,592 | ---- | M] (Matsubleepa Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe


========== Modules (SafeList) ==========

MOD - [2010/01/16 10:25:21 | 00,109,080 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\temp\logishrd\LVPrcInj01.dll
MOD - [2010/01/14 13:42:12 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\savannah\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/09/04 12:17:00 | 00,447,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2009/09/04 12:16:54 | 05,893,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2009/09/04 12:16:54 | 00,058,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2009/05/19 10:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/03/24 01:56:37 | 00,183,280 | ---- | M] (Google) [Auto | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/03/12 09:47:09 | 00,133,104 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9a33a9d5ce9b4) Google Update Service (gupdate1c9a33a9d5ce9b4)
SRV - [2008/12/01 10:59:52 | 00,033,752 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper) getPlus®
SRV - [2008/02/27 10:07:26 | 00,594,600 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxdncoms.exe -- (lxdn_device)
SRV - [2008/02/27 10:07:14 | 00,098,984 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdnserv.exe -- (lxdnCATSCustConnectService)
SRV - [2008/02/05 18:22:36 | 00,141,848 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)
SRV - [2008/02/05 18:20:42 | 00,150,040 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2008/02/05 18:18:48 | 00,186,904 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe -- (LVCOMSer)
SRV - [2005/12/20 11:22:14 | 00,035,328 | ---- | M] (TOSHIBA Corp.) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- (TAPPSRV)
SRV - [2005/11/28 11:31:32 | 00,540,745 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2005/11/28 11:29:00 | 00,114,753 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2005/11/28 11:28:14 | 00,217,164 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2005/10/13 19:56:16 | 00,126,976 | ---- | M] (McAfee, Inc) [Auto | Running] -- c:\Program Files\McAfee.com\Agent\Mcdetect.exe -- (McDetect.exe)
SRV - [2005/08/24 16:01:04 | 00,122,368 | ---- | M] (McAfee, Inc) [Auto | Running] -- c:\Program Files\McAfee.com\Agent\McTskshd.exe -- (McTskshd.exe)
SRV - [2005/07/12 17:14:42 | 00,040,960 | ---- | M] () [Auto | Running] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2005/07/01 19:22:50 | 00,245,760 | ---- | M] (McAfee, Inc) [On_Demand | Stopped] -- C:\Program Files\McAfee.com\Agent\mcupdmgr.exe -- (mcupdmgr.exe)
SRV - [2005/01/17 16:38:38 | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2004/10/20 05:40:04 | 00,010,328 | R--- | M] (America Online) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)
SRV - [2004/10/15 12:54:14 | 00,100,016 | ---- | M] (America Online, Inc) [Auto | Running] -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe -- (AOL TopSpeedMonitor)
SRV - [2004/08/28 00:33:00 | 00,110,592 | ---- | M] (Matsubleepa Electric Industrial Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2009/09/01 23:28:46 | 00,040,832 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\zumbus.sys -- (zumbus)
DRV - [2008/12/18 22:03:59 | 00,021,275 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP) AEGIS Protocol (IEEE 802.1x)
DRV - [2008/11/20 11:19:06 | 00,043,872 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/04/13 10:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 08:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/13 08:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/05 18:21:25 | 00,041,752 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2008/02/05 18:20:40 | 00,628,760 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2008/02/05 18:20:08 | 00,025,624 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2008/02/05 18:18:12 | 00,689,176 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Lvckap.sys -- (LVcKap)
DRV - [2008/02/05 18:17:37 | 02,570,520 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LV302V32.SYS -- (PID_PEPI) Logitech QuickCam IM(PID_PEPI)
DRV - [2008/02/05 18:17:26 | 00,013,848 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lv302af.sys -- (pepifilter)
DRV - [2006/11/02 07:00:08 | 00,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2005/12/16 16:15:06 | 00,191,936 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/12/09 16:48:40 | 04,123,136 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/12/04 09:55:30 | 01,428,096 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel®
DRV - [2005/11/30 11:01:02 | 00,043,392 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Tvs.sys -- (Tvs)
DRV - [2005/11/30 10:12:00 | 00,162,560 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2005/11/28 12:09:26 | 00,013,568 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2005/11/27 22:20:20 | 01,353,820 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2005/11/15 09:00:22 | 01,122,656 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/10/20 14:03:42 | 00,006,144 | ---- | M] (Toshiba Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NBSMI.sys -- (TVALD)
DRV - [2005/10/09 23:31:42 | 00,163,328 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®
DRV - [2005/10/06 05:20:00 | 00,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/10/06 05:20:00 | 00,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/10/06 05:20:00 | 00,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/10/06 05:20:00 | 00,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/10/06 05:20:00 | 00,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/10/06 05:20:00 | 00,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/10/06 05:20:00 | 00,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/09/14 02:24:08 | 00,179,200 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2005/09/12 03:30:00 | 00,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/09/09 14:47:10 | 00,009,344 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfec.sys -- (tosrfec)
DRV - [2005/08/25 12:16:52 | 00,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 12:16:16 | 00,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/08/24 15:20:28 | 00,009,472 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tbiosdrv.sys -- (tbiosdrv)
DRV - [2005/08/12 05:20:00 | 00,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2005/06/02 03:33:00 | 00,102,384 | ---- | M] (Matsubleepa Electric Industrial Co.,Ltd.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf)
DRV - [2005/01/12 00:05:46 | 00,204,160 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\KR10N.sys -- (KR10N)
DRV - [2004/08/04 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2003/09/19 15:45:48 | 00,021,248 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (Pfc)
DRV - [2003/09/10 23:36:54 | 00,021,060 | ---- | M] (InterVideo, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\iviaspi.sys -- (Iviaspi)
DRV - [2003/01/29 14:35:00 | 00,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)
DRV - [2003/01/10 12:13:04 | 00,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart

IE - HKU\S-1-5-21-264558272-3806330056-3887688337-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?wl=true
IE - HKU\S-1-5-21-264558272-3806330056-3887688337-1006\S-1-5-21-264558272-3806330056-3887688337-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig?rls=ig&hl=en&source=iglk"
FF - prefs.js..extensions.enabledItems: {d5890af0-d08c-11dd-ad8b-0800200c9a66}:1.0
FF - prefs.js..extensions.enabledItems: {C288E3D6-3588-4b60-BD4A-7413899D269B}:1.1

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/06 12:37:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/06 12:37:08 | 00,000,000 | ---D | M]

[2008/12/20 09:53:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\savannah\Application Data\Mozilla\Extensions
[2010/01/12 19:48:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\savannah\Application Data\Mozilla\Firefox\Profiles\mdghzcba.default\extensions
[2009/02/09 11:58:17 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\savannah\Application Data\Mozilla\Firefox\Profiles\mdghzcba.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe41}
[2008/12/20 10:04:13 | 00,000,000 | ---D | M] (Xmas) -- C:\Documents and Settings\savannah\Application Data\Mozilla\Firefox\Profiles\mdghzcba.default\extensions\{C288E3D6-3588-4b60-BD4A-7413899D269B}
[2009/01/15 10:04:05 | 00,000,000 | ---D | M] (avant.garde.10011 :lilla:) -- C:\Documents and Settings\savannah\Application Data\Mozilla\Firefox\Profiles\mdghzcba.default\extensions\{d5890af0-d08c-11dd-ad8b-0800200c9a66}
[2009/09/22 22:01:26 | 00,002,164 | ---- | M] () -- C:\Documents and Settings\savannah\Application Data\Mozilla\Firefox\Profiles\mdghzcba.default\searchplugins\bing.xml
[2010/01/12 19:48:52 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKU\S-1-5-21-264558272-3806330056-3887688337-1006\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-264558272-3806330056-3887688337-1006\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AGRSMMSG] C:\WINDOWS\agrsmmsg.exe (Agere Systems)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark 2600 Series\ezprint.exe (Lexmark International Inc.)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [LogitechCommunicationsManager] C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe ()
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\QuickCam\Quickcam.exe ()
O4 - HKLM..\Run: [lxdnmon.exe] C:\Program Files\Lexmark 2600 Series\lxdnmon.exe ()
O4 - HKLM..\Run: [MCAgentExe] c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc)
O4 - HKLM..\Run: [MCUpdateExe] c:\Program Files\McAfee.com\Agent\mcupdate.exe (McAfee, Inc)
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKLM..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TFncKy] File not found
O4 - HKLM..\Run: [THotkey] C:\Program Files\TOSHIBA\TOSHIBA Applet\THotkey.exe (TOSHIBA)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [TPSMain] C:\WINDOWS\System32\TPSMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Zune Launcher] c:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-264558272-3806330056-3887688337-1006..\Run: [Skype] C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
O4 - HKU\S-1-5-21-264558272-3806330056-3887688337-1006..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (Logitech Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)
O4 - Startup: C:\Documents and Settings\savannah\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-264558272-3806330056-3887688337-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-264558272-3806330056-3887688337-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-264558272-3806330056-3887688337-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-264558272-3806330056-3887688337-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-264558272-3806330056-3887688337-1006_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Translate into English - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\NPJPI150_04.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1229734516453 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\savannah\Desktop\3020060170_5d6c694758.jpg
O24 - Desktop BackupWallPaper: C:\Documents and Settings\savannah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/01/18 19:23:21 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/16 12:31:54 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2010/01/16 12:29:38 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\savannah\Desktop\OTL.exe
[2010/01/16 10:23:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/01/16 10:17:16 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/01/16 10:17:16 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/01/16 10:17:16 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/01/16 10:17:16 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/01/16 07:27:31 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2010/01/16 07:18:42 | 04,614,888 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\savannah\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[2010/01/16 07:03:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/16 06:49:53 | 00,000,000 | ---D | C] -- C:\Qoobox
[2010/01/14 18:50:08 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/01/14 18:37:37 | 00,012,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mouhid.sys
[2010/01/14 18:32:57 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/14 18:32:56 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/14 18:32:56 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/14 18:32:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/14 18:31:50 | 04,045,544 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\savannah\Desktop\mb.exe
[2010/01/14 18:30:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\savannah\Application Data\TrojanHunter
[2010/01/14 12:15:37 | 00,000,000 | ---D | C] -- C:\Program Files\IObit
[2010/01/14 09:53:41 | 00,000,000 | ---D | C] -- C:\Program Files\TrojanHunter 5.0
[2010/01/14 09:50:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/01/14 09:50:38 | 00,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2010/01/12 16:41:07 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2009/09/21 16:13:50 | 00,438,272 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDNhcp.dll
[2009/09/21 16:13:50 | 00,364,544 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdninpa.dll
[2009/09/21 16:13:50 | 00,339,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdniesc.dll
[2009/09/21 16:13:49 | 01,101,824 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdnserv.dll
[2009/09/21 16:13:49 | 00,843,776 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdnusb1.dll
[2009/09/21 16:13:49 | 00,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdnprox.dll
[2009/09/21 16:13:48 | 00,647,168 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdnpmui.dll
[2009/09/21 16:13:48 | 00,569,344 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdnlmpm.dll
[2009/09/21 16:13:47 | 00,663,552 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdnhbn3.dll
[2009/09/21 16:13:45 | 00,851,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdncomc.dll
[2009/09/21 16:13:45 | 00,376,832 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdncomm.dll
[2009/07/31 18:54:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/07/22 08:35:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/07/21 15:24:32 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/06/27 19:46:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/02/09 13:13:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2006/01/18 19:54:04 | 00,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll
[2006/01/18 19:23:13 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/16 11:58:05 | 00,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/01/16 10:35:57 | 00,015,510 | ---- | M] () -- C:\combofix
[2010/01/16 10:25:15 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/16 10:25:02 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/01/16 10:24:54 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/01/16 10:24:53 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/01/16 10:24:38 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/16 10:24:36 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/16 10:24:34 | 10,633,09312 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/16 10:23:49 | 04,456,448 | -H-- | M] () -- C:\Documents and Settings\savannah\NTUSER.DAT
[2010/01/16 10:23:39 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\savannah\ntuser.ini
[2010/01/16 10:04:23 | 04,859,534 | -H-- | M] () -- C:\Documents and Settings\savannah\Local Settings\Application Data\IconCache.db
[2010/01/16 09:40:40 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/01/16 07:27:38 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2010/01/15 16:47:20 | 00,000,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/15 16:42:24 | 00,293,376 | ---- | M] () -- C:\Documents and Settings\savannah\Desktop\ddk51id8.exe
[2010/01/15 16:41:32 | 00,263,168 | ---- | M] () -- C:\Documents and Settings\savannah\Desktop\rkill.pif
[2010/01/14 18:50:08 | 00,001,559 | ---- | M] () -- C:\Documents and Settings\savannah\Desktop\CCleaner.lnk
[2010/01/14 16:30:46 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/14 16:30:28 | 00,000,216 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/01/14 13:42:12 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\savannah\Desktop\OTL.exe
[2010/01/14 12:15:55 | 00,000,885 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
[2010/01/14 09:53:58 | 00,059,392 | R--- | M] () -- C:\WINDOWS\System32\streamhlp.dll
[2010/01/14 09:27:19 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/13 21:24:48 | 04,614,888 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\savannah\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[2010/01/13 19:29:12 | 03,823,934 | R--- | M] () -- C:\Documents and Settings\savannah\Desktop\ComboFix.exe
[2010/01/13 00:08:11 | 00,000,008 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2010/01/07 10:57:37 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/01/07 10:57:37 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010/01/07 10:46:19 | 00,010,752 | ---- | M] () -- C:\Documents and Settings\savannah\Desktop\work out history.xlr
[2010/01/07 10:46:19 | 00,008,572 | ---- | M] () -- C:\Documents and Settings\savannah\Application Data\wklnhst.dat
[2010/01/04 21:58:38 | 00,015,360 | ---- | M] () -- C:\Documents and Settings\savannah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/16 10:35:57 | 00,015,510 | ---- | C] () -- C:\combofix
[2010/01/16 10:17:16 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/01/16 10:17:16 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/01/16 10:17:16 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/01/16 10:17:16 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/01/16 10:17:16 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/01/16 07:27:38 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2010/01/16 07:27:34 | 00,260,272 | ---- | C] () -- C:\cmldr
[2010/01/16 06:41:18 | 10,633,09312 | -HS- | C] () -- C:\hiberfil.sys
[2010/01/16 06:28:12 | 03,823,934 | R--- | C] () -- C:\Documents and Settings\savannah\Desktop\ComboFix.exe
[2010/01/15 16:42:23 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\savannah\Desktop\ddk51id8.exe
[2010/01/15 16:41:31 | 00,263,168 | ---- | C] () -- C:\Documents and Settings\savannah\Desktop\rkill.pif
[2010/01/14 18:50:08 | 00,001,559 | ---- | C] () -- C:\Documents and Settings\savannah\Desktop\CCleaner.lnk
[2010/01/14 18:33:00 | 00,000,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/14 16:30:28 | 00,000,216 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/01/14 12:15:55 | 00,000,885 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
[2010/01/14 09:53:41 | 00,059,392 | R--- | C] () -- C:\WINDOWS\System32\streamhlp.dll
[2010/01/13 00:08:11 | 00,000,008 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2010/01/07 10:57:37 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010/01/07 10:57:37 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2010/01/04 11:30:31 | 00,010,752 | ---- | C] () -- C:\Documents and Settings\savannah\Desktop\work out history.xlr
[2009/09/21 16:15:31 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxdnvs.dll
[2009/09/21 16:15:25 | 00,348,160 | ---- | C] () -- C:\WINDOWS\System32\lxdncoin.dll
[2009/09/21 16:14:42 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\lxdncaps.dll
[2009/09/21 16:14:41 | 00,782,336 | ---- | C] () -- C:\WINDOWS\System32\lxdndrs.dll
[2009/09/21 16:14:41 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxdncnv4.dll
[2009/09/21 16:13:50 | 00,348,160 | ---- | C] () -- C:\WINDOWS\System32\LXDNinst.dll
[2009/09/21 16:13:46 | 00,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxdngrd.dll
[2009/01/23 13:48:09 | 00,015,360 | ---- | C] () -- C:\Documents and Settings\savannah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/27 15:22:49 | 00,000,047 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/12/26 10:44:07 | 00,066,482 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/12/20 15:37:12 | 00,008,572 | ---- | C] () -- C:\Documents and Settings\savannah\Application Data\wklnhst.dat
[2008/12/18 22:29:37 | 00,000,012 | ---- | C] () -- C:\WINDOWS\dirsaver.ini
[2008/12/18 21:56:48 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/11/06 08:37:32 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/06 08:34:00 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/11/06 08:34:00 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/11/06 08:33:02 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/02/05 18:20:08 | 00,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2006/01/18 20:41:58 | 00,000,216 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/01/18 20:31:13 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/01/18 20:31:13 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/01/18 20:31:12 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/01/18 20:31:12 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/01/18 20:31:12 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/01/18 20:31:12 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/01/18 20:29:14 | 00,000,166 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/01/18 20:12:09 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\TDispVol.dll
[2006/01/18 20:04:55 | 00,036,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\CSIIDecoder_kern_i386.sys
[2006/01/18 20:04:55 | 00,029,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSXT_kern_i386.sys
[2006/01/18 20:03:13 | 00,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2006/01/18 19:57:31 | 00,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2006/01/18 19:57:31 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2006/01/18 19:57:31 | 00,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2006/01/18 19:57:31 | 00,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2006/01/18 19:54:04 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
[2006/01/18 19:50:48 | 00,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2006/01/18 19:27:27 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/01/18 19:20:36 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/01/18 18:05:17 | 00,000,341 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/01/18 18:02:30 | 00,040,448 | ---- | C] () -- C:\WINDOWS\iaptrui0.dll
[2005/11/28 20:33:56 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/09/02 14:44:08 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/08/24 15:20:28 | 00,009,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2005/07/22 21:30:20 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2004/07/20 17:04:02 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/01/15 14:43:28 | 00,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
< End of report >

Why are mice when they spin?
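When a helper reads an OTL report like the one above, the lines that get triaged first are the O4 Run entries (anything marked "File not found" or carrying an empty "()" company field) and the O6/O7 NoDriveTypeAutoRun policy values. The script below is an added example for this thread, not part of OTL and not code from either poster: it parses those line shapes, buckets the autostart entries by verdict, and decodes NoDriveTypeAutoRun using Microsoft's documented bit layout (0x01 unknown, 0x02 no root directory, 0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD-ROM, 0x40 RAM disk, 0x80 reserved). The sample lines are constructed to match the report's format; the values 323 and 145 are taken from it and decoded as the bits they are, without any claim about which tool set them.

```python
"""Triage OTL-style O4 autostart lines and NoDriveTypeAutoRun policy values.

Added example for this thread; not part of OTL or of the posts above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: six lines shaped like the OTL report above (a vendor
# entry, an entry with an empty company field, a dangling entry, a per-user
# entry, and the two NoDriveTypeAutoRun values the report shows).
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\QuickCam\Quickcam.exe ()
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKU\S-1-5-21-264558272-3806330056-3887688337-1006..\Run: [Skype] C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$")
TARGET_RE = re.compile(r"^(?P<path>.*?) \((?P<company>[^()]*)\)$")
POLICY_RE = re.compile(r"^O[67] - (?P<key>.+?): NoDriveTypeAutoRun = (?P<value>\d+)$")

# Bit layout of NoDriveTypeAutoRun as documented by Microsoft: a set bit
# disables AutoRun for that drive type. 0x91 (145) is the Windows XP default.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "reserved",
}


@dataclass
class RunEntry:
    hive: str
    name: str
    path: Optional[str]
    company: str
    verdict: str  # "dangling", "no-company", "vendor" or "unparsed"


def classify_run_line(line: str) -> Optional[RunEntry]:
    """Parse one O4 line; return None for lines that are not O4 Run entries."""
    m = RUN_RE.match(line)
    if not m:
        return None
    target = m["target"]
    if target == "File not found":
        # Registry value points at a file that no longer exists: a leftover
        # from an uninstall or from a payload that was already deleted.
        return RunEntry(m["hive"], m["name"], None, "", "dangling")
    t = TARGET_RE.match(target)
    if not t:
        return RunEntry(m["hive"], m["name"], target, "", "unparsed")
    company = t["company"].strip()
    # An empty company field means the binary carries no version resource;
    # legitimate vendors usually set one, so these are the first to hash.
    return RunEntry(m["hive"], m["name"], t["path"], company,
                    "vendor" if company else "no-company")


def triage(text: str) -> Dict[str, List[RunEntry]]:
    """Bucket every O4 Run entry in an OTL report by verdict."""
    buckets: Dict[str, List[RunEntry]] = {
        "dangling": [], "no-company": [], "vendor": [], "unparsed": []}
    for line in text.splitlines():
        entry = classify_run_line(line)
        if entry:
            buckets[entry.verdict].append(entry)
    return buckets


def parse_policy_lines(text: str) -> Dict[str, int]:
    """Map each O6/O7 NoDriveTypeAutoRun key to its decimal value."""
    return {m["key"]: int(m["value"])
            for m in map(POLICY_RE.match, text.splitlines()) if m}


def decode_no_drive_type_autorun(value: int) -> Tuple[Set[str], int]:
    """Return (drive types with AutoRun disabled, bits outside 0x01..0x80)."""
    disabled = {name for bit, name in DRIVE_TYPE_BITS.items() if value & bit}
    undocumented = value & ~sum(DRIVE_TYPE_BITS)
    return disabled, undocumented


if __name__ == "__main__":
    buckets = triage(SAMPLE_LOG)
    for verdict in ("dangling", "no-company", "unparsed"):
        for e in buckets[verdict]:
            print(f"{verdict:11} {e.name:24} {e.path or '-'}")
    for key, value in parse_policy_lines(SAMPLE_LOG).items():
        disabled, extra = decode_no_drive_type_autorun(value)
        cdrom = "disabled" if "DRIVE_CDROM" in disabled else "enabled"
        print(f"{key}: 0x{value:X} -> CD-ROM AutoRun {cdrom}, "
              f"undocumented bits 0x{extra:X}")
```

Run it as a script and it prints the dangling NDSTray.exe entry, the company-less Logitech entry, and one decoded policy line per key. By the documented layout, 145 (0x91) is the XP default and 323 (0x143) sets the 0x01, 0x02 and 0x40 bits plus an undocumented 0x100; neither value sets the 0x20 CD-ROM bit, which is why the decoder reports CD-ROM AutoRun as not disabled for either key. The verdicts are a reading order, not a conviction: a "no-company" entry still has to be hashed and looked up before anything is removed.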


#11 myrti (Malware Study Hall Admin)

Posted 16 January 2010 - 05:19 PM

Hi,

the log is looking fine. Let me know when you have connected the backup drive. How is the PC doing now?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#12 Rocky65 (Topic Starter)

Posted 16 January 2010 - 06:11 PM

Hi, I ran the backup drive and nothing came up. I guess that's what it's supposed to do?

Rocky



#13 myrti (Malware Study Hall Admin)

Posted 16 January 2010 - 06:14 PM

Hi,

yes, that should be fine. How is the PC doing? The OTL log looks fine.

Please run a scan with Eset to confirm:
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

regards myrti



#14 Rocky65 (Topic Starter)

Posted 16 January 2010 - 06:16 PM

Oh and the computer seems to be running fine too.
I do have the original disks that say "recovery and applications/drivers for Satellite A100/A105".

Rocky



#15 myrti (Malware Study Hall Admin)

Posted 16 January 2010 - 06:29 PM

Hi,

did you see my previous post?

I hope/believe we won't need the CDs to clean the PC; actually, I believe that most of the malware should be gone. If you decide to reformat, let me know.

regards myrti





