
Infected with trojans - Vundo, gen, dropper


This topic is locked
18 replies to this topic

#1 clarkone68

Posted 02 March 2010 - 12:26 AM

I'm posting from an uninfected computer because my infected computer (laptop) keeps crashing/freezing and it's hard to do anything from it. From the infected computer, I run into a problem on step 7 of the preparation guide. The comp freezes/crashes before I can get the logs from the DDS tool, and I can't seem to be able to save the DDS tool to my desktop (the option never comes up of where to save it to). When I run superantispyware (before my comp crashes) it says it's infected with trojans like trojan.gen, trojan.dropper, vundo and stuff like that. I get a bunch of fake alerts from Dr. Guard, Vista Internet Security and Security Tools. The viruses killed malwarebytes and I'm unable to properly download it again. I can't seem to boot into safe mode anymore, either. Also, my wallpaper is now all black. As I stated, I have no logs to post, so what do I do? I think I could do a HJT log.



#2 clarkone68 (Topic Starter)

Posted 02 March 2010 - 01:32 AM

If it helps, the specific infections that superantispyware picks up before it crashes are:

Adware.Vundo/Variant-Blocker
Trojan.Agent/Gen-CDesc[NewF]
Trojan.Agent/Gen-Backdoor[FakeAlert]
Trojan.Agent/Gen
Trojan.Dropper/ADR.WV
Trojan.Agent/Gen-FSG
Rogue.Agent/Gen
Adware.TrackingCookie
Rogue.SecurityTool
Rogue.AntivirusSoft

When it crashes, the blue screen says STOP: 0x000000F4 (0x00000003, 0x87087D90, 0x87087EDC, 0x8206C650)

#3 Buckeye_Sam (Malware Expert)

Posted 02 March 2010 - 08:23 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.


If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 clarkone68 (Topic Starter)

Posted 02 March 2010 - 10:51 AM

Thanks for your speedy response. I'm very grateful.

Update from my last post - I renamed the SecurityTool folder and it no longer causes havoc at startup (my desktop icons show up and no pop ups for SecurityTool) and I was finally able to boot into safe mode. I ran spyware doctor in safe mode and it came back with like 15-16 threats and 560 infections, but didn't fix them due to it being the free version. I was able to get the DDS tool to run all the way through, but the 2 logs never popped up. I just got the pop up about how those 2 files were supposed to pop up and would disappear.

Now, I tried to download combofix (I forgot to turn off my antivirus and antispyware programs) from the first link and got:

!! ALERT !! It is NOT SAFE to continue!
The contents of the ComboFix package has been compromised.
Please download a fresh copy from:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Note: You may have been infected with a file patching virus 'virut'

2nd attempt (I turned off the programs):
It goes through the stages and then it says it has deleted a bunch of stuff, but everything in the background has disappeared and no log pops up. Nothing about Recovery Console ever came up. On reboot, a bunch of RunDLL screens pop up with 'Error loading ...' and 'The specified module could not be found.'

3rd attempt:
Same thing, ComboFix runs and during it everything in the background disappears and no log appears after it runs through.

av.exe doesn't show up in processes anymore, which seems to be a bit of a relief. Also, I'm on Vista and I never get a prompt of where to save a program to. I had to move combofix to my desktop from the download folder. Sorry, I guess I just didn't let it run long enough. It seems to be preparing a log report on my 4th attempt. Is that a problem?

Edited by clarkone68, 02 March 2010 - 11:31 AM.


#5 clarkone68 (Topic Starter)

Posted 02 March 2010 - 11:46 AM

Alright, here's the log that I got after the 4th attempt:

ComboFix 10-03-01.04 - Clint J 03/02/2010 11:04:04.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2939.1967 [GMT -5:00]
Running from: c:\users\Clint J\Downloads\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-02 16:16 . 2010-03-02 16:27 -------- d-----w- c:\users\Clint J\AppData\Local\temp
2010-03-02 16:16 . 2010-03-02 16:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-02 14:23 . 2010-03-02 14:23 -------- d-----w- C:\found.004
2010-03-02 05:53 . 2010-03-02 05:53 -------- d-----w- C:\found.003
2010-03-02 01:40 . 2010-03-02 01:40 -------- d-----w- C:\found.002
2010-03-02 01:29 . 2010-03-02 13:21 -------- d-----w- c:\programdata\17355223
2010-03-01 19:46 . 2010-03-01 19:46 -------- d-----w- C:\found.001
2010-03-01 16:35 . 2010-03-01 16:35 -------- d-----w- C:\found.000
2010-03-01 13:51 . 2010-02-05 14:18 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-03-01 13:51 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-01 13:51 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-01 13:51 . 2009-09-23 21:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-01 13:51 . 2010-02-05 14:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-01 13:51 . 2010-03-01 13:51 -------- d-----w- c:\users\Clint J\AppData\Roaming\PC Tools
2010-03-01 12:40 . 2010-03-02 14:47 -------- d-----w- c:\program files\Spyware Doctor
2010-03-01 12:40 . 2010-03-01 13:52 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-01 12:40 . 2010-03-01 13:51 -------- d-----w- c:\programdata\PC Tools
2010-03-01 12:38 . 2010-03-01 12:40 -------- d-----w- c:\users\Clint J\AppData\Roaming\GetRightToGo
2010-03-01 10:32 . 2010-03-02 13:19 120 ----a-w- c:\users\Clint J\AppData\Local\Wxojumihoyo.dat
2010-03-01 10:32 . 2010-03-02 05:34 0 ----a-w- c:\users\Clint J\AppData\Local\Ncacileyocozo.bin
2010-03-01 10:32 . 2010-03-01 10:34 -------- d-----w- c:\users\Clint J\AppData\Roaming\Dr. Guard
2010-03-01 10:29 . 2010-03-01 10:29 -------- d-----w- c:\programdata\watusero
2010-03-01 10:29 . 2010-03-01 10:29 -------- d-----w- c:\programdata\kirojeke
2010-03-01 09:38 . 2010-03-02 15:01 -------- d-----w- c:\programdata\sowimudu
2010-03-01 09:38 . 2010-03-02 15:01 -------- d-----w- c:\programdata\kohuhego
2010-03-01 09:38 . 2010-03-01 09:38 -------- d-----w- c:\programdata\sudoroke
2010-02-11 21:06 . 2010-02-11 21:06 -------- d-----w- c:\users\Clint J\AppData\Roaming\Facebook
2010-02-01 23:52 . 2010-02-01 23:52 -------- d-----w- c:\program files\iPod
2010-02-01 23:49 . 2010-02-01 23:49 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-02 16:01 . 2010-03-01 10:35 7336 ----a-w- c:\programdata\fiosejgfse.dll
2010-03-02 16:01 . 2010-03-01 10:35 7336 ----a-w- c:\programdata\fiosejgfse.dll
2010-03-02 14:02 . 2008-12-25 05:14 113776 ----a-w- c:\users\Clint J\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-02 13:57 . 2009-06-20 22:55 -------- d-----w- c:\program files\Backgammon Classic
2010-03-02 03:55 . 2009-03-06 14:54 6648 ----a-w- c:\users\Clint J\AppData\Local\d3d9caps.dat
2010-03-02 03:36 . 2009-04-18 03:08 -------- d-----w- c:\programdata\Google Updater
2010-03-02 01:29 . 2010-03-02 01:29 1036800 ----a-w- c:\programdata\17355223\bad.exe.exe
2010-03-02 01:22 . 2010-03-02 01:22 52224 ----a-w- c:\users\Clint J\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-02 01:22 . 2009-08-30 05:14 117760 ----a-w- c:\users\Clint J\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-01 14:37 . 2010-03-01 14:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-03-01 10:33 . 2010-03-01 10:33 2347008 ----a-w- c:\users\Clint J\AppData\Roaming\Dr. Guard\drguard.exe
2010-03-01 10:33 . 2010-03-01 10:33 57344 ----a-w- c:\users\Clint J\AppData\Roaming\Dr. Guard\uninstall.exe
2010-03-01 10:33 . 2010-03-01 10:33 39424 ----a-w- c:\users\Clint J\AppData\Roaming\Dr. Guard\drgext.dll
2010-03-01 10:33 . 2010-03-01 10:33 20480 ----a-w- c:\users\Clint J\AppData\Roaming\Dr. Guard\drghook.dll
2010-02-26 12:27 . 2009-02-11 12:35 -------- d-----w- c:\users\Clint J\AppData\Roaming\gtk-2.0
2010-02-20 23:45 . 2009-08-30 05:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-15 01:42 . 2009-07-11 08:10 1670392 ----a-w- c:\programdata\WildTangent\TOSHIBA Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2010-02-11 21:06 . 2010-02-11 21:06 50354 ----a-w- c:\users\Clint J\AppData\Roaming\Facebook\uninstall.exe
2010-02-10 16:53 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-10 16:51 . 2008-10-24 21:15 -------- d-----w- c:\programdata\Microsoft Help
2010-02-04 10:20 . 2008-08-14 19:40 -------- d-----w- c:\program files\Google
2010-02-01 23:52 . 2009-11-02 18:17 -------- d-----w- c:\program files\iTunes
2010-02-01 23:52 . 2008-12-25 18:14 -------- d-----w- c:\program files\Common Files\Apple
2010-02-01 23:47 . 2010-02-01 23:47 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\users\Clint J\AppData\Roaming\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\users\Clint J\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
2010-01-28 22:59 . 2010-01-28 22:59 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb9925.tmp.exe
2010-01-27 08:06 . 2010-01-27 08:06 683801 ----a-w- c:\programdata\Last.fm\Client\UninstWMP\unins000.exe
2010-01-27 08:06 . 2010-01-27 08:05 161 ----a-w- c:\programdata\Last.fm\Client\uninst2.bat
2010-01-27 08:06 . 2010-01-27 08:06 683801 ----a-w- c:\programdata\Last.fm\Client\UninstWA\unins000.exe
2010-01-27 08:05 . 2010-01-27 08:05 683801 ----a-w- c:\programdata\Last.fm\Client\UninstITW\unins000.exe
2010-01-27 08:05 . 2010-01-27 08:05 -------- d-----w- c:\programdata\Last.fm
2010-01-27 08:05 . 2010-01-27 08:05 -------- d-----w- c:\program files\Last.fm
2010-01-25 12:00 . 2010-02-23 22:38 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-23 22:38 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-23 22:38 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-23 22:38 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-23 22:38 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-23 22:38 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-23 22:38 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-23 22:38 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-23 22:38 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-23 22:38 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-20 19:38 . 2009-01-13 08:25 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-08 22:37 . 2008-12-25 18:16 -------- d-----w- c:\users\Clint J\AppData\Roaming\Apple Computer
2010-01-06 15:39 . 2010-02-23 22:38 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38 . 2010-02-23 22:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 13:30 . 2010-02-23 22:38 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-02 06:38 . 2010-01-21 20:40 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 20:40 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-21 20:40 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-21 20:40 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-31 01:11 . 2009-12-07 01:22 5603776 ----a-w- c:\users\Clint J\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
2009-12-31 01:11 . 2009-09-26 20:23 144160 ----a-w- c:\users\Clint J\AppData\Roaming\Move Networks\uninstall.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-11 11:43 . 2010-02-10 16:24 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-11 11:43 . 2010-02-10 16:24 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-12-08 20:01 . 2010-02-10 16:24 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 20:01 . 2010-02-10 16:24 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:01 . 2010-02-10 16:24 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 17:26 . 2010-02-10 16:24 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-12-07 01:22 . 2009-12-07 01:22 97216 ----a-w- c:\users\Clint J\AppData\Roaming\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-04 18:30 . 2010-02-10 16:24 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:29 . 2010-02-10 16:24 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:28 . 2010-02-10 16:24 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:28 . 2010-02-10 16:24 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:28 . 2010-02-10 16:24 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-04 18:28 . 2010-02-10 16:24 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:28 . 2010-02-10 16:24 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-04 18:28 . 2010-02-10 16:24 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:27 . 2010-02-10 16:24 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-04 15:56 . 2010-02-10 16:24 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-04 15:56 . 2010-02-10 16:24 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-12-04 00:19 . 2009-12-04 00:19 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb8AC6.tmp.exe
2009-04-01 02:47 . 2009-03-10 04:52 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
1601-01-01 00:03 . 1601-01-01 00:03 40960 --sha-w- c:\windows\System32\difoyuro.dll
1601-01-01 00:03 . 1601-01-01 00:03 47104 --sha-w- c:\windows\System32\doyanavo.dll
1601-01-01 00:03 . 1601-01-01 00:03 40960 --sha-w- c:\windows\System32\fovisuga.dll
1601-01-01 00:03 . 1601-01-01 00:03 95232 --sha-w- c:\windows\System32\gulotema.dll
1601-01-01 00:03 . 1601-01-01 00:03 65024 --sha-w- c:\windows\System32\jelulowa.dll
1601-01-01 00:03 . 1601-01-01 00:03 70656 --sha-w- c:\windows\System32\jojejodi.dll
1601-01-01 00:03 . 1601-01-01 00:03 70656 --sha-w- c:\windows\System32\lonayemu.dll
1601-01-01 00:03 . 1601-01-01 00:03 40960 --sha-w- c:\windows\System32\luhuwuji.dll
1601-01-01 00:03 . 1601-01-01 00:03 40960 --sha-w- c:\windows\System32\rawomuba.dll
1601-01-01 00:03 . 1601-01-01 00:03 94720 --sha-w- c:\windows\System32\somotiye.dll
1601-01-01 00:03 . 1601-01-01 00:03 94720 --sha-w- c:\windows\System32\tasurizo.dll
1601-01-01 00:03 . 1601-01-01 00:03 94720 --sha-w- c:\windows\System32\vajafeti.dll
1601-01-01 00:03 . 1601-01-01 00:03 70656 --sha-w- c:\windows\System32\vovugesi.dll
1601-01-01 00:03 . 1601-01-01 00:03 40960 --sha-w- c:\windows\System32\vunogenu.dll
1601-01-01 00:03 . 1601-01-01 00:03 40960 --sha-w- c:\windows\System32\wogugegu.dll
1601-01-01 00:03 . 1601-01-01 00:03 94208 --sha-w- c:\windows\System32\yuzubayi.dll
1601-01-01 00:03 . 1601-01-01 00:03 94720 --sha-w- c:\windows\System32\zanodidu.dll
1601-01-01 00:03 . 1601-01-01 00:03 94720 --sha-w- c:\windows\System32\zozavidi.dll
1601-01-01 00:03 . 1601-01-01 00:03 40960 --sha-w- c:\windows\System32\zufasewa.dll
2008-12-25 05:13 . 2008-12-25 05:13 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2008-12-25 05:13 . 2008-12-25 05:13 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-22 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-20 2012912]
"Dr. Guard"="c:\users\Clint J\AppData\Roaming\Dr. Guard\drguard.exe" [2010-03-01 2347008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-07-31 417792]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
"NDSTray.exe"="NDSTray.exe" [BU]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-04-01 1283384]
"PCMAgent"="c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [2007-12-14 143360]
"CLMLServer"="c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [2008-07-11 188416]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-06 515416]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-12 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-06 01:19 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(8):64,02,2d,14,cc,51,ca,01

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [4/6/2009 1:32 PM 64160]
R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [3/1/2010 8:51 AM 207280]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090219.003\IDSvix86.sys [2/20/2009 5:13 PM 270384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [8/5/2009 3:06 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 66632]
R2 ConfigFree Service;ConfigFree Service;c:\program files\Toshiba\ConfigFree\CFSvcs.exe [7/10/2008 7:58 PM 40960]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 7:37 AM 149352]
R2 TMachInfo;TMachInfo;c:\program files\Toshiba\TOSHIBA Service Station\TMachInfo.exe [8/14/2008 2:15 PM 62776]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\Toshiba\SMARTLogService\TosIPCSrv.exe [12/3/2007 7:03 PM 126976]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [8/14/2008 2:08 PM 7168]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\System32\drivers\NETw5v32.sys [4/28/2008 8:29 AM 3658752]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe [4/24/2008 8:35 PM 73728]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2/19/2009 11:31 AM 41008]
S2 gupdate1c9bfd2fc5e2720;Google Update Service (gupdate1c9bfd2fc5e2720);c:\program files\Google\Update\GoogleUpdate.exe [4/17/2009 10:08 PM 133104]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [1/12/2008 2:32 PM 23888]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 951632]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 12872]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [3/1/2010 8:51 AM 365280]
S3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDRV.SYS [8/20/2008 1:41 PM 9216]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 17:49]

2010-03-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-14 03:08]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 03:08]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 03:08]

2010-02-21 c:\windows\Tasks\Norton Security Scan for Clint J.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-16 16:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: pogo.com
FF - ProfilePath - c:\users\Clint J\AppData\Roaming\Mozilla\Firefox\Profiles\alb9ycpa.default\
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Mozilla\Firefox\Profiles\alb9ycpa.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{473daa5b-c18b-4c99-b911-4c2f9e4e2fc9} - c:\programdata\kohuhego\kohuhego.dll
HKCU-Run-Mtazu - c:\users\Clint J\AppData\Local\Sesarte.dll
HKCU-Run-fotasawomu - c:\programdata\sowimudu\sowimudu.dll
HKCU-Run-Hbefuyaxukowoma - c:\users\Clint J\AppData\Local\emivupoq.dll
HKCU-Run-RTHDBPL - c:\users\Clint J\AppData\Roaming\SystemProc\lsass.exe
HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
HKLM-Run-fotasawomu - c:\programdata\sowimudu\sowimudu.dll
MSConfigStartUp-risky - c:\users\Clint J\AppData\Roaming\84372872az.exe
AddRemove-Move Networks Player - IE - c:\users\Clint J\AppData\Roaming\Move Networks\ie_bin\Uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 11:27
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????m5uk????h?????????????????
RTHDBPL = c:\users\Clint J\AppData\Roaming\SystemProc\lsass.exe???????????????????????????????#???????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3244)
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-03-02 11:35:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-02 16:35

Pre-Run: 212,935,565,312 bytes free
Post-Run: 213,724,450,816 bytes free

- - End Of File - - 824DEF0B0BB5F4F37291D77D20523600
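The Find3M section of the log above mixes hundreds of legitimate entries with a handful that stand out: files whose timestamps read 1601-01-01 00:03 (the Windows FILETIME zero, meaning the timestamps were wiped rather than set), that carry both the system and hidden attributes, and that sit directly in System32 under eight-letter pronounceable junk names. The following Python is an added example, not part of this thread and not ComboFix's own logic: it parses lines in the Find3M format and scores each entry against those three indicators so a helper can triage a long log quickly. The sample lines are constructed from entries shown in the log, and the three heuristics and their threshold are assumptions chosen for this illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the ComboFix "Find3M Report" line format, built from
# entries the thread's log shows (plus one benign directory line for contrast).
SAMPLE_LOG = r"""
2010-03-02 16:01 . 2010-03-01 10:35 7336 ----a-w- c:\programdata\fiosejgfse.dll
2010-02-26 12:27 . 2009-02-11 12:35 -------- d-----w- c:\users\Clint J\AppData\Roaming\gtk-2.0
2010-01-25 12:00 . 2010-02-23 22:38 471552 ----a-w- c:\windows\system32\secproc_isv.dll
1601-01-01 00:03 . 1601-01-01 00:03 40960 --sha-w- c:\windows\System32\difoyuro.dll
1601-01-01 00:03 . 1601-01-01 00:03 94720 --sha-w- c:\windows\System32\zozavidi.dll
2008-12-25 05:13 . 2008-12-25 05:13 13 --sh--r- c:\windows\System32\drivers\fbd.sys
"""

# One Find3M line: <mtime> . <ctime> <size or -------- for a directory> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "
    r"(?P<attrs>\S{8}) "
    r"(?P<path>.+)$"
)

WINDOWS_EPOCH = "1601-01-01"  # FILETIME zero: a timestamp that was wiped, not set


def parse_line(line: str) -> Optional[Dict]:
    """Parse one Find3M line into a dict; return None for any non-entry line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return {"mtime": m["mtime"], "ctime": m["ctime"], "size": size,
            "attrs": m["attrs"], "path": m["path"]}


def flags_for(entry: Dict) -> List[str]:
    """Heuristic indicators (assumed for this example, not ComboFix's own rules)."""
    flags = []
    if entry["mtime"].startswith(WINDOWS_EPOCH) or entry["ctime"].startswith(WINDOWS_EPOCH):
        flags.append("epoch_timestamp")          # timestamps zeroed out
    if "s" in entry["attrs"] and "h" in entry["attrs"]:
        flags.append("hidden_system")            # hidden from a normal directory listing
    if re.search(r"\\system32\\[a-z]{8}\.dll$", entry["path"].lower()):
        flags.append("random_name_in_system32")  # eight-letter junk name in System32
    return flags


def find_suspicious(log_text: str, min_flags: int = 2) -> List[Tuple[str, List[str]]]:
    """Return (path, flags) for every entry that trips at least min_flags indicators."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        flags = flags_for(entry)
        if len(flags) >= min_flags:
            findings.append((entry["path"], flags))
    return findings


if __name__ == "__main__":
    for path, flags in find_suspicious(SAMPLE_LOG):
        print(f"{path}: {', '.join(flags)}")
```

With the default threshold of two indicators only the two System32 DLLs are reported; lowering `min_flags` to 1 also surfaces `fbd.sys`, which is hidden and system-flagged but otherwise unremarkable, which is why a single indicator on its own is treated as a hint for a human rather than a verdict.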


#6 Buckeye_Sam (Malware Expert)

Posted 03 March 2010 - 08:12 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

CODE
Collect::
c:\users\Clint J\AppData\Roaming\Dr. Guard\drguard.exe
c:\windows\System32\difoyuro.dll
c:\windows\System32\doyanavo.dll
c:\windows\System32\fovisuga.dll
c:\windows\System32\gulotema.dll
c:\windows\System32\jelulowa.dll
c:\windows\System32\jojejodi.dll
c:\windows\System32\lonayemu.dll
c:\windows\System32\luhuwuji.dll
c:\windows\System32\rawomuba.dll
c:\windows\System32\somotiye.dll
c:\windows\System32\tasurizo.dll
c:\windows\System32\vajafeti.dll
c:\windows\System32\vovugesi.dll
c:\windows\System32\vunogenu.dll
c:\windows\System32\wogugegu.dll
c:\windows\System32\yuzubayi.dll
c:\windows\System32\zanodidu.dll
c:\windows\System32\zozavidi.dll
c:\windows\System32\zufasewa.dll
c:\users\Clint J\AppData\Roaming\Dr. Guard\uninstall.exe
c:\users\Clint J\AppData\Roaming\Dr. Guard\drgext.dll
c:\users\Clint J\AppData\Roaming\Dr. Guard\drghook.dll
c:\programdata\17355223\bad.exe.exe
c:\programdata\fiosejgfse.dll
c:\users\Clint J\AppData\Local\Wxojumihoyo.dat
c:\users\Clint J\AppData\Local\Ncacileyocozo.bin
c:\users\Clint J\AppData\Roaming\Dr. Guard
c:\programdata\watusero
c:\programdata\kirojeke
c:\programdata\sowimudu
c:\programdata\kohuhego
c:\programdata\sudoroke

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dr. Guard"=-

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.



This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 clarkone68

  • Topic Starter

  • Members
  • 10 posts

Posted 03 March 2010 - 10:54 AM

At the end, it gave me a popup stating:

ComboFix needs to submit malware files for further analysis.

Please ensure that you're connected to the Internet before clicking OK.


Now, here's the log:

ComboFix 10-03-02.08 - Clint J 03/03/2010 10:36:11.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2939.1718 [GMT -5:00]
Running from: c:\users\Clint J\Downloads\ComboFix.exe
Command switches used :: c:\users\Clint J\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

file zipped: c:\programdata\17355223\bad.exe.exe
file zipped: c:\programdata\fiosejgfse.dll
file zipped: c:\users\Clint J\AppData\Local\Ncacileyocozo.bin
file zipped: c:\users\Clint J\AppData\Local\Wxojumihoyo.dat
file zipped: c:\users\Clint J\AppData\Roaming\Dr. Guard\drgext.dll
file zipped: c:\users\Clint J\AppData\Roaming\Dr. Guard\drghook.dll
file zipped: c:\users\Clint J\AppData\Roaming\Dr. Guard\drguard.exe
file zipped: c:\users\Clint J\AppData\Roaming\Dr. Guard\uninstall.exe
file zipped: c:\windows\System32\difoyuro.dll
file zipped: c:\windows\System32\doyanavo.dll
file zipped: c:\windows\System32\fovisuga.dll
file zipped: c:\windows\System32\gulotema.dll
file zipped: c:\windows\System32\jelulowa.dll
file zipped: c:\windows\System32\jojejodi.dll
file zipped: c:\windows\System32\lonayemu.dll
file zipped: c:\windows\System32\luhuwuji.dll
file zipped: c:\windows\System32\rawomuba.dll
file zipped: c:\windows\System32\somotiye.dll
file zipped: c:\windows\System32\tasurizo.dll
file zipped: c:\windows\System32\vajafeti.dll
file zipped: c:\windows\System32\vovugesi.dll
file zipped: c:\windows\System32\vunogenu.dll
file zipped: c:\windows\System32\wogugegu.dll
file zipped: c:\windows\System32\yuzubayi.dll
file zipped: c:\windows\System32\zanodidu.dll
file zipped: c:\windows\System32\zozavidi.dll
file zipped: c:\windows\System32\zufasewa.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\17355223\bad.exe.exe
c:\programdata\fiosejgfse.dll
c:\users\Clint J\AppData\Local\Ncacileyocozo.bin
c:\users\Clint J\AppData\Local\Wxojumihoyo.dat
c:\users\Clint J\AppData\Roaming\Dr. Guard\drgext.dll
c:\users\Clint J\AppData\Roaming\Dr. Guard\drghook.dll
c:\users\Clint J\AppData\Roaming\Dr. Guard\drguard.exe
c:\users\Clint J\AppData\Roaming\Dr. Guard\uninstall.exe
c:\windows\System32\difoyuro.dll
c:\windows\System32\doyanavo.dll
c:\windows\System32\fovisuga.dll
c:\windows\System32\gulotema.dll
c:\windows\System32\jelulowa.dll
c:\windows\System32\jojejodi.dll
c:\windows\System32\lonayemu.dll
c:\windows\System32\luhuwuji.dll
c:\windows\System32\rawomuba.dll
c:\windows\System32\somotiye.dll
c:\windows\System32\tasurizo.dll
c:\windows\System32\vajafeti.dll
c:\windows\System32\vovugesi.dll
c:\windows\System32\vunogenu.dll
c:\windows\System32\wogugegu.dll
c:\windows\System32\yuzubayi.dll
c:\windows\System32\zanodidu.dll
c:\windows\System32\zozavidi.dll
c:\windows\System32\zufasewa.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-03-03 15:43 . 2010-03-03 15:43 -------- d-----w- c:\users\Clint J\AppData\Local\temp
2010-03-03 15:43 . 2010-03-03 15:43 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-03 15:43 . 2010-03-03 15:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-02 14:23 . 2010-03-02 14:23 -------- d-----w- C:\found.004
2010-03-02 05:53 . 2010-03-02 05:53 -------- d-----w- C:\found.003
2010-03-02 01:40 . 2010-03-02 01:40 -------- d-----w- C:\found.002
2010-03-02 01:29 . 2010-03-03 15:42 -------- d-----w- c:\programdata\17355223
2010-03-02 01:22 . 2010-03-02 01:22 52224 ----a-w- c:\users\Clint J\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-01 19:46 . 2010-03-01 19:46 -------- d-----w- C:\found.001
2010-03-01 16:35 . 2010-03-01 16:35 -------- d-----w- C:\found.000
2010-03-01 13:51 . 2010-02-05 14:18 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-03-01 13:51 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-01 13:51 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-01 13:51 . 2009-09-23 21:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-01 13:51 . 2010-02-05 14:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-01 13:51 . 2010-03-01 13:51 -------- d-----w- c:\users\Clint J\AppData\Roaming\PC Tools
2010-03-01 12:40 . 2010-03-02 14:47 -------- d-----w- c:\program files\Spyware Doctor
2010-03-01 12:40 . 2010-03-01 13:52 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-01 12:40 . 2010-03-01 13:51 -------- d-----w- c:\programdata\PC Tools
2010-03-01 12:38 . 2010-03-01 12:40 -------- d-----w- c:\users\Clint J\AppData\Roaming\GetRightToGo
2010-03-01 10:32 . 2010-03-03 15:42 -------- d-----w- c:\users\Clint J\AppData\Roaming\Dr. Guard
2010-03-01 10:29 . 2010-03-01 10:29 -------- d-----w- c:\programdata\watusero
2010-03-01 10:29 . 2010-03-01 10:29 -------- d-----w- c:\programdata\kirojeke
2010-03-01 09:38 . 2010-03-02 15:01 -------- d-----w- c:\programdata\sowimudu
2010-03-01 09:38 . 2010-03-02 15:01 -------- d-----w- c:\programdata\kohuhego
2010-03-01 09:38 . 2010-03-01 09:38 -------- d-----w- c:\programdata\sudoroke
2010-02-11 21:06 . 2010-02-11 21:06 50354 ----a-w- c:\users\Clint J\AppData\Roaming\Facebook\uninstall.exe
2010-02-11 21:06 . 2010-02-11 21:06 -------- d-----w- c:\users\Clint J\AppData\Roaming\Facebook
2010-02-01 23:52 . 2010-02-01 23:52 -------- d-----w- c:\program files\iPod
2010-02-01 23:49 . 2010-02-01 23:49 -------- d-----w- c:\program files\QuickTime
2010-02-01 23:47 . 2010-02-01 23:47 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\users\Clint J\AppData\Roaming\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\users\Clint J\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 15:28 . 2009-04-18 03:08 -------- d-----w- c:\programdata\Google Updater
2010-03-02 14:02 . 2008-12-25 05:14 113776 ----a-w- c:\users\Clint J\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-02 13:57 . 2009-06-20 22:55 -------- d-----w- c:\program files\Backgammon Classic
2010-03-02 03:55 . 2009-03-06 14:54 6648 ----a-w- c:\users\Clint J\AppData\Local\d3d9caps.dat
2010-03-02 01:22 . 2009-08-30 05:14 117760 ----a-w- c:\users\Clint J\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-01 14:37 . 2010-03-01 14:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-02-26 12:27 . 2009-02-11 12:35 -------- d-----w- c:\users\Clint J\AppData\Roaming\gtk-2.0
2010-02-20 23:45 . 2009-08-30 05:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-15 01:42 . 2009-07-11 08:10 1670392 ----a-w- c:\programdata\WildTangent\TOSHIBA Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2010-02-10 16:53 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-10 16:51 . 2008-10-24 21:15 -------- d-----w- c:\programdata\Microsoft Help
2010-02-04 10:20 . 2008-08-14 19:40 -------- d-----w- c:\program files\Google
2010-02-01 23:52 . 2009-11-02 18:17 -------- d-----w- c:\program files\iTunes
2010-02-01 23:52 . 2008-12-25 18:14 -------- d-----w- c:\program files\Common Files\Apple
2010-01-28 22:59 . 2010-01-28 22:59 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb9925.tmp.exe
2010-01-27 08:06 . 2010-01-27 08:06 683801 ----a-w- c:\programdata\Last.fm\Client\UninstWMP\unins000.exe
2010-01-27 08:06 . 2010-01-27 08:05 161 ----a-w- c:\programdata\Last.fm\Client\uninst2.bat
2010-01-27 08:06 . 2010-01-27 08:06 683801 ----a-w- c:\programdata\Last.fm\Client\UninstWA\unins000.exe
2010-01-27 08:05 . 2010-01-27 08:05 683801 ----a-w- c:\programdata\Last.fm\Client\UninstITW\unins000.exe
2010-01-27 08:05 . 2010-01-27 08:05 -------- d-----w- c:\programdata\Last.fm
2010-01-27 08:05 . 2010-01-27 08:05 -------- d-----w- c:\program files\Last.fm
2010-01-25 12:00 . 2010-02-23 22:38 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-23 22:38 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-23 22:38 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-23 22:38 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-23 22:38 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-23 22:38 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-23 22:38 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-23 22:38 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-23 22:38 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-23 22:38 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-20 19:38 . 2009-01-13 08:25 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-08 22:37 . 2008-12-25 18:16 -------- d-----w- c:\users\Clint J\AppData\Roaming\Apple Computer
2010-01-06 15:39 . 2010-02-23 22:38 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38 . 2010-02-23 22:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 15:38 . 2010-02-23 22:38 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-23 22:38 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-23 22:38 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-23 22:38 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 13:30 . 2010-02-23 22:38 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-02 06:38 . 2010-01-21 20:40 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 20:40 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-21 20:40 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-21 20:40 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-31 01:11 . 2009-12-07 01:22 5603776 ----a-w- c:\users\Clint J\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
2009-12-31 01:11 . 2009-09-26 20:23 144160 ----a-w- c:\users\Clint J\AppData\Roaming\Move Networks\uninstall.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-11 11:43 . 2010-02-10 16:24 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-11 11:43 . 2010-02-10 16:24 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-12-08 20:01 . 2010-02-10 16:24 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 20:01 . 2010-02-10 16:24 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:01 . 2010-02-10 16:24 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 17:26 . 2010-02-10 16:24 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-12-07 01:22 . 2009-12-07 01:22 97216 ----a-w- c:\users\Clint J\AppData\Roaming\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-04 18:30 . 2010-02-10 16:24 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:29 . 2010-02-10 16:24 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:28 . 2010-02-10 16:24 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:28 . 2010-02-10 16:24 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:28 . 2010-02-10 16:24 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-04 18:28 . 2010-02-10 16:24 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:28 . 2010-02-10 16:24 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-04 18:28 . 2010-02-10 16:24 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:27 . 2010-02-10 16:24 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-04 15:56 . 2010-02-10 16:24 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-04 15:56 . 2010-02-10 16:24 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-12-04 00:19 . 2009-12-04 00:19 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb8AC6.tmp.exe
2009-04-01 02:47 . 2009-03-10 04:52 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-12-25 05:13 . 2008-12-25 05:13 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2008-12-25 05:13 . 2008-12-25 05:13 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-22 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-20 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-07-31 417792]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
"NDSTray.exe"="NDSTray.exe" [BU]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-04-01 1283384]
"PCMAgent"="c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [2007-12-14 143360]
"CLMLServer"="c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [2008-07-11 188416]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-06 515416]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-12 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-06 01:19 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):64,02,2d,14,cc,51,ca,01

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [4/6/2009 1:32 PM 64160]
R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [3/1/2010 8:51 AM 207280]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090219.003\IDSvix86.sys [2/20/2009 5:13 PM 270384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [8/5/2009 3:06 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 66632]
R2 ConfigFree Service;ConfigFree Service;c:\program files\Toshiba\ConfigFree\CFSvcs.exe [7/10/2008 7:58 PM 40960]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 7:37 AM 149352]
R2 TMachInfo;TMachInfo;c:\program files\Toshiba\TOSHIBA Service Station\TMachInfo.exe [8/14/2008 2:15 PM 62776]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\Toshiba\SMARTLogService\TosIPCSrv.exe [12/3/2007 7:03 PM 126976]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [8/14/2008 2:08 PM 7168]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 951632]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\System32\drivers\NETw5v32.sys [4/28/2008 8:29 AM 3658752]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 12872]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe [4/24/2008 8:35 PM 73728]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2/19/2009 11:31 AM 41008]
S2 gupdate1c9bfd2fc5e2720;Google Update Service (gupdate1c9bfd2fc5e2720);c:\program files\Google\Update\GoogleUpdate.exe [4/17/2009 10:08 PM 133104]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [1/12/2008 2:32 PM 23888]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [3/1/2010 8:51 AM 365280]
S3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDRV.SYS [8/20/2008 1:41 PM 9216]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 17:49]

2010-03-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-14 03:08]

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 03:08]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 03:08]

2010-02-21 c:\windows\Tasks\Norton Security Scan for Clint J.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-16 16:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: pogo.com
FF - ProfilePath - c:\users\Clint J\AppData\Roaming\Mozilla\Firefox\Profiles\alb9ycpa.default\
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Mozilla\Firefox\Profiles\alb9ycpa.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 10:44
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????m5uk????h?????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-03-03 10:46:51
ComboFix-quarantined-files.txt 2010-03-03 15:46
ComboFix2.txt 2010-03-02 16:35

Pre-Run: 213,740,134,400 bytes free
Post-Run: 213,704,454,144 bytes free

- - End Of File - - 90BC0AE45ACCEB5F94B5EB58D65BE8EE
Upload was successful


#8 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 03 March 2010 - 11:21 AM

You have a very new infection that Combofix isn't detecting yet. So we submitted those files for analysis and to be added to the database for removal.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

CODE
Folder::
c:\users\Clint J\AppData\Roaming\Dr. Guard

Dirlook::
c:\programdata\watusero
c:\programdata\kirojeke
c:\programdata\sowimudu
c:\programdata\kohuhego
c:\programdata\sudoroke
c:\programdata\17355223

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.



This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


========================


Now let's try Malwarebytes again.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
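A triage helper, added here as an example and not ComboFix's, BleepingComputer's or the helper's own code, that parses the "Files Created" entries of a ComboFix log like the one posted above and flags the three artifact families this thread deals with: the eight-letter consonant-vowel DLL names in System32, the similarly named folders under ProgramData, and the Dr. Guard rogue-antivirus folder, then lays the hits out in the Collect::/Folder:: sections a CFScript uses. The consonant-vowel rule is an observation from the names in this log, not an official signature, and the sample lines are assembled from the log for the demonstration (the timestamp and size for difoyuro.dll are constructed, since the log only lists that file by name).

```python
import re

# Layout of one entry in ComboFix's "Files Created" and "Find3M" sections:
#   <created> . <modified> <size or dashes> <attributes> <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Heuristic taken from the names in this thread's log (difoyuro, watusero, ...):
# eight letters in strict consonant-vowel alternation. An observation, not an
# official Vundo signature, so every hit is for a human to review.
CV_NAME = r"(?:[b-df-hj-np-tv-z][aeiou]){4}"
RANDOM_DLL_RE = re.compile(rf"^c:\\windows\\system32\\{CV_NAME}\.dll$", re.IGNORECASE)
RANDOM_DIR_RE = re.compile(rf"^c:\\programdata\\(?:{CV_NAME}|\d{{8}})$", re.IGNORECASE)
ROGUE_AV_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\dr\. guard(?:\\|$)", re.IGNORECASE)

# Constructed sample: lines taken from the log above, plus one constructed
# entry for a DLL that the log names but never lists with a timestamp.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.
2010-03-02 01:29 . 2010-03-03 15:42 -------- d-----w- c:\programdata\17355223
2010-03-01 13:51 . 2010-02-05 14:18 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-03-01 10:32 . 2010-03-03 15:42 -------- d-----w- c:\users\Clint J\AppData\Roaming\Dr. Guard
2010-03-01 10:29 . 2010-03-01 10:29 -------- d-----w- c:\programdata\watusero
2010-03-01 09:38 . 2010-03-02 15:01 -------- d-----w- c:\programdata\sowimudu
2010-02-11 21:06 . 2010-02-11 21:06 50354 ----a-w- c:\users\Clint J\AppData\Roaming\Facebook\uninstall.exe
2010-03-01 10:30 . 2010-03-01 10:30 36864 ----a-w- c:\windows\System32\difoyuro.dll
"""


def parse_entry(line):
    """Parse one file-listing line; return None for headers, blanks and dots."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["is_dir"] = entry["attrs"].startswith("d")
    entry["size"] = None if entry["size"].startswith("-") else int(entry["size"])
    return entry


def classify_path(path):
    """Return why a path looks like one of this thread's artifact families, or None."""
    if RANDOM_DLL_RE.match(path):
        return "eight-letter consonant-vowel DLL in System32 (Vundo-style)"
    if RANDOM_DIR_RE.match(path):
        return "random-named folder under ProgramData"
    if ROGUE_AV_RE.match(path):
        return "rogue antivirus 'Dr. Guard' under AppData\\Roaming"
    return None


def scan_log(text):
    """Walk a ComboFix log and collect the entries worth a second look."""
    hits = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reason = classify_path(entry["path"])
        if reason is not None:
            hits.append({"path": entry["path"], "reason": reason,
                         "is_dir": entry["is_dir"], "created": entry["created"]})
    return hits


def draft_cfscript(hits):
    """Lay flagged entries out in the CFScript sections the thread uses: files
    under Collect:: (quarantine and submit), directories under Folder::.
    The result is a draft for the helper to review, not a finished script."""
    files = [h["path"] for h in hits if not h["is_dir"]]
    dirs = [h["path"] for h in hits if h["is_dir"]]
    sections = []
    if files:
        sections.append("Collect::\n" + "\n".join(files))
    if dirs:
        sections.append("Folder::\n" + "\n".join(dirs))
    return "\n\n".join(sections)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['created']}  {h['path']}\n    -> {h['reason']}")
    print("\nDraft CFScript:\n" + draft_cfscript(found))
```

Legitimate entries in the sample (the PC Tools driver, the Facebook uninstaller) pass through unflagged, which is the point of keeping the rules narrow.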


========================================================

#9 clarkone68

  • Topic Starter

  • Members
  • 10 posts

Posted 03 March 2010 - 12:25 PM

Thanks again, it's much appreciated.

New Combofix log:

ComboFix 10-03-02.08 - Clint J 03/03/2010 11:50:31.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2939.1873 [GMT -5:00]
Running from: c:\users\Clint J\Downloads\ComboFix.exe
Command switches used :: c:\users\Clint J\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Clint J\AppData\Roaming\Dr. Guard
c:\users\Clint J\AppData\Roaming\Dr. Guard\about.ico
c:\users\Clint J\AppData\Roaming\Dr. Guard\activate.ico
c:\users\Clint J\AppData\Roaming\Dr. Guard\buy.ico
c:\users\Clint J\AppData\Roaming\Dr. Guard\drg.db
c:\users\Clint J\AppData\Roaming\Dr. Guard\help.ico
c:\users\Clint J\AppData\Roaming\Dr. Guard\scan.ico
c:\users\Clint J\AppData\Roaming\Dr. Guard\settings.ico
c:\users\Clint J\AppData\Roaming\Dr. Guard\splash.mp3
c:\users\Clint J\AppData\Roaming\Dr. Guard\update.ico
c:\users\Clint J\AppData\Roaming\Dr. Guard\virus.mp3

.
((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-03-03 16:58 . 2010-03-03 16:58 -------- d-----w- c:\users\Clint J\AppData\Local\temp
2010-03-03 16:58 . 2010-03-03 16:58 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-03 16:58 . 2010-03-03 16:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-02 14:23 . 2010-03-02 14:23 -------- d-----w- C:\found.004
2010-03-02 05:53 . 2010-03-02 05:53 -------- d-----w- C:\found.003
2010-03-02 01:40 . 2010-03-02 01:40 -------- d-----w- C:\found.002
2010-03-02 01:29 . 2010-03-03 15:42 -------- d-----w- c:\programdata\17355223
2010-03-02 01:22 . 2010-03-02 01:22 52224 ----a-w- c:\users\Clint J\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-01 19:46 . 2010-03-01 19:46 -------- d-----w- C:\found.001
2010-03-01 16:35 . 2010-03-01 16:35 -------- d-----w- C:\found.000
2010-03-01 13:51 . 2010-02-05 14:18 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-03-01 13:51 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-01 13:51 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-01 13:51 . 2009-09-23 21:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-01 13:51 . 2010-02-05 14:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-01 13:51 . 2010-03-01 13:51 -------- d-----w- c:\users\Clint J\AppData\Roaming\PC Tools
2010-03-01 12:40 . 2010-03-02 14:47 -------- d-----w- c:\program files\Spyware Doctor
2010-03-01 12:40 . 2010-03-01 13:52 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-01 12:40 . 2010-03-01 13:51 -------- d-----w- c:\programdata\PC Tools
2010-03-01 12:38 . 2010-03-01 12:40 -------- d-----w- c:\users\Clint J\AppData\Roaming\GetRightToGo
2010-03-01 10:29 . 2010-03-01 10:29 -------- d-----w- c:\programdata\watusero
2010-03-01 10:29 . 2010-03-01 10:29 -------- d-----w- c:\programdata\kirojeke
2010-03-01 09:38 . 2010-03-02 15:01 -------- d-----w- c:\programdata\sowimudu
2010-03-01 09:38 . 2010-03-02 15:01 -------- d-----w- c:\programdata\kohuhego
2010-03-01 09:38 . 2010-03-01 09:38 -------- d-----w- c:\programdata\sudoroke
2010-02-11 21:06 . 2010-02-11 21:06 50354 ----a-w- c:\users\Clint J\AppData\Roaming\Facebook\uninstall.exe
2010-02-11 21:06 . 2010-02-11 21:06 -------- d-----w- c:\users\Clint J\AppData\Roaming\Facebook
2010-02-01 23:52 . 2010-02-01 23:52 -------- d-----w- c:\program files\iPod
2010-02-01 23:49 . 2010-02-01 23:49 -------- d-----w- c:\program files\QuickTime
2010-02-01 23:47 . 2010-02-01 23:47 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\users\Clint J\AppData\Roaming\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\users\Clint J\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 15:28 . 2009-04-18 03:08 -------- d-----w- c:\programdata\Google Updater
2010-03-02 14:02 . 2008-12-25 05:14 113776 ----a-w- c:\users\Clint J\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-02 13:57 . 2009-06-20 22:55 -------- d-----w- c:\program files\Backgammon Classic
2010-03-02 03:55 . 2009-03-06 14:54 6648 ----a-w- c:\users\Clint J\AppData\Local\d3d9caps.dat
2010-03-02 01:22 . 2009-08-30 05:14 117760 ----a-w- c:\users\Clint J\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-01 14:37 . 2010-03-01 14:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-02-26 12:27 . 2009-02-11 12:35 -------- d-----w- c:\users\Clint J\AppData\Roaming\gtk-2.0
2010-02-20 23:45 . 2009-08-30 05:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-15 01:42 . 2009-07-11 08:10 1670392 ----a-w- c:\programdata\WildTangent\TOSHIBA Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2010-02-10 16:53 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-10 16:51 . 2008-10-24 21:15 -------- d-----w- c:\programdata\Microsoft Help
2010-02-04 10:20 . 2008-08-14 19:40 -------- d-----w- c:\program files\Google
2010-02-01 23:52 . 2009-11-02 18:17 -------- d-----w- c:\program files\iTunes
2010-02-01 23:52 . 2008-12-25 18:14 -------- d-----w- c:\program files\Common Files\Apple
2010-01-28 22:59 . 2010-01-28 22:59 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb9925.tmp.exe
2010-01-27 08:06 . 2010-01-27 08:06 683801 ----a-w- c:\programdata\Last.fm\Client\UninstWMP\unins000.exe
2010-01-27 08:06 . 2010-01-27 08:05 161 ----a-w- c:\programdata\Last.fm\Client\uninst2.bat
2010-01-27 08:06 . 2010-01-27 08:06 683801 ----a-w- c:\programdata\Last.fm\Client\UninstWA\unins000.exe
2010-01-27 08:05 . 2010-01-27 08:05 683801 ----a-w- c:\programdata\Last.fm\Client\UninstITW\unins000.exe
2010-01-27 08:05 . 2010-01-27 08:05 -------- d-----w- c:\programdata\Last.fm
2010-01-27 08:05 . 2010-01-27 08:05 -------- d-----w- c:\program files\Last.fm
2010-01-25 12:00 . 2010-02-23 22:38 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-23 22:38 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-23 22:38 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-23 22:38 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-23 22:38 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-23 22:38 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-23 22:38 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-23 22:38 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-23 22:38 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-23 22:38 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-20 19:38 . 2009-01-13 08:25 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-08 22:37 . 2008-12-25 18:16 -------- d-----w- c:\users\Clint J\AppData\Roaming\Apple Computer
2010-01-06 15:39 . 2010-02-23 22:38 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38 . 2010-02-23 22:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 15:38 . 2010-02-23 22:38 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-23 22:38 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-23 22:38 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-23 22:38 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 13:30 . 2010-02-23 22:38 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-02 06:38 . 2010-01-21 20:40 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 20:40 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-21 20:40 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-21 20:40 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-31 01:11 . 2009-12-07 01:22 5603776 ----a-w- c:\users\Clint J\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
2009-12-31 01:11 . 2009-09-26 20:23 144160 ----a-w- c:\users\Clint J\AppData\Roaming\Move Networks\uninstall.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-11 11:43 . 2010-02-10 16:24 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-11 11:43 . 2010-02-10 16:24 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-12-08 20:01 . 2010-02-10 16:24 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 20:01 . 2010-02-10 16:24 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:01 . 2010-02-10 16:24 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 17:26 . 2010-02-10 16:24 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-12-07 01:22 . 2009-12-07 01:22 97216 ----a-w- c:\users\Clint J\AppData\Roaming\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-04 18:30 . 2010-02-10 16:24 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:29 . 2010-02-10 16:24 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:28 . 2010-02-10 16:24 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:28 . 2010-02-10 16:24 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:28 . 2010-02-10 16:24 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-04 18:28 . 2010-02-10 16:24 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:28 . 2010-02-10 16:24 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-04 18:28 . 2010-02-10 16:24 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:27 . 2010-02-10 16:24 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-04 15:56 . 2010-02-10 16:24 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-04 15:56 . 2010-02-10 16:24 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-12-04 00:19 . 2009-12-04 00:19 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb8AC6.tmp.exe
2009-04-01 02:47 . 2009-03-10 04:52 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-12-25 05:13 . 2008-12-25 05:13 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2008-12-25 05:13 . 2008-12-25 05:13 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\programdata\17355223 ----


---- Directory of c:\programdata\kirojeke ----

1601-01-01 00:03 . 1601-01-01 00:03 95232 --sha-w- c:\programdata\kirojeke\kirojeke.dll

---- Directory of c:\programdata\kohuhego ----


---- Directory of c:\programdata\sowimudu ----


---- Directory of c:\programdata\sudoroke ----

1601-01-01 00:00 . 1601-01-01 00:00 64000 --sha-w- c:\programdata\sudoroke\sudoroke.dll

---- Directory of c:\programdata\watusero ----

1601-01-01 00:03 . 1601-01-01 00:03 40960 --sha-w- c:\programdata\watusero\watusero.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-22 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-20 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-07-31 417792]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
"NDSTray.exe"="NDSTray.exe" [BU]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-04-01 1283384]
"PCMAgent"="c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [2007-12-14 143360]
"CLMLServer"="c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [2008-07-11 188416]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-06 515416]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-12 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-06 01:19 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):64,02,2d,14,cc,51,ca,01

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [4/6/2009 1:32 PM 64160]
R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [3/1/2010 8:51 AM 207280]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090219.003\IDSvix86.sys [2/20/2009 5:13 PM 270384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [8/5/2009 3:06 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 66632]
R2 ConfigFree Service;ConfigFree Service;c:\program files\Toshiba\ConfigFree\CFSvcs.exe [7/10/2008 7:58 PM 40960]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 7:37 AM 149352]
R2 TMachInfo;TMachInfo;c:\program files\Toshiba\TOSHIBA Service Station\TMachInfo.exe [8/14/2008 2:15 PM 62776]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\Toshiba\SMARTLogService\TosIPCSrv.exe [12/3/2007 7:03 PM 126976]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [8/14/2008 2:08 PM 7168]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\System32\drivers\NETw5v32.sys [4/28/2008 8:29 AM 3658752]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 12872]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe [4/24/2008 8:35 PM 73728]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2/19/2009 11:31 AM 41008]
S2 gupdate1c9bfd2fc5e2720;Google Update Service (gupdate1c9bfd2fc5e2720);c:\program files\Google\Update\GoogleUpdate.exe [4/17/2009 10:08 PM 133104]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [1/12/2008 2:32 PM 23888]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 951632]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [3/1/2010 8:51 AM 365280]
S3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDRV.SYS [8/20/2008 1:41 PM 9216]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 17:49]

2010-03-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-14 03:08]

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 03:08]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 03:08]

2010-02-21 c:\windows\Tasks\Norton Security Scan for Clint J.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-16 16:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: pogo.com
FF - ProfilePath - c:\users\Clint J\AppData\Roaming\Mozilla\Firefox\Profiles\alb9ycpa.default\
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Mozilla\Firefox\Profiles\alb9ycpa.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 11:58
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????m5uk????h?????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-03-03 12:01:24
ComboFix-quarantined-files.txt 2010-03-03 17:01
ComboFix2.txt 2010-03-03 15:51
ComboFix3.txt 2010-03-02 16:35

Pre-Run: 213,725,663,232 bytes free
Post-Run: 213,715,275,776 bytes free

- - End Of File - - 9EE588B4CE4C5410F548BBF28339F9D8


I was able to download Malwarebytes properly this time. I had to reboot to complete the removal process, but on the restart Windows blocked Malwarebytes. I clicked on run blocked program, but I'm not sure if that did anything. Here's the log from Malwarebytes:

Malwarebytes' Anti-Malware 1.44
Database version: 3821
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

3/3/2010 12:17:44 PM
mbam-log-2010-03-03 (12-17-44).txt

Scan type: Quick Scan
Objects scanned: 108151
Time elapsed: 5 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\ProgramData\17355223 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Clint J\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Dr. Guard.lnk (Rogue.DrGuard) -> Quarantined and deleted successfully.

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 03 March 2010 - 12:39 PM

We need to check out some suspicious files on your computer.

Please visit the online Virustotal Virus Scanner
  • Click on Browse button.
  • Navigate to the following file and upload it.


    c:\programdata\kirojeke\kirojeke.dll


  • The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.


Also submit these two files.

c:\programdata\sudoroke\sudoroke.dll
c:\programdata\watusero\watusero.dll




If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 clarkone68

clarkone68
  • Topic Starter

  • Members
  • 10 posts

Posted 03 March 2010 - 12:52 PM

I can't find c:\programdata\kirojeke\kirojeke.dll. It says the kirojeke folder is empty. Same for sudoroke.dll and watusero.dll.
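
Why the three folders look empty is visible in the "Look" section of the ComboFix log above: each DLL carries the system and hidden attributes (the `--sha-w-` column) and both of its timestamps sit at the 1601 FILETIME epoch, so Explorer hides them and the dates have been zeroed. The following is an added example, not code from this thread or from ComboFix: a small Python parser for ComboFix file lines that scores those indicators and generalizes slightly beyond the three entries by weighting them, so that a lone hidden system file is not condemned on its own. The line-layout regex, the weights, the score threshold and the pre-1980 cutoff are my assumptions; the sample lines are copied from the log posted earlier in this thread.

```python
import ntpath
import re
from datetime import datetime

# One ComboFix file line: <created> . <modified> <size or dashes> <attrs> <path>
# (layout inferred from the log above; assumption, not a documented format)
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Lines copied from the ComboFix log in this thread: the three "Look" entries
# Buckeye_Sam asked about, plus ordinary entries for contrast.
SAMPLE_LINES = [
    r"1601-01-01 00:03 . 1601-01-01 00:03 95232 --sha-w- c:\programdata\kirojeke\kirojeke.dll",
    r"1601-01-01 00:00 . 1601-01-01 00:00 64000 --sha-w- c:\programdata\sudoroke\sudoroke.dll",
    r"1601-01-01 00:03 . 1601-01-01 00:03 40960 --sha-w- c:\programdata\watusero\watusero.dll",
    r"2010-03-01 10:29 . 2010-03-01 10:29 -------- d-----w- c:\programdata\kirojeke",
    r"2009-04-01 02:47 . 2009-03-10 04:52 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll",
    r"2008-12-25 05:13 . 2008-12-25 05:13 13 --sh--r- c:\windows\System32\drivers\fbd.sys",
]


def parse_line(line):
    """Return a dict for one ComboFix file line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    fmt = "%Y-%m-%d %H:%M"
    d["created"] = datetime.strptime(d["created"], fmt)
    d["modified"] = datetime.strptime(d["modified"], fmt)
    d["is_dir"] = d["attrs"].startswith("d")
    d["size"] = int(d["size"]) if d["size"].isdigit() else None
    return d


def indicators(entry):
    """Weighted indicators for one parsed entry: list of (reason, weight)."""
    found = []
    attrs = entry["attrs"]
    # 's' and 'h' in the attribute column: the file is hidden from a default
    # Explorer view, which is why the folder appears empty to the user.
    if not entry["is_dir"] and "s" in attrs and "h" in attrs:
        found.append(("hidden+system attributes (Explorer shows the folder as empty)", 1))
    # 1601-01-01 is the Windows FILETIME epoch; a zeroed or forged timestamp
    # lands there. Cutoff year is an assumption.
    if entry["created"].year < 1980 or entry["modified"].year < 1980:
        found.append(("timestamp at the 1601 FILETIME epoch (zeroed or forged)", 2))
    # Pattern seen in this log: <folder>\<folder>.dll under ProgramData.
    name = ntpath.basename(entry["path"])
    stem, ext = ntpath.splitext(name)
    parent = ntpath.basename(ntpath.dirname(entry["path"]))
    if ext.lower() == ".dll" and stem.lower() == parent.lower():
        found.append(("DLL named after its own folder", 1))
    return found


def scan(lines, threshold=2):
    """Return [(path, score, reasons)] for entries scoring at or above threshold."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        inds = indicators(entry)
        score = sum(w for _, w in inds)
        if score >= threshold:
            hits.append((entry["path"], score, [r for r, _ in inds]))
    return hits


if __name__ == "__main__":
    for path, score, reasons in scan(SAMPLE_LINES):
        print(f"{score}  {path}")
        for reason in reasons:
            print(f"      - {reason}")
```

Run against the sample lines, only the three ProgramData DLLs cross the threshold (each scores 4); the thirteen-byte `fbd.sys` is also hidden and system but has real timestamps and scores 1, so it stays below the bar. The point for a practitioner is that no single attribute is damning; it is the combination of hidden+system, an epoch timestamp and the self-named folder that separates these files from the rest of the listing.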

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 03 March 2010 - 12:56 PM

Let's try this a different way.

Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
http://www.bleepingcomputer.com/forums/ind...p;#entry1656503

Suspect::[52]
c:\programdata\kirojeke\kirojeke.dll
c:\programdata\sudoroke\sudoroke.dll
c:\programdata\watusero\watusero.dll


Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.



========================================================

#13 clarkone68

clarkone68
  • Topic Starter

  • Members
  • 10 posts

Posted 03 March 2010 - 01:25 PM

New log:

ComboFix 10-03-03.02 - Clint J 03/03/2010 13:09:03.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2939.1907 [GMT -5:00]
Running from: c:\users\Clint J\Downloads\ComboFix.exe
Command switches used :: c:\users\Clint J\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

file zipped: c:\programdata\kirojeke\kirojeke.dll
file zipped: c:\programdata\sudoroke\sudoroke.dll
file zipped: c:\programdata\watusero\watusero.dll
.

((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-03-03 18:16 . 2010-03-03 18:16 -------- d-----w- c:\users\Clint J\AppData\Local\temp
2010-03-03 18:16 . 2010-03-03 18:16 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-03 18:16 . 2010-03-03 18:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-03 17:05 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-03 17:05 . 2010-03-03 17:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-03 17:05 . 2010-03-03 17:05 -------- d-----w- c:\programdata\Malwarebytes
2010-03-03 17:05 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 14:23 . 2010-03-02 14:23 -------- d-----w- C:\found.004
2010-03-02 05:53 . 2010-03-02 05:53 -------- d-----w- C:\found.003
2010-03-02 01:40 . 2010-03-02 01:40 -------- d-----w- C:\found.002
2010-03-02 01:22 . 2010-03-02 01:22 52224 ----a-w- c:\users\Clint J\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-01 19:46 . 2010-03-01 19:46 -------- d-----w- C:\found.001
2010-03-01 16:35 . 2010-03-01 16:35 -------- d-----w- C:\found.000
2010-03-01 13:51 . 2010-02-05 14:18 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-03-01 13:51 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-01 13:51 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-01 13:51 . 2009-09-23 21:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-01 13:51 . 2010-02-05 14:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-01 13:51 . 2010-03-01 13:51 -------- d-----w- c:\users\Clint J\AppData\Roaming\PC Tools
2010-03-01 12:40 . 2010-03-02 14:47 -------- d-----w- c:\program files\Spyware Doctor
2010-03-01 12:40 . 2010-03-01 13:52 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-01 12:40 . 2010-03-01 13:51 -------- d-----w- c:\programdata\PC Tools
2010-03-01 12:38 . 2010-03-01 12:40 -------- d-----w- c:\users\Clint J\AppData\Roaming\GetRightToGo
2010-03-01 10:29 . 2010-03-03 18:08 -------- d-----w- c:\programdata\watusero
2010-03-01 10:29 . 2010-03-03 18:08 -------- d-----w- c:\programdata\kirojeke
2010-03-01 09:38 . 2010-03-03 18:08 -------- d-----w- c:\programdata\sudoroke
2010-03-01 09:38 . 2010-03-02 15:01 -------- d-----w- c:\programdata\sowimudu
2010-03-01 09:38 . 2010-03-02 15:01 -------- d-----w- c:\programdata\kohuhego
2010-02-11 21:06 . 2010-02-11 21:06 50354 ----a-w- c:\users\Clint J\AppData\Roaming\Facebook\uninstall.exe
2010-02-11 21:06 . 2010-02-11 21:06 -------- d-----w- c:\users\Clint J\AppData\Roaming\Facebook
2010-02-01 23:52 . 2010-02-01 23:52 -------- d-----w- c:\program files\iPod
2010-02-01 23:49 . 2010-02-01 23:49 -------- d-----w- c:\program files\QuickTime
2010-02-01 23:47 . 2010-02-01 23:47 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\users\Clint J\AppData\Roaming\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\users\Clint J\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 15:28 . 2009-04-18 03:08 -------- d-----w- c:\programdata\Google Updater
2010-03-02 14:02 . 2008-12-25 05:14 113776 ----a-w- c:\users\Clint J\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-02 13:57 . 2009-06-20 22:55 -------- d-----w- c:\program files\Backgammon Classic
2010-03-02 03:55 . 2009-03-06 14:54 6648 ----a-w- c:\users\Clint J\AppData\Local\d3d9caps.dat
2010-03-02 01:22 . 2009-08-30 05:14 117760 ----a-w- c:\users\Clint J\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-01 14:37 . 2010-03-01 14:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-02-26 12:27 . 2009-02-11 12:35 -------- d-----w- c:\users\Clint J\AppData\Roaming\gtk-2.0
2010-02-20 23:45 . 2009-08-30 05:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-15 01:42 . 2009-07-11 08:10 1670392 ----a-w- c:\programdata\WildTangent\TOSHIBA Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2010-02-10 16:53 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-10 16:51 . 2008-10-24 21:15 -------- d-----w- c:\programdata\Microsoft Help
2010-02-04 10:20 . 2008-08-14 19:40 -------- d-----w- c:\program files\Google
2010-02-01 23:52 . 2009-11-02 18:17 -------- d-----w- c:\program files\iTunes
2010-02-01 23:52 . 2008-12-25 18:14 -------- d-----w- c:\program files\Common Files\Apple
2010-01-28 22:59 . 2010-01-28 22:59 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb9925.tmp.exe
2010-01-27 08:06 . 2010-01-27 08:06 683801 ----a-w- c:\programdata\Last.fm\Client\UninstWMP\unins000.exe
2010-01-27 08:06 . 2010-01-27 08:05 161 ----a-w- c:\programdata\Last.fm\Client\uninst2.bat
2010-01-27 08:06 . 2010-01-27 08:06 683801 ----a-w- c:\programdata\Last.fm\Client\UninstWA\unins000.exe
2010-01-27 08:05 . 2010-01-27 08:05 683801 ----a-w- c:\programdata\Last.fm\Client\UninstITW\unins000.exe
2010-01-27 08:05 . 2010-01-27 08:05 -------- d-----w- c:\programdata\Last.fm
2010-01-27 08:05 . 2010-01-27 08:05 -------- d-----w- c:\program files\Last.fm
2010-01-25 12:00 . 2010-02-23 22:38 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-23 22:38 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-23 22:38 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-23 22:38 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-23 22:38 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-23 22:38 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-23 22:38 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-23 22:38 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-23 22:38 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-23 22:38 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-20 19:38 . 2009-01-13 08:25 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-08 22:37 . 2008-12-25 18:16 -------- d-----w- c:\users\Clint J\AppData\Roaming\Apple Computer
2010-01-06 15:39 . 2010-02-23 22:38 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38 . 2010-02-23 22:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 15:38 . 2010-02-23 22:38 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-23 22:38 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-23 22:38 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-23 22:38 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 13:30 . 2010-02-23 22:38 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-02 06:38 . 2010-01-21 20:40 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 20:40 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-21 20:40 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-21 20:40 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-31 01:11 . 2009-12-07 01:22 5603776 ----a-w- c:\users\Clint J\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
2009-12-31 01:11 . 2009-09-26 20:23 144160 ----a-w- c:\users\Clint J\AppData\Roaming\Move Networks\uninstall.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-11 11:43 . 2010-02-10 16:24 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-11 11:43 . 2010-02-10 16:24 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-12-08 20:01 . 2010-02-10 16:24 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 20:01 . 2010-02-10 16:24 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:01 . 2010-02-10 16:24 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 17:26 . 2010-02-10 16:24 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-12-07 01:22 . 2009-12-07 01:22 97216 ----a-w- c:\users\Clint J\AppData\Roaming\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-04 18:30 . 2010-02-10 16:24 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:29 . 2010-02-10 16:24 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:28 . 2010-02-10 16:24 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:28 . 2010-02-10 16:24 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:28 . 2010-02-10 16:24 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-04 18:28 . 2010-02-10 16:24 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:28 . 2010-02-10 16:24 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-04 18:28 . 2010-02-10 16:24 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:27 . 2010-02-10 16:24 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-04 15:56 . 2010-02-10 16:24 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-04 15:56 . 2010-02-10 16:24 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-12-04 00:19 . 2009-12-04 00:19 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb8AC6.tmp.exe
2009-04-01 02:47 . 2009-03-10 04:52 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-12-25 05:13 . 2008-12-25 05:13 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2008-12-25 05:13 . 2008-12-25 05:13 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-22 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-20 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-07-31 417792]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
"NDSTray.exe"="NDSTray.exe" [BU]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-04-01 1283384]
"PCMAgent"="c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [2007-12-14 143360]
"CLMLServer"="c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [2008-07-11 188416]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-06 515416]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-12 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-06 01:19 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:64,02,2d,14,cc,51,ca,01

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [4/6/2009 1:32 PM 64160]
R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [3/1/2010 8:51 AM 207280]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090219.003\IDSvix86.sys [2/20/2009 5:13 PM 270384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [8/5/2009 3:06 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 66632]
R2 ConfigFree Service;ConfigFree Service;c:\program files\Toshiba\ConfigFree\CFSvcs.exe [7/10/2008 7:58 PM 40960]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 7:37 AM 149352]
R2 TMachInfo;TMachInfo;c:\program files\Toshiba\TOSHIBA Service Station\TMachInfo.exe [8/14/2008 2:15 PM 62776]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\Toshiba\SMARTLogService\TosIPCSrv.exe [12/3/2007 7:03 PM 126976]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [8/14/2008 2:08 PM 7168]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\System32\drivers\NETw5v32.sys [4/28/2008 8:29 AM 3658752]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 12872]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe [4/24/2008 8:35 PM 73728]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2/19/2009 11:31 AM 41008]
S2 gupdate1c9bfd2fc5e2720;Google Update Service (gupdate1c9bfd2fc5e2720);c:\program files\Google\Update\GoogleUpdate.exe [4/17/2009 10:08 PM 133104]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [1/12/2008 2:32 PM 23888]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 951632]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [3/1/2010 8:51 AM 365280]
S3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDRV.SYS [8/20/2008 1:41 PM 9216]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 17:49]

2010-03-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-14 03:08]

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 03:08]

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 03:08]

2010-02-21 c:\windows\Tasks\Norton Security Scan for Clint J.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-16 16:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: pogo.com
FF - ProfilePath - c:\users\Clint J\AppData\Roaming\Mozilla\Firefox\Profiles\alb9ycpa.default\
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Mozilla\Firefox\Profiles\alb9ycpa.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 13:16
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????m5uk????h?????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(840)
c:\windows\System32\NLSLexicons0009.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Symantec Shared\AppCore\AppMgr32.dll
.
Completion time: 2010-03-03 13:19:26
ComboFix-quarantined-files.txt 2010-03-03 18:19
ComboFix2.txt 2010-03-03 17:01
ComboFix3.txt 2010-03-03 15:51
ComboFix4.txt 2010-03-02 16:35

Pre-Run: 213,731,151,872 bytes free
Post-Run: 213,715,226,624 bytes free

- - End Of File - - 8C06D1B529B615C25021E0B5794A99A3
Upload was successful


#14 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 03 March 2010 - 01:36 PM

Got the files and they are malware.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

CODE
Folder::
c:\programdata\watusero
c:\programdata\kirojeke
c:\programdata\sudoroke
c:\programdata\sowimudu
c:\programdata\kohuhego

Prior to running Combofix.exe you should disable your antivirus program.

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


After this step let me know how your computer is behaving and any issues that you are still having.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
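The helper's fix above rests on two things a reader can reproduce: spotting the Vundo-style droppings in a ComboFix file listing (folders directly under c:\programdata with eight random lowercase letters, several of them holding a same-named .dll) and turning them into a CFScript `Folder::` block, then confirming in the next log's "Other Deletions" section that they went away. The script below does those three steps. It is an added example, not code from ComboFix or from the helper. It assumes the line layout visible in the log (`<created> . <modified> <size|--------> <attrs> <path>`), treats the eight-lowercase-letter rule as a review heuristic modeled on this one case and nothing more, and uses a constructed sample listing: the five folder names come from the CFScript, the legitimate neighbours are copied from the log, but the timestamps and .dll sizes of the five folders are invented because the thread never shows them.

```python
"""Triage of ComboFix file-listing lines, CFScript generation and a check of
the follow-up log. Added example for this thread, not ComboFix's or the
helper's code. Assumes the line layout "<created> . <modified>
<size|--------> <attrs> <path>" and encodes, as a heuristic only, what the
helper removed: eight-lowercase-letter folders under c:\\programdata."""
import re
from collections import Counter

# One "Files Created" / "Find3M" line; timestamps are "YYYY-MM-DD HH:MM".
LINE_RE = re.compile(
    r"^(?P<ctime>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<mtime>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>\S.*)$"
)
# Directory directly under ProgramData named with exactly eight lowercase
# letters (ComboFix prints these paths lowercased, as in the thread's log).
RANDOM_DIR_RE = re.compile(r"^c:\\programdata\\([a-z]{8})$")

# Constructed sample: the five folders from the helper's CFScript plus real
# neighbours copied from the log. Timestamps and .dll sizes for the five
# folders are invented; the thread does not show them.
SAMPLE_LOG = """\
2010-02-27 03:11 . 2010-02-27 03:11 -------- d-----w- c:\\programdata\\watusero
2010-02-27 03:11 . 2010-02-27 03:11 102400 ----a-w- c:\\programdata\\watusero\\watusero.dll
2010-02-27 03:11 . 2010-02-27 03:11 -------- d-----w- c:\\programdata\\kirojeke
2010-02-27 03:11 . 2010-02-27 03:11 102400 ----a-w- c:\\programdata\\kirojeke\\kirojeke.dll
2010-02-27 03:11 . 2010-02-27 03:11 -------- d-----w- c:\\programdata\\sudoroke
2010-02-27 03:11 . 2010-02-27 03:11 102400 ----a-w- c:\\programdata\\sudoroke\\sudoroke.dll
2010-02-27 03:11 . 2010-02-27 03:11 -------- d-----w- c:\\programdata\\sowimudu
2010-02-27 03:11 . 2010-02-27 03:11 -------- d-----w- c:\\programdata\\kohuhego
2010-03-01 12:40 . 2010-03-01 13:51 -------- d-----w- c:\\programdata\\PC Tools
2010-03-03 17:05 . 2010-03-03 17:05 -------- d-----w- c:\\programdata\\Malwarebytes
2009-12-08 20:01 . 2010-02-10 16:24 904776 ----a-w- c:\\windows\\system32\\drivers\\tcpip.sys
"""

# Copied from the "Other Deletions" section of the follow-up log in the thread.
FOLLOWUP_LOG = """\
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\\programdata\\kirojeke
c:\\programdata\\kirojeke\\kirojeke.dll
c:\\programdata\\kohuhego
c:\\programdata\\sowimudu
c:\\programdata\\sudoroke
c:\\programdata\\sudoroke\\sudoroke.dll
c:\\programdata\\watusero
c:\\programdata\\watusero\\watusero.dll
((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
"""


def parse_combofix_lines(text):
    """Parse file-listing lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def flag_random_programdata(entries):
    """Return [(folder, reasons)] sorted by path. Nothing is deleted here;
    the reasons are for an analyst to review before a folder goes in a CFScript."""
    paths = {e["path"] for e in entries}
    cands = {}
    for e in entries:
        m = RANDOM_DIR_RE.match(e["path"])
        if e["attrs"].startswith("d") and m:
            cands[e["path"]] = (m.group(1), e["ctime"])
    # Several such folders created in the same minute is a second signal.
    per_minute = Counter(ctime for _, ctime in cands.values())
    flagged = []
    for folder, (name, ctime) in sorted(cands.items()):
        reasons = ["8-letter lowercase name directly under c:\\programdata"]
        if f"{folder}\\{name}.dll" in paths:
            reasons.append("contains same-named .dll")
        if per_minute[ctime] > 1:
            reasons.append(f"{per_minute[ctime]} such folders created {ctime}")
        flagged.append((folder, reasons))
    return flagged


def make_cfscript(folders):
    """Render a CFScript 'Folder::' block in the form the helper posted."""
    return "Folder::\n" + "".join(f"{f}\n" for f in folders)


def deletions_missing(followup_text, folders):
    """Return CFScript targets absent from the follow-up log's
    'Other Deletions' section, i.e. what ComboFix did not report removing."""
    deleted, inside = set(), False
    for line in followup_text.splitlines():
        if "Other Deletions" in line:
            inside = True
        elif inside and line.startswith("(((("):
            break
        elif inside and line.strip() not in ("", "."):
            deleted.add(line.strip().lower())
    return [f for f in folders if f.lower() not in deleted]


if __name__ == "__main__":
    hits = flag_random_programdata(parse_combofix_lines(SAMPLE_LOG))
    targets = [f for f, _ in hits]
    for folder, reasons in hits:
        print(folder, "->", "; ".join(reasons))
    print(make_cfscript(targets), "not reported deleted:", deletions_missing(FOLLOWUP_LOG, targets))
```

The name rule alone is deliberately weak: a vendor could ship an eight-letter lowercase folder under ProgramData, which is why the script only reports reasons and never writes or deletes anything. The same-named DLL and the same-minute cluster are what make the five folders here stand out; an entry with only the first reason deserves a look at the folder contents before it is added to a CFScript.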

#15 clarkone68

  • Topic Starter
  • Members
  • 10 posts

Posted 03 March 2010 - 02:08 PM

I haven't really been having issues now. But I haven't done anything other than go to this site and follow your instructions on this computer. The computer seems to be behaving fine for now. I clicked on Firefox and it told me that it wasn't the default browser, but that's about it. It didn't ask me to reboot this time. Here's the new log:

ComboFix 10-03-03.02 - Clint J 03/03/2010 13:52:13.8.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2939.1888 [GMT -5:00]
Running from: c:\users\Clint J\Downloads\ComboFix.exe
Command switches used :: c:\users\Clint J\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\kirojeke
c:\programdata\kirojeke\kirojeke.dll
c:\programdata\kohuhego
c:\programdata\sowimudu
c:\programdata\sudoroke
c:\programdata\sudoroke\sudoroke.dll
c:\programdata\watusero
c:\programdata\watusero\watusero.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-03-03 18:59 . 2010-03-03 18:59 -------- d-----w- c:\users\Clint J\AppData\Local\temp
2010-03-03 18:59 . 2010-03-03 18:59 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-03 18:59 . 2010-03-03 18:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-03 17:05 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-03 17:05 . 2010-03-03 17:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-03 17:05 . 2010-03-03 17:05 -------- d-----w- c:\programdata\Malwarebytes
2010-03-03 17:05 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 14:23 . 2010-03-02 14:23 -------- d-----w- C:\found.004
2010-03-02 05:53 . 2010-03-02 05:53 -------- d-----w- C:\found.003
2010-03-02 01:40 . 2010-03-02 01:40 -------- d-----w- C:\found.002
2010-03-02 01:22 . 2010-03-02 01:22 52224 ----a-w- c:\users\Clint J\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-01 19:46 . 2010-03-01 19:46 -------- d-----w- C:\found.001
2010-03-01 16:35 . 2010-03-01 16:35 -------- d-----w- C:\found.000
2010-03-01 13:51 . 2010-02-05 14:18 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-03-01 13:51 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-01 13:51 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-01 13:51 . 2009-09-23 21:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-01 13:51 . 2010-02-05 14:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-01 13:51 . 2010-03-01 13:51 -------- d-----w- c:\users\Clint J\AppData\Roaming\PC Tools
2010-03-01 12:40 . 2010-03-02 14:47 -------- d-----w- c:\program files\Spyware Doctor
2010-03-01 12:40 . 2010-03-01 13:52 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-01 12:40 . 2010-03-01 13:51 -------- d-----w- c:\programdata\PC Tools
2010-03-01 12:38 . 2010-03-01 12:40 -------- d-----w- c:\users\Clint J\AppData\Roaming\GetRightToGo
2010-02-11 21:06 . 2010-02-11 21:06 50354 ----a-w- c:\users\Clint J\AppData\Roaming\Facebook\uninstall.exe
2010-02-11 21:06 . 2010-02-11 21:06 -------- d-----w- c:\users\Clint J\AppData\Roaming\Facebook
2010-02-01 23:52 . 2010-02-01 23:52 -------- d-----w- c:\program files\iPod
2010-02-01 23:49 . 2010-02-01 23:49 -------- d-----w- c:\program files\QuickTime
2010-02-01 23:47 . 2010-02-01 23:47 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\users\Clint J\AppData\Roaming\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\users\Clint J\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 15:28 . 2009-04-18 03:08 -------- d-----w- c:\programdata\Google Updater
2010-03-02 14:02 . 2008-12-25 05:14 113776 ----a-w- c:\users\Clint J\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-02 13:57 . 2009-06-20 22:55 -------- d-----w- c:\program files\Backgammon Classic
2010-03-02 03:55 . 2009-03-06 14:54 6648 ----a-w- c:\users\Clint J\AppData\Local\d3d9caps.dat
2010-03-02 01:22 . 2009-08-30 05:14 117760 ----a-w- c:\users\Clint J\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-01 14:37 . 2010-03-01 14:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-02-26 12:27 . 2009-02-11 12:35 -------- d-----w- c:\users\Clint J\AppData\Roaming\gtk-2.0
2010-02-20 23:45 . 2009-08-30 05:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-15 01:42 . 2009-07-11 08:10 1670392 ----a-w- c:\programdata\WildTangent\TOSHIBA Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2010-02-10 16:53 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-10 16:51 . 2008-10-24 21:15 -------- d-----w- c:\programdata\Microsoft Help
2010-02-04 10:20 . 2008-08-14 19:40 -------- d-----w- c:\program files\Google
2010-02-01 23:52 . 2009-11-02 18:17 -------- d-----w- c:\program files\iTunes
2010-02-01 23:52 . 2008-12-25 18:14 -------- d-----w- c:\program files\Common Files\Apple
2010-01-28 22:59 . 2010-01-28 22:59 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb9925.tmp.exe
2010-01-27 08:06 . 2010-01-27 08:06 683801 ----a-w- c:\programdata\Last.fm\Client\UninstWMP\unins000.exe
2010-01-27 08:06 . 2010-01-27 08:05 161 ----a-w- c:\programdata\Last.fm\Client\uninst2.bat
2010-01-27 08:06 . 2010-01-27 08:06 683801 ----a-w- c:\programdata\Last.fm\Client\UninstWA\unins000.exe
2010-01-27 08:05 . 2010-01-27 08:05 683801 ----a-w- c:\programdata\Last.fm\Client\UninstITW\unins000.exe
2010-01-27 08:05 . 2010-01-27 08:05 -------- d-----w- c:\programdata\Last.fm
2010-01-27 08:05 . 2010-01-27 08:05 -------- d-----w- c:\program files\Last.fm
2010-01-25 12:00 . 2010-02-23 22:38 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-23 22:38 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-23 22:38 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-23 22:38 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-23 22:38 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-23 22:38 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-23 22:38 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-23 22:38 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-23 22:38 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-23 22:38 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-20 19:38 . 2009-01-13 08:25 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-08 22:37 . 2008-12-25 18:16 -------- d-----w- c:\users\Clint J\AppData\Roaming\Apple Computer
2010-01-06 15:39 . 2010-02-23 22:38 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38 . 2010-02-23 22:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 15:38 . 2010-02-23 22:38 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-23 22:38 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-23 22:38 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-23 22:38 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 13:30 . 2010-02-23 22:38 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-02 06:38 . 2010-01-21 20:40 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 20:40 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-21 20:40 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-21 20:40 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-31 01:11 . 2009-12-07 01:22 5603776 ----a-w- c:\users\Clint J\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
2009-12-31 01:11 . 2009-09-26 20:23 144160 ----a-w- c:\users\Clint J\AppData\Roaming\Move Networks\uninstall.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-11 11:43 . 2010-02-10 16:24 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-11 11:43 . 2010-02-10 16:24 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-12-08 20:01 . 2010-02-10 16:24 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 20:01 . 2010-02-10 16:24 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:01 . 2010-02-10 16:24 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 17:26 . 2010-02-10 16:24 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-12-07 01:22 . 2009-12-07 01:22 97216 ----a-w- c:\users\Clint J\AppData\Roaming\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-04 18:30 . 2010-02-10 16:24 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:29 . 2010-02-10 16:24 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:28 . 2010-02-10 16:24 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:28 . 2010-02-10 16:24 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:28 . 2010-02-10 16:24 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-04 18:28 . 2010-02-10 16:24 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:28 . 2010-02-10 16:24 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-04 18:28 . 2010-02-10 16:24 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:27 . 2010-02-10 16:24 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-04 15:56 . 2010-02-10 16:24 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-04 15:56 . 2010-02-10 16:24 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-12-04 00:19 . 2009-12-04 00:19 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb8AC6.tmp.exe
2009-04-01 02:47 . 2009-03-10 04:52 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-12-25 05:13 . 2008-12-25 05:13 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2008-12-25 05:13 . 2008-12-25 05:13 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-22 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-20 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-07-31 417792]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
"NDSTray.exe"="NDSTray.exe" [BU]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-04-01 1283384]
"PCMAgent"="c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [2007-12-14 143360]
"CLMLServer"="c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [2008-07-11 188416]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-06 515416]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-12 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-06 01:19 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:64,02,2d,14,cc,51,ca,01

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [4/6/2009 1:32 PM 64160]
R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [3/1/2010 8:51 AM 207280]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090219.003\IDSvix86.sys [2/20/2009 5:13 PM 270384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [8/5/2009 3:06 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 66632]
R2 ConfigFree Service;ConfigFree Service;c:\program files\Toshiba\ConfigFree\CFSvcs.exe [7/10/2008 7:58 PM 40960]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 7:37 AM 149352]
R2 TMachInfo;TMachInfo;c:\program files\Toshiba\TOSHIBA Service Station\TMachInfo.exe [8/14/2008 2:15 PM 62776]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\Toshiba\SMARTLogService\TosIPCSrv.exe [12/3/2007 7:03 PM 126976]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [8/14/2008 2:08 PM 7168]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\System32\drivers\NETw5v32.sys [4/28/2008 8:29 AM 3658752]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 12872]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe [4/24/2008 8:35 PM 73728]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2/19/2009 11:31 AM 41008]
S2 gupdate1c9bfd2fc5e2720;Google Update Service (gupdate1c9bfd2fc5e2720);c:\program files\Google\Update\GoogleUpdate.exe [4/17/2009 10:08 PM 133104]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [1/12/2008 2:32 PM 23888]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 951632]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [3/1/2010 8:51 AM 365280]
S3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDRV.SYS [8/20/2008 1:41 PM 9216]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 17:49]

2010-03-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-14 03:08]

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 03:08]

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 03:08]

2010-02-21 c:\windows\Tasks\Norton Security Scan for Clint J.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-16 16:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: pogo.com
FF - ProfilePath - c:\users\Clint J\AppData\Roaming\Mozilla\Firefox\Profiles\alb9ycpa.default\
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\users\Clint J\AppData\Roaming\Mozilla\Firefox\Profiles\alb9ycpa.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 14:00
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????m5uk????h?????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-03-03 14:02:37
ComboFix-quarantined-files.txt 2010-03-03 19:02
ComboFix2.txt 2010-03-03 18:20
ComboFix3.txt 2010-03-03 17:01
ComboFix4.txt 2010-03-03 15:51
ComboFix5.txt 2010-03-03 18:50

Pre-Run: 213,730,762,752 bytes free
Post-Run: 213,712,351,232 bytes free

- - End Of File - - 3751DC3108B37B12449D0AEFA6792278

Edited by clarkone68, 03 March 2010 - 02:09 PM.