
Infected with Rustok Trojan


22 replies to this topic

#1 Wileywolf

Wileywolf

  • Members
  • 13 posts

Posted 25 May 2010 - 08:35 AM

Hi there!

Last Monday our company website was attacked and was taken down completely; the web hosts advised that as part of the attack a virus had then been sent to my laptop from the website. They advised that it is a Trojan called Rustok; one of their machines had also been infected with the same from our website, so it was quite aggressive. They advised that they used GMER to remove it. I have downloaded GMER but I don't think that I have the correct knowledge to start deleting things using it.

Scans with AVG, StopZilla and Search and Destroy all turned up nothing. (I now only have AVG9 running.)

Someone has looked at our wireless router and my laptop is apparently sending out massive amounts of spam: 20 emails every couple of seconds in sporadic bursts. This is playing havoc with my internet connection, which frequently appears to drop connection or say "server unavailable" when I try to access the internet. I have now disconnected the machine from the network to stop this happening; this was the case whilst running all of the below. If you need it connected to the network whilst the reports are running, just let me know.

My extensive searching of the internet has eventually led me here to you guys to ask for a massive helping hand in getting this darned thing off of my machine, please!

One thing keeps popping up in most of the reports that I have run: 'ggvtaksr'. I have no idea if this is the culprit, as unfortunately I'm not that clued up on this sort of thing.

I have posted the DSS below as well as the log from defogger, I have also attached the attach.txt file and also the report from GMER.

Defogger disable log, after I had run Defogger:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 13:21 on 25/05/2010 (samantha)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read ggvtaksr.sys


-=E.O.F=-



DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by samantha at 13:25:06.61 on 25/05/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.44.1033.18.2942.1787 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\NTR global\NTRconnect\NTRconnect.exe
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\conime.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\T-Mobile Mobile Broadband Manager\UIExec.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9 Admin\Server\AVG9AdminServerMonitor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\msfeedssync.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\samantha.EGRESS\Desktop\Trojan Removal\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uDefault_Page_URL = hxxp://companyweb
mDefault_Page_URL = hxxp://companyweb
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [PrnStatusMX] c:\program files\hewlett-packard\prnstatusmx\PrnStatusMX.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [UIExec] "c:\program files\t-mobile mobile broadband manager\UIExec.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Avg9AdminServerMonitor] "c:\program files\avg\avg9 admin\server\AVG9AdminServerMonitor.exe" /startup
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
IE: {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redire...1&site=home
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://craggy-island/connectcomputer/nshelp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {4C2563DC-7207-4B1A-813F-776A8FB83993} = 192.168.1.1,192.168.1.2
TCP: {8AF47AAC-1922-4AF6-B61A-F9D72A3CC627} = 192.168.1.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: c:\progra~1\google\google~3\goec62~1.dll,c:\progra~1\google\google~1\GOEC62~1.DLL,avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\samant~1.egr\appdata\roaming\mozilla\firefox\profiles\ymtbijac.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 5
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\pdfforge toolbar\ff\components\pdfforgeToolbarFF.dll
FF - component: c:\users\samantha.egress\appdata\roaming\mozilla\firefox\profiles\ymtbijac.default\extensions\technicianconsole@logmeinrescue.com\platform\winnt\components\RescueComponent.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\samantha.egress\appdata\roaming\mozilla\firefox\profiles\ymtbijac.default\extensions\technicianconsole@logmeinrescue.com\platform\winnt\plugins\npRescue.dll
FF - plugin: c:\users\samantha.egress\appdata\roaming\mozilla\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrvtx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSvx.sys [2010-5-24 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-5-24 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-24 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-24 29512]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-24 242896]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\drivers\RtlProt.sys [2008-7-22 25896]
R1 SafDskNT;SafeHouse;c:\windows\system32\drivers\SafDskNT.sys [2009-3-5 77824]
R2 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2008-6-13 24635]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2010-1-8 380928]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-5-24 308064]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-5-24 5888008]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 MSSQL$FOCUS;SQL Server (FOCUS);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 ntrconnect;NTRconnect;c:\program files\ntr global\ntrconnect\NTRconnect.exe [2008-6-10 114688]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R2 UI Assistant Service;UI Assistant Service;c:\program files\t-mobile mobile broadband manager\AssistantServices.exe [2010-4-17 241664]
R3 AVGIDSDrivervtx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_vista\AVGIDSDriver.sys [2010-5-24 122376]
R3 AVGIDSFiltervtx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_vista\AVGIDSFilter.sys [2010-5-24 30216]
R3 AVGIDSShimvtx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_vista\AVGIDSShim.sys [2010-5-24 27144]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-8-11 187904]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-8-11 48472]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2008-8-11 347648]
S2 AVG9AdminServer;AVG9 Admin Server;c:\program files\avg\avg9 admin\server\avgadmsv.exe [2010-5-24 6960408]
S2 FocusService;Focus Watch Service;c:\program files\hrindustries\focus 2\Focus.exe [2010-4-28 16171008]
S2 Realtek87B;Realtek87B;c:\program files\realtek\rtl8187b wireless lan utility\RtlService.exe [2010-5-19 40960]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-5-24 369920]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-4-17 9728]

=============== Created Last 30 ================

2010-05-25 12:21:03 0 ----a-w- c:\users\samantha.egress\defogger_reenable
2010-05-25 09:31:56 2000 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-05-24 09:31:40 86016 ----a-w- c:\windows\system32\etc-1-0-12-3.dll
2010-05-24 09:31:40 770048 ----a-w- c:\windows\system32\libOCASecurityw-1-6.dll
2010-05-24 09:31:40 585728 ----a-w- c:\windows\system32\fssl-1-2-1-1.dll
2010-05-24 09:31:40 1523712 ----a-w- c:\windows\system32\libOCAHelper-2-13.dll
2010-05-24 09:31:40 1470464 ----a-w- c:\windows\system32\libOCAHelperw-2-13.dll
2010-05-24 09:31:39 89088 ----a-w- c:\windows\system32\atl71.dll
2010-05-24 09:31:39 1728512 ----a-w- c:\windows\system32\ebus-3-3-2-4.dll
2010-05-24 09:31:39 1654784 ----a-w- c:\windows\system32\cslibu-2-0-0.dll
2010-05-24 09:31:39 1273856 ----a-w- c:\windows\system32\cxlib-2-6.dll
2010-05-24 09:31:39 1265664 ----a-w- c:\windows\system32\cxlibw-2-6.dll
2010-05-24 09:31:39 1060864 ----a-w- c:\windows\system32\mfc71.dll
2010-05-24 09:31:39 1047552 ----a-w- c:\windows\system32\mfc71u.dll
2010-05-24 09:31:26 0 d-----w- c:\program files\common files\Business Objects
2010-05-24 09:18:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-24 09:18:44 0 d-----w- c:\windows\system32\drivers\Avg
2010-05-24 09:18:36 0 d-----w- c:\programdata\AVG Security Toolbar
2010-05-24 09:17:55 25096 ----a-w- c:\windows\system32\drivers\AVGIDSvx.sys
2010-05-24 09:17:52 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-05-24 09:17:50 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-24 09:17:47 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-24 09:17:34 0 d-----w- c:\program files\AVG
2010-05-24 09:17:32 0 d-----w- c:\programdata\avg9
2010-05-21 15:53:26 0 d-----w- c:\programdata\SITEguard
2010-05-21 15:53:20 7675904 ---ha-w- C:\SZKGFS.dat
2010-05-21 15:51:33 0 d-----w- c:\program files\common files\iS3
2010-05-21 15:51:31 0 d-----w- c:\programdata\STOPzilla!
2010-05-20 08:29:35 0 d-----w- c:\programdata\Sun
2010-05-20 08:29:13 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-19 18:30:25 901 ----a-w- c:\windows\RtlUI2.exe.manifest
2010-05-19 18:30:24 380928 ----a-w- c:\windows\RtlUI2.exe
2010-05-19 18:30:23 614400 ----a-w- c:\windows\system32\Rtlihvs.dll
2010-05-19 18:30:23 188416 ----a-w- c:\windows\system32\RTLExtUI.dll
2010-05-19 18:30:21 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
2010-05-19 08:17:07 741376 ----a-w- c:\windows\system32\drivers\ggvtaksr.sys
2010-05-19 08:15:02 20 ----a-w- c:\users\samant~1.egr\appdata\roaming\qvjsge.dat
2010-05-19 08:14:35 0 d-----w- c:\users\samant~1.egr\appdata\roaming\Quest Software
2010-05-19 08:08:34 0 d-----w- c:\users\samant~1.egr\appdata\roaming\Software
2010-05-19 08:08:29 0 d-----w- c:\programdata\Quest Software
2010-05-19 08:07:50 0 d-----w- c:\program files\Quest Software
2010-05-19 08:07:50 0 d-----w- c:\program files\common files\Quest Shared
2010-05-13 08:00:24 738816 ----a-w- c:\windows\system32\inetcomm.dll

==================== Find3M ====================

2010-05-19 18:30:44 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-19 18:30:44 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-19 18:30:43 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-19 18:27:00 347648 ----a-w- c:\windows\system32\drivers\rtl8187B.sys
2010-05-19 08:06:20 168 ----a-w- c:\program files\INSTALL.LOG
2010-05-12 10:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-03-05 14:01:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-11-19 08:38:43 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:41:56 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-02-04 08:18:44 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat

============= FINISH: 13:26:20.78 ===============


Thanks again for your help and time!


Edited by Wileywolf, 25 May 2010 - 08:41 AM.
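As an added example (not part of the original post, nor of the DDS or Defogger tools), the script below cross-references the log sections the way a helper reads them by eye: a .sys file written to the drivers directory within the last 30 days that has no matching entry in the SERVICES / DRIVERS section, and that Defogger reported it could not read, is the kind of entry that points at a hidden driver. The sample sections are constructed from a handful of lines of the log above; the regexes and the triage rules are this example's own assumptions.

```python
"""Triage a DDS log: recently created driver files versus registered services.

Example code for this thread (not DDS's own logic). Input samples below are
constructed from a few lines of the posted log.
"""
import re

# Constructed sample: a few lines of the DDS "SERVICES / DRIVERS" section.
SERVICES_SECTION = r"""
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-5-24 52872]
R1 SafDskNT;SafeHouse;c:\windows\system32\drivers\SafDskNT.sys [2009-3-5 77824]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2008-8-11 347648]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-4-17 9728]
"""

# Constructed sample: a few lines of the DDS "Created Last 30" section.
CREATED_SECTION = r"""
2010-05-25 09:31:56 2000 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-05-24 09:18:44 0 d-----w- c:\windows\system32\drivers\Avg
2010-05-24 09:17:52 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-05-19 08:17:07 741376 ----a-w- c:\windows\system32\drivers\ggvtaksr.sys
2010-05-19 08:15:02 20 ----a-w- c:\users\samant~1.egr\appdata\roaming\qvjsge.dat
"""

# Constructed sample: the relevant lines of the Defogger log.
DEFOGGER_SECTION = """
Checking for services/drivers...
Unable to read ggvtaksr.sys
"""

# "R0 Name;Display;path [date size]" -- the path may contain spaces but never ';'.
SERVICE_RE = re.compile(r"^[RS]\d\s+[^;]*;[^;]*;(?P<path>.+?)\s+\[\S+ \d+\]\s*$", re.I)
# "YYYY-MM-DD HH:MM:SS size attrs path"
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attr>\S+) (?P<path>.+?)\s*$")
UNREADABLE_RE = re.compile(r"^Unable to read (?P<name>\S+)", re.I)
# Cut command-line arguments (e.g. "svchost.exe -k group") off a service path.
IMAGE_RE = re.compile(r"^.+?\.(?:sys|exe|dll)", re.I)


def basename(path):
    """Last path component, lower-cased for case-insensitive comparison."""
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def registered_drivers(services_text):
    """Image file names (lower-case) that have a service/driver entry."""
    names = set()
    for line in services_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            img = IMAGE_RE.match(m.group("path"))
            names.add(basename(img.group(0) if img else m.group("path")))
    return names


def recent_files(created_text):
    """Files (not directories) from the 'Created Last 30' section."""
    out = []
    for line in created_text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m or m.group("attr").startswith("d"):
            continue  # skip unparsable lines and directories
        out.append({"date": m.group("date"), "size": int(m.group("size")),
                    "path": m.group("path")})
    return out


def unreadable_files(defogger_text):
    """File names Defogger reported it could not read."""
    return {basename(m.group("name")) for m in
            (UNREADABLE_RE.match(l.strip()) for l in defogger_text.splitlines()) if m}


def triage(services_text, created_text, defogger_text=""):
    """Flag suspicious new entries under the drivers directory, in log order."""
    registered = registered_drivers(services_text)
    unreadable = unreadable_files(defogger_text)
    findings = []
    for f in recent_files(created_text):
        low = f["path"].lower()
        if "\\drivers\\" not in low:
            continue
        name = basename(low)
        if not low.endswith(".sys"):
            reasons = ["non-driver file written to the drivers directory"]
        elif name in registered:
            continue  # accounted for by a visible service entry
        else:
            reasons = ["new .sys in drivers directory with no service entry"]
            if name in unreadable:
                reasons.append("Defogger could not read it (consistent with a hidden driver)")
        findings.append({"name": name, "date": f["date"], "size": f["size"],
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage(SERVICES_SECTION, CREATED_SECTION, DEFOGGER_SECTION):
        print(f"{hit['date']}  {hit['size']:>8}  {hit['name']}: " + "; ".join(hit["reasons"]))
```

On the sample above the script flags kgpcpy.cfg (a config file dropped into the drivers directory) and ggvtaksr.sys (new, unregistered and unreadable), while the AVG driver is excused by its service entry.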



#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 25 May 2010 - 10:03 AM

Hi Wileywolf,

Unfortunately your logs show you have a rootkit infection, so you should be aware of the following information.

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#3 Wileywolf

Wileywolf
  • Topic Starter

  • Members
  • 13 posts

Posted 25 May 2010 - 11:33 AM

Hi Syler,

Thank you for your help.

It has been disconnected from the internet since yesterday (I'm using a different machine to post this).

Let's have a go at cleaning this up; I fully understand what you have posted about the fact that the machine may no longer be guaranteed to be safe in the future.

I've run ComboFix and it appears to be just hanging at a certain point. It completed the 50 stages and then deleted files; then on the deleting folders part it has deleted 3 folders and now I am just getting the flashing cursor below the last deleted folder and it doesn't appear to be doing anything. I've been checking it for the past 40 mins now.

I've just left it doing its thing as I have to leave the office now; hopefully it will have progressed by the time I arrive back in the morning. I will post to advise in the morning.

thanks again for your help on this





#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 25 May 2010 - 02:34 PM

You're welcome.

We will wait to see what tomorrow brings then. If it is still frozen when you get back to the office, make sure all your security software is disabled; if it's not, then disable it and see if that helps ComboFix run. If it doesn't, then let me know.

Thanks



#5 Wileywolf

Wileywolf
  • Topic Starter

  • Members
  • 13 posts

Posted 26 May 2010 - 03:59 AM

Hi Syler

I arrived at the office this morning and it was still at the same stage, so it has frozen, I think. I have completely uninstalled AVG and have run ComboFix again to see if it completes; I'll post shortly with the outcome.

Thanks

#6 Wileywolf

Wileywolf
  • Topic Starter

  • Members
  • 13 posts

Posted 26 May 2010 - 04:18 AM

Hi Syler,

The first ComboFix run froze, so it didn't produce a log.
The second one ran really quickly and has generated a log; I've pasted it below.


ComboFix 10-05-24.07 - samantha 26/05/2010 9:55.2.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.44.1033.18.2942.1899 [GMT 1:00]
Running from: c:\users\samantha.EGRESS\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\%appdata%
c:\windows\system32\%appdata%\Microsoft\Windows\IETldCache\index.dat . . . . failed to delete
.
---- Previous Run -------
.
c:\program files\INSTALL.LOG
c:\users\samantha.EGRESS\g2mdlhlpx.exe
c:\windows\Downloaded Program Files\x64
c:\windows\Downloaded Program Files\x64\racodec.ax
c:\windows\Downloaded Program Files\x86
c:\windows\Downloaded Program Files\x86\racodec.ax
c:\windows\system32\%appdata%
c:\windows\system32\blat.exe

.
((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
.

2010-05-26 09:04 . 2010-05-26 09:04 -------- d-sh--w- c:\windows\system32\%APPDATA%
2010-05-26 09:00 . 2010-05-26 09:05 -------- d-----w- c:\users\samantha.EGRESS\AppData\Local\temp
2010-05-26 09:00 . 2010-05-26 09:00 -------- d-----w- c:\users\zoe\AppData\Local\temp
2010-05-26 09:00 . 2010-05-26 09:00 -------- d-----w- c:\users\Samantha\AppData\Local\temp
2010-05-26 09:00 . 2010-05-26 09:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-26 09:00 . 2010-05-26 09:00 -------- d-----w- c:\users\Admin\AppData\Local\temp
2010-05-24 09:45 . 2010-05-24 09:45 242696 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-05-24 09:42 . 2010-05-24 09:42 1689952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-05-24 09:17 . 2010-05-26 08:44 -------- d-----w- c:\programdata\avg9
2010-05-21 16:11 . 2010-05-21 15:54 1129120 ----a-w- c:\programdata\STOPzilla!\vdb\vbcorent.dll
2010-05-21 15:53 . 2010-05-21 15:53 -------- d-----w- c:\programdata\SITEguard
2010-05-21 15:53 . 2010-05-21 15:53 7675904 ---ha-w- C:\SZKGFS.dat
2010-05-21 15:51 . 2010-05-21 15:51 -------- d-----w- c:\program files\Common Files\iS3
2010-05-21 15:51 . 2010-05-25 10:41 -------- d-----w- c:\programdata\STOPzilla!
2010-05-20 08:29 . 2010-04-12 16:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-19 18:30 . 2009-03-31 13:31 380928 ----a-w- c:\windows\RtlUI2.exe
2010-05-19 18:30 . 2009-04-02 09:27 188416 ----a-w- c:\windows\system32\RTLExtUI.dll
2010-05-19 18:30 . 2008-07-01 11:31 614400 ----a-w- c:\windows\system32\Rtlihvs.dll
2010-05-19 18:30 . 2009-02-05 01:49 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
2010-05-19 10:16 . 2010-05-19 10:18 -------- d-----w- c:\users\samantha.EGRESS\AppData\Local\VirtualStore
2010-05-19 08:26 . 2010-05-19 08:36 -------- d-----w- c:\users\samantha.EGRESS\AppData\Local\Quest Software
2010-05-19 08:14 . 2010-05-19 08:14 -------- d-----w- c:\users\samantha.EGRESS\AppData\Roaming\Quest Software
2010-05-19 08:08 . 2010-05-19 08:08 -------- d-----w- c:\users\samantha.EGRESS\AppData\Roaming\Software
2010-05-19 08:08 . 2010-05-24 14:08 -------- d-----w- c:\programdata\Quest Software
2010-05-19 08:07 . 2010-05-25 10:38 -------- d-----w- c:\program files\Quest Software
2010-05-19 08:07 . 2010-05-25 10:38 -------- d-----w- c:\program files\Common Files\Quest Shared
2010-05-13 08:00 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-25 10:44 . 2008-03-04 09:32 -------- d-----w- c:\program files\Google
2010-05-25 10:39 . 2008-08-14 11:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-25 10:39 . 2008-08-14 11:19 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-25 10:38 . 2010-05-25 09:31 2000 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-05-25 01:07 . 2010-04-17 22:02 -------- d-----w- c:\program files\T-Mobile Mobile Broadband Manager
2010-05-24 08:35 . 2008-08-14 09:30 -------- d-----w- c:\program files\F-Secure Internet Security
2010-05-24 08:31 . 2008-08-14 09:31 -------- d-----w- c:\programdata\F-Secure
2010-05-24 07:46 . 2008-08-26 08:33 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-21 19:38 . 2010-03-16 16:41 -------- d-----w- c:\program files\pdfforge Toolbar
2010-05-20 10:05 . 2008-08-19 08:17 -------- d-----w- c:\users\samantha.EGRESS\AppData\Roaming\Focus
2010-05-20 08:29 . 2008-03-04 08:48 -------- d-----w- c:\program files\Common Files\Java
2010-05-20 08:29 . 2008-03-04 08:48 -------- d-----w- c:\program files\Java
2010-05-19 18:30 . 2008-07-22 14:01 -------- d-----w- c:\program files\REALTEK
2010-05-19 18:30 . 2008-03-04 08:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-19 18:27 . 2008-08-11 22:12 347648 ----a-w- c:\windows\system32\drivers\rtl8187B.sys
2010-05-19 08:15 . 2010-05-19 08:15 20 ----a-w- c:\users\samantha.EGRESS\AppData\Roaming\qvjsge.dat
2010-05-13 15:38 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-13 15:38 . 2008-03-04 14:05 -------- d-----w- c:\programdata\Microsoft Help
2010-05-12 10:21 . 2009-10-05 07:33 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-23 14:13 . 2010-05-26 07:53 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-22 08:45 . 2009-04-24 07:36 -------- d-----w- c:\programdata\Hewlett-Packard
2010-04-22 08:45 . 2010-04-22 08:45 -------- d-----w- c:\users\samantha.EGRESS\AppData\Roaming\Marvell
2010-04-17 22:02 . 2010-04-17 22:02 -------- d-----w- c:\users\samantha.EGRESS\AppData\Roaming\Program Files
2010-04-16 07:55 . 2008-08-14 08:31 -------- d-----w- c:\users\samantha.EGRESS\AppData\Roaming\Hamachi
2010-04-16 07:54 . 2010-04-16 07:54 -------- d-----w- c:\program files\Ware5
2010-04-15 10:35 . 2010-04-15 10:35 -------- d-----w- c:\program files\HexCmp
2010-04-08 16:19 . 2008-08-14 08:13 -------- d-----w- c:\program files\Helpdesk
2010-04-08 07:58 . 2008-08-14 08:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-17 08:41 . 2009-08-20 08:28 167712 ----a-w- c:\users\samantha.EGRESS\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-11 11:44 . 2010-03-11 11:44 167320 ----a-w- c:\users\zoe\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-05 14:01 . 2010-04-14 12:21 420352 ----a-w- c:\windows\system32\vbscript.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-15 184320]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"PrnStatusMX"="c:\program files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe" [2007-08-29 1077248]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"UIExec"="c:\program files\T-Mobile Mobile Broadband Manager\UIExec.exe" [2009-07-16 132608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\users\Samantha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]

c:\users\zoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]

c:\users\__sbs_netsetup__\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-6-13 41041]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
2008-01-22 13:25 712704 ----a-w- c:\program files\Toshiba\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2007-10-25 16:41 413696 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2008-03-04 09:33 1836544 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 10:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jing]
2010-03-30 15:26 3036424 ----a-w- c:\program files\TechSmith\Jing\Jing.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-05 21:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-02-12 18:07 5933912 ----a-w- c:\program files\Logitech\Logitech Vid\Vid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2006-12-06 01:44 366400 ----a-w- c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2008-01-25 12:33 509816 ----a-w- c:\program files\Toshiba\SmoothView\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\topi]
2007-07-10 09:24 581632 ----a-w- c:\program files\Toshiba\Toshiba Online Product Information\TOPI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Registration]
2007-05-04 10:05 571024 ----a-w- c:\program files\Toshiba\Registration\ToshibaRegistration.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YouSendIt.exe]
2009-10-02 14:32 82432 ----a-w- c:\program files\YouSendIt\Express\YouSendIt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):11,33,21,d9,1f,52,ca,01

R2 FocusService;Focus Watch Service;c:\program files\HRIndustries\Focus 2\Focus.exe [2010-04-28 16171008]
R2 Realtek87B;Realtek87B;c:\program files\REALTEK\RTL8187B Wireless LAN Utility\RtlService.exe [2009-12-07 40960]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-05-22 9728]
S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [2007-04-23 25896]
S1 SafDskNT;SafeHouse;c:\windows\system32\drivers\SAFDSKNT.SYS [2009-03-04 77824]
S2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2008-06-13 24635]
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2010-01-08 380928]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
S2 MSSQL$FOCUS;SQL Server (FOCUS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]
S2 ntrconnect;ntrconnect;c:\program files\NTR global\NTRconnect\NTRconnect.exe [2008-06-10 114688]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-03 126976]
S2 UI Assistant Service;UI Assistant Service;c:\program files\T-Mobile Mobile Broadband Manager\AssistantServices.exe [2009-07-16 241664]
S3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-02-01 187904]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-01-15 48472]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2010-05-19 347648]


--- Other Services/Drivers In Memory ---

*Deregistered* - BMLoad
*Deregistered* - ggvtaksr
*Deregistered* - mfehidk
*Deregistered* - MPFP

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-26 c:\windows\Tasks\User_Feed_Synchronization-{B259B98A-0393-4AA9-8AED-F3997EE91F78}.job
- c:\windows\system32\msfeedssync.exe [2010-04-07 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
IE: {{8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redire...1&site=home
TCP: {4C2563DC-7207-4B1A-813F-776A8FB83993} = 192.168.1.1,192.168.1.2
TCP: {8AF47AAC-1922-4AF6-B61A-F9D72A3CC627} = 192.168.1.1
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\samantha.EGRESS\AppData\Roaming\Mozilla\Firefox\Profiles\ymtbijac.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 5
FF - component: c:\program files\pdfforge Toolbar\FF\components\pdfforgeToolbarFF.dll
FF - component: c:\users\samantha.EGRESS\AppData\Roaming\Mozilla\Firefox\Profiles\ymtbijac.default\extensions\TechnicianConsole@logmeinrescue.com\platform\WINNT\components\RescueComponent.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\samantha.EGRESS\AppData\Roaming\Mozilla\Firefox\Profiles\ymtbijac.default\extensions\TechnicianConsole@logmeinrescue.com\platform\WINNT\plugins\npRescue.dll
FF - plugin: c:\users\samantha.EGRESS\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-Deluxe Tree - c:\users\samantha.EGRESS\Documents\deluxetree\Christmas.exe
MSConfigStartUp-F-Secure TNB - c:\program files\F-Secure Internet Security\FSGUI\TNBUtil.exe
MSConfigStartUp-SearchSettings - c:\program files\pdfforge Toolbar\SearchSettings.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 10:05
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000003C8A0C2FDB36B29638 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ggvtaksr]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\O2Micro Flash Memory Card Driver\o2flash.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\conime.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-05-26 10:10:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-26 09:10

Pre-Run: 29,678,641,152 bytes free
Post-Run: 29,439,156,224 bytes free

- - End Of File - - C4345730F31F46DBD539E7DFB3672CCE







#7 Wileywolf

Wileywolf
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 26 May 2010 - 05:32 AM

Hi Syler

Apologies about the multiple posts, but I thought I would run GMER and DDS again after the ComboFix run and machine restart, and it appears that it is still picking something up as it was last time, so it looks like ComboFix didn't remove it?

I've attached a fresh set of logs for you if you should need them, DDS, Attach and Ark (GMER).

Attached Files


Edited by Wileywolf, 26 May 2010 - 05:33 AM.


#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:09:46 AM

Posted 26 May 2010 - 07:06 AM

Hi Wileywolf,

There is no need to run any extra scans; it will just get you pushed further down my reply list. Please just run the scans that I ask for, cheers.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
Rootkit::
c:\windows\system32\drivers\ggvtaksr.sys
RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


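A triage script for the ComboFix log format posted in this thread, added here as an example (it is not code from BleepingComputer, ComboFix or either poster). It pulls the catchme hidden-file list, the *Deregistered* services and the locked registry keys out of a log, flags a service that is both deregistered and visible only to the rootkit scanner (the way ggvtaksr was spotted above), and drafts the same two CFScript directives syler used for an analyst to review. The sample log is constructed from fragments of the logs in this thread; the drivers\<name>.sys path is an assumed conventional location that must be confirmed against the file list before use.

```python
import re
from dataclasses import dataclass, field

# Line patterns for the ComboFix log sections that matter for triage.
DEREG_RE = re.compile(r"^\*Deregistered\* - (\S+)\s*$")
HIDDEN_FILE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<size>\d+) bytes(?P<exe> executable)?\s*$")
HIDDEN_COUNT_RE = re.compile(r"^hidden files: (\d+)\s*$")
# A Services key reported after the catchme scan is a service hidden from normal
# enumeration; that is how the rootkit driver was spotted in this thread.
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\system\\ControlSet001\\Services\\([^\]\\]+)\]\s*$", re.I)
LOCKED_HEADER = "LOCKED REGISTRY KEYS"
# Assumed conventional driver location (the thread's script uses it); confirm before use.
DRIVER_DIR = r"c:\windows\system32\drivers"

# Constructed sample: fragments of the logs posted in this thread.
SAMPLE_LOG = r"""
--- Other Services/Drivers In Memory ---
*Deregistered* - BMLoad
*Deregistered* - ggvtaksr
*Deregistered* - mfehidk
*Deregistered* - MPFP

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scanning hidden files ...

c:\windows\TEMP\TMP0000003C8A0C2FDB36B29638 524288 bytes executable

scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ggvtaksr]

--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
"BlindDial"=dword:00000000
------------------------ Other Running Processes ------------------------
c:\windows\system32\Ati2evxx.exe
"""


@dataclass
class ComboFixFindings:
    deregistered: list[str] = field(default_factory=list)
    hidden_files: list[tuple[str, int, bool]] = field(default_factory=list)  # (path, size, executable?)
    hidden_file_count: int = 0
    hidden_services: list[str] = field(default_factory=list)
    locked_keys: list[str] = field(default_factory=list)


def parse_combofix_log(text: str) -> ComboFixFindings:
    """Single pass over the log, tracking the two sections that need context."""
    f = ComboFixFindings()
    in_hidden_files = in_locked = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("scanning hidden files", "scan completed")):
            in_hidden_files = line.startswith("scanning")
            continue
        if LOCKED_HEADER in line:
            in_locked = True
            continue
        if in_locked and line.startswith("-----"):
            in_locked = False  # the next "------- ... -------" header ends the section
        if in_hidden_files:
            if m := HIDDEN_FILE_RE.match(line):
                f.hidden_files.append((m["path"], int(m["size"]), bool(m["exe"])))
        elif in_locked and line.startswith("[HKEY_"):
            f.locked_keys.append(line)
        elif m := DEREG_RE.match(line):
            f.deregistered.append(m.group(1))
        elif m := HIDDEN_COUNT_RE.match(line):
            f.hidden_file_count = int(m.group(1))
        elif m := SERVICE_KEY_RE.match(line):
            f.hidden_services.append(m.group(1))
    return f


def suspicious_services(f: ComboFixFindings) -> list[str]:
    """Services both deregistered in memory and visible only to the rootkit scanner."""
    return sorted(set(f.deregistered) & set(f.hidden_services), key=str.lower)


def draft_cfscript(f: ComboFixFindings) -> str:
    """Draft the two directives used in the thread; an analyst reviews it before use."""
    lines: list[str] = []
    if targets := suspicious_services(f):
        lines.append("Rootkit::")
        lines.extend(f"{DRIVER_DIR}\\{name}.sys" for name in targets)
    if f.locked_keys:
        lines.append("RegLock::")
        lines.extend(f.locked_keys)
    return "\n".join(lines)


if __name__ == "__main__":
    findings = parse_combofix_log(SAMPLE_LOG)
    print(f"hidden files: {findings.hidden_file_count}, suspicious: {suspicious_services(findings)}")
    print(draft_cfscript(findings))
```

On the sample the only service in both lists is ggvtaksr; BMLoad, mfehidk and MPFP are deregistered but have no hidden Services key, so they are left out of the draft.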

#9 Wileywolf

Wileywolf
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 26 May 2010 - 09:12 AM

ComboFix log as requested

Thanks Syler

ComboFix 10-05-24.07 - samantha 26/05/2010 14:51:09.3.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.44.1033.18.2942.1570 [GMT 1:00]
Running from: c:\users\samantha.EGRESS\Desktop\ComboFix.exe
Command switches used :: c:\users\samantha.EGRESS\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\%appdata%
c:\windows\system32\%appdata%\Microsoft\Windows\IETldCache\index.dat . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ggvtaksr
-------\Service_ggvtaksr


((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
.

2010-05-26 13:55 . 2010-05-26 14:01 -------- d-----w- c:\users\samantha.EGRESS\AppData\Local\temp
2010-05-26 13:55 . 2010-05-26 13:55 -------- d-----w- c:\users\zoe\AppData\Local\temp
2010-05-26 13:55 . 2010-05-26 13:55 -------- d-----w- c:\users\Samantha\AppData\Local\temp
2010-05-26 13:55 . 2010-05-26 13:55 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-26 13:55 . 2010-05-26 13:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-26 13:55 . 2010-05-26 13:55 -------- d-----w- c:\users\Admin\AppData\Local\temp
2010-05-26 13:55 . 2010-05-26 13:55 -------- d-----w- c:\users\__sbs_netsetup__\AppData\Local\temp
2010-05-26 07:53 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 09:45 . 2010-05-24 09:45 242696 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-05-24 09:42 . 2010-05-24 09:42 1689952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-05-24 09:17 . 2010-05-26 08:44 -------- d-----w- c:\programdata\avg9
2010-05-21 16:11 . 2010-05-21 15:54 1129120 ----a-w- c:\programdata\STOPzilla!\vdb\vbcorent.dll
2010-05-21 15:53 . 2010-05-21 15:53 -------- d-----w- c:\programdata\SITEguard
2010-05-21 15:53 . 2010-05-21 15:53 7675904 ---ha-w- C:\SZKGFS.dat
2010-05-21 15:51 . 2010-05-21 15:51 -------- d-----w- c:\program files\Common Files\iS3
2010-05-21 15:51 . 2010-05-25 10:41 -------- d-----w- c:\programdata\STOPzilla!
2010-05-20 08:29 . 2010-04-12 16:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-19 18:30 . 2009-03-31 13:31 380928 ----a-w- c:\windows\RtlUI2.exe
2010-05-19 18:30 . 2009-04-02 09:27 188416 ----a-w- c:\windows\system32\RTLExtUI.dll
2010-05-19 18:30 . 2008-07-01 11:31 614400 ----a-w- c:\windows\system32\Rtlihvs.dll
2010-05-19 18:30 . 2009-02-05 01:49 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
2010-05-19 10:16 . 2010-05-19 10:18 -------- d-----w- c:\users\samantha.EGRESS\AppData\Local\VirtualStore
2010-05-19 08:26 . 2010-05-19 08:36 -------- d-----w- c:\users\samantha.EGRESS\AppData\Local\Quest Software
2010-05-19 08:17 . 2010-05-26 13:56 741376 ----a-w- c:\windows\system32\drivers\ggvtaksr.sys
2010-05-19 08:14 . 2010-05-19 08:14 -------- d-----w- c:\users\samantha.EGRESS\AppData\Roaming\Quest Software
2010-05-19 08:08 . 2010-05-19 08:08 -------- d-----w- c:\users\samantha.EGRESS\AppData\Roaming\Software
2010-05-19 08:08 . 2010-05-24 14:08 -------- d-----w- c:\programdata\Quest Software
2010-05-19 08:07 . 2010-05-25 10:38 -------- d-----w- c:\program files\Quest Software
2010-05-19 08:07 . 2010-05-25 10:38 -------- d-----w- c:\program files\Common Files\Quest Shared
2010-05-13 08:00 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-25 10:44 . 2008-03-04 09:32 -------- d-----w- c:\program files\Google
2010-05-25 10:39 . 2008-08-14 11:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-25 10:39 . 2008-08-14 11:19 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-25 10:38 . 2010-05-25 09:31 2000 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-05-25 01:07 . 2010-04-17 22:02 -------- d-----w- c:\program files\T-Mobile Mobile Broadband Manager
2010-05-24 08:35 . 2008-08-14 09:30 -------- d-----w- c:\program files\F-Secure Internet Security
2010-05-24 08:31 . 2008-08-14 09:31 -------- d-----w- c:\programdata\F-Secure
2010-05-24 07:46 . 2008-08-26 08:33 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-21 19:38 . 2010-03-16 16:41 -------- d-----w- c:\program files\pdfforge Toolbar
2010-05-20 10:05 . 2008-08-19 08:17 -------- d-----w- c:\users\samantha.EGRESS\AppData\Roaming\Focus
2010-05-20 08:29 . 2008-03-04 08:48 -------- d-----w- c:\program files\Common Files\Java
2010-05-20 08:29 . 2008-03-04 08:48 -------- d-----w- c:\program files\Java
2010-05-19 18:30 . 2008-07-22 14:01 -------- d-----w- c:\program files\REALTEK
2010-05-19 18:30 . 2008-03-04 08:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-19 18:27 . 2008-08-11 22:12 347648 ----a-w- c:\windows\system32\drivers\rtl8187B.sys
2010-05-19 08:15 . 2010-05-19 08:15 20 ----a-w- c:\users\samantha.EGRESS\AppData\Roaming\qvjsge.dat
2010-05-13 15:38 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-13 15:38 . 2008-03-04 14:05 -------- d-----w- c:\programdata\Microsoft Help
2010-05-12 10:21 . 2009-10-05 07:33 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-22 08:45 . 2009-04-24 07:36 -------- d-----w- c:\programdata\Hewlett-Packard
2010-04-22 08:45 . 2010-04-22 08:45 -------- d-----w- c:\users\samantha.EGRESS\AppData\Roaming\Marvell
2010-04-17 22:02 . 2010-04-17 22:02 -------- d-----w- c:\users\samantha.EGRESS\AppData\Roaming\Program Files
2010-04-16 07:55 . 2008-08-14 08:31 -------- d-----w- c:\users\samantha.EGRESS\AppData\Roaming\Hamachi
2010-04-16 07:54 . 2010-04-16 07:54 -------- d-----w- c:\program files\Ware5
2010-04-15 10:35 . 2010-04-15 10:35 -------- d-----w- c:\program files\HexCmp
2010-04-08 16:19 . 2008-08-14 08:13 -------- d-----w- c:\program files\Helpdesk
2010-04-08 07:58 . 2008-08-14 08:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-17 08:41 . 2009-08-20 08:28 167712 ----a-w- c:\users\samantha.EGRESS\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-11 11:44 . 2010-03-11 11:44 167320 ----a-w- c:\users\zoe\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-05 14:01 . 2010-04-14 12:21 420352 ----a-w- c:\windows\system32\vbscript.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-15 184320]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"PrnStatusMX"="c:\program files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe" [2007-08-29 1077248]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"UIExec"="c:\program files\T-Mobile Mobile Broadband Manager\UIExec.exe" [2009-07-16 132608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\users\Samantha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]

c:\users\zoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]

c:\users\__sbs_netsetup__\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-6-13 41041]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
2008-01-22 13:25 712704 ----a-w- c:\program files\Toshiba\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2007-10-25 16:41 413696 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2008-03-04 09:33 1836544 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 10:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jing]
2010-03-30 15:26 3036424 ----a-w- c:\program files\TechSmith\Jing\Jing.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-05 21:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-02-12 18:07 5933912 ----a-w- c:\program files\Logitech\Logitech Vid\Vid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2006-12-06 01:44 366400 ----a-w- c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2008-01-25 12:33 509816 ----a-w- c:\program files\Toshiba\SmoothView\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\topi]
2007-07-10 09:24 581632 ----a-w- c:\program files\Toshiba\Toshiba Online Product Information\TOPI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Registration]
2007-05-04 10:05 571024 ----a-w- c:\program files\Toshiba\Registration\ToshibaRegistration.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YouSendIt.exe]
2009-10-02 14:32 82432 ----a-w- c:\program files\YouSendIt\Express\YouSendIt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):11,33,21,d9,1f,52,ca,01

R2 FocusService;Focus Watch Service;c:\program files\HRIndustries\Focus 2\Focus.exe [2010-04-28 16171008]
S2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2008-06-13 24635]
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2010-01-08 380928]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
S3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-02-01 187904]


--- Other Services/Drivers In Memory ---

*Deregistered* - BMLoad
*Deregistered* - mfehidk
*Deregistered* - MPFP

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-26 c:\windows\Tasks\User_Feed_Synchronization-{B259B98A-0393-4AA9-8AED-F3997EE91F78}.job
- c:\windows\system32\msfeedssync.exe [2010-04-07 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
IE: {{8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redire...1&site=home
TCP: {4C2563DC-7207-4B1A-813F-776A8FB83993} = 192.168.1.1,192.168.1.2
TCP: {8AF47AAC-1922-4AF6-B61A-F9D72A3CC627} = 192.168.1.1
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\samantha.EGRESS\AppData\Roaming\Mozilla\Firefox\Profiles\ymtbijac.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 5
FF - component: c:\program files\pdfforge Toolbar\FF\components\pdfforgeToolbarFF.dll
FF - component: c:\users\samantha.EGRESS\AppData\Roaming\Mozilla\Firefox\Profiles\ymtbijac.default\extensions\TechnicianConsole@logmeinrescue.com\platform\WINNT\components\RescueComponent.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\samantha.EGRESS\AppData\Roaming\Mozilla\Firefox\Profiles\ymtbijac.default\extensions\TechnicianConsole@logmeinrescue.com\platform\WINNT\plugins\npRescue.dll
FF - plugin: c:\users\samantha.EGRESS\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 15:01
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\NTR global\NTRconnect\NTRconnect.exe
c:\program files\O2Micro Flash Memory Card Driver\o2flash.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
c:\program files\T-Mobile Mobile Broadband Manager\AssistantServices.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\conime.exe
c:\windows\system32\consent.exe
.
**************************************************************************
.
Completion time: 2010-05-26 15:05:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-26 14:05
ComboFix2.txt 2010-05-26 09:10

Pre-Run: 29,691,777,024 bytes free
Post-Run: 29,032,333,312 bytes free

- - End Of File - - F06195E696E7C2FF8BB30E9B00C9C24A


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:09:46 AM

Posted 26 May 2010 - 09:25 AM

Looks like we are making progress. After you have run this CFScript, please run GMER again, then post back here with both logs.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/319087/infected-with-rustok-trojan/

Collect::
c:\windows\system32\drivers\ggvtaksr.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


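The post above collects a single suspect driver by name, which works once a helper has already spotted it in the log. As an added example (not part of syler's post, not ComboFix's own code), the script below shows how that spotting can be done mechanically: it parses ComboFix-style service and driver lines, scores each kernel driver on traits a Rustock-type rootkit driver tends to share (random lowercase name reused as service, display and file name, boot or system start, file dated in the incident window), and emits a CFScript Collect:: block in the same layout as the one above. The sample lines are a constructed excerpt modelled on this thread's logs; the ggvtaksr service line itself is an assumption, since the logs above only show that driver's registry backups. The incident date of 17 May 2010 is inferred from "Last Monday" in a post dated 25 May 2010, and the score threshold of three traits is an arbitrary choice for this example.

```python
import re
from datetime import date

# Constructed sample modelled on the ComboFix "Reg Loading Points" service
# lines in this thread. The ggvtaksr line is an ASSUMPTION: the logs above only
# show its registry backups (Service_ggvtaksr.reg.dat), not the service line.
SAMPLE_SERVICES = r"""
R2 FocusService;Focus Watch Service;c:\program files\HRIndustries\Focus 2\Focus.exe [2010-04-28 16171008]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-05-22 9728]
S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [2007-04-23 25896]
S1 ggvtaksr;ggvtaksr;c:\windows\system32\drivers\ggvtaksr.sys [2010-05-19 741376]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2010-05-19 347648]
"""

# Assumed incident date: "Last Monday" relative to the opening post of 25 May 2010.
INCIDENT_DATE = date(2010, 5, 17)

# ComboFix service line: <R|S><start type> <name>;<display name>;<path> [<yyyy-mm-dd> <size>]
# R = running, S = stopped; start type 0/1 = boot/system start, 2 = auto, 3 = manual.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]\s*$"
)

# Lowercase letters only, no digits or vendor prefix: the shape of a generated name.
RANDOM_STEM = re.compile(r"^[a-z]{6,12}$")


def parse_services(text):
    """Return one dict per service/driver line; non-matching lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["start"] = int(e["start"])
        e["size"] = int(e["size"])
        e["date"] = date.fromisoformat(e["date"])
        entries.append(e)
    return entries


def suspicious_drivers(entries, incident, window_days=14, min_score=3):
    """Score each .sys under a drivers directory; return those with >= min_score traits."""
    flagged = []
    for e in entries:
        path = e["path"].lower()
        if "\\drivers\\" not in path or not path.endswith(".sys"):
            continue
        stem = path.rsplit("\\", 1)[1][:-4]
        reasons = []
        # A real vendor driver almost always carries a descriptive display name.
        if e["display"].strip().lower() in ("", e["name"].strip().lower()):
            reasons.append("display name missing or identical to service name")
        # Generated names are reused verbatim for the service key and the file.
        if RANDOM_STEM.match(stem) and e["name"].lower() == stem:
            reasons.append("random-looking lowercase name shared by service and file")
        # Created or modified close to the reported compromise.
        if abs((e["date"] - incident).days) <= window_days:
            reasons.append("file dated within %d days of the incident" % window_days)
        # Boot/system start loads before user-mode defenses and most AV filters.
        if e["start"] <= 1:
            reasons.append("boot/system start type")
        if len(reasons) >= min_score:
            flagged.append({"path": e["path"], "reasons": reasons})
    return flagged


def build_cfscript(paths, thread_url):
    """Produce a CFScript in the layout used above: thread URL, blank line, Collect::, paths."""
    lines = [thread_url, "", "Collect::"] + list(paths)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = suspicious_drivers(parse_services(SAMPLE_SERVICES), INCIDENT_DATE)
    for h in hits:
        print(h["path"])
        for r in h["reasons"]:
            print("   -", r)
    print(build_cfscript([h["path"] for h in hits],
                         "http://www.bleepingcomputer.com/forums/t/319087/infected-with-rustok-trojan/"))
```

On the constructed sample only ggvtaksr.sys reaches the threshold: rtlprot.sys shares the system-start and short-name traits but has a vendor display name and a 2007 file date, and RTL8187B.sys is dated inside the window (the wireless driver was reinstalled on 19 May) but fails every other check. Treat the output as a shortlist to submit and inspect, as syler does here with Collect::, not as a verdict.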

#11 Wileywolf

Wileywolf
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 26 May 2010 - 11:50 AM

Here you go Syler, GMER log is attached also

Thanks!

ComboFix 10-05-24.07 - samantha 26/05/2010 16:06:42.4.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.44.1033.18.2942.1980 [GMT 1:00]
Running from: c:\users\samantha.EGRESS\Desktop\ComboFix.exe
Command switches used :: c:\users\samantha.EGRESS\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

file zipped: c:\windows\system32\drivers\ggvtaksr.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ggvtaksr.sys

.
((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
.

2010-05-26 15:11 . 2010-05-26 15:11 -------- d-----w- c:\users\samantha.EGRESS\AppData\Local\temp
2010-05-26 15:11 . 2010-05-26 15:11 -------- d-----w- c:\users\zoe\AppData\Local\temp
2010-05-26 15:11 . 2010-05-26 15:11 -------- d-----w- c:\users\Samantha\AppData\Local\temp
2010-05-26 15:11 . 2010-05-26 15:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-26 15:11 . 2010-05-26 15:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-26 15:11 . 2010-05-26 15:11 -------- d-----w- c:\users\Admin\AppData\Local\temp
2010-05-26 15:11 . 2010-05-26 15:11 -------- d-----w- c:\users\__sbs_netsetup__\AppData\Local\temp
2010-05-26 07:53 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 09:45 . 2010-05-24 09:45 242696 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-05-24 09:42 . 2010-05-24 09:42 1689952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-05-24 09:17 . 2010-05-26 08:44 -------- d-----w- c:\programdata\avg9
2010-05-21 16:11 . 2010-05-21 15:54 1129120 ----a-w- c:\programdata\STOPzilla!\vdb\vbcorent.dll
2010-05-21 15:53 . 2010-05-21 15:53 -------- d-----w- c:\programdata\SITEguard
2010-05-21 15:53 . 2010-05-21 15:53 7675904 ---ha-w- C:\SZKGFS.dat
2010-05-21 15:51 . 2010-05-21 15:51 -------- d-----w- c:\program files\Common Files\iS3
2010-05-21 15:51 . 2010-05-25 10:41 -------- d-----w- c:\programdata\STOPzilla!
2010-05-20 08:29 . 2010-04-12 16:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-19 18:30 . 2009-03-31 13:31 380928 ----a-w- c:\windows\RtlUI2.exe
2010-05-19 18:30 . 2009-04-02 09:27 188416 ----a-w- c:\windows\system32\RTLExtUI.dll
2010-05-19 18:30 . 2008-07-01 11:31 614400 ----a-w- c:\windows\system32\Rtlihvs.dll
2010-05-19 18:30 . 2009-02-05 01:49 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
2010-05-19 10:16 . 2010-05-19 10:18 -------- d-----w- c:\users\samantha.EGRESS\AppData\Local\VirtualStore
2010-05-19 08:26 . 2010-05-19 08:36 -------- d-----w- c:\users\samantha.EGRESS\AppData\Local\Quest Software
2010-05-19 08:14 . 2010-05-19 08:14 -------- d-----w- c:\users\samantha.EGRESS\AppData\Roaming\Quest Software
2010-05-19 08:08 . 2010-05-19 08:08 -------- d-----w- c:\users\samantha.EGRESS\AppData\Roaming\Software
2010-05-19 08:08 . 2010-05-24 14:08 -------- d-----w- c:\programdata\Quest Software
2010-05-19 08:07 . 2010-05-25 10:38 -------- d-----w- c:\program files\Quest Software
2010-05-19 08:07 . 2010-05-25 10:38 -------- d-----w- c:\program files\Common Files\Quest Shared
2010-05-13 08:00 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-25 10:44 . 2008-03-04 09:32 -------- d-----w- c:\program files\Google
2010-05-25 10:39 . 2008-08-14 11:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-25 10:39 . 2008-08-14 11:19 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-25 10:38 . 2010-05-25 09:31 2000 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-05-25 01:07 . 2010-04-17 22:02 -------- d-----w- c:\program files\T-Mobile Mobile Broadband Manager
2010-05-24 08:35 . 2008-08-14 09:30 -------- d-----w- c:\program files\F-Secure Internet Security
2010-05-24 08:31 . 2008-08-14 09:31 -------- d-----w- c:\programdata\F-Secure
2010-05-24 07:46 . 2008-08-26 08:33 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-21 19:38 . 2010-03-16 16:41 -------- d-----w- c:\program files\pdfforge Toolbar
2010-05-20 10:05 . 2008-08-19 08:17 -------- d-----w- c:\users\samantha.EGRESS\AppData\Roaming\Focus
2010-05-20 08:29 . 2008-03-04 08:48 -------- d-----w- c:\program files\Common Files\Java
2010-05-20 08:29 . 2008-03-04 08:48 -------- d-----w- c:\program files\Java
2010-05-19 18:30 . 2008-07-22 14:01 -------- d-----w- c:\program files\REALTEK
2010-05-19 18:30 . 2008-03-04 08:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-19 18:27 . 2008-08-11 22:12 347648 ----a-w- c:\windows\system32\drivers\rtl8187B.sys
2010-05-19 08:15 . 2010-05-19 08:15 20 ----a-w- c:\users\samantha.EGRESS\AppData\Roaming\qvjsge.dat
2010-05-13 15:38 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-13 15:38 . 2008-03-04 14:05 -------- d-----w- c:\programdata\Microsoft Help
2010-05-12 10:21 . 2009-10-05 07:33 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-22 08:45 . 2009-04-24 07:36 -------- d-----w- c:\programdata\Hewlett-Packard
2010-04-22 08:45 . 2010-04-22 08:45 -------- d-----w- c:\users\samantha.EGRESS\AppData\Roaming\Marvell
2010-04-17 22:02 . 2010-04-17 22:02 -------- d-----w- c:\users\samantha.EGRESS\AppData\Roaming\Program Files
2010-04-16 07:55 . 2008-08-14 08:31 -------- d-----w- c:\users\samantha.EGRESS\AppData\Roaming\Hamachi
2010-04-16 07:54 . 2010-04-16 07:54 -------- d-----w- c:\program files\Ware5
2010-04-15 10:35 . 2010-04-15 10:35 -------- d-----w- c:\program files\HexCmp
2010-04-08 16:19 . 2008-08-14 08:13 -------- d-----w- c:\program files\Helpdesk
2010-04-08 07:58 . 2008-08-14 08:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-17 08:41 . 2009-08-20 08:28 167712 ----a-w- c:\users\samantha.EGRESS\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-11 11:44 . 2010-03-11 11:44 167320 ----a-w- c:\users\zoe\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-05 14:01 . 2010-04-14 12:21 420352 ----a-w- c:\windows\system32\vbscript.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-15 184320]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"PrnStatusMX"="c:\program files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe" [2007-08-29 1077248]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"UIExec"="c:\program files\T-Mobile Mobile Broadband Manager\UIExec.exe" [2009-07-16 132608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\users\Samantha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]

c:\users\zoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]

c:\users\__sbs_netsetup__\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-6-13 41041]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
2008-01-22 13:25 712704 ----a-w- c:\program files\Toshiba\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2007-10-25 16:41 413696 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2008-03-04 09:33 1836544 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 10:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jing]
2010-03-30 15:26 3036424 ----a-w- c:\program files\TechSmith\Jing\Jing.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-05 21:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-02-12 18:07 5933912 ----a-w- c:\program files\Logitech\Logitech Vid\Vid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2006-12-06 01:44 366400 ----a-w- c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2008-01-25 12:33 509816 ----a-w- c:\program files\Toshiba\SmoothView\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\topi]
2007-07-10 09:24 581632 ----a-w- c:\program files\Toshiba\Toshiba Online Product Information\TOPI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Registration]
2007-05-04 10:05 571024 ----a-w- c:\program files\Toshiba\Registration\ToshibaRegistration.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YouSendIt.exe]
2009-10-02 14:32 82432 ----a-w- c:\program files\YouSendIt\Express\YouSendIt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):11,33,21,d9,1f,52,ca,01

R2 FocusService;Focus Watch Service;c:\program files\HRIndustries\Focus 2\Focus.exe [2010-04-28 16171008]
R2 Realtek87B;Realtek87B;c:\program files\REALTEK\RTL8187B Wireless LAN Utility\RtlService.exe [2009-12-07 40960]
R2 UI Assistant Service;UI Assistant Service;c:\program files\T-Mobile Mobile Broadband Manager\AssistantServices.exe [2009-07-16 241664]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-05-22 9728]
S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [2007-04-23 25896]
S1 SafDskNT;SafeHouse;c:\windows\system32\drivers\SAFDSKNT.SYS [2009-03-04 77824]
S2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2008-06-13 24635]
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2010-01-08 380928]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
S2 MSSQL$FOCUS;SQL Server (FOCUS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]
S2 ntrconnect;ntrconnect;c:\program files\NTR global\NTRconnect\NTRconnect.exe [2008-06-10 114688]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-03 126976]
S3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-02-01 187904]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-01-15 48472]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2010-05-19 347648]


--- Other Services/Drivers In Memory ---

*Deregistered* - BMLoad
*Deregistered* - mfehidk
*Deregistered* - MPFP

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-26 c:\windows\Tasks\User_Feed_Synchronization-{B259B98A-0393-4AA9-8AED-F3997EE91F78}.job
- c:\windows\system32\msfeedssync.exe [2010-04-07 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
IE: {{8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redire...1&site=home
TCP: {4C2563DC-7207-4B1A-813F-776A8FB83993} = 192.168.1.1,192.168.1.2
TCP: {8AF47AAC-1922-4AF6-B61A-F9D72A3CC627} = 192.168.1.1
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\samantha.EGRESS\AppData\Roaming\Mozilla\Firefox\Profiles\ymtbijac.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 5
FF - component: c:\program files\pdfforge Toolbar\FF\components\pdfforgeToolbarFF.dll
FF - component: c:\users\samantha.EGRESS\AppData\Roaming\Mozilla\Firefox\Profiles\ymtbijac.default\extensions\TechnicianConsole@logmeinrescue.com\platform\WINNT\components\RescueComponent.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\samantha.EGRESS\AppData\Roaming\Mozilla\Firefox\Profiles\ymtbijac.default\extensions\TechnicianConsole@logmeinrescue.com\platform\WINNT\plugins\npRescue.dll
FF - plugin: c:\users\samantha.EGRESS\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 16:11
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-26 16:13:34
ComboFix-quarantined-files.txt 2010-05-26 15:13
ComboFix2.txt 2010-05-26 14:05
ComboFix3.txt 2010-05-26 09:10

Pre-Run: 29,022,527,488 bytes free
Post-Run: 28,972,621,824 bytes free

- - End Of File - - 2CC3E2649C497CBDF06C8880AE39D7F1

Attached Files



#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:09:46 AM

Posted 26 May 2010 - 06:52 PM

Great, that's the rootkit taken care of. Now let's do a couple more checks.


Please navigate to the following file, then copy and paste the contents in your reply:

C:\QooBox\ComboFix-quarantined-files.txt



We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



#13 Wileywolf

Wileywolf
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 27 May 2010 - 03:19 AM

Hi Syler, that's absolutely brilliant news, thank you. All you have requested is below.....

ComboFix Quarantine files.......

2010-05-26 15:06:39 . 2010-05-26 15:06:40 725,817 ----a-w- C:\Qoobox\Quarantine\[4]-Submit_2010-05-26_16.06.37.zip
2010-05-26 13:55:28 . 2010-05-26 13:55:28 74 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_ggvtaksr.reg.dat
2010-05-26 13:55:28 . 2010-05-26 13:55:28 1,100 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_ggvtaksr.reg.dat
2010-05-26 09:09:17 . 2010-05-26 09:09:17 920 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SearchSettings.reg.dat
2010-05-26 09:09:17 . 2010-05-26 09:09:17 982 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-F-Secure TNB.reg.dat
2010-05-26 09:09:17 . 2010-05-26 09:09:17 926 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Deluxe Tree.reg.dat
2010-05-26 09:09:06 . 2010-05-26 09:09:06 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2010-05-26 09:09:05 . 2010-05-26 09:09:05 132 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2010-05-25 16:10:03 . 2010-05-26 15:09:42 11,176 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-05-25 15:57:58 . 2010-05-26 15:06:37 268 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-05-19 08:17:07 . 2010-05-26 13:56:53 741,376 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\drivers\ggvtaksr.sys.vir
2010-05-19 08:15:08 . 2010-05-19 08:06:20 168 ----a-w- C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir
2009-09-04 12:15:57 . 2009-09-04 12:15:59 70,984 ----a-w- C:\Qoobox\Quarantine\C\Users\samantha.EGRESS\g2mdlhlpx.exe.vir
2008-08-20 14:02:19 . 2009-07-29 10:51:51 510,776 ----a-w- C:\Qoobox\Quarantine\C\Windows\Downloaded Program Files\x64\racodec.ax.vir
2008-08-20 14:02:17 . 2009-07-29 10:51:51 337,208 ----a-w- C:\Qoobox\Quarantine\C\Windows\Downloaded Program Files\x86\racodec.ax.vir
2007-02-25 12:06:22 . 2007-02-25 12:06:22 115,200 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\blat.exe.vir


OTL.txt............


OTL logfile created on: 27/05/2010 09:05:15 - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Users\samantha.EGRESS\Desktop
Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 67.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.96 Gb Total Space | 27.03 Gb Free Space | 36.06% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 72.62 Gb Total Space | 67.73 Gb Free Space | 93.26% Space Free | Partition Type: NTFS
Drive F: | 2.87 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: INCDFS
Drive G: | 953.72 Mb Total Space | 562.00 Mb Free Space | 58.93% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FATHER-DOUGAL
Current User Name: samantha
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/27 08:59:04 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\samantha.EGRESS\Desktop\OTL.exe
PRC - [2010/01/08 01:51:02 | 000,380,928 | ---- | M] (Spigot, Inc.) -- C:\Program Files\Application Updater\ApplicationUpdater.exe
PRC - [2009/07/16 14:43:04 | 000,241,664 | ---- | M] () -- C:\Program Files\T-Mobile Mobile Broadband Manager\AssistantServices.exe
PRC - [2009/07/16 14:42:20 | 000,132,608 | ---- | M] () -- C:\Program Files\T-Mobile Mobile Broadband Manager\UIExec.exe
PRC - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/04/11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/04/11 07:27:28 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe
PRC - [2008/11/24 23:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 23:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/06/10 13:59:28 | 000,114,688 | ---- | M] (Net Transmit & Receive) -- C:\Program Files\NTR global\NTRconnect\NTRconnect.exe
PRC - [2008/01/21 17:54:46 | 000,083,312 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
PRC - [2008/01/17 16:27:34 | 000,431,456 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
PRC - [2007/12/25 14:07:14 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2007/12/03 17:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\SMARTLogService\TosIPCSrv.exe
PRC - [2007/11/21 18:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe
PRC - [2007/08/29 16:06:10 | 001,077,248 | ---- | M] (Marvell Semiconductor, Inc.) -- C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
PRC - [2007/05/15 15:55:46 | 001,628,208 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
PRC - [2007/05/15 15:55:46 | 001,550,896 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
PRC - [2007/05/15 15:55:26 | 001,057,328 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\InCD.exe
PRC - [2007/02/12 16:43:44 | 000,065,536 | ---- | M] (O2Micro International) -- C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
PRC - [2006/09/08 15:10:22 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint2K\hidfind.exe
PRC - [2006/08/23 17:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


========== Modules (SafeList) ==========

MOD - [2010/05/27 08:59:04 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\samantha.EGRESS\Desktop\OTL.exe
MOD - [2009/04/11 07:28:21 | 002,241,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msi.dll
MOD - [2009/04/11 07:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2008/01/21 03:22:45 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2006/11/02 10:46:07 | 000,015,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msiltcfg.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/28 10:21:20 | 016,171,008 | ---- | M] (HR Industries) [Auto | Stopped] -- C:\Program Files\HRIndustries\Focus 2\Focus.exe -- (FocusService)
SRV - [2010/01/08 01:51:02 | 000,380,928 | ---- | M] (Spigot, Inc.) [Auto | Running] -- C:\Program Files\Application Updater\ApplicationUpdater.exe -- (Application Updater)
SRV - [2009/12/07 13:49:24 | 000,040,960 | ---- | M] (Realtek) [Auto | Stopped] -- C:\Program Files\REALTEK\RTL8187B Wireless LAN Utility\RtlService.exe -- (Realtek87B)
SRV - [2009/09/25 02:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/16 14:43:04 | 000,241,664 | ---- | M] () [Auto | Running] -- C:\Program Files\T-Mobile Mobile Broadband Manager\AssistantServices.exe -- (UI Assistant Service)
SRV - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$FOCUS) SQL Server (FOCUS)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2008/11/24 23:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 23:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 23:31:08 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/06/10 13:59:28 | 000,114,688 | ---- | M] (Net Transmit & Receive) [Auto | Running] -- C:\Program Files\NTR global\NTRconnect\NTRconnect.exe -- (ntrconnect)
SRV - [2008/03/04 10:33:50 | 001,836,544 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager)
SRV - [2008/01/21 17:54:46 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2008/01/21 03:21:41 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/17 16:27:34 | 000,431,456 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2007/12/25 14:07:14 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2007/12/03 17:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe -- (TOSHIBA SMART Log Service)
SRV - [2007/11/21 18:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
SRV - [2007/05/15 15:55:46 | 001,550,896 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [2007/02/12 16:43:44 | 000,065,536 | ---- | M] (O2Micro International) [Auto | Running] -- C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe -- (o2flash)
SRV - [2006/08/23 17:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)


========== Driver Services (SafeList) ==========

DRV - [2010/05/19 19:27:00 | 000,347,648 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rtl8187B.sys -- (RTL8187B)
DRV - [2009/05/22 09:08:38 | 000,018,816 | ---- | M] (Bytemobile, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\tcpipBM.sys -- (tcpipBM)
DRV - [2009/05/22 09:04:04 | 000,105,344 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
DRV - [2009/05/22 09:04:04 | 000,104,960 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
DRV - [2009/05/22 09:04:04 | 000,104,960 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
DRV - [2009/05/22 09:04:04 | 000,009,728 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\massfilter.sys -- (massfilter)
DRV - [2009/03/05 00:03:14 | 000,077,824 | ---- | M] (PC Dynamics, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\SafDskNT.sys -- (SafDskNT)
DRV - [2008/08/14 09:30:31 | 000,025,280 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\hamachi.sys -- (hamachi)
DRV - [2008/02/01 11:46:08 | 000,187,904 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDART.sys -- (CnxtHdAudAddService)
DRV - [2008/01/21 03:21:35 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/21 03:21:35 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/21 03:21:35 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/21 03:21:34 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/21 03:21:34 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/21 03:21:34 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/21 03:21:33 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/21 03:21:33 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/21 03:21:33 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2008/01/21 03:21:33 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/21 03:21:32 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/21 03:21:32 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/21 03:21:32 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/21 03:21:31 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/21 03:21:31 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/21 03:21:31 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/21 03:21:31 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/21 03:21:30 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/21 03:21:29 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/21 03:21:29 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/21 03:21:29 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/21 03:21:28 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/21 03:21:09 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/21 03:21:09 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/21 03:21:09 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2008/01/15 10:34:58 | 000,048,472 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\o2media.sys -- (O2MDRDR)
DRV - [2007/12/28 11:51:00 | 000,298,496 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk60x86.sys -- (yukonwlh)
DRV - [2007/12/17 11:45:20 | 000,018,432 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV - [2007/11/27 09:39:40 | 000,164,400 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/11/09 14:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2007/11/01 00:51:26 | 000,985,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2007/11/01 00:47:54 | 000,208,896 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2007/11/01 00:47:08 | 000,661,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2007/10/17 22:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/07/27 22:36:40 | 002,929,664 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2007/05/15 15:55:36 | 000,118,576 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\Windows\System32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2007/05/15 15:55:36 | 000,038,576 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\Windows\System32\drivers\InCDRm.sys -- (incdrm)
DRV - [2007/05/15 15:55:36 | 000,037,040 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\Windows\System32\drivers\InCDPass.sys -- (InCDPass)
DRV - [2007/04/23 10:50:50 | 000,025,896 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | System | Running] -- C:\Windows\System32\drivers\RtlProt.sys -- (RtlProt)
DRV - [2007/02/01 17:24:42 | 000,075,776 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ser2pl.sys -- (Ser2pl)
DRV - [2006/11/02 10:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 10:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 10:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 10:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 10:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 10:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 10:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 10:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 10:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 10:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 10:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 09:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 09:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 09:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 09:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 09:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 09:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 08:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/10/30 10:23:12 | 000,007,680 | ---- | M] (ATI Technologies Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AtiPcie.sys -- (AtiPcie) ATI PCI Express (3GIO)
DRV - [2006/10/23 17:32:20 | 000,009,216 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfec.sys -- (tosrfec)
DRV - [2006/10/18 12:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2905520605-798954039-3669010485-1145\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-2905520605-798954039-3669010485-1145\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=302398"
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: TechnicianConsole@logmeinrescue.com:6.2.0.743
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.6.20090220
FF - prefs.js..extensions.enabledItems: pdfforge@mybrowserbar.com:1.1.2
FF - prefs.js..extensions.enabledItems: searchsettings@spigot.com:1.2.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..network.proxy.type: 5


FF - HKLM\software\mozilla\Firefox\Extensions\\ff-bmboc@bytemobile.com: C:\Program Files\T-Mobile Mobile Broadband Manager\addon [2010/04/17 23:02:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/07 17:26:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/24 12:05:57 | 000,000,000 | ---D | M]

[2008/08/11 17:21:43 | 000,000,000 | ---D | M] -- C:\Users\samantha.EGRESS\AppData\Roaming\mozilla\Extensions
[2010/05/25 12:48:27 | 000,000,000 | ---D | M] -- C:\Users\samantha.EGRESS\AppData\Roaming\mozilla\Firefox\Profiles\ymtbijac.default\extensions
[2010/04/27 10:37:45 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\samantha.EGRESS\AppData\Roaming\mozilla\Firefox\Profiles\ymtbijac.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/01/04 10:15:37 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\samantha.EGRESS\AppData\Roaming\mozilla\Firefox\Profiles\ymtbijac.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/02/08 11:12:28 | 000,000,000 | ---D | M] -- C:\Users\samantha.EGRESS\AppData\Roaming\mozilla\Firefox\Profiles\ymtbijac.default\extensions\TechnicianConsole@logmeinrescue.com
[2010/05/20 09:29:21 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/20 09:29:21 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2008/06/30 22:02:00 | 000,663,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npOGAPlugin.dll

O1 HOSTS File: ([2010/05/26 16:11:16 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-2905520605-798954039-3669010485-1145\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe (Nero AG)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [PrnStatusMX] C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe (Marvell Semiconductor, Inc.)
O4 - HKLM..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe (Nero AG)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKLM..\Run: [UIExec] C:\Program Files\T-Mobile Mobile Broadband Manager\UIExec.exe ()
O4 - Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk = C:\Program Files\Toshiba\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk = C:\Program Files\Toshiba\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk = C:\Program Files\Toshiba\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
O4 - Startup: C:\Users\Samantha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk = C:\Program Files\Toshiba\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
O4 - Startup: C:\Users\zoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk = C:\Program Files\Toshiba\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
O4 - Startup: C:\Users\__sbs_netsetup__\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk = C:\Program Files\Toshiba\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-2905520605-798954039-3669010485-1145\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-2905520605-798954039-3669010485-1145\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2905520605-798954039-3669010485-1145\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - File not found
O9 - Extra Button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKU\S-1-5-21-2905520605-798954039-3669010485-1145\..Trusted Ranges: GD ([http] in Local intranet)
O15 - HKU\S-1-5-21-2905520605-798954039-3669010485-1145\..Trusted Ranges: Range78 ([*] in Local intranet)
O15 - HKU\S-1-5-21-2905520605-798954039-3669010485-1145\..Trusted Ranges: Range78 ([https] in Local intranet)
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} https://secure.logmeinrescue.com/TechConsol...scueControl.cab (LogMeIn Rescue Technician Console)
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} http://craggy-island/connectcomputer/nshelp.dll (NSHelp Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} Reg Error: Value error. (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 8.8.8.8 8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Egress.local
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img27.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img27.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2008/01/19 21:00:00 | 000,000,043 | R--- | M] () - F:\autorun.inf -- [ INCDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-2905520605-798954039-3669010485-1145\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/01/21 03:32:53 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

MsConfig - StartUpReg: 00TCrdMain - hkey= - key= - File not found
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Camera Assistant Software - hkey= - key= - C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe (Chicony)
MsConfig - StartUpReg: Google Desktop Search - hkey= - key= - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
MsConfig - StartUpReg: GrooveMonitor - hkey= - key= - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
MsConfig - StartUpReg: Jing - hkey= - key= - C:\Program Files\TechSmith\Jing\Jing.exe (TechSmith Corporation)
MsConfig - StartUpReg: LanguageShortcut - hkey= - key= - C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
MsConfig - StartUpReg: Logitech Vid - hkey= - key= - C:\Program Files\Logitech\Logitech Vid\vid.exe (Logitech Inc.)
MsConfig - StartUpReg: Picasa Media Detector - hkey= - key= - C:\Program Files\Picasa2\PicasaMediaDetector.exe (Google Inc.)
MsConfig - StartUpReg: SmoothView - hkey= - key= - File not found
MsConfig - StartUpReg: topi - hkey= - key= - C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe (TOSHIBA)
MsConfig - StartUpReg: Toshiba Registration - hkey= - key= - C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe (Toshiba)
MsConfig - StartUpReg: YouSendIt.exe - hkey= - key= - C:\Program Files\YouSendIt\Express\YouSendIt.exe ()
MsConfig - State: "startup" - 2

Drivers32: msacm.dvacm - C:\Program Files\Common Files\Ulead Systems\vio\DVACM.acm (Ulead Systems, Inc.)
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\Windows\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2010/05/27 09:00:18 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Users\samantha.EGRESS\Desktop\OTL.exe
[2010/05/26 16:14:13 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/05/26 16:14:10 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/05/26 16:14:10 | 000,000,000 | ---D | C] -- C:\Users\samantha.EGRESS\AppData\Local\temp
[2010/05/26 16:05:13 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/05/26 16:04:56 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/05/26 08:53:57 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010/05/25 16:59:15 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/05/25 16:59:15 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/05/25 16:59:15 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/05/25 16:57:57 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/05/25 16:57:39 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/25 11:41:29 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/05/25 11:35:39 | 000,000,000 | ---D | C] -- C:\Users\samantha.EGRESS\Desktop\Trojan Removal
[2010/05/24 10:31:40 | 001,523,712 | ---- | C] (Business Objects) -- C:\Windows\System32\libOCAHelper-2-13.dll
[2010/05/24 10:31:40 | 001,470,464 | ---- | C] (Business Objects) -- C:\Windows\System32\libOCAHelperw-2-13.dll
[2010/05/24 10:31:40 | 000,770,048 | ---- | C] (Business Objects) -- C:\Windows\System32\libOCASecurityw-1-6.dll
[2010/05/24 10:31:40 | 000,585,728 | ---- | C] (Business Objects) -- C:\Windows\System32\fssl-1-2-1-1.dll
[2010/05/24 10:31:40 | 000,086,016 | ---- | C] (Business Objects) -- C:\Windows\System32\etc-1-0-12-3.dll
[2010/05/24 10:31:39 | 001,728,512 | ---- | C] (Business Objects) -- C:\Windows\System32\ebus-3-3-2-4.dll
[2010/05/24 10:31:39 | 001,654,784 | ---- | C] (Business Objects) -- C:\Windows\System32\cslibu-2-0-0.dll
[2010/05/24 10:31:39 | 001,273,856 | ---- | C] (Business Objects) -- C:\Windows\System32\cxlib-2-6.dll
[2010/05/24 10:31:39 | 001,265,664 | ---- | C] (Business Objects) -- C:\Windows\System32\cxlibw-2-6.dll
[2010/05/24 10:31:39 | 001,060,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc71.dll
[2010/05/24 10:31:39 | 001,047,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc71u.dll
[2010/05/24 10:31:39 | 000,089,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\atl71.dll
[2010/05/24 10:31:26 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Business Objects
[2010/05/24 10:17:34 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/05/24 10:17:32 | 000,000,000 | ---D | C] -- C:\ProgramData\avg9
[2010/05/24 10:04:58 | 037,908,376 | ---- | C] (AVG Technologies) -- C:\Users\samantha.EGRESS\Desktop\avg_rad_stf_all_90_790.exe
[2010/05/24 10:01:03 | 121,175,904 | ---- | C] (AVG Technologies) -- C:\Users\samantha.EGRESS\Desktop\avg_ipw_stf_all_90_800a2779.exe
[2010/05/24 08:46:27 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2010/05/21 16:53:26 | 000,000,000 | ---D | C] -- C:\ProgramData\SITEguard
[2010/05/21 16:51:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2010/05/21 16:51:31 | 000,000,000 | ---D | C] -- C:\ProgramData\STOPzilla!
[2010/05/20 15:40:59 | 000,000,000 | ---D | C] -- C:\Users\samantha.EGRESS\Desktop\Focus_2.697
[2010/05/20 09:29:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/05/20 09:29:13 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2010/05/20 09:29:13 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/05/20 09:29:13 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/05/20 09:29:13 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/05/19 19:30:24 | 000,380,928 | ---- | C] (Realtek) -- C:\Windows\RtlUI2.exe
[2010/05/19 19:30:23 | 000,614,400 | ---- | C] (Realtek Semiconductor Corp. ) -- C:\Windows\System32\Rtlihvs.dll
[2010/05/19 19:30:23 | 000,188,416 | ---- | C] (Realtek Semiconductor Corp. ) -- C:\Windows\System32\RTLExtUI.dll
[2010/05/19 11:16:45 | 000,000,000 | ---D | C] -- C:\Users\samantha.EGRESS\AppData\Local\VirtualStore
[2010/05/19 09:36:01 | 000,000,000 | ---D | C] -- C:\Users\samantha.EGRESS\Documents\Shared Toad
[2010/05/19 09:26:43 | 000,000,000 | ---D | C] -- C:\Users\samantha.EGRESS\AppData\Local\Quest Software
[2010/05/19 09:14:35 | 000,000,000 | ---D | C] -- C:\Users\samantha.EGRESS\AppData\Roaming\Quest Software
[2010/05/19 09:08:34 | 000,000,000 | ---D | C] -- C:\Users\samantha.EGRESS\AppData\Roaming\Software
[2010/05/19 09:08:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Quest Software
[2010/05/19 09:07:50 | 000,000,000 | ---D | C] -- C:\Program Files\Quest Software
[2010/05/19 09:07:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Quest Shared
[2010/04/28 10:59:06 | 000,000,000 | ---D | C] -- C:\Users\samantha.EGRESS\Desktop\Mark
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/27 09:05:06 | 000,000,424 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{B259B98A-0393-4AA9-8AED-F3997EE91F78}.job
[2010/05/27 09:05:00 | 007,864,320 | -HS- | M] () -- C:\Users\samantha.EGRESS\ntuser.dat
[2010/05/27 08:59:04 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\samantha.EGRESS\Desktop\OTL.exe
[2010/05/27 08:25:32 | 000,005,120 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/27 08:25:32 | 000,005,120 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/27 08:25:29 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/27 08:25:25 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/27 08:25:22 | 3085,361,152 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/26 17:51:04 | 000,524,288 | -HS- | M] () -- C:\Users\samantha.EGRESS\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms
[2010/05/26 17:51:04 | 000,065,536 | -HS- | M] () -- C:\Users\samantha.EGRESS\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf
[2010/05/26 17:50:58 | 003,848,070 | -H-- | M] () -- C:\Users\samantha.EGRESS\AppData\Local\IconCache.db
[2010/05/26 16:11:21 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/05/26 16:11:16 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/05/26 16:06:40 | 000,001,230 | ---- | M] () -- C:\CF-Submit.htm
[2010/05/25 16:54:56 | 003,698,362 | R--- | M] () -- C:\Users\samantha.EGRESS\Desktop\ComboFix.exe
[2010/05/25 13:21:03 | 000,000,000 | ---- | M] () -- C:\Users\samantha.EGRESS\defogger_reenable
[2010/05/25 11:38:34 | 000,002,000 | ---- | M] () -- C:\Windows\System32\drivers\kgpcpy.cfg
[2010/05/25 10:08:36 | 000,818,870 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/05/25 10:08:36 | 000,689,550 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/05/25 10:08:36 | 000,141,746 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/05/24 15:26:00 | 000,000,036 | ---- | M] () -- C:\Users\samantha.EGRESS\AppData\Local\housecall.guid.cache
[2010/05/24 12:05:58 | 000,001,892 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 8.lnk
[2010/05/24 10:31:40 | 001,728,512 | ---- | M] (Business Objects) -- C:\Windows\System32\ebus-3-3-2-4.dll
[2010/05/24 10:31:40 | 001,523,712 | ---- | M] (Business Objects) -- C:\Windows\System32\libOCAHelper-2-13.dll
[2010/05/24 10:31:40 | 001,470,464 | ---- | M] (Business Objects) -- C:\Windows\System32\libOCAHelperw-2-13.dll
[2010/05/24 10:31:40 | 000,770,048 | ---- | M] (Business Objects) -- C:\Windows\System32\libOCASecurityw-1-6.dll
[2010/05/24 10:31:40 | 000,585,728 | ---- | M] (Business Objects) -- C:\Windows\System32\fssl-1-2-1-1.dll
[2010/05/24 10:31:40 | 000,086,016 | ---- | M] (Business Objects) -- C:\Windows\System32\etc-1-0-12-3.dll
[2010/05/24 10:31:39 | 001,654,784 | ---- | M] (Business Objects) -- C:\Windows\System32\cslibu-2-0-0.dll
[2010/05/24 10:31:39 | 001,273,856 | ---- | M] (Business Objects) -- C:\Windows\System32\cxlib-2-6.dll
[2010/05/24 10:31:39 | 001,265,664 | ---- | M] (Business Objects) -- C:\Windows\System32\cxlibw-2-6.dll
[2010/05/24 10:31:39 | 001,060,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mfc71.dll
[2010/05/24 10:31:39 | 001,047,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mfc71u.dll
[2010/05/24 10:31:39 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\atl71.dll
[2010/05/21 16:53:20 | 007,675,904 | -H-- | M] () -- C:\SZKGFS.dat
[2010/05/19 19:27:00 | 000,347,648 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\Windows\System32\drivers\rtl8187B.sys
[2010/05/19 09:15:18 | 000,000,020 | ---- | M] () -- C:\Users\samantha.EGRESS\AppData\Roaming\qvjsge.dat
[2010/05/19 08:51:53 | 000,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini
[2010/05/19 08:51:49 | 000,009,728 | ---- | M] () -- C:\Users\samantha.EGRESS\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/12 11:21:16 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010/05/05 16:45:38 | 000,228,864 | ---- | M] () -- C:\Users\samantha.EGRESS\Desktop\Setting Up Netport.doc
[2010/05/05 16:45:22 | 000,228,864 | ---- | M] () -- C:\Users\samantha.EGRESS\Documents\Setting Up Netport.doc
[2010/04/30 08:40:17 | 000,554,960 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/26 16:06:40 | 000,001,230 | ---- | C] () -- C:\CF-Submit.htm
[2010/05/25 16:59:15 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/05/25 16:59:15 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/05/25 16:59:15 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/05/25 16:59:15 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/05/25 16:59:15 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/05/25 16:56:29 | 003,698,362 | R--- | C] () -- C:\Users\samantha.EGRESS\Desktop\ComboFix.exe
[2010/05/25 13:21:03 | 000,000,000 | ---- | C] () -- C:\Users\samantha.EGRESS\defogger_reenable
[2010/05/25 10:31:56 | 000,002,000 | ---- | C] () -- C:\Windows\System32\drivers\kgpcpy.cfg
[2010/05/24 15:26:00 | 000,000,036 | ---- | C] () -- C:\Users\samantha.EGRESS\AppData\Local\housecall.guid.cache
[2010/05/24 08:46:51 | 000,001,892 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 8.lnk
[2010/05/21 16:53:20 | 007,675,904 | -H-- | C] () -- C:\SZKGFS.dat
[2010/05/19 19:30:25 | 000,000,901 | ---- | C] () -- C:\Windows\RtlUI2.exe.manifest
[2010/05/19 19:30:21 | 000,451,072 | ---- | C] () -- C:\Windows\System32\ISSRemoveSP.exe
[2010/05/19 09:15:02 | 000,000,020 | ---- | C] () -- C:\Users\samantha.EGRESS\AppData\Roaming\qvjsge.dat
[2010/05/05 16:45:37 | 000,228,864 | ---- | C] () -- C:\Users\samantha.EGRESS\Desktop\Setting Up Netport.doc
[2010/05/05 16:45:21 | 000,228,864 | ---- | C] () -- C:\Users\samantha.EGRESS\Documents\Setting Up Netport.doc
[2010/03/16 17:40:03 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll
[2010/02/01 15:03:45 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2009/10/20 09:02:39 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2008/08/14 09:16:19 | 000,000,447 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/08/11 23:12:51 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2008/08/11 17:53:22 | 000,000,398 | ---- | C] () -- C:\Windows\System32\CNCMP60.INI
[2008/07/25 15:01:48 | 000,008,784 | ---- | C] () -- C:\Windows\System32\ractrlkeyhook.dll
[2008/07/22 15:01:48 | 000,131,072 | ---- | C] () -- C:\Windows\System32\EnumDevLib.dll
[2008/03/04 10:57:41 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2008/03/04 10:39:12 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2008/03/04 10:39:12 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2008/03/04 10:39:12 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2008/03/04 10:39:12 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2008/03/04 10:39:12 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2008/03/04 10:39:12 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2008/03/04 09:59:51 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2008/03/04 09:59:51 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2008/03/04 09:59:51 | 000,009,484 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2008/03/04 09:59:51 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2008/02/07 10:05:18 | 000,163,840 | ---- | C] () -- C:\Windows\System32\hppatusg01.dll
[2008/02/04 19:35:32 | 000,118,784 | ---- | C] () -- C:\Windows\System32\Focus32.dll
[2008/01/28 18:01:42 | 000,057,344 | ---- | C] () -- C:\Windows\System32\SmartFaceVCapt.dll
[2008/01/28 18:01:06 | 000,471,040 | ---- | C] () -- C:\Windows\System32\SmartFaceVCP.dll
[2008/01/28 17:53:02 | 006,701,056 | ---- | C] () -- C:\Windows\System32\FaceHI.dll
[2008/01/28 17:53:02 | 000,995,328 | ---- | C] () -- C:\Windows\System32\FaceRec.dll
[2008/01/28 17:53:02 | 000,126,976 | ---- | C] () -- C:\Windows\System32\SmartFaceVCtrl.dll
[2008/01/28 17:52:28 | 000,094,208 | ---- | C] () -- C:\Windows\System32\IppLib.dll
[2008/01/21 03:23:41 | 000,081,158 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en
[2007/12/21 17:46:32 | 000,118,784 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll
[2007/10/29 13:26:44 | 000,118,784 | ---- | C] () -- C:\Windows\System32\MFSEngine.dll
[2007/08/03 09:37:12 | 000,065,536 | ---- | C] () -- C:\Windows\System32\HRiBio32.dll
[2007/02/07 08:42:08 | 000,106,496 | ---- | C] () -- C:\Windows\System32\BS_SDK.dll
[2007/01/29 13:44:12 | 000,045,056 | ---- | C] () -- C:\Windows\System32\hrihp32.dll
[2006/11/02 13:34:20 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2005/07/22 22:30:18 | 000,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2007/07/27 22:26:42 | 000,344,064 | ---- | M] (Advanced Micro Devices, Inc.) Unable to obtain MD5 -- C:\Windows\System32\ATIDEMGX.dll
[2009/04/11 07:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2009/04/11 07:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll
[2009/04/11 07:28:25 | 000,443,392 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\win32spl.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/01/21 04:16:46 | 017,956,864 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2008/01/21 04:16:31 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2008/01/21 04:16:46 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 11:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 11:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\*. /mp /s >

< %SYSTEMDRIVE%\*.exe >
< End of report >


Extras.txt...........


OTL Extras logfile created on: 27/05/2010 09:05:15 - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Users\samantha.EGRESS\Desktop
Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 67.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.96 Gb Total Space | 27.03 Gb Free Space | 36.06% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 72.62 Gb Total Space | 67.73 Gb Free Space | 93.26% Space Free | Partition Type: NTFS
Drive F: | 2.87 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: INCDFS
Drive G: | 953.72 Mb Total Space | 562.00 Mb Free Space | 58.93% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FATHER-DOUGAL
Current User Name: samantha
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2905520605-798954039-3669010485-1145\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2FC6F7CF-51CB-4F0D-BD16-606A75C9E7C9}" = lport=1542 | protocol=6 | dir=in | name=realtek wps tcp prot |
"{426968F5-DF56-4A72-AA50-06EDF9F91871}" = lport=1542 | protocol=17 | dir=in | name=realtek wps udp prot |
"{56E27565-FF11-444B-9F12-3B2DC7C200DC}" = lport=2869 | protocol=6 | dir=in | app=system |
"{62A88381-9DE6-4D6D-B35E-5AF3B70CB226}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{D28626AE-2443-4797-8F2A-B966F5C2322B}" = lport=53 | protocol=17 | dir=in | name=realtek ap udp prot |
"{E34F1B81-D318-4E9E-8CB8-B460E9166F93}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0B28B72D-5620-4446-A517-EDACB0FE586E}" = protocol=6 | dir=in | app=c:\program files\logitech\logitech vid\vid.exe |
"{0E5222D2-C81B-4998-9ED4-DD68CE0F1C55}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{2A8D7851-7338-4CF7-A664-D17295FD6513}" = protocol=17 | dir=in | app=c:\program files\realtek\rtl8187b wireless lan utility\rtwlan.exe |
"{42F349AE-8243-49A9-83F1-35E5FFFE2690}" = protocol=6 | dir=in | app=c:\program files\logitech\logitech vid\vid.exe |
"{44E4D9BB-4055-4344-991A-2D3C7ACDD2C2}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{471F4CDB-9020-4A3D-9E68-F876C3E6FA3B}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{7C587BB3-182A-4517-8F14-0B338E74054E}" = protocol=6 | dir=in | app=c:\program files\logitech\logitech vid\vid.exe |
"{A38BDB36-8465-4BB8-9897-4F7A38B1EE62}" = protocol=17 | dir=in | app=c:\program files\logitech\logitech vid\vid.exe |
"{B483470B-4854-492B-BF51-A3E7A5FF8906}" = protocol=17 | dir=in | app=c:\program files\logitech\logitech vid\vid.exe |
"{C543B226-0E29-4EFD-ACAD-29EB89EBA3B6}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{D0784752-D5AC-499C-86F7-3A0187A8F015}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{F6B101D3-A166-462A-84FD-C9B61E5844A3}" = protocol=17 | dir=in | app=c:\program files\logitech\logitech vid\vid.exe |
"{FA304871-C8F3-4743-8F87-FB23D482E42F}" = protocol=6 | dir=in | app=c:\program files\realtek\rtl8187b wireless lan utility\rtwlan.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{02CA24DD-C8B0-4280-BE53-7862869C2EB1}" = Realtek WiFi Protected Setup Library
"{02DD09E1-3365-75C2-BFD0-43412EEFB45E}" = CCC Help Finnish
"{033649DD-2651-D029-5663-29E61094E7E8}" = Catalyst Control Center Core Implementation
"{053B3DA8-91B5-4682-A130-715412A1A252}" = Paint.NET v3.5.4
"{0A084990-69FE-6D33-4BD0-AD6FD8AE57E8}" = CCC Help Japanese
"{0B884C9B-5D85-4461-88EE-826E1BB33008}" = Serif PagePlus 11
"{0F4F4815-76AD-4B26-8763-72F3344041C2}" = TOSHIBA Manuals
"{11E2CEB4-09B4-1392-392D-4FAA23B88AF8}" = CCC Help Italian
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{1365D613-47EA-38F7-BD83-0F1A8E6AFAAE}" = CCC Help Polish
"{13F00518-807A-4B3A-83B0-A7CD90F3A398}" = MarketResearch
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{160D6F45-15AF-10A2-DC61-FB4FE5CBE9BA}" = Skins
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{18796D6B-60D7-2771-D145-90A366A9A78D}" = CCC Help German
"{18A5DFF2-8A95-49F3-873F-743CB5549F3D}" = Canon ScanGear Starter
"{1ABBBBA0-A790-3C9D-F806-A14140BCDFBF}" = ccc-utility
"{1E187923-04E5-4E1F-9BF2-40E32D93A1C4}" = HP Color LaserJet CP1210 Series Toolbox
"{1F26C039-E655-91CB-E3AD-82A272BCD8B6}" = CCC Help English
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
"{2015087B-31D9-8661-5A9C-B1EA6D3C22C0}" = CCC Help Turkish
"{202B6750-A01B-A7BD-7D0B-ADE001239C04}" = CCC Help Hungarian
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{2290A680-4083-410A-ADCC-7092C67FC052}" = Toshiba Online Product Information
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{23E5032B-56CA-4C19-A72E-B50161DB82CA}" = Shadow Copy Client
"{2547290E-8DDF-7479-4E73-9CFE99989F08}" = CCC Help Norwegian
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 20
"{26DDB12A-CB5E-4C0B-89AF-817CA0E59CC9}" = HP LaserJet Toolbox
"{28E9B542-E70C-8C81-D5A9-D4410FDDA1D8}" = Catalyst Control Center Localization Korean
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (FOCUS)
"{2B95D414-26A8-8DD6-567E-E58B2C0CAF69}" = CCC Help Czech
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{3347DE17-A1EE-16C6-A7B0-F474FB3B985A}" = Catalyst Control Center Localization Dutch
"{353A838E-85B5-F8E7-FABA-EA2055DD4418}" = ccc-core-static
"{35691D1C-EBA1-D1BF-53D0-00BD59713DF5}" = Catalyst Control Center Localization Finnish
"{36F7B270-B9EF-E9AB-87AE-67FE6EBD232B}" = CCC Help Danish
"{372B31CF-77FB-4E29-860C-A0EA2985AB7F}" = O2Micro Flash Memory Card Reader Driver (x86)
"{37C866E4-AA67-4725-9E95-A39968DD7960}" = Camera Assistant Software for Toshiba
"{38767763-328D-7529-7E25-909C15ED2A87}" = Catalyst Control Center Localization Russian
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
"{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{3FA3B438-18DB-97BE-FB52-AEF329CF85E5}" = Catalyst Control Center Localization Hungarian
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{46516ED6-47E6-31C1-F3A7-1D280FBA6438}" = Catalyst Control Center Localization Portuguese
"{46EB4EC8-F43A-D6D9-97EB-A23B625BD8C9}" = CCC Help Korean
"{491DD193-1B57-4D1C-8B14-18B96992A89F}" = TOSHIBA Supervisor Password
"{49E5F021-4DA5-41A3-A893-0A9564D30264}" = Jing
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4FBCEA31-5D18-4212-9231-DE7CF1BE7DBB}" = Logitech Vid
"{52573F8D-F099-4CB5-9EDE-5C27ECB4A02B}" = TOSHIBA Hardware Setup
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{54360A73-B080-4A69-BFD4-53C190DD3AB0}" = HP Color LaserJet CP1210 Series
"{549514BF-2BDA-422B-9134-67B5A79C2487}" = NTRconnect
"{54D1E808-FF55-45ED-9626-E5817077B763}" = DeviceInstaller
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5791B7D3-8B34-4218-9750-6A8E45D0AD32}" = pdfforge Toolbar v1.1.2
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{5F3D958A-ADBF-98D0-5F7C-25B61B9FC941}" = Catalyst Control Center Graphics Previews Vista
"{60D1F96A-1858-6EFC-1303-425BA95DB80E}" = Catalyst Control Center Localization Japanese
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{61CA53F0-C162-DD83-64CA-3746A5ECA94A}" = Catalyst Control Center Localization Danish
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6717AD52-855E-BA83-C733-151C5D9EAFF5}" = Catalyst Control Center Graphics Light
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{6E1205BF-25BC-44A5-B10E-34402BFF5D45}" = PHP 5.2.6
"{7613C81D-378E-BECD-0FFC-8C4345FAD40C}" = ATI Catalyst Install Manager
"{76F0B78F-8E7F-1FD5-5A16-4D7DE94871B1}" = Catalyst Control Center Localization Chinese Traditional
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{773970F1-5EBA-4474-ADEE-1EA3B0A59492}" = TRDCReminder
"{78A2312B-CF4A-4EC5-B025-4CE5C5BD7C8E}_is1" = Free VAT Calculator 1.0.10
"{78C6A78A-8B03-48C8-A47C-78BA1FCA2307}" = TOSHIBA ConfigFree
"{7902E313-FF0F-4493-ACB1-A8147B78DCD0}" = HPSSupply
"{7B5F16F1-6929-74B3-6265-62DBD5AC997F}" = Catalyst Control Center Localization Turkish
"{7CC30050-DAEC-8076-8DC9-30012A0B5EC9}" = CCC Help Greek
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{85262A06-2D8C-4BC1-B6ED-5A705D09CFFC}" = Apache HTTP Server 2.2.9
"{895722FE-25FE-4854-95AC-B0C42F9DBEDA}" = REALTEK RTL8187B Wireless LAN Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8AE70EF8-F70C-E35C-CC76-AD0B85827C08}" = Catalyst Control Center Graphics Full Existing
"{8C8224B7-AA9B-4807-97CD-55899BAC83FE}" = YouSendIt Express
"{8CF50625-4147-9026-6BF2-8AB7CE8ABE93}" = Catalyst Control Center Localization Polish
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{949D54CF-E476-30C5-42A8-69C75C51A875}" = CCC Help Swedish
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{97E9C12B-1319-B6AF-39E4-E8204C887564}" = CCC Help Chinese Standard
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9B4E6CB9-E54D-47F7-A414-E2D5740E1033}" = Nero 7 Essentials
"{9C09E3A4-850A-40B2-B94F-EBFB5349C238}" = hppusgCP1215
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{9FE96851-05ED-4D86-B202-8A4BC79671D9}" = LogMeIn Rescue Technician Console
"{A4512736-8D63-4298-9271-5329931FA46B}" = Microsoft SQL Server Management Studio Express
"{A58DF0E3-4A0C-2BCE-0761-A04A38302E61}" = CCC Help Thai
"{A82D052A-0806-42DF-80CD-1730A1AC0ED3}" = MrvlUsgTracking
"{A8432E22-FDAD-02FE-6FD5-E1395C186FBB}" = Catalyst Control Center Localization Italian
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A871F719-F328-8A59-951E-C57E165DA65A}" = Catalyst Control Center Localization French
"{A9E5EDA7-2E6C-49E7-924B-A32B89C24A04}" = T-Mobile Mobile Broadband Manager
"{AA18EE51-24A5-4748-A5E2-4B035C9A4AB2}" = Canon MP780
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.2
"{AD8178D1-B2E2-43E7-63E4-1320DD2E0F27}" = Catalyst Control Center Localization Chinese Standard
"{B063AFC7-F4E1-8164-6FA9-DC72C7A5DC22}" = Catalyst Control Center Localization Swedish
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Disc Creator
"{B6A7D977-9617-6175-8B4C-F365B1C0E75E}" = Catalyst Control Center Graphics Full New
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}" = HP Software Update
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{BDD9AC08-2895-DE6A-2539-F026FC3A7905}" = CCC Help Portuguese
"{BE686891-3C56-4714-AFEF-341A7867BA80}" = REALTEK Wireless LAN Driver and Utility
"{C606A7D5-6F16-8D93-CB93-3CD545F0FD90}" = Catalyst Control Center Localization Spanish
"{C6AA3FB7-804F-4808-AD91-B62D6ED9B788}" = Windows Vista Upgrade Advisor
"{C730E42C-935A-45BB-A0C5-37E5234D111B}" = TOSHIBA Face Recognition
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CBA24065-7561-3A01-B624-620C4B5532E7}" = CCC Help French
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{CFBCC6ED-95B8-436F-83A3-42E88A36F0C3}" = Focus 2
"{D58A1E94-9EEA-4C6E-B9FB-D7C63DC6C941}" = Catalyst Control Center - Branding
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{D79B4F31-E69A-04C3-C5C9-9CB8DD0F2331}" = CCC Help Russian
"{D819A5E4-30CB-0D5E-2034-B16A9342F0DB}" = Catalyst Control Center Localization Greek
"{D915CDB9-E57D-FF82-251B-83776E954615}" = Catalyst Control Center Localization Thai
"{D962B2EA-1848-3A51-CB4A-45C82D4FF543}" = Catalyst Control Center Localization German
"{DC91AE54-9AA2-2CB2-180A-36B16069FB47}" = Catalyst Control Center Localization Czech
"{DED6CDFB-5C63-DA19-8CD1-1EE016717139}" = CCC Help Chinese Traditional
"{E1266AC2-A3B5-1FBC-4776-16AF83C22E26}" = CCC Help Dutch
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E56E2DFF-9B53-E03A-4913-57F35764C659}" = Catalyst Control Center Localization Norwegian
"{E65C7D8E-186D-484B-BEA8-DEF0331CE600}" = TRORDCLauncher
"{E6B5F5E7-51B6-D334-D953-35B847A81AC7}" = CCC Help Spanish
"{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}" = TOSHIBA SD Memory Utilities
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}" = DVD MovieFactory for TOSHIBA
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"ActiveTouchMeetingClient" = WebEx
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CANONIJINBOXADDON100" = Canon Inkjet Printer Driver Add-On Module
"CNXT_AUDIO_HDA" = Conexant HD Audio
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_5051&SUBSYS_1179" = HDAUDIO Soft Data Fax Modem with SmartCP
"Data Dynamics ActiveReports 2" = Data Dynamics ActiveReports 2
"Diagram Designer" = Diagram Designer
"ENTERPRISER" = Microsoft Office Enterprise 2007
"exPressit S.E. 2.1" = exPressit S.E. 2.1
"FileZilla Client" = FileZilla Client 3.1.1.1
"Google Desktop" = Google Desktop
"Hamachi" = Hamachi 1.0.3.0
"HexCmp 2_is1" = HexCmp 2.34.1
"HP Color LaserJet CP1210 Series" = HP Color LaserJet CP1210 Series
"HxD Hex Editor_is1" = HxD Hex Editor version 1.7.7.0
"InstallShield_{491DD193-1B57-4D1C-8B14-18B96992A89F}" = TOSHIBA Supervisor Password
"InstallShield_{52573F8D-F099-4CB5-9EDE-5C27ECB4A02B}" = TOSHIBA Hardware Setup
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{773970F1-5EBA-4474-ADEE-1EA3B0A59492}" = TRDCReminder
"InstallShield_{8C8224B7-AA9B-4807-97CD-55899BAC83FE}" = YouSendIt Express
"InstallShield_{C730E42C-935A-45BB-A0C5-37E5234D111B}" = TOSHIBA Face Recognition
"InstallShield_{E65C7D8E-186D-484B-BEA8-DEF0331CE600}" = TRORDCLauncher
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"MediaNavigation.CDLabelPrint" = CD-LabelPrint
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"myphotobook" = myphotobook 3.5
"Nvu_is1" = Nvu 1.0
"Picasa2" = Picasa 2
"SafeHouseExplorer" = SafeHouse Explorer 3.00
"Tera Term_is1" = Tera Term 4.65
"VLC media player" = VLC media player 1.0.5
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"WinLiveSuite_Wave3" = Windows Live Essentials

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2905520605-798954039-3669010485-1145\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.1.0.366

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >





#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:09:46 AM

Posted 27 May 2010 - 08:11 AM

Hi Wileywolf,

Please let me know in your next reply how the machine is running and if you are having any more problems, thanks.


Go to the Malware Upload Channel and upload the following file.
  • Please enter the link to the topic in the text box next to: Link to topic where this file was requested:
url here
  • Then click "Browse" on the line below and navigate to the following file:
C:\Qoobox\Quarantine\[4]-Submit_2010-05-26_16.06.37.zip
  • Click Send File
Please let me know when the submission has finished. Thanks.



Please download JavaRa and unzip it to your desktop.
Then print these instructions, as you won't have Internet access during this particular phase.

Close any instances of Internet Explorer before continuing
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English or the appropriate language...and click on Select.
  • JavaRa will open; select Remove Older Versions, click Yes, then OK.
  • A logfile will pop up, you can close it.
  • Now select Additional Tasks and check the following:
    Remove Useless JRE Files
    Remove Startup Entry
  • Click Go then ok to all the prompts, once done restart your computer.



Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE, you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push



Once you have done these instructions, please reinstall your AV, then do the next step.



Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    CODE
    :OTL
    SRV - [2010/01/08 01:51:02 | 000,380,928 | ---- | M] (Spigot, Inc.) [Auto | Running] -- C:\Program Files\Application Updater\ApplicationUpdater.exe -- (Application Updater)
    FF - prefs.js..extensions.enabledItems: searchsettings@spigot.com:1.2.3
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O9 - Extra Button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - File not found
    O9 - Extra Button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - File not found
    O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} Reg Error: Value error. (Java Plug-in 1.6.0_16)
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O37 - HKU\S-1-5-21-2905520605-798954039-3669010485-1145\...exe [@ = exefile] -- Reg Error: Key error. File not found
    MsConfig - StartUpReg: 00TCrdMain - hkey= - key= - File not found
    MsConfig - StartUpReg: SmoothView - hkey= - key= - File not found
    [2010/05/19 09:15:18 | 000,000,020 | ---- | M] () -- C:\Users\samantha.EGRESS\AppData\Roaming\qvjsge.dat
    :Files
    C:\Program Files\Application Updater
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run a new OTL scan without the bold text, and post the new OTL log.


Then in your next reply, please let me know if you are having any more problems and post back here with the following logs:
  • ESET report
  • OTL results
  • New OTL log

Thanks

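The OTL fix script in the post above is a small line-oriented format: a section header (:OTL, :Files, :Commands) followed by one entry per line, where each :OTL entry names a service, browser setting, CLSID, registry policy key or file that the tool will remove. As an added example that is not part of this thread and is not OTL's own code, the Python below parses such a script into a checklist of the concrete artifacts it touches (paths on disk, CLSIDs, registry keys), which is what an analyst wants to re-check after the fix and the follow-up scan have run. The field layout it relies on (' - ' after the entry type, ' -- ' between the fields of service and file entries, a trailing ' present' after a policy key) is inferred from the lines in syler's post, not taken from an OTL specification; the sample input is that script, reproduced as a constant.

```python
"""Turn an OTL fix script into a post-fix verification checklist.

Added example. The line layout (':' section headers, 'TYPE - ' prefixes,
' -- ' between service/file fields, ' present' after a policy key) is
inferred from the entries in the post above, not from an OTL specification.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: the fix script from the post above, verbatim.
SAMPLE_FIX = r"""
:OTL
SRV - [2010/01/08 01:51:02 | 000,380,928 | ---- | M] (Spigot, Inc.) [Auto | Running] -- C:\Program Files\Application Updater\ApplicationUpdater.exe -- (Application Updater)
FF - prefs.js..extensions.enabledItems: searchsettings@spigot.com:1.2.3
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O9 - Extra Button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - File not found
O9 - Extra Button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - File not found
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} Reg Error: Value error. (Java Plug-in 1.6.0_16)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O37 - HKU\S-1-5-21-2905520605-798954039-3669010485-1145\...exe [@ = exefile] -- Reg Error: Key error. File not found
MsConfig - StartUpReg: 00TCrdMain - hkey= - key= - File not found
MsConfig - StartUpReg: SmoothView - hkey= - key= - File not found
[2010/05/19 09:15:18 | 000,000,020 | ---- | M] () -- C:\Users\samantha.EGRESS\AppData\Roaming\qvjsge.dat
:Files
C:\Program Files\Application Updater
:Commands
[purity]
[emptytemp]
[emptyflash]
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Registry key after a hive abbreviation; a trailing ' present' (O6) or a
# ' [...]' association suffix (O37) is not part of the key itself.
REGKEY_RE = re.compile(r"\b(HKLM|HKCU|HKU|HKCR)\\(.+?)(?:\s+present|\s+\[.*)?$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Artifact:
    section: str                  # ':OTL', ':Files' or ':Commands'
    kind: str                     # entry type (SRV, O2, ...), 'File', 'Path' or 'Command'
    raw: str                      # original line, kept for the analyst's record
    paths: List[str] = field(default_factory=list)
    clsids: List[str] = field(default_factory=list)
    reg_keys: List[str] = field(default_factory=list)


def parse_otl_fix(text: str) -> List[Artifact]:
    """Parse the three sections of a fix script into Artifact records."""
    artifacts: List[Artifact] = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(":"):
            section = line
            continue
        if section is None:
            raise ValueError(f"entry outside any section: {line!r}")
        if section == ":Commands":
            artifacts.append(Artifact(section, "Command", line))
            continue
        if section == ":Files":
            artifacts.append(Artifact(section, "Path", line, paths=[line]))
            continue
        # :OTL entries: a leading bracketed timestamp marks a file entry; otherwise
        # the text before the first ' - ' is the entry type (SRV, O2, MsConfig, ...).
        kind = "File" if line.startswith("[") else line.split(" - ", 1)[0]
        art = Artifact(section, kind, line)
        art.clsids = CLSID_RE.findall(line)
        # Service and file entries separate their fields with ' -- '; any field
        # after the first that begins with a drive letter is a path on disk.
        parts = line.split(" -- ")
        art.paths = [p for p in parts[1:] if DRIVE_RE.match(p)]
        m = REGKEY_RE.search(parts[0])
        if m:
            art.reg_keys.append(f"{m.group(1)}\\{m.group(2)}")
        artifacts.append(art)
    return artifacts


def verification_checklist(artifacts: List[Artifact]) -> Dict[str, List[str]]:
    """Flatten the artifacts into the distinct items to re-check after the fix."""
    return {
        "paths": sorted({p for a in artifacts for p in a.paths}),
        "clsids": sorted({c.upper() for a in artifacts for c in a.clsids}),
        "reg_keys": sorted({k for a in artifacts for k in a.reg_keys}),
    }


if __name__ == "__main__":
    for name, items in verification_checklist(parse_otl_fix(SAMPLE_FIX)).items():
        print(f"{name}:")
        for item in items:
            print(f"  {item}")
```

Running the script prints three short lists; each path should be absent, each CLSID should no longer be referenced under the BHO, Extra Button, DPF or ShellExecuteHooks keys, and each policy key should be gone once the fix and reboot have completed. Entries the parser cannot reduce to a concrete artifact (the FF preference, the MsConfig startup names) keep only their raw line, so nothing from the script is silently dropped.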


#15 Wileywolf

Wileywolf
  • Topic Starter

  • Members
  • 13 posts
  • Local time:09:46 AM

Posted 01 June 2010 - 04:55 AM

Hi Syler,

Hope you had a good bank holiday weekend!

Reports attached as requested....

The ESET scan did report something about a trojan so I'm not sure if the machine is fully clean yet?

I've reinstalled AVG on the machine now but it is still disconnected from the internet just to be sure until you say it's ok to do so.

Would you recommend running CCleaner? I've heard it's a good little program...

Thanks!




Attached Files





