another win32.tdss.rtk victim... help plz
awishstar
2009-09-28, 21:55
Hi,
My lil cousin's laptop has the win32.tdss.rtk virus/malware. I have tried many methods from around the web. Here is what I have done:
Uninstall Limewire
Uninstall AVG free virus (it was buggy and crashing)
ran spybot-sd many times
ran ComboFix (saw it from another post) (log posted)
ComboFix crashed the computer when run again now.
GMER crashed the comp as well.
Please help, the kids need their laptop for school. Also, does anyone have any good software to prevent this from happening again? I installed AVG, Malwarebytes, Spybot and still got this virus. Very frustrating.
awishstar
2009-09-28, 21:56
sysprot log file
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No
Name: System
PID: 4
Hidden: No
Window Visible: No
Name: C:\Windows\System32\smss.exe
PID: 404
Hidden: No
Window Visible: No
Name: C:\Windows\System32\csrss.exe
PID: 480
Hidden: No
Window Visible: No
Name: C:\Windows\System32\wininit.exe
PID: 532
Hidden: No
Window Visible: No
Name: C:\Windows\System32\csrss.exe
PID: 544
Hidden: No
Window Visible: No
Name: C:\Windows\System32\services.exe
PID: 576
Hidden: No
Window Visible: No
Name: C:\Windows\System32\winlogon.exe
PID: 604
Hidden: No
Window Visible: No
Name: C:\Windows\System32\lsass.exe
PID: 656
Hidden: No
Window Visible: No
Name: C:\Windows\System32\lsm.exe
PID: 664
Hidden: No
Window Visible: No
Name: C:\Windows\System32\svchost.exe
PID: 820
Hidden: No
Window Visible: No
Name: C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
PID: 884
Hidden: No
Window Visible: No
Name: C:\Windows\System32\svchost.exe
PID: 932
Hidden: No
Window Visible: No
Name: C:\Windows\System32\svchost.exe
PID: 992
Hidden: No
Window Visible: No
Name: C:\Windows\System32\Ati2evxx.exe
PID: 1068
Hidden: No
Window Visible: No
Name: C:\Windows\System32\svchost.exe
PID: 1128
Hidden: No
Window Visible: No
Name: C:\Windows\System32\svchost.exe
PID: 1164
Hidden: No
Window Visible: No
Name: C:\Windows\System32\svchost.exe
PID: 1184
Hidden: No
Window Visible: No
Name: C:\Windows\System32\audiodg.exe
PID: 1244
Hidden: No
Window Visible: No
Name: C:\Windows\System32\svchost.exe
PID: 1328
Hidden: No
Window Visible: No
Name: C:\Windows\System32\SLsvc.exe
PID: 1344
Hidden: No
Window Visible: No
Name: C:\Windows\System32\svchost.exe
PID: 1380
Hidden: No
Window Visible: No
Name: C:\Windows\System32\Ati2evxx.exe
PID: 1496
Hidden: No
Window Visible: No
Name: C:\Windows\System32\svchost.exe
PID: 1536
Hidden: No
Window Visible: No
Name: C:\Windows\System32\spoolsv.exe
PID: 1776
Hidden: No
Window Visible: No
Name: C:\Windows\System32\svchost.exe
PID: 1800
Hidden: No
Window Visible: No
Name: C:\Windows\System32\agrsmsvc.exe
PID: 1960
Hidden: No
Window Visible: No
Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 1996
Hidden: No
Window Visible: No
Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 2008
Hidden: No
Window Visible: No
Name: C:\Windows\System32\svchost.exe
PID: 248
Hidden: No
Window Visible: No
Name: C:\Windows\System32\svchost.exe
PID: 524
Hidden: No
Window Visible: No
Name: C:\Toshiba\IVP\ISM\pinger.exe
PID: 1232
Hidden: No
Window Visible: No
Name: C:\Windows\System32\svchost.exe
PID: 636
Hidden: No
Window Visible: No
Name: C:\Windows\System32\svchost.exe
PID: 900
Hidden: No
Window Visible: No
Name: C:\Windows\System32\svchost.exe
PID: 1308
Hidden: No
Window Visible: No
Name: C:\Windows\System32\svchost.exe
PID: 1472
Hidden: No
Window Visible: No
Name: C:\Toshiba\IVP\swupdate\swupdtmr.exe
PID: 1596
Hidden: No
Window Visible: No
Name: C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
PID: 2068
Hidden: No
Window Visible: No
Name: C:\Windows\System32\TODDSrv.exe
PID: 2080
Hidden: No
Window Visible: No
Name: C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
PID: 2104
Hidden: No
Window Visible: No
Name: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PID: 2156
Hidden: No
Window Visible: No
Name: C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PID: 2172
Hidden: No
Window Visible: No
Name: C:\Windows\System32\svchost.exe
PID: 2200
Hidden: No
Window Visible: No
Name: C:\Windows\System32\SearchIndexer.exe
PID: 2232
Hidden: No
Window Visible: No
Name: C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PID: 2280
Hidden: No
Window Visible: No
Name: C:\Windows\System32\svchost.exe
PID: 2536
Hidden: No
Window Visible: No
Name: C:\Windows\System32\taskeng.exe
PID: 2960
Hidden: No
Window Visible: No
Name: C:\Windows\System32\taskeng.exe
PID: 2508
Hidden: No
Window Visible: No
Name: C:\Windows\System32\dwm.exe
PID: 2816
Hidden: No
Window Visible: No
Name: C:\Windows\explorer.exe
PID: 2924
Hidden: No
Window Visible: No
Name: C:\Windows\RtHDVCpl.exe
PID: 1276
Hidden: No
Window Visible: No
Name: C:\Program Files\Toshiba\Utilities\KeNotify.exe
PID: 3192
Hidden: No
Window Visible: No
Name: C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
PID: 3240
Hidden: No
Window Visible: No
Name: C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
PID: 3136
Hidden: No
Window Visible: No
Name: C:\Program Files\iTunes\iTunesHelper.exe
PID: 2784
Hidden: No
Window Visible: No
Name: C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
PID: 3396
Hidden: No
Window Visible: No
Name: C:\Program Files\Windows Sidebar\sidebar.exe
PID: 3412
Hidden: No
Window Visible: Yes
Name: C:\Windows\ehome\ehtray.exe
PID: 3420
Hidden: No
Window Visible: No
Name: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PID: 2360
Hidden: No
Window Visible: No
Name: C:\Program Files\Logitech\SetPoint\SetPoint.exe
PID: 3492
Hidden: No
Window Visible: No
Name: C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
PID: 2860
Hidden: No
Window Visible: No
Name: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PID: 3692
Hidden: No
Window Visible: No
Name: C:\Windows\ehome\ehmsas.exe
PID: 3616
Hidden: No
Window Visible: No
Name: C:\Program Files\Synaptics\SynTP\SynToshiba.exe
PID: 2004
Hidden: No
Window Visible: No
Name: C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
PID: 4044
Hidden: No
Window Visible: No
Name: C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
PID: 3028
Hidden: No
Window Visible: No
Name: C:\Program Files\iPod\bin\iPodService.exe
PID: 796
Hidden: No
Window Visible: No
Name: C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
PID: 2664
Hidden: No
Window Visible: Yes
Name: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 4064
Hidden: No
Window Visible: No
Name: C:\Windows\System32\taskeng.exe
PID: 2864
Hidden: No
Window Visible: No
Name: C:\Users\crawford\Desktop\SysProt\SysProt.exe
PID: 3672
Hidden: No
Window Visible: Yes
Name: C:\Windows\System32\wbem\WmiPrvSE.exe
PID: 4008
Hidden: No
Window Visible: No
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\gasfkyesicmtnx.sys
Service Name: gasfkyppyicvpt
Module Base: ---
Module End: ---
Hidden: Yes
Module Name: \??\C:\Users\crawford\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: 9DBB9000
Module End: 9DBC4000
Hidden: No
Module Name: C:\Windows\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 8241F000
Module End: 827D8000
Hidden: No
Module Name: C:\Windows\system32\hal.dll
Service Name: ---
Module Base: 827D8000
Module End: 8280B000
Hidden: No
Module Name: C:\Windows\system32\kdcom.dll
Service Name: ---
Module Base: 80601000
Module End: 80609000
Hidden: No
Module Name: C:\Windows\system32\PSHED.dll
Service Name: ---
Module Base: 80609000
Module End: 8061A000
Hidden: No
Module Name: C:\Windows\system32\BOOTVID.dll
Service Name: ---
Module Base: 8061A000
Module End: 80622000
Hidden: No
Module Name: C:\Windows\system32\CLFS.SYS
Service Name: CLFS
Module Base: 80622000
Module End: 80663000
Hidden: No
Module Name: C:\Windows\system32\CI.dll
Service Name: ---
Module Base: 80663000
Module End: 80743000
Hidden: No
Module Name: C:\Windows\system32\drivers\Wdf01000.sys
Service Name: Wdf01000
Module Base: 80743000
Module End: 807BF000
Hidden: No
Module Name: C:\Windows\system32\drivers\WDFLDR.SYS
Service Name: ---
Module Base: 807BF000
Module End: 807CC000
Hidden: No
Module Name: C:\Windows\system32\drivers\acpi.sys
Service Name: ACPI
Module Base: 82A02000
Module End: 82A48000
Hidden: No
Module Name: C:\Windows\system32\drivers\WMILIB.SYS
Service Name: ---
Module Base: 82A48000
Module End: 82A51000
Hidden: No
Module Name: C:\Windows\system32\drivers\msisadrv.sys
Service Name: msisadrv
Module Base: 82A51000
Module End: 82A59000
Hidden: No
Module Name: C:\Windows\system32\drivers\pci.sys
Service Name: pci
Module Base: 82A59000
Module End: 82A80000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\LPCFilter.sys
Service Name: LPCFilter
Module Base: 82A80000
Module End: 82A8A000
Hidden: No
Module Name: C:\Windows\System32\drivers\partmgr.sys
Service Name: partmgr
Module Base: 82A8A000
Module End: 82A99000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\compbatt.sys
Service Name: Compbatt
Module Base: 82A99000
Module End: 82A9C000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\BATTC.SYS
Service Name: BattC
Module Base: 82A9C000
Module End: 82AA6000
Hidden: No
Module Name: C:\Windows\system32\drivers\volmgr.sys
Service Name: volmgr
Module Base: 82AA6000
Module End: 82AB5000
Hidden: No
Module Name: C:\Windows\System32\drivers\volmgrx.sys
Service Name: volmgrx
Module Base: 82AB5000
Module End: 82AFF000
Hidden: No
Module Name: C:\Windows\system32\drivers\pciide.sys
Service Name: pciide
Module Base: 82AFF000
Module End: 82B06000
Hidden: No
Module Name: C:\Windows\system32\drivers\PCIIDEX.SYS
Service Name: ---
Module Base: 82B06000
Module End: 82B14000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\pcmcia.sys
Service Name: pcmcia
Module Base: 82B14000
Module End: 82B41000
Hidden: No
Module Name: C:\Windows\System32\drivers\mountmgr.sys
Service Name: MountMgr
Module Base: 82B41000
Module End: 82B51000
Hidden: No
Module Name: C:\Windows\system32\drivers\atapi.sys
Service Name: atapi
Module Base: 82B51000
Module End: 82B59000
Hidden: No
Module Name: C:\Windows\system32\drivers\ataport.SYS
Service Name: ---
Module Base: 82B59000
Module End: 82B77000
Hidden: No
Module Name: C:\Windows\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: 82B77000
Module End: 82BA9000
Hidden: No
Module Name: C:\Windows\system32\drivers\fileinfo.sys
Service Name: FileInfo
Module Base: 82BA9000
Module End: 82BB9000
Hidden: No
Module Name: C:\Windows\System32\Drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: 82BB9000
Module End: 82BC2000
Hidden: No
Module Name: C:\Windows\System32\Drivers\ksecdd.sys
Service Name: KSecDD
Module Base: 8A80A000
Module End: 8A87B000
Hidden: No
Module Name: C:\Windows\system32\drivers\ndis.sys
Service Name: NDIS
Module Base: 8A87B000
Module End: 8A986000
Hidden: No
Module Name: C:\Windows\system32\drivers\msrpc.sys
Service Name: MsRPC
Module Base: 8A986000
Module End: 8A9B1000
Hidden: No
Module Name: C:\Windows\system32\drivers\NETIO.SYS
Service Name: ---
Module Base: 8A9B1000
Module End: 8A9EB000
Hidden: No
Module Name: C:\Windows\System32\drivers\tcpip.sys
Service Name: Tcpip
Module Base: 8AA0F000
Module End: 8AAF8000
Hidden: No
Module Name: C:\Windows\System32\drivers\fwpkclnt.sys
Service Name: ---
Module Base: 8AAF8000
Module End: 8AB13000
Hidden: No
Module Name: C:\Windows\System32\Drivers\Ntfs.sys
Service Name: Ntfs
Module Base: 8AC0C000
Module End: 8AD1B000
Hidden: No
Module Name: C:\Windows\system32\drivers\volsnap.sys
Service Name: volsnap
Module Base: 8AD1B000
Module End: 8AD54000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\TVALZ_O.SYS
Service Name: TVALZ
Module Base: 8AD54000
Module End: 8AD59000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\tos_sps32.sys
Service Name: tos_sps32
Module Base: 8AD59000
Module End: 8ADA4000
Hidden: No
Module Name: C:\Windows\System32\Drivers\spldr.sys
Service Name: spldr
Module Base: 8ADA4000
Module End: 8ADAC000
Hidden: No
Module Name: C:\Windows\System32\Drivers\mup.sys
Service Name: Mup
Module Base: 8ADAC000
Module End: 8ADBB000
Hidden: No
Module Name: C:\Windows\System32\drivers\ecache.sys
Service Name: Ecache
Module Base: 8ADBB000
Module End: 8ADE2000
Hidden: No
Module Name: C:\Windows\system32\drivers\disk.sys
Service Name: disk
Module Base: 8ADE2000
Module End: 8ADF3000
Hidden: No
Module Name: C:\Windows\system32\drivers\CLASSPNP.SYS
Service Name: ---
Module Base: 8AB13000
Module End: 8AB34000
Hidden: No
Module Name: C:\Windows\system32\drivers\crcdisk.sys
Service Name: crcdisk
Module Base: 8ADF3000
Module End: 8ADFC000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\tunnel.sys
Service Name: tunnel
Module Base: 8AB49000
Module End: 8AB54000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\tunmp.sys
Service Name: tunmp
Module Base: 8AB54000
Module End: 8AB5D000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\amdk8.sys
Service Name: AmdK8
Module Base: 8AB5D000
Module End: 8AB6D000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\atikmdag.sys
Service Name: atikmdag
Module Base: 8EC07000
Module End: 8F309000
Hidden: No
Module Name: C:\Windows\System32\drivers\dxgkrnl.sys
Service Name: DXGKrnl
Module Base: 8F309000
Module End: 8F3A8000
Hidden: No
Module Name: C:\Windows\System32\drivers\watchdog.sys
Service Name: ---
Module Base: 8F3A8000
Module End: 8F3B5000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: 8F3B5000
Module End: 8F3C7000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\Rtlh86.sys
Service Name: RTL8169
Module Base: 8F3C7000
Module End: 8F3DF000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\athr.sys
Service Name: athr
Module Base: 8E802000
Module End: 8E8BC000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\usbohci.sys
Service Name: usbohci
Module Base: 8E8BC000
Module End: 8E8C6000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: 8E8C6000
Module End: 8E904000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: 8E904000
Module End: 8E913000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\tdcmdpst.sys
Service Name: tdcmdpst
Module Base: 8E913000
Module End: 8E91D000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\cdrom.sys
Service Name: cdrom
Module Base: 8E91E000
Module End: 8E936000
Hidden: No
Module Name: C:\Windows\System32\Drivers\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: 8E937000
Module End: 8E93E000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: 8E93E000
Module End: 8E951000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\kbdclass.sys
Service Name: kbdclass
Module Base: 8E951000
Module End: 8E95C000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\SynTP.sys
Service Name: SynTP
Module Base: 8E95C000
Module End: 8E989000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: 8E989000
Module End: 8E98B000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\mouclass.sys
Service Name: mouclass
Module Base: 8E98B000
Module End: 8E996000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\CmBatt.sys
Service Name: CmBatt
Module Base: 8E996000
Module End: 8E99A000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\ohci1394.sys
Service Name: ohci1394
Module Base: 8E99A000
Module End: 8E9AA000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: 8E9AA000
Module End: 8E9B8000
Hidden: No
Module Name: C:\Windows\system32\drivers\tifm21.sys
Service Name: tifm21
Module Base: 8AB6D000
Module End: 8ABB9000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\sdbus.sys
Service Name: sdbus
Module Base: 8E9B8000
Module End: 8E9D2000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\msiscsi.sys
Service Name: iScsiPrt
Module Base: 8E9D2000
Module End: 8EA00000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\storport.sys
Service Name: ---
Module Base: 8ABB9000
Module End: 8ABFA000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: 8F3DF000
Module End: 8F3EA000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: 82BC2000
Module End: 82BD9000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: 8F3EA000
Module End: 8F3F5000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: 82BD9000
Module End: 82BFC000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: 8AA00000
Module End: 8AA0F000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: 8A9EB000
Module End: 8A9FF000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\rassstp.sys
Service Name: RasSstp
Module Base: 807CC000
Module End: 807E1000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: 807E1000
Module End: 807F1000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: 8E800000
Module End: 8E802000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: 8F402000
Module End: 8F42C000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: 8F42C000
Module End: 8F436000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\umbus.sys
Service Name: umbus
Module Base: 8F436000
Module End: 8F443000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: 8F443000
Module End: 8F477000
Hidden: No
Module Name: C:\Windows\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: 8F477000
Module End: 8F488000
Hidden: No
Module Name: C:\Windows\system32\drivers\HdAudio.sys
Service Name: HdAudAddService
Module Base: 8F488000
Module End: 8F4C7000
Hidden: No
Module Name: C:\Windows\system32\drivers\portcls.sys
Service Name: ---
Module Base: 8F4C7000
Module End: 8F4F4000
Hidden: No
Module Name: C:\Windows\system32\drivers\drmk.sys
Service Name: ---
Module Base: 8F4F4000
Module End: 8F519000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\AGRSM.sys
Service Name: AgereSoftModem
Module Base: 8F605000
Module End: 8F721000
Hidden: No
Module Name: C:\Windows\system32\drivers\modem.sys
Service Name: Modem
Module Base: 8F721000
Module End: 8F72E000
Hidden: No
Module Name: C:\Windows\system32\drivers\RTKVHDA.sys
Service Name: IntcAzAudAddService
Module Base: 8F80D000
Module End: 8F9C0000
Hidden: No
Module Name: C:\Windows\System32\Drivers\Cdr4_xp.SYS
Service Name: Cdr4_xp
Module Base: 8F9C0000
Module End: 8F9C1000
Hidden: No
Module Name: C:\Windows\System32\Drivers\Cdralw2k.SYS
Service Name: Cdralw2k
Module Base: 8F9C1000
Module End: 8F9C2000
Hidden: No
Module Name: C:\Windows\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: 8F9C2000
Module End: 8F9CB000
Hidden: No
Module Name: C:\Windows\System32\Drivers\Null.SYS
Service Name: Null
Module Base: 8F9CB000
Module End: 8F9D2000
Hidden: No
Module Name: C:\Windows\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: 8F9D2000
Module End: 8F9D9000
Hidden: No
Module Name: C:\Windows\System32\drivers\vga.sys
Service Name: vga
Module Base: 8F9D9000
Module End: 8F9E5000
Hidden: No
Module Name: C:\Windows\System32\drivers\VIDEOPRT.SYS
Service Name: ---
Module Base: 8F72E000
Module End: 8F74F000
Hidden: No
Module Name: C:\Windows\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: 8F9E5000
Module End: 8F9ED000
Hidden: No
Module Name: C:\Windows\system32\drivers\rdpencdd.sys
Service Name: RDPENCDD
Module Base: 8F9ED000
Module End: 8F9F5000
Hidden: No
Module Name: C:\Windows\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: 8F9F5000
Module End: 8FA00000
Hidden: No
Module Name: C:\Windows\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: 8F770000
Module End: 8F77E000
Hidden: No
Module Name: C:\Windows\System32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: 8F800000
Module End: 8F809000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\tdx.sys
Service Name: tdx
Module Base: 8F77E000
Module End: 8F794000
Hidden: No
Module Name: C:\Windows\System32\DRIVERS\netbt.sys
Service Name: netbt
Module Base: 8F794000
Module End: 8F7C6000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\smb.sys
Service Name: Smb
Module Base: 8F7C6000
Module End: 8F7DA000
Hidden: No
Module Name: C:\Windows\system32\drivers\afd.sys
Service Name: AFD
Module Base: 8F519000
Module End: 8F561000
Hidden: No
Module Name: C:\Windows\system32\drivers\ws2ifsl.sys
Service Name: ws2ifsl
Module Base: 8F7DA000
Module End: 8F7E3000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\pacer.sys
Service Name: PSched
Module Base: 8F7E3000
Module End: 8F7F9000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: 8F561000
Module End: 8F56F000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: 8F56F000
Module End: 8F582000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\rdbss.sys
Service Name: rdbss
Module Base: 8F582000
Module End: 8F5BE000
Hidden: No
Module Name: C:\Windows\system32\drivers\nsiproxy.sys
Service Name: nsiproxy
Module Base: 8F5BE000
Module End: 8F5C8000
Hidden: No
Module Name: C:\Windows\System32\Drivers\dfsc.sys
Service Name: DfsC
Module Base: 8F5C8000
Module End: 8F5DF000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\usbccgp.sys
Service Name: usbccgp
Module Base: 8F5DF000
Module End: 8F5F6000
Hidden: No
Module Name: C:\Windows\System32\Drivers\UVCFTR_S.SYS
Service Name: UVCFTR
Module Base: 8F5F6000
Module End: 8F5FF000
Hidden: No
Module Name: C:\Windows\System32\Drivers\usbvideo.sys
Service Name: usbvideo
Module Base: 90803000
Module End: 90824000
Hidden: No
Module Name: C:\Windows\System32\Drivers\crashdmp.sys
Service Name: ---
Module Base: 90824000
Module End: 90831000
Hidden: No
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 90831000
Module End: 9083C000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: 9083C000
Module End: 90844000
Hidden: Yes
Module Name: C:\Windows\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: 90844000
Module End: 9084E000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\monitor.sys
Service Name: monitor
Module Base: 9084E000
Module End: 9085D000
Hidden: No
Module Name: C:\Windows\system32\drivers\luafv.sys
Service Name: luafv
Module Base: 9085D000
Module End: 90878000
Hidden: No
Module Name: C:\Windows\system32\drivers\spsys.sys
Service Name: ---
Module Base: 90880000
Module End: 9092F000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\lltdio.sys
Service Name: lltdio
Module Base: 9092F000
Module End: 9093F000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\nwifi.sys
Service Name: NativeWifiP
Module Base: 9093F000
Module End: 90969000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: 90969000
Module End: 90973000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\rspndr.sys
Service Name: rspndr
Module Base: 90973000
Module End: 90986000
Hidden: No
Module Name: C:\Windows\system32\drivers\HTTP.sys
Service Name: HTTP
Module Base: 90986000
Module End: 909F1000
Hidden: No
Module Name: C:\Windows\System32\DRIVERS\srvnet.sys
Service Name: srvnet
Module Base: 9D209000
Module End: 9D226000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\bowser.sys
Service Name: bowser
Module Base: 9D226000
Module End: 9D23F000
Hidden: No
Module Name: C:\Windows\System32\drivers\mpsdrv.sys
Service Name: mpsdrv
Module Base: 9D23F000
Module End: 9D254000
Hidden: No
Module Name: C:\Windows\system32\drivers\mrxdav.sys
Service Name: MRxDAV
Module Base: 9D254000
Module End: 9D274000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\mrxsmb.sys
Service Name: mrxsmb
Module Base: 9D274000
Module End: 9D293000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\mrxsmb10.sys
Service Name: mrxsmb10
Module Base: 9D293000
Module End: 9D2CC000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\mrxsmb20.sys
Service Name: mrxsmb20
Module Base: 9D2CC000
Module End: 9D2E4000
Hidden: No
Module Name: C:\Windows\System32\DRIVERS\srv2.sys
Service Name: srv2
Module Base: 9D2E4000
Module End: 9D30B000
Hidden: No
Module Name: C:\Windows\System32\DRIVERS\srv.sys
Service Name: srv
Module Base: 9D30B000
Module End: 9D357000
Hidden: No
Module Name: C:\Windows\system32\drivers\peauth.sys
Service Name: PEAUTH
Module Base: 9DA02000
Module End: 9DAE0000
Hidden: No
Module Name: C:\Windows\System32\Drivers\secdrv.SYS
Service Name: secdrv
Module Base: 9DAE0000
Module End: 9DAEA000
Hidden: No
Module Name: C:\Windows\System32\drivers\tcpipreg.sys
Service Name: tcpipreg
Module Base: 9DAEA000
Module End: 9DAF6000
Hidden: No
Module Name: C:\Windows\system32\drivers\tdtcp.sys
Service Name: TDTCP
Module Base: 9DAF6000
Module End: 9DB01000
Hidden: No
Module Name: C:\Windows\System32\DRIVERS\tssecsrv.sys
Service Name: tssecsrv
Module Base: 9DB01000
Module End: 9DB0D000
Hidden: No
Module Name: C:\Windows\System32\Drivers\RDPWD.SYS
Service Name: Wd
Module Base: 9DB0D000
Module End: 9DB40000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\cdfs.sys
Service Name: cdfs
Module Base: 9DB40000
Module End: 9DB56000
Hidden: No
Module Name: C:\Windows\system32\DRIVERS\USBSTOR.SYS
Service Name: USBSTOR
Module Base: 9DB58000
Module End: 9DB6A000
Hidden: No
Module Name: C:\Windows\System32\Drivers\fastfat.SYS
Service Name: fastfat
Module Base: 9DB6A000
Module End: 9DB92000
Hidden: No
******************************************************************************************
******************************************************************************************
No SSDT Hooks found
******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 8267462A
Jump To: 876238BA
Module Name: _unknown_
Hooked Function: ZwSaveKey
At Address: 82674523
Jump To: 87622A32
Module Name: _unknown_
Hooked Function: ZwFlushInstructionCache
At Address: 825D130B
Jump To: 8762384C
Module Name: _unknown_
Hooked Function: ZwEnumerateKey
At Address: 82626BA2
Jump To: 87623884
Module Name: _unknown_
Hooked Function: IofCompleteRequest
At Address: 82458FE2
Jump To: 8762183B
Module Name: _unknown_
Hooked Function: IofCallDriver
At Address: 824DAF6F
Jump To: 87622A6A
Module Name: _unknown_
******************************************************************************************
******************************************************************************************
No IRP Hooks found
******************************************************************************************
******************************************************************************************
Ports:
Local Address: CRAWFORD-PC.OC.COX.NET:49372
Remote Address: 89-149-236-39.INTERNETSERVICETEAM.COM:HTTP
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: SYN_SENT
Local Address: CRAWFORD-PC.OC.COX.NET:49368
Remote Address: 74.125.3.213:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED
Local Address: CRAWFORD-PC.OC.COX.NET:49360
Remote Address: QY-IN-F113.GOOGLE.COM:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED
Local Address: CRAWFORD-PC.OC.COX.NET:49321
Remote Address: A96-7-19-190.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT
Local Address: CRAWFORD-PC.OC.COX.NET:49320
Remote Address: A96-7-19-190.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT
Local Address: CRAWFORD-PC.OC.COX.NET:49308
Remote Address: IP72-215-225-83.AT.AT.COX.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT
Local Address: CRAWFORD-PC.OC.COX.NET:49180
Remote Address: IP72-215-225-89.AT.AT.COX.NET:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED
Local Address: CRAWFORD-PC.OC.COX.NET:49179
Remote Address: A-70-183-191-47.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT
Local Address: CRAWFORD-PC.OC.COX.NET:49177
Remote Address: IP72-215-225-112.AT.AT.COX.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT
Local Address: CRAWFORD-PC.OC.COX.NET:49174
Remote Address: IP72-215-225-112.AT.AT.COX.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT
Local Address: CRAWFORD-PC.OC.COX.NET:49173
Remote Address: IP72-215-225-112.AT.AT.COX.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT
Local Address: CRAWFORD-PC.OC.COX.NET:49172
Remote Address: IP72-215-225-112.AT.AT.COX.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT
Local Address: CRAWFORD-PC.OC.COX.NET:49171
Remote Address: IP72-215-225-112.AT.AT.COX.NET:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED
Local Address: CRAWFORD-PC.OC.COX.NET:49170
Remote Address: IP72-215-225-112.AT.AT.COX.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT
Local Address: CRAWFORD-PC.OC.COX.NET:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: CRAWFORD-PC:49161
Remote Address: LOCALHOST:49160
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED
Local Address: CRAWFORD-PC:49160
Remote Address: LOCALHOST:49161
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED
Local Address: CRAWFORD-PC:49159
Remote Address: LOCALHOST:49158
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED
Local Address: CRAWFORD-PC:49158
Remote Address: LOCALHOST:49159
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED
Local Address: CRAWFORD-PC:49157
Remote Address: LOCALHOST:27015
Type: TCP
Process: C:\Program Files\iTunes\iTunesHelper.exe
State: ESTABLISHED
Local Address: CRAWFORD-PC:27015
Remote Address: LOCALHOST:49157
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: ESTABLISHED
Local Address: CRAWFORD-PC:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING
Local Address: CRAWFORD-PC:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING
Local Address: CRAWFORD-PC:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\services.exe
State: LISTENING
Local Address: CRAWFORD-PC:49155
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING
Local Address: CRAWFORD-PC:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\lsass.exe
State: LISTENING
Local Address: CRAWFORD-PC:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING
Local Address: CRAWFORD-PC:49152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\wininit.exe
State: LISTENING
Local Address: CRAWFORD-PC:5357
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: CRAWFORD-PC:MS-WBT-SERVER
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING
Local Address: CRAWFORD-PC:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: CRAWFORD-PC:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING
Local Address: CRAWFORD-PC.OC.COX.NET:62515
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: CRAWFORD-PC.OC.COX.NET:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA
Local Address: CRAWFORD-PC.OC.COX.NET:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: CRAWFORD-PC.OC.COX.NET:427
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: CRAWFORD-PC.OC.COX.NET:138
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: CRAWFORD-PC.OC.COX.NET:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: CRAWFORD-PC:62516
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: CRAWFORD-PC:59561
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: CRAWFORD-PC:49165
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Sidebar\sidebar.exe
State: NA
Local Address: CRAWFORD-PC:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: CRAWFORD-PC:49159
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\spoolsv.exe
State: NA
Local Address: CRAWFORD-PC:49152
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA
Local Address: CRAWFORD-PC:LLMNR
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: CRAWFORD-PC:IPSEC-MSFT
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: CRAWFORD-PC:500
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: CRAWFORD-PC:123
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied
Object: C:\System Volume Information\SPP
Status: Access denied
Object: C:\System Volume Information\tracking.log
Status: Access denied
Object: C:\Users\crawford\Favorites\DienDanMauTam Di?n dàn.url
Status: Hidden
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
Status: Access denied
awishstar
2009-09-28, 21:57
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:38 AM, on 9/28/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://www.miniclip.com/games/crash-course-football/en/"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O16 - DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} (Photo Upload Plugin Class) - http://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Smart Viewer 7) - http://lunchbox.iusd.org/viewer/activeXViewer/activexviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DEA6994F-3ED5-40BC-B5E3-0FD02411B1B4} (Photo Upload Plugin Class) - http://www.costcophotocenter.com/upload/activex/v3_0_0_1/PhotoCenter_ActiveX_Control.cab?
O16 - DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} (Photo Upload Plugin Class) - http://www.costcophotocenter.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab?
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MHGK - Sysinternals - www.sysinternals.com - C:\Users\crawford\AppData\Local\Temp\MHGK.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Windows Backup SDRSVCidsvc (SDRSVCidsvc) - Unknown owner - C:\Windows\system32\apdsx.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 8565 bytes
awishstar
2009-09-28, 21:58
ComboFix 09-09-25.01 - crawford 09/27/2009 17:50.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.2026 [GMT -7:00]
Running from: c:\users\crawford\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$RI1UOY4\IMG_0615.JPG
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$RI1UOY4\Picasa.ini
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$ROALP6W.picasaoriginals\.picasa.ini
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$ROALP6W.picasaoriginals\IMG_0994.JPG
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$ROQNWYU\_Setup.dll
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$ROQNWYU\ISSetup.dll
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$RUJYZKI\.picasaoriginals\IMG_1087.JPG
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$RXLYZOW\manifest.xml
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$RXLYZOW\Racecars\05HospitalShootout_short.mp3
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$RXLYZOW\Racecars\08Sweetnin_short.mp3
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$RXLYZOW\Racecars\42Glamdring_short.mp3
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$RXLYZOW\Racecars\edit1.jpg
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$RXLYZOW\Racecars\edit2.jpg
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$RXLYZOW\Racecars\projectIcon.jpg
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$RXLYZOW\Racecars\SB_11293302.jpg
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$RXLYZOW\Racecars\snappyIcon.jpg
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$RXLYZOW\Racecars\template.swf
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$RXLYZOW\Racecars\templateContent.xml
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$RXLYZOW\Racecars\templateDescription.xml
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-1000\$RXLYZOW\Racecars\templateIcon.jpg
c:\$recycle.bin\S-1-5-21-2255522232-2540408132-457849326-500
c:\$recycle.bin\S-1-5-21-2289998049-2954938465-3815309393-500
c:\program files\TS\tsc.exe
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\programdata\ntuser.dat{84e998b7-07db-11dd-9f44-001eec03d37a}.TMContainer00000000000000000001.regtrans-ms
c:\users\crawford\AppData\Roaming\wiaserva.log
c:\users\crawford\Desktop\Total Security.lnk
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\1251214205.exe
c:\windows\system32\1620298512.dat
c:\windows\system32\AutoRun.inf
----- BITS: Possible infected sites -----
hxxp://msgr.dlservice.microsoft.com
.
((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 )))))))))))))))))))))))))))))))
.
2009-09-28 01:35 . 2009-09-28 01:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-26 23:42 . 2009-03-08 11:32 72704 ----a-w- c:\windows\system32\admparse.dll
2009-09-20 00:54 . 2009-09-20 00:55 -------- d-----w- c:\users\carleen\AppData\Local\Microsoft Games
2009-09-18 00:37 . 2009-09-18 00:37 -------- d-----w- c:\program files\Common Files\TSUninstall
2009-09-18 00:37 . 2009-09-28 01:30 -------- d-----w- c:\program files\TS
2009-09-09 16:24 . 2009-09-09 16:24 3195 ----a-w- c:\users\senna\AppData\Local\olegasutiyayi.dll
2009-09-05 02:17 . 2009-09-05 02:17 3187 ----a-w- c:\users\senna\AppData\Local\ibezeleqayi.dll
2009-09-04 15:37 . 2009-09-04 15:37 3195 ----a-w- c:\users\senna\AppData\Local\uliyogom.dll
2009-09-03 21:52 . 2009-09-03 21:52 3211 ----a-w- c:\users\senna\AppData\Local\ekugubel.dll
2009-09-03 21:25 . 2009-09-03 21:25 -------- d-----w- c:\users\alec\AppData\Local\Adobe
2009-09-03 16:51 . 2009-09-09 00:36 3211 ----a-w- c:\users\senna\AppData\Local\eqexupetozuxaho.dll
2009-09-03 16:47 . 2009-08-28 12:39 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-03 16:47 . 2009-08-28 10:15 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-02 00:21 . 2009-09-02 00:21 3219 ----a-w- c:\users\senna\AppData\Local\axosabam.dll
2009-09-01 16:50 . 2009-09-01 16:50 3187 ----a-w- c:\users\senna\AppData\Local\unayiruburu.dll
2009-08-31 20:01 . 2009-08-31 20:01 3091 ----a-w- c:\users\senna\AppData\Local\ecehazuyosegefim.dll
2009-08-30 18:00 . 2009-08-30 18:00 -------- d-----w- c:\users\alec\AppData\Local\Unity
2009-08-29 23:45 . 2009-08-29 23:45 3195 ----a-w- c:\users\senna\AppData\Local\ejiyakiw.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-27 00:15 . 2009-03-14 01:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-26 23:54 . 2009-03-14 01:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-26 23:49 . 2008-08-13 01:10 -------- d-----w- c:\programdata\avg8
2009-09-26 23:45 . 2008-10-23 01:22 -------- d-----w- c:\users\crawford\AppData\Roaming\LimeWire
2009-09-26 21:44 . 2009-08-17 21:06 120 ----a-w- c:\users\senna\AppData\Local\Ykuxamujoyexam.dat
2009-09-23 00:11 . 2009-03-14 03:07 -------- d-----w- c:\users\senna\AppData\Roaming\LimeWire
2009-09-10 21:54 . 2009-03-14 01:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-03-14 01:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 16:56 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-09 16:56 . 2007-11-21 05:15 -------- d-----w- c:\programdata\Microsoft Help
2009-08-21 18:53 . 2009-08-21 18:53 3227 ----a-w- c:\users\senna\AppData\Local\okilohawurovi.dll
2009-08-20 21:53 . 2009-08-20 21:53 3203 ----a-w- c:\users\senna\AppData\Local\arikinas.dll
2009-08-20 17:12 . 2009-03-14 04:18 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-20 17:12 . 2008-08-13 01:10 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-20 17:12 . 2008-04-13 00:02 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-14 17:07 . 2009-09-09 16:21 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-09 16:21 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-09 16:21 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-09 16:21 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-09 16:21 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-09 16:21 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-09 16:21 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-09 16:21 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-09 16:21 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-09 16:21 10240 ----a-w- c:\windows\system32\finger.exe
2009-07-21 21:52 . 2009-09-26 23:43 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-09-26 23:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-09-26 23:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-09-26 23:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 20:08 . 2009-03-17 00:44 112408 ----a-w- c:\users\alec\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-17 14:35 . 2009-08-12 21:53 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-14 13:00 . 2009-08-12 21:53 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 12:59 . 2009-08-12 21:53 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-14 12:58 . 2009-08-12 21:53 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 10:59 . 2009-08-12 21:53 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-11 19:32 . 2009-09-09 16:21 513024 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:32 . 2009-09-09 16:21 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:32 . 2009-09-09 16:21 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:29 . 2009-09-09 16:21 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-02-21 21:00 . 2009-02-21 21:00 37888 --sh--r- c:\windows\System32\apdsx.exe
2008-03-29 22:11 . 2008-03-29 22:11 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-01-22 417792]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 204800]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-23 438272]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-08 55416]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-04-11 413696]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-23 538744]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-20 2007832]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-06-13 4489216]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-4-1 692224]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMyGames"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2255522232-2540408132-457849326-1000]
"EnableNotificationsRef"=dword:00000002
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{346D3BA6-BEB2-464B-A6CF-F96476EC76B1}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{4F3F0893-6C72-4772-B321-2068238560FE}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{61DC09EE-6ED9-41F8-92D2-DB7D5A5C94B0}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{38C539B3-063F-4B7F-9F1A-38B5DECDE0B5}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{59BFE721-AF80-47B0-909D-79D234E513AA}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{C6F4CC72-1B77-483A-A0A6-DFEA0E2A2777}"= Disabled:UDP:d:\setup\HPZnui01.exe:hpznui01.exe
"{D02F16D0-3CB4-4527-8333-62AED97D56F2}"= Disabled:TCP:d:\setup\HPZnui01.exe:hpznui01.exe
"{F80A646E-FD4E-4F76-977F-F4C6BED54107}"= Disabled:UDP:d:\setup\HPZNUI01.EXE:hpznui01.exe
"{DE350171-5001-40D8-90EB-FBA8D26FFA91}"= Disabled:TCP:d:\setup\HPZNUI01.EXE:hpznui01.exe
"{EEA9EB90-DC9B-44AC-9731-9F5300028AEC}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{DE6BD288-EEE5-46C0-B9B1-2F7779FB720F}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{1E19496F-2346-4F33-8930-B9715AB53F84}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{EFC158BC-4ED7-4115-A134-BAB1F273186B}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{DFF055F9-CA74-425F-9D67-126185F3200A}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{90E7FDA4-99B2-40A6-ADA3-73823D8554C0}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{448342A1-9D40-4B37-B1A6-1F2A91C076D3}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{7AC38BD4-D00D-4A53-B788-FF9B34069C41}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{F597B22B-45A3-458E-9BB7-DFBEA8211544}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{CA55D2BC-5827-41E5-BEEB-3FDBBCEC67A8}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{469FBDE6-C4E7-4AE4-A61D-BE0D0C94F9BF}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{DD531A9F-6E77-4A17-9ACC-CAE52A2CC636}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{BD0B9E51-ED4D-4775-ABEB-D0A1B363D8BC}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{05DB087A-6E3D-45DC-AC2F-88E27FD73247}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{6B92AB37-AE7F-47F3-80F0-15889A0C6F9F}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{8C46B414-2BED-46A2-8C77-C8FC38444D3A}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{7128E0BB-6BEA-4EE1-85D6-5DE6C73A350B}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{3E4F247A-A31E-419F-8AC4-33673F32C232}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{06A19AC7-D37E-4EEB-A1CF-BC3FBFAE7B91}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe:hpqnrs08.exe
"{537A9610-54A5-4F26-9E71-26D53F9C14E5}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe:hpqnrs08.exe
"TCP Query User{7D9B14F7-437B-4B3E-901D-E1008C8DDA54}d:\\setup.exe"= UDP:D:\setup.exe:Setup
"UDP Query User{CD7A8C80-27B1-4C0A-BF5A-7742F0291FD7}d:\\setup.exe"= TCP:D:\setup.exe:Setup
"{D2416700-6204-4047-A334-268D581E8258}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{4077C923-9004-4325-AD09-1B75DB7F9794}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{76F9E9B6-BDAC-42F0-A571-AAB878FA8069}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{B2A96120-9C9D-489C-8949-D72AF75DD1DC}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{D6967C98-A5C7-4337-92FD-BAD2D4A20B6E}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{3912272F-681D-4001-B573-73C0E8F856AA}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{63FC3874-DF51-4CB1-A563-A95DFE433CA6}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{2563508C-142D-4F10-8DF2-44377A00A6E4}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{9CFF4BBF-35A3-44DB-9BE5-ADE5F1E7A560}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [8/12/2008 6:10 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/13/2009 9:18 PM 297752]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [3/13/2009 6:22 PM 809296]
S2 SDRSVCidsvc;Windows Backup SDRSVCidsvc;c:\windows\system32\apdsx.exe srv --> c:\windows\system32\apdsx.exe srv [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-09-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2255522232-2540408132-457849326-1001Core.job
- c:\users\carleen\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-06 21:04]
2009-09-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2255522232-2540408132-457849326-1001UA.job
- c:\users\carleen\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-06 21:04]
2009-09-28 c:\windows\Tasks\User_Feed_Synchronization-{62097DF1-7580-4894-9F3D-8DF4A841945C}.job
- c:\windows\system32\msfeedssync.exe [2009-09-26 20:13]
2009-09-28 c:\windows\Tasks\User_Feed_Synchronization-{F18E36A0-DF8A-4213-8627-26D6771BDCB8}.job
- c:\windows\system32\msfeedssync.exe [2009-09-26 20:13]
2009-09-28 c:\windows\Tasks\User_Feed_Synchronization-{F61C58D8-CCC9-44CD-9333-3BFD7E7E10B6}.job
- c:\windows\system32\msfeedssync.exe [2009-09-26 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {DEA6994F-3ED5-40BC-B5E3-0FD02411B1B4} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_1/PhotoCenter_ActiveX_Control.cab?
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab?
FF - ProfilePath - c:\users\crawford\AppData\Roaming\Mozilla\Firefox\Profiles\2ga920c5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-eeekp.sys
AddRemove-TS - c:\program files\TS\tsc.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-27 19:58
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(3456)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\System32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\System32\rundll32.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\program files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-09-28 20:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-28 03:03
Pre-Run: 126,827,278,336 bytes free
Post-Run: 131,275,624,448 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
308
Hello awishstar :welcome:
Due to the volume of posts to your own topic, it would appear to volunteer analysts that you are already being assisted as they look for topics with no response. :eek:
ran combofix (saw it from another post)(logged posted)
combofix crashed the computer when run again now.
gmer crashed comp as well.
Please read this forum's FAQs. ;)
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Do NOT run 'FIXES' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806)
After you have followed the procedure, we ask for one log only to be posted into your new topic. The HJT log - HijackThis 2.0.2. If the infection prevents HJT from running, please start a topic, make note of the situation and wait for a response.
Please wait to be advised, do NOT run fixes until requested or follow advice given to another user. All instructions given are customized for that member's computer only. Your symptoms may only appear to be similar and if you use tools improperly you could turn your machine into a doorstop.
NOTE: ComboFix is not a general purpose cleaning tool!
It should only be run under the supervision of someone who has been trained and continues their education in its use.
If you start another topic please provide a link back to this one. :)
Best regards.
awishstar
2009-09-29, 00:51
I did all that before I found this website... I was hoping to list out everything I did so the expert can help me with the full info. Now I know not to do anything before but it is too late.
So if someone can help me even after all that, I would greatly appreciate it. The kids really need the laptop for their schoolwork. Thank you for your time.
Duy
Hi awishstar,
It's good that you listed the steps you have already taken; that helps our volunteer analysts. :)
Please start a new topic though and copy and paste the HJT log into it.
Cheers.