Jump to content

Search Results Redirected


clayman
 Share

Recommended Posts

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:07:58 PM, on 11/29/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\WINDOWS\system32\svchost.exe

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\WINDOWS\system32\TPSMain.exe

C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\toshiba\ivp\ism\pinger.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe

C:\WINDOWS\system32\RAMASST.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Gadwin PrintScreen Pro] C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe /nosplash

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--

End of file - 9505 bytes

Malware Bytes Log

Malwarebytes' Anti-Malware 1.41

Database version: 3259

Windows 5.1.2600 Service Pack 3

11/29/2009 9:14:44 PM

mbam-log-2009-11-29 (21-14-44).txt

Scan type: Quick Scan

Objects scanned: 101232

Time elapsed: 5 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Combo Fix Log

ComboFix 09-11-29.03 - clayman 11/29/2009 23:09.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1470.993 [GMT -5:00]

Running from: c:\documents and settings\clayman\Desktop\detox.exe

AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\clayman\Application Data\inst.exe

c:\recycler\S-1-5-21-2369461160-35945199-3371764974-1003

.

((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))

.

2009-11-30 03:07 . 2009-11-30 03:07 -------- d-----w- c:\program files\Trend Micro

2009-11-30 01:41 . 2009-11-30 01:41 -------- d-----r- C:\AHCache

2009-11-29 19:50 . 2009-11-29 19:50 -------- d-----w- c:\program files\Microsoft Security Essentials

2009-11-29 19:36 . 2009-11-29 19:36 -------- d-----w- C:\ARK

2009-11-29 19:22 . 2009-11-29 19:22 -------- d-----w- c:\documents and settings\clayman\Application Data\Malwarebytes

2009-11-29 19:21 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-29 19:21 . 2009-11-29 19:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-29 19:21 . 2009-11-29 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-29 19:21 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-29 03:21 . 2009-11-29 03:21 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-11-29 03:21 . 2009-11-29 20:06 -------- d-----w- c:\documents and settings\clayman\Local Settings\Application Data\pjffda

2009-11-29 00:11 . 2009-11-29 00:11 -------- d-----w- c:\program files\iPod

2009-11-29 00:11 . 2009-11-29 00:11 -------- d-----w- c:\program files\iTunes

2009-11-29 00:10 . 2009-11-29 00:10 -------- d-----w- c:\program files\Bonjour

2009-11-29 00:09 . 2009-11-29 00:10 -------- d-----w- c:\program files\QuickTime

2009-11-29 00:08 . 2009-07-09 17:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-11-29 00:08 . 2009-07-09 17:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-11-29 00:04 . 2009-11-29 00:04 -------- d-----w- c:\program files\Apple Software Update

2009-11-29 00:03 . 2009-11-29 00:11 -------- d-----w- c:\program files\Common Files\Apple

2009-11-28 22:21 . 2009-11-28 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-11-28 19:46 . 2009-11-28 19:46 -------- d-sh--w- c:\documents and settings\clayman\IECompatCache

2009-11-28 17:46 . 2009-11-28 17:46 44044 ---ha-w- c:\windows\system32\mlfcache.dat

2009-11-28 02:29 . 2009-11-29 17:48 -------- d-----w- c:\documents and settings\clayman\Application Data\DivX

2009-11-28 02:28 . 2009-11-28 02:28 -------- d-----w- c:\program files\DivX

2009-11-28 02:28 . 2009-11-28 02:28 -------- d-----w- c:\program files\Common Files\DivX Shared

2009-11-28 01:12 . 2009-11-28 01:12 61015016 ----a-w- C:\registrybackup.reg

2009-11-27 02:33 . 2009-11-28 02:20 -------- d-----w- c:\windows\SxsCaPendDel

2009-11-27 01:53 . 2009-03-19 21:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2009-11-27 01:53 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll

2009-11-26 16:35 . 2008-04-13 15:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2009-11-26 16:35 . 2008-04-13 15:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2009-11-26 16:35 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2009-11-26 16:35 . 2008-04-13 21:12 159232 ----a-w- c:\windows\system32\ptpusd.dll

2009-11-26 16:22 . 2009-11-26 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-11-26 04:43 . 2009-11-29 00:21 -------- d-----w- c:\documents and settings\clayman\Application Data\Apple Computer

2009-11-26 04:14 . 2009-11-29 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-11-26 04:13 . 2009-11-26 04:13 -------- d-----w- c:\documents and settings\clayman\Local Settings\Application Data\Apple

2009-11-26 04:13 . 2009-11-28 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-11-26 04:13 . 2009-11-28 01:24 -------- d-----w- c:\documents and settings\clayman\Local Settings\Application Data\Apple Computer

2009-11-26 00:41 . 2009-11-26 00:41 -------- d-----w- c:\documents and settings\clayman\Local Settings\Application Data\Identities

2009-11-24 20:29 . 2009-11-24 20:30 -------- d-----w- c:\documents and settings\clayman\Local Settings\Application Data\Roblox

2009-11-24 20:28 . 2009-11-26 15:49 -------- d-----w- c:\documents and settings\clayman\Local Settings\Application Data\RobloxDownloads

2009-11-24 20:28 . 2009-11-26 15:49 -------- d-----w- c:\documents and settings\clayman\Local Settings\Application Data\RobloxVersions

2009-11-24 04:13 . 2009-11-24 04:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2009-11-24 00:36 . 2009-11-24 00:36 552 ----a-w- c:\windows\system32\d3d8caps.dat

2009-11-22 23:28 . 2009-11-22 23:28 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2009-11-22 23:28 . 2009-11-29 17:59 -------- d-----w- c:\documents and settings\clayman\Application Data\skypePM

2009-11-22 23:26 . 2009-11-30 02:27 -------- d-----w- c:\documents and settings\clayman\Application Data\Skype

2009-11-22 23:22 . 2009-11-22 23:22 -------- d-----w- c:\program files\Common Files\Skype

2009-11-22 23:22 . 2009-11-22 23:22 -------- d-----r- c:\program files\Skype

2009-11-22 23:22 . 2009-11-22 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2009-11-21 19:38 . 2009-11-21 19:38 -------- d-----w- c:\documents and settings\clayman\fontconfig

2009-11-21 19:37 . 2009-11-30 00:04 -------- d-----w- c:\documents and settings\clayman\.smplayer

2009-11-21 19:37 . 2009-11-21 19:37 -------- d-----w- c:\program files\SMPlayer

2009-11-17 03:46 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2009-11-17 03:46 . 2009-08-07 03:23 215920 ----a-w- c:\windows\system32\muweb.dll

2009-11-16 07:47 . 2009-11-16 07:47 -------- d-----w- c:\documents and settings\clayman\Application Data\Sonic

2009-11-16 06:53 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-11-16 06:21 . 2009-11-16 06:23 -------- d-----w- c:\documents and settings\All Users\Application Data\1Click DVD Copy

2009-11-16 06:21 . 2009-11-16 06:33 -------- d-----w- c:\documents and settings\clayman\Application Data\Vso

2009-11-16 06:21 . 2009-11-16 06:33 47360 ----a-w- c:\documents and settings\clayman\Application Data\pcouffin.sys

2009-11-16 06:21 . 2009-11-16 06:21 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys

2009-11-16 05:59 . 2009-11-30 03:41 -------- d-----w- c:\documents and settings\clayman\Tracing

2009-11-16 05:44 . 2009-11-17 06:32 -------- d-----w- c:\program files\Microsoft Silverlight

2009-11-16 05:44 . 2009-11-29 00:08 -------- dc----w- c:\windows\system32\DRVSTORE

2009-11-16 05:44 . 2009-08-06 06:48 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys

2009-11-16 05:43 . 2006-11-29 21:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll

2009-11-16 05:43 . 2009-11-16 05:43 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2009-11-16 05:42 . 2009-11-16 05:42 -------- d-----w- c:\program files\Microsoft

2009-11-16 05:42 . 2009-11-16 05:42 -------- d-----w- c:\program files\Windows Live SkyDrive

2009-11-16 05:41 . 2009-11-16 05:44 -------- d-----w- c:\program files\Windows Live

2009-11-16 05:36 . 2009-11-16 05:36 -------- d-----w- c:\program files\Common Files\Windows Live

2009-11-16 05:27 . 2009-11-16 05:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-11-16 05:14 . 2009-11-16 05:14 -------- d-----w- c:\windows\system32\scripting

2009-11-16 05:14 . 2009-11-16 05:14 -------- d-----w- c:\windows\system32\en

2009-11-16 05:14 . 2009-11-16 05:14 -------- d-----w- c:\windows\system32\bits

2009-11-16 05:14 . 2009-11-16 05:14 -------- d-----w- c:\windows\l2schemas

2009-11-16 05:08 . 2009-11-16 05:08 -------- d-----w- c:\windows\EHome

2009-11-16 04:59 . 2009-11-16 04:59 -------- d-sh--w- c:\documents and settings\clayman\PrivacIE

2009-11-16 04:56 . 2009-11-16 04:56 -------- d-sh--w- c:\documents and settings\clayman\IETldCache

2009-11-16 04:54 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll

2009-11-16 04:54 . 2009-11-16 04:54 -------- d-----w- c:\windows\ie8updates

2009-11-16 04:53 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2009-11-16 04:53 . 2009-08-29 08:08 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2009-11-16 04:53 . 2009-08-29 08:08 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2009-11-16 04:53 . 2009-08-29 08:08 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2009-11-16 04:53 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2009-11-16 04:53 . 2009-08-29 08:08 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll

2009-11-16 04:52 . 2009-11-16 04:53 -------- dc-h--w- c:\windows\ie8

2009-11-16 01:17 . 2009-11-16 01:17 -------- d-----w- c:\windows\Twain32

2009-11-16 00:47 . 2009-11-16 00:47 -------- d-----w- c:\documents and settings\clayman\Local Settings\Application Data\Opera

2009-11-16 00:47 . 2009-11-16 00:47 -------- d-----w- c:\program files\Opera

2009-11-16 00:46 . 2009-11-16 05:13 -------- d-----w- c:\windows\ServicePackFiles

2009-11-15 23:32 . 2004-08-04 06:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys

2009-11-15 23:24 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2009-11-15 23:24 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys

2009-11-15 23:22 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-11-15 23:21 . 2009-11-29 23:48 -------- d-----w- c:\windows\ShellNew

2009-11-15 23:21 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys

2009-11-15 23:21 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2009-11-15 23:21 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys

2009-11-15 23:21 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll

2009-11-15 23:21 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-11-15 23:21 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll

2009-11-15 23:20 . 2009-11-15 23:20 -------- d-----w- c:\documents and settings\clayman\Application Data\Microsoft Web Folders

2009-11-15 23:16 . 2009-06-10 17:19 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll

2009-11-15 23:15 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll

2009-11-15 23:15 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2009-11-15 23:15 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

2009-11-14 21:26 . 2009-04-28 20:20 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys

2009-11-14 21:26 . 2009-04-28 20:20 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys

2009-11-14 21:26 . 2009-04-28 20:20 129520 ------w- c:\windows\system32\pxafs.dll

2009-11-14 21:26 . 2009-11-15 23:00 -------- d-----w- c:\program files\Winamp

2009-11-14 21:26 . 2009-11-14 21:31 -------- d-----w- c:\documents and settings\clayman\Application Data\Winamp

2009-11-14 21:24 . 2009-11-14 21:24 -------- d-sh--w- c:\documents and settings\clayman\UserData

2009-11-14 21:18 . 2009-11-14 21:18 -------- d-----w- c:\documents and settings\clayman\Application Data\TotalRecorder

2009-11-14 21:17 . 2009-11-14 21:17 90192 ----a-w- c:\windows\system32\drivers\TotRec8.sys

2009-11-14 21:17 . 2009-11-14 21:17 131152 ----a-w- c:\windows\system32\drivers\TotRec7.sys

2009-11-14 21:17 . 2009-11-14 21:17 -------- d-----w- c:\program files\HighCriteria

2009-11-14 21:17 . 2009-11-14 21:17 61520 ----a-w- c:\windows\system32\DrvTrNTm.dll

2009-11-14 21:17 . 2009-11-14 21:17 106496 ----a-w- c:\windows\system32\DrvTrNTl.dll

2009-11-14 20:54 . 2001-01-19 23:34 207872 ----a-w- c:\windows\system32\DVDRGCTL.dll

2009-11-14 20:54 . 2000-10-27 22:56 193536 ----a-w- c:\windows\system32\AllNode.DLL

2009-11-14 20:54 . 2000-05-17 23:59 145920 ----a-w- c:\windows\system32\Mmac3.dll

2009-11-14 20:54 . 2000-04-27 06:15 67584 ----a-w- c:\windows\system32\macrovsn.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-30 03:38 . 2004-08-03 22:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2009-11-28 22:27 . 2005-11-05 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL

2009-11-21 17:20 . 2005-11-29 22:16 -------- d-----w- c:\program files\Metamail Inc

2009-11-16 05:58 . 2009-11-14 19:17 57968 ----a-w- c:\documents and settings\clayman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-16 05:16 . 2005-11-05 02:29 77607 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-11-16 01:33 . 2009-11-16 01:32 -------- d-----w- c:\program files\SONY

2009-11-16 01:33 . 2005-11-05 02:56 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-11-15 23:24 . 2009-11-15 23:24 5058 ----a-w- c:\windows\Help\hhcolreg.dat

2009-11-15 23:19 . 2005-11-05 02:30 -------- d-----w- c:\program files\microsoft frontpage

2009-11-15 23:12 . 2005-11-05 04:09 -------- d-----w- c:\program files\Pure Networks

2009-11-15 23:08 . 2005-11-05 04:05 -------- d-----w- c:\program files\Quicken

2009-11-15 23:03 . 2005-11-05 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com

2009-11-15 23:01 . 2005-11-05 04:09 -------- d-----w- c:\program files\Common Files\AOL

2009-11-15 23:01 . 2009-11-14 19:17 -------- d-----w- c:\documents and settings\clayman\Application Data\AOL

2009-11-14 19:10 . 2005-11-29 23:08 -------- d-----w- c:\program files\Sonic

2009-11-14 00:49 . 2005-11-05 04:07 120056 ------w- c:\windows\system32\pxcpyi64.exe

2009-11-14 00:49 . 2005-11-05 04:07 118520 ------w- c:\windows\system32\pxinsi64.exe

2009-09-11 14:18 . 2005-11-05 00:52 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2005-11-05 00:52 58880 ----a-w- c:\windows\system32\msasn1.dll

.

------- Sigcheck -------

[-] 2009-11-30 03:38 . 84B647F9DF97B26A4412FE01CCEFE108 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]

"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-11-25 352256]

"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-10 73728]

"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-19 188416]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]

"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]

"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-11-10 15473664]

"NDSTray.exe"="NDSTray.exe" [bU]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-15 88203]

"TFncKy"="TFncKy.exe" [bU]

"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-11-4 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"wave"=DrvTrNTm.dll

"mixer"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\WINDOWS\\system32\\rtcshare.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [11/16/2009 12:44 AM 54752]

R2 V7;V7;c:\windows\system32\drivers\V7.SYS [11/14/2009 3:54 PM 7196]

R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [11/14/2009 4:17 PM 131152]

R3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [11/14/2009 4:17 PM 90192]

S1 btydqpxg;btydqpxg;\??\c:\windows\system32\drivers\btydqpxg.sys --> c:\windows\system32\drivers\btydqpxg.sys [?]

S1 rrsovyyn;rrsovyyn;\??\c:\windows\system32\drivers\rrsovyyn.sys --> c:\windows\system32\drivers\rrsovyyn.sys [?]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/6/2009 1:48 AM 704864]

.

Contents of the 'Scheduled Tasks' folder

2009-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-30 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]

2009-11-30 c:\windows\Tasks\User_Feed_Synchronization-{32F29F81-2AF4-4EC6-BF09-659C1DDB958D}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://m.www.yahoo.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm

IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

.

- - - - ORPHANS REMOVED - - - -

AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0

AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe REMOVEALL

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-29 23:19

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A34F618]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf765bf28

\Driver\ACPI -> ACPI.sys @ 0xf75aecb8

\Driver\atapi -> atapi.sys @ 0xf74a8852

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9

ParseProcedure -> ntoskrnl.exe @ 0x8056ea15

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9

ParseProcedure -> ntoskrnl.exe @ 0x8056ea15

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(584)

c:\windows\system32\WININET.dll

.

Completion time: 2009-11-29 23:23

ComboFix-quarantined-files.txt 2009-11-30 04:23

Pre-Run: 53,224,480,768 bytes free

Post-Run: 53,255,688,192 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 9919D25C9752205DE7B2F0E002DBD0E0

Link to post
Share on other sites

Hope this helps too.

GMER 1.0.15.15252 - http://www.gmer.net

Rootkit quick scan 2009-11-29 23:35:41

Windows 5.1.2600 Service Pack 3

Running: ljwu8ejo.exe; Driver: C:\DOCUME~1\CLAYMAN~1\LOCALS~1\Temp\fwlcqpow.sys

---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\CLAYMAN~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A34F618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Link to post
Share on other sites

  • 3 weeks later...

Hello and welcome to Malwarebytes.

I Apologize for the late response.

If you still require assistance, we would like to see the latest state of your system. So, please take a read in this thread on instructions on running the tools and posting the logs for instructions: http://www.malwarebytes.org/forums/index.php?showtopic=9573

In your reply, I would also like to know any symptoms you may still have and how your computer is running at the moment.

Please note that the forum is very busy and if I don

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.