
Persistent Alureon.CT



Hello,

I've been trying to help a friend purge all sorts of nastiness from his Toshiba laptop but am struggling to prevent the recurrence of Alureon.CT a few minutes after connecting to the internet. I've installed Online Armor and I've noticed in the monitor that svchost makes a connection just prior to Microsoft Security Essentials flagging the problem.

The Malwarebytes scan is now clean and I am pasting and attaching all the diagnostic logs below. Please let me know if you need any further information.

I'd be very grateful for any pointers from any of you Malware removal experts out there.

Cheers

Jim


Defogger:

=========

Didn't get a prompt to reboot the machine after the 'Finished!' message. Not sure if this was a problem or not, so I did reboot and I'll paste the log here:

defogger_disable by jpshortstuff (28.11.09.2)

Log created at 18:54 on 17/12/2009 (martin1)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

Does this indicate it worked OK?

=========================================================================

MBAM:

=====

Malwarebytes' Anti-Malware 1.42

Database version: 3380

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

17/12/2009 17:36:55

mbam-log-2009-12-17 (17-36-55).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 207998

Time elapsed: 1 hour(s), 10 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{17A4E34B-B0F7-41F0-9E0F-14EE907186CC}\RP231\A0186413.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{17A4E34B-B0F7-41F0-9E0F-14EE907186CC}\RP231\A0186448.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

===========================================================================

DDS:

====

DDS (Ver_09-12-01.01) - NTFSx86

Run by martin1 at 19:29:51.32 on 17/12/2009

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.98 [GMT 0:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\Program Files\Tall Emu\Online Armor\OAcat.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\TODDSrv.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

C:\WINDOWS\system32\TPSMain.exe

C:\WINDOWS\system32\ZoomingHook.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\WINDOWS\system32\TCtrlIOHook.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\Program Files\TOSHIBA\Tvs\TvsTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\RAMASST.exe

C:\Documents and Settings\martin1\Desktop\jimbo\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [Apoint] c:\program files\apoint2k\Apoint.exe

mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe

mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe

mRun: [<NO NAME>]

mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP

mRun: [sVPWUTIL] c:\program files\toshiba\windows utilities\SVPWUTIL.exe SVPwUTIL

mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe

mRun: [TPSMain] TPSMain.exe

mRun: [Zooming] ZoomingHook.exe

mRun: [smoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe

mRun: [TCtryIOHook] TCtrlIOHook.exe

mRun: [TFncKy] TFncKy.exe

mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe

mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe

mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide

mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart16.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll

Notify: igfxcui - igfxdev.dll

SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\progra~1\markany\conten~1\MACSMA~1.DLL

SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-12-16 223312]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-12-16 24656]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-12-16 29776]

R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-12-16 1282248]

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-4-18 98816]

S1 gkgfysyz;gkgfysyz;\??\c:\windows\system32\drivers\gkgfysyz.sys --> c:\windows\system32\drivers\gkgfysyz.sys [?]

S1 lcphtkss;lcphtkss;\??\c:\windows\system32\drivers\lcphtkss.sys --> c:\windows\system32\drivers\lcphtkss.sys [?]

S1 nlduralv;nlduralv;\??\c:\windows\system32\drivers\nlduralv.sys --> c:\windows\system32\drivers\nlduralv.sys [?]

S2 gupdate1c9f4be6e8b1bc6;Google Update Service (gupdate1c9f4be6e8b1bc6);c:\program files\google\update\GoogleUpdate.exe [2009-6-24 133104]

S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]

S2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-12-16 3291336]

=============== Created Last 30 ================

2009-12-17 18:18:47 0 ----a-w- c:\documents and settings\martin1\defogger_reenable

2009-12-16 21:45:07 0 d-----w- c:\docume~1\martin1\applic~1\OnlineArmor

2009-12-16 21:45:07 0 d-----w- c:\docume~1\alluse~1\applic~1\OnlineArmor

2009-12-16 21:44:12 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys

2009-12-16 21:44:12 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys

2009-12-16 21:44:12 223312 ----a-w- c:\windows\system32\drivers\OADriver.sys

2009-12-16 21:44:02 0 d-----w- c:\program files\Tall Emu

2009-12-06 17:20:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-06 17:20:17 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-29 09:38:26 3384461312 ----a-w- C:\BIRDINGINBRITAIN.ISO

2009-11-18 18:09:51 0 d-----w- c:\docume~1\martin1\applic~1\CC

==================== Find3M ====================

2009-12-01 23:39:57 1814 -c--a-w- c:\docume~1\martin1\applic~1\wklnhst.dat

2009-11-02 20:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll

2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-10-29 07:46:50 17408 ------w- c:\windows\system32\corpol.dll

2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 14:58:48 263552 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll

============= FINISH: 19:31:15.18 ===============

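A defender-side triage of the "SERVICES / DRIVERS" section of the DDS log above, added here as an example (it is not code from the forum, from DDS or from Malwarebytes): it parses each entry and flags the ones a helper would ask about, such as the stopped system-start drivers whose files DDS could not find. The sample lines are copied from the log; the random-name heuristic is this example's own assumption, not a DDS rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the "SERVICES / DRIVERS" section of the DDS
# log above, copied verbatim so the heuristics can be checked against it.
SAMPLE_SECTION = r"""
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-12-16 223312]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-4-18 98816]
S1 gkgfysyz;gkgfysyz;\??\c:\windows\system32\drivers\gkgfysyz.sys --> c:\windows\system32\drivers\gkgfysyz.sys [?]
S1 lcphtkss;lcphtkss;\??\c:\windows\system32\drivers\lcphtkss.sys --> c:\windows\system32\drivers\lcphtkss.sys [?]
S1 nlduralv;nlduralv;\??\c:\windows\system32\drivers\nlduralv.sys --> c:\windows\system32\drivers\nlduralv.sys [?]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]
S2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-12-16 3291336]
"""

# One DDS line: <R|S><start type> <service name>;<display name>;<path> [<date> <size>]
# DDS prints "[?]" instead of date/size when it cannot find the file on disk,
# and "\??\path --> path" when the registry ImagePath uses the NT object prefix.
ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)


@dataclass
class DdsEntry:
    state: str          # R = running, S = stopped
    start: int          # 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
    name: str
    display: str
    path: str
    file_missing: bool  # True when DDS reported "[?]"


def parse_entry(line: str) -> Optional[DdsEntry]:
    """Parse one SERVICES / DRIVERS line; return None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest").strip()
    file_missing = rest.endswith("[?]")
    path = rest.split("-->")[-1].strip()          # keep the resolved path
    path = re.sub(r"\s*\[[^\]]*\]$", "", path)    # drop "[date size]" / "[?]"
    return DdsEntry(m.group("state"), int(m.group("start")), m.group("name"),
                    m.group("display"), path, file_missing)


def looks_random(name: str) -> bool:
    """Heuristic (an assumption of this example, not a DDS rule): the
    suspicious entries in this log are 8 lowercase letters with almost no
    vowels, which no vendor-named driver in the log matches."""
    if not re.fullmatch(r"[a-z]{8}", name):
        return False
    return sum(c in "aeiou" for c in name) <= 2


def suspicion_reasons(e: DdsEntry) -> List[str]:
    """Independent signals; two or more together are worth asking a helper about."""
    reasons = []
    if e.file_missing:
        reasons.append("file not found on disk ([?]): stale entry or hidden file")
    if looks_random(e.name):
        reasons.append("random-looking 8-letter service name")
    if e.start <= 1 and e.path.lower().endswith(".sys"):
        reasons.append("boot/system-start kernel driver (loads before security software)")
    return reasons


def triage(section: str) -> Dict[str, List[str]]:
    """Map service name -> reasons for every entry with at least one signal."""
    findings: Dict[str, List[str]] = {}
    for line in section.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings


def high_confidence(findings: Dict[str, List[str]]) -> List[str]:
    """Names with two or more signals; single-signal hits (e.g. a legitimate
    boot-start AV filter driver such as MpFilter) are left for manual review."""
    return sorted(name for name, reasons in findings.items() if len(reasons) >= 2)


if __name__ == "__main__":
    found = triage(SAMPLE_SECTION)
    for name in high_confidence(found):
        print(f"SUSPICIOUS {name}: " + "; ".join(found[name]))
    for name, reasons in sorted(found.items()):
        if len(reasons) == 1:
            print(f"review     {name}: {reasons[0]}")
```

Run against the sample, the three random-named S1 drivers come out as SUSPICIOUS, while MpFilter, OADevice and the orphaned MyWebSearchService land in the single-signal review list.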

  • Root Admin

Hello Jim,

You have a new TDL3 rootkit infection. Please follow the instructions below and we'll see if we're able to correct it with this tool. If not, then you'll need to have access to the installation CD so that we can attempt to fix it.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:

    [screenshots: CF_download_FF.gif, CF_download_rename.gif]

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double-click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above), but rename Combofix.exe to iexplore.exe or winlogon.exe instead.

This is because it also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...


Hello,

As requested, here are the logs. ComboFix displayed that I didn't have Windows Recovery Console installed and gave me the option to install, which I declined:

Thanks

Jim

ComboFix:

======

ComboFix 09-12-20.08 - martin1 22/12/2009 11:12:30.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.167 [GMT 0:00]

Running from: c:\documents and settings\martin1\Desktop\Combo-Fix.exe

AV: Microsoft Security Essentials *On-access scanning disabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\martin1\Application Data\CC

c:\documents and settings\martin1\Local Settings\Temporary Internet Files\mcc10.tmp

c:\documents and settings\martin1\Local Settings\Temporary Internet Files\mcc1C.tmp

c:\documents and settings\martin1\Local Settings\Temporary Internet Files\mcc1F.tmp

c:\documents and settings\martin1\Local Settings\Temporary Internet Files\mccB.tmp

c:\documents and settings\martin1\Local Settings\Temporary Internet Files\mccD.tmp

c:\documents and settings\martin1\Local Settings\Temporary Internet Files\mccE.tmp

c:\windows\EventSystem.log

c:\windows\system32\encapi32.dll

c:\windows\system32\muzapp.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected

Restored copy from - Kitty ate it :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MYWEBSEARCHSERVICE

-------\Service_MyWebSearchService

((((((((((((((((((((((((( Files Created from 2009-11-22 to 2009-12-22 )))))))))))))))))))))))))))))))

.

2009-12-16 21:45 . 2009-12-16 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor

2009-12-16 21:45 . 2009-12-16 21:45 -------- d-----w- c:\documents and settings\martin1\Application Data\OnlineArmor

2009-12-16 21:44 . 2009-12-05 07:28 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys

2009-12-16 21:44 . 2009-12-05 07:27 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys

2009-12-16 21:44 . 2009-12-05 07:27 223312 ----a-w- c:\windows\system32\drivers\OADriver.sys

2009-12-16 21:44 . 2009-12-16 21:44 -------- d-----w- c:\program files\Tall Emu

2009-12-06 17:20 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-06 17:20 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-02 22:29 . 2009-12-02 22:29 109568 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{DDE86945-8340-9BA6-E1A1-510D576F695B}-sdra64.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-16 23:44 . 2009-06-24 11:23 -------- d-----w- c:\program files\Google

2009-12-13 18:51 . 2006-05-24 05:44 -------- d-----w- c:\program files\Microsoft Works

2009-12-06 17:20 . 2009-10-31 20:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-01 23:39 . 2007-05-30 16:45 1814 -c--a-w- c:\documents and settings\martin1\Application Data\wklnhst.dat

2009-11-29 09:38 . 2006-12-31 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2009-11-20 03:53 . 2006-10-07 22:55 121200 -c--a-w- c:\documents and settings\martin1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-20 03:48 . 2007-11-09 23:06 -------- d-----w- c:\program files\AutoCAD 2005

2009-11-20 03:47 . 2007-11-09 23:06 -------- d-----w- c:\program files\Common Files\Autodesk Shared

2009-11-20 03:47 . 2007-11-09 23:13 -------- d-----w- c:\program files\AnswerWorks 4.0

2009-11-20 03:41 . 2007-11-09 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk

2009-11-02 20:42 . 2009-11-01 14:53 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-11-02 14:26 . 2009-11-02 14:25 -------- d-----w- c:\program files\Microsoft Security Essentials

2009-11-02 13:40 . 2009-11-02 13:40 120744 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-01 19:14 . 2006-10-04 13:37 -------- d-----w- c:\program files\Common Files\AOL

2009-11-01 19:10 . 2006-10-07 19:24 -------- d-----w- c:\documents and settings\martin1\Application Data\AOL

2009-11-01 19:10 . 2006-10-07 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL

2009-11-01 15:58 . 2009-11-01 15:58 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2009-10-31 20:33 . 2009-10-31 20:33 -------- d-----w- c:\documents and settings\martin1\Application Data\Malwarebytes

2009-10-31 20:33 . 2009-10-31 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-29 07:46 . 2006-05-23 06:26 832512 ----a-w- c:\windows\system32\wininet.dll

2009-10-29 07:46 . 2006-05-23 06:26 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-10-29 07:46 . 2006-05-23 06:25 17408 ------w- c:\windows\system32\corpol.dll

2009-10-21 06:00 . 2006-05-23 06:26 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 06:00 . 2006-05-23 06:26 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 14:58 . 2004-08-03 23:00 263552 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:53 . 2006-05-23 06:26 266752 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:54 . 2006-05-23 06:26 69632 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:54 . 2006-05-23 06:26 112128 ----a-w- c:\windows\system32\rastls.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-24 39408]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]

"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 16143872]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]

"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-21 1077330]

"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2006-04-12 638976]

"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]

"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]

"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2006-04-04 53248]

"TPSMain"="TPSMain.exe" [2005-08-11 266240]

"Zooming"="ZoomingHook.exe" [2005-06-06 24576]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]

"TCtryIOHook"="TCtrlIOHook.exe" [2006-01-03 28672]

"TFncKy"="TFncKy.exe" [bU]

"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]

"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-28 262144]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]

"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 89541]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-10-07 26112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-21 155648]

"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-14 132624]

"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-15 113664]

AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2007-5-28 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-12-05 923336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2009-06-10 17:01 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk

backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Broadband Check-Up.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Broadband Check-Up.lnk

backup=c:\windows\pss\AOL Broadband Check-Up.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk

backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^martin1^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]

path=c:\documents and settings\martin1\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk

backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jessops photoexpress Insert Detect]

2003-02-17 12:45 262144 ----a-w- c:\program files\Jessops photoexpress\Picture Suite\InsDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

2009-09-10 14:53 1312080 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbabj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-06-24 11:23 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=

"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [16/12/2009 21:44 223312]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [16/12/2009 21:44 24656]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [16/12/2009 21:44 29776]

R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [16/12/2009 21:44 1282248]

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [18/04/2006 14:12 98816]

S1 gkgfysyz;gkgfysyz;\??\c:\windows\system32\drivers\gkgfysyz.sys --> c:\windows\system32\drivers\gkgfysyz.sys [?]

S1 lcphtkss;lcphtkss;\??\c:\windows\system32\drivers\lcphtkss.sys --> c:\windows\system32\drivers\lcphtkss.sys [?]

S1 nlduralv;nlduralv;\??\c:\windows\system32\drivers\nlduralv.sys --> c:\windows\system32\drivers\nlduralv.sys [?]

S2 gupdate1c9f4be6e8b1bc6;Google Update Service (gupdate1c9f4be6e8b1bc6);c:\program files\Google\Update\GoogleUpdate.exe [24/06/2009 11:25 133104]

S3 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [16/12/2009 21:44 3291336]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

.

- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

MSConfigStartUp-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

MSConfigStartUp-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe

MSConfigStartUp-Google Quick Search Box - c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe

MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1244752768\ee\AOLSoftware.exe

MSConfigStartUp-My Web Search Bar - c:\progra~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL

MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

AddRemove-PComponents - c:\documents and settings\martin1\Application Data\PC\uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-22 11:23

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(508)

c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2500)

c:\windows\system32\WININET.dll

c:\windows\system32\IEFRAME.dll

c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL

c:\windows\system32\mshtml.dll

c:\windows\system32\TPwrCfg.DLL

c:\windows\system32\TPwrReg.dll

c:\windows\system32\TPSTrace.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Essentials\MsMpEng.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\windows\system32\DVDRAMSV.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\system32\TODDSrv.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\TPSMain.exe

c:\windows\system32\ZoomingHook.exe

c:\windows\system32\TCtrlIOHook.exe

c:\windows\system32\TPSBattM.exe

c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe

c:\windows\AGRSMMSG.exe

c:\program files\Apoint2K\Apntex.exe

c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe

.

**************************************************************************

.

Completion time: 2009-12-22 11:26:56 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-22 11:26

Pre-Run: 13,893,693,440 bytes free

Post-Run: 13,976,604,672 bytes free

- - End Of File - - 15BD689B33754A39EF7E3D23D82663B4

DDS:

===

DDS (Ver_09-12-01.01) - NTFSx86

Run by martin1 at 11:33:35.46 on 22/12/2009

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.135 [GMT 0:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\Program Files\Tall Emu\Online Armor\OAcat.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\TODDSrv.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

C:\WINDOWS\system32\TPSMain.exe

C:\WINDOWS\system32\ZoomingHook.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\WINDOWS\system32\TCtrlIOHook.exe

C:\Program Files\TOSHIBA\Tvs\TvsTray.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\system32\RAMASST.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\martin1\Desktop\jimbo\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Apoint] c:\program files\apoint2k\Apoint.exe

mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe

mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe

mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP

mRun: [sVPWUTIL] c:\program files\toshiba\windows utilities\SVPWUTIL.exe SVPwUTIL

mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe

mRun: [TPSMain] TPSMain.exe

mRun: [Zooming] ZoomingHook.exe

mRun: [smoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe

mRun: [TCtryIOHook] TCtrlIOHook.exe

mRun: [TFncKy] TFncKy.exe

mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe

mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe

mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart16.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll

Notify: igfxcui - igfxdev.dll

SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\progra~1\markany\conten~1\MACSMA~1.DLL

SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-12-16 223312]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-12-16 24656]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-12-16 29776]

R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-12-16 1282248]

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-4-18 98816]

S1 gkgfysyz;gkgfysyz;\??\c:\windows\system32\drivers\gkgfysyz.sys --> c:\windows\system32\drivers\gkgfysyz.sys [?]

S1 lcphtkss;lcphtkss;\??\c:\windows\system32\drivers\lcphtkss.sys --> c:\windows\system32\drivers\lcphtkss.sys [?]

S1 nlduralv;nlduralv;\??\c:\windows\system32\drivers\nlduralv.sys --> c:\windows\system32\drivers\nlduralv.sys [?]

S2 gupdate1c9f4be6e8b1bc6;Google Update Service (gupdate1c9f4be6e8b1bc6);c:\program files\google\update\GoogleUpdate.exe [2009-6-24 133104]

S3 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-12-16 3291336]

=============== Created Last 30 ================

2009-12-22 10:54:09 98816 ----a-w- c:\windows\sed.exe

2009-12-22 10:54:09 77312 ----a-w- c:\windows\MBR.exe

2009-12-22 10:54:09 261632 ----a-w- c:\windows\PEV.exe

2009-12-22 10:54:09 161792 ----a-w- c:\windows\SWREG.exe

2009-12-22 10:53:52 0 d-----w- C:\Combo-Fix

2009-12-17 18:18:47 0 ----a-w- c:\documents and settings\martin1\defogger_reenable

2009-12-16 21:45:07 0 d-----w- c:\docume~1\martin1\applic~1\OnlineArmor

2009-12-16 21:45:07 0 d-----w- c:\docume~1\alluse~1\applic~1\OnlineArmor

2009-12-16 21:44:12 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys

2009-12-16 21:44:12 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys

2009-12-16 21:44:12 223312 ----a-w- c:\windows\system32\drivers\OADriver.sys

2009-12-16 21:44:02 0 d-----w- c:\program files\Tall Emu

2009-12-06 17:20:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-06 17:20:17 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-29 09:38:26 3384461312 ----a-w- C:\BIRDINGINBRITAIN.ISO

==================== Find3M ====================

2009-12-01 23:39:57 1814 -c--a-w- c:\docume~1\martin1\applic~1\wklnhst.dat

2009-11-02 20:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-10-29 07:46:59 832512 ------w- c:\windows\system32\wininet.dll

2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-10-29 07:46:50 17408 ------w- c:\windows\system32\corpol.dll

2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll

============= FINISH: 11:33:49.23 ===============

Attach_2.zip


  • Root Admin

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

File::
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{DDE86945-8340-9BA6-E1A1-510D576F695B}-sdra64.exe
c:\windows\system32\drivers\gkgfysyz.sys
c:\windows\system32\drivers\lcphtkss.sys
c:\windows\system32\drivers\nlduralv.sys
Driver::
gkgfysyz
lcphtkss
nlduralv

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt".

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

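An added example, not code from the thread and not from DDS or ComboFix, that does in code what the post above does by hand: it parses the SERVICES / DRIVERS lines of the DDS log posted earlier, flags the entries DDS could not read, that are registered through a \??\ path and whose name is eight random-looking lowercase letters, and then renders the File:: / Driver:: sections in the CFScript layout used in the post. The sample lines are copied from the posted DDS output; the scoring heuristics are assumptions made here for illustration.

```python
"""Triage helper for the DDS 'SERVICES / DRIVERS' section.

Added example: not part of the forum thread and not code from DDS or
ComboFix. The sample lines are taken from the DDS log posted above;
the suspicion heuristics are assumptions made here for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: six lines from the posted DDS SERVICES / DRIVERS
# section (three legitimate entries, three random-name drivers).
SAMPLE_DDS = r"""
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-12-16 223312]
S1 gkgfysyz;gkgfysyz;\??\c:\windows\system32\drivers\gkgfysyz.sys --> c:\windows\system32\drivers\gkgfysyz.sys [?]
S1 lcphtkss;lcphtkss;\??\c:\windows\system32\drivers\lcphtkss.sys --> c:\windows\system32\drivers\lcphtkss.sys [?]
S1 nlduralv;nlduralv;\??\c:\windows\system32\drivers\nlduralv.sys --> c:\windows\system32\drivers\nlduralv.sys [?]
S2 gupdate1c9f4be6e8b1bc6;Google Update Service (gupdate1c9f4be6e8b1bc6);c:\program files\google\update\GoogleUpdate.exe [2009-6-24 133104]
"""

# DDS line layout: <state><start-type> <name>;<display name>;<image> [<date> <size>]
# state is R (running) or S (stopped); the bracket holds '?' when DDS could
# not read the image file's date and size.
LINE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.*) \[([^\]]*)\]$")

# Eight lowercase letters, no digits: the shape of the three dropped driver
# names in the posted log (gkgfysyz, lcphtkss, nlduralv). Assumed heuristic.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


@dataclass
class ServiceEntry:
    state: str       # 'R' running or 'S' stopped at scan time
    start_type: str  # DDS start-type digit as printed
    name: str        # service/driver key name
    display: str     # display name
    image: str       # resolved image path (text after '-->' when present)
    raw_image: str   # image field exactly as DDS printed it
    info: str        # '<date> <size>' or '?' when the file could not be read
    reasons: list = field(default_factory=list)


def parse_dds_services(text: str) -> list:
    """Parse every SERVICES / DRIVERS line; lines in another layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        state, start_type, name, display, raw_image, info = m.groups()
        image = raw_image.split("-->")[-1].strip()
        entries.append(ServiceEntry(state, start_type, name, display,
                                    image, raw_image, info))
    return entries


def suspicion_reasons(entry: ServiceEntry) -> list:
    """Heuristics (assumed here, not DDS logic) that match the posted entries."""
    reasons = []
    if entry.info == "?":
        reasons.append("DDS could not read the image file ([?])")
    if entry.raw_image.startswith("\\??\\"):
        reasons.append("image registered with a \\??\\ NT object path")
    if RANDOM_NAME_RE.match(entry.name) and entry.display == entry.name:
        reasons.append("8-letter lowercase name reused as display name")
    return reasons


def flag_suspicious(entries: list, min_reasons: int = 2) -> list:
    """Return the entries that trip at least min_reasons heuristics."""
    flagged = []
    for entry in entries:
        entry.reasons = suspicion_reasons(entry)
        if len(entry.reasons) >= min_reasons:
            flagged.append(entry)
    return flagged


def build_cfscript(flagged: list) -> str:
    """Render the File:: and Driver:: sections in the layout the post uses."""
    lines = ["File::"] + [e.image for e in flagged]
    lines += ["Driver::"] + [e.name for e in flagged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = flag_suspicious(parse_dds_services(SAMPLE_DDS))
    for hit in hits:
        print(f"{hit.name}: {'; '.join(hit.reasons)}")
    print(build_cfscript(hits), end="")
```

Running it on the full DDS log rather than the sample lists every entry that meets two of the three heuristics, so a legitimate driver with a missing file shows up once and can be checked by hand before anything is scripted.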

Hi,

Here's the latest ComboFix log - Recovery console installed this time:

ComboFix 09-12-20.08 - martin1 23/12/2009 10:36:41.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.172 [GMT 0:00]

Running from: c:\documents and settings\martin1\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\martin1\Desktop\CFscript.txt

AV: Microsoft Security Essentials *On-access scanning disabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

FILE ::

"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{DDE86945-8340-9BA6-E1A1-510D576F695B}-sdra64.exe"

"c:\windows\system32\drivers\gkgfysyz.sys"

"c:\windows\system32\drivers\lcphtkss.sys"

"c:\windows\system32\drivers\nlduralv.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{DDE86945-8340-9BA6-E1A1-510D576F695B}-sdra64.exe

c:\documents and settings\martin1\Local Settings\Temporary Internet Files\mccC.tmp

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_gkgfysyz

-------\Service_lcphtkss

-------\Service_nlduralv

((((((((((((((((((((((((( Files Created from 2009-11-23 to 2009-12-23 )))))))))))))))))))))))))))))))

.

2009-12-22 10:53 . 2009-12-22 11:27 -------- d-----w- C:\Combo-Fix

2009-12-16 21:45 . 2009-12-16 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor

2009-12-16 21:45 . 2009-12-16 21:45 -------- d-----w- c:\documents and settings\martin1\Application Data\OnlineArmor

2009-12-16 21:44 . 2009-12-05 07:28 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys

2009-12-16 21:44 . 2009-12-05 07:27 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys

2009-12-16 21:44 . 2009-12-05 07:27 223312 ----a-w- c:\windows\system32\drivers\OADriver.sys

2009-12-16 21:44 . 2009-12-16 21:44 -------- d-----w- c:\program files\Tall Emu

2009-12-06 17:20 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-06 17:20 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-16 23:44 . 2009-06-24 11:23 -------- d-----w- c:\program files\Google

2009-12-13 18:51 . 2006-05-24 05:44 -------- d-----w- c:\program files\Microsoft Works

2009-12-06 17:20 . 2009-10-31 20:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-01 23:39 . 2007-05-30 16:45 1814 -c--a-w- c:\documents and settings\martin1\Application Data\wklnhst.dat

2009-11-29 09:38 . 2006-12-31 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2009-11-20 03:53 . 2006-10-07 22:55 121200 -c--a-w- c:\documents and settings\martin1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-20 03:48 . 2007-11-09 23:06 -------- d-----w- c:\program files\AutoCAD 2005

2009-11-20 03:47 . 2007-11-09 23:06 -------- d-----w- c:\program files\Common Files\Autodesk Shared

2009-11-20 03:47 . 2007-11-09 23:13 -------- d-----w- c:\program files\AnswerWorks 4.0

2009-11-20 03:41 . 2007-11-09 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk

2009-11-02 20:42 . 2009-11-01 14:53 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-11-02 14:26 . 2009-11-02 14:25 -------- d-----w- c:\program files\Microsoft Security Essentials

2009-11-02 13:40 . 2009-11-02 13:40 120744 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-01 19:14 . 2006-10-04 13:37 -------- d-----w- c:\program files\Common Files\AOL

2009-11-01 19:10 . 2006-10-07 19:24 -------- d-----w- c:\documents and settings\martin1\Application Data\AOL

2009-11-01 19:10 . 2006-10-07 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL

2009-11-01 15:58 . 2009-11-01 15:58 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2009-10-31 20:33 . 2009-10-31 20:33 -------- d-----w- c:\documents and settings\martin1\Application Data\Malwarebytes

2009-10-31 20:33 . 2009-10-31 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-29 07:46 . 2006-05-23 06:26 832512 ------w- c:\windows\system32\wininet.dll

2009-10-29 07:46 . 2006-05-23 06:26 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-10-29 07:46 . 2006-05-23 06:25 17408 ------w- c:\windows\system32\corpol.dll

2009-10-21 06:00 . 2006-05-23 06:26 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 06:00 . 2006-05-23 06:26 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 14:58 . 2004-08-03 23:00 263552 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:53 . 2006-05-23 06:26 266752 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:54 . 2006-05-23 06:26 69632 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:54 . 2006-05-23 06:26 112128 ----a-w- c:\windows\system32\rastls.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-24 39408]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]

"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 16143872]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]

"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-21 1077330]

"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2006-04-12 638976]

"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]

"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]

"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2006-04-04 53248]

"TPSMain"="TPSMain.exe" [2005-08-11 266240]

"Zooming"="ZoomingHook.exe" [2005-06-06 24576]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]

"TCtryIOHook"="TCtrlIOHook.exe" [2006-01-03 28672]

"TFncKy"="TFncKy.exe" [bU]

"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]

"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-28 262144]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]

"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 89541]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-10-07 26112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-21 155648]

"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-14 132624]

"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-15 113664]

AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2007-5-28 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-12-05 923336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2009-06-10 17:01 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk

backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Broadband Check-Up.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Broadband Check-Up.lnk

backup=c:\windows\pss\AOL Broadband Check-Up.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk

backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^martin1^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]

path=c:\documents and settings\martin1\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk

backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jessops photoexpress Insert Detect]

2003-02-17 12:45 262144 ----a-w- c:\program files\Jessops photoexpress\Picture Suite\InsDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

2009-09-10 14:53 1312080 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbabj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-06-24 11:23 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=

"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [16/12/2009 21:44 223312]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [16/12/2009 21:44 24656]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [16/12/2009 21:44 29776]

R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [16/12/2009 21:44 1282248]

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [18/04/2006 14:12 98816]

S2 gupdate1c9f4be6e8b1bc6;Google Update Service (gupdate1c9f4be6e8b1bc6);c:\program files\Google\Update\GoogleUpdate.exe [24/06/2009 11:25 133104]

S3 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [16/12/2009 21:44 3291336]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-23 10:45

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)

c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(4004)

c:\windows\system32\WININET.dll

c:\windows\system32\IEFRAME.dll

c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL

c:\windows\system32\mshtml.dll

c:\windows\system32\TPwrCfg.DLL

c:\windows\system32\TPwrReg.dll

c:\windows\system32\TPSTrace.DLL

c:\program files\Microsoft Office\OFFICE11\msohev.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Essentials\MsMpEng.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\windows\system32\DVDRAMSV.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\system32\TODDSrv.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\TPSMain.exe

c:\windows\system32\ZoomingHook.exe

c:\windows\system32\TCtrlIOHook.exe

c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe

c:\program files\Apoint2K\Apntex.exe

c:\windows\AGRSMMSG.exe

c:\windows\system32\TPSBattM.exe

c:\program files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe

c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe

.

**************************************************************************

.

Completion time: 2009-12-23 10:49:45 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-23 10:49

ComboFix2.txt 2009-12-22 11:26

Pre-Run: 13,952,794,624 bytes free

Post-Run: 13,923,561,472 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - F3A5D8BC70B2C62EC2764B1360918069


  • Root Admin

Just about done. Please run the following and if that comes back good we'll just need to finish our cleanup process.

The log looks much better now. What we need to do now is run this online scan to search for any remnants. It can take several hours, so please be patient and allow it to run its full course.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


OK, here's that report:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Thursday, December 24, 2009

Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Thursday, December 24, 2009 06:52:28

Records in database: 3406927

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Objects scanned: 81001

Threats found: 2

Infected objects found: 2

Suspicious objects found: 0

Scan duration: 01:54:06

File name / Threat / Threats count

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.u 1

C:\System Volume Information\_restore{17A4E34B-B0F7-41F0-9E0F-14EE907186CC}\RP172\A0148265.DLL Infected: not-a-virus:Monitor.Win32.Agent.c 1

Selected area has been scanned.


  • Root Admin

Those files are okay for now.

Please update and run an MBAM scan.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
    • When the update is complete, select the Scanner tab
    • Select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log on your next reply.


Thanks for the response - here's the MBAM log. Looking good.

Malwarebytes' Anti-Malware 1.42

Database version: 3446

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

29/12/2009 00:07:26

mbam-log-2009-12-29 (00-07-25).txt

Scan type: Quick Scan

Objects scanned: 121845

Time elapsed: 15 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Root Admin

Looks good. Let's go ahead and remove combofix now.

Temporarily disable your Anti-Virus again and then click on START - RUN and type in Combofix.exe /uninstall and click OK

Once CF has been removed make sure to re-enable your Anti-Virus and make sure it's up to date.

You should now be able to run any Service Pack Updates required. If this is an HP computer though you may need to get an update from HP to prevent a blue screen of death caused by SP3 update.


Everything's back to normal now and the upgrade to SP3 went without a hitch this time. Thank you so much for the time you have spent helping me with this problem. It's nice to know that there are still plenty of 'good guys' out there.

One last question (hopefully). Do I need to do anything with Defogger? I'm not sure if the disable at the start actually worked as I never got the prompt to re-boot. Here's the log I got:

defogger_disable by jpshortstuff (28.11.09.2)

Log created at 18:54 on 17/12/2009 (martin1)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...


  • Root Admin

You're quite welcome. Glad I could be of help.

No, it did not find anything to disable. You can remove any files we used as part of this scanning and cleaning process.

Great, all looks good now.

I'll close your post soon so that others don't post into it, and leave you with this information and these suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • If the shortcut is missing you can also click on START > RUN, type in %SystemRoot%\system32\restore\rstrui.exe and click OK.
  • Choose the radio button marked "Create a Restore Point" on the first screen, then click "Next".
  • Give the new Restore Point a name, then click "Create".
  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr.exe
  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available, remove them also.
  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.


Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from here

Find the tutorial on how to use Spyware Blaster here

Install WinPatrol

Download it from here

You can find information about how WinPatrol works here

Install FireTrust SiteHound

You can find information and download it from here

Install hpHosts

Download it from here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.

hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Secunia Software Inspector

F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.

http://www.update.microsoft.com

Note 1: If you are running Windows XP SP2, you should upgrade to SP3.

Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.

I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org
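As an added illustration of the hosts-file blocking mechanism described for hpHosts above (example code, not from the thread or from the hpHosts project), this script parses a constructed Windows-style hosts file and reports which hostnames are sunk to the local machine; every hostname in the sample is made up.

```python
"""Parse a Windows-style hosts file and report which names are sunk to loopback."""
import ipaddress
from typing import Dict, List

# Constructed sample modelled on blocklist-style entries (not the real hpHosts list).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# [blocklist-style entries below - constructed example]
127.0.0.1  ads.example-tracker.test          # ad server
127.0.0.1  malware-download.example.test
0.0.0.0    Telemetry.Example.TEST            # some lists use 0.0.0.0 instead
93.184.216.34  cdn.example.test              # ordinary override, not a sinkhole
"""

# Addresses a blocklist uses to make a name resolve to the local machine.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address the hosts file assigns it."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))  # normalise, reject malformed lines
        except ValueError:
            continue
        for host in parts[1:]:  # one line may carry several hostnames
            mapping.setdefault(host.lower(), addr)  # keep the first entry for a name
    return mapping


def is_blocked(hostname: str, mapping: Dict[str, str]) -> bool:
    """True if the hosts file redirects this name to the local machine."""
    name = hostname.lower().rstrip(".")
    if name == "localhost":
        return False  # legitimately points at loopback
    return mapping.get(name) in SINKHOLE_ADDRS


def blocked_hosts(mapping: Dict[str, str]) -> List[str]:
    """Sorted list of every name the file sinks to the local machine."""
    return sorted(h for h in mapping if is_blocked(h, mapping))
```

Run against a real hosts file to see exactly which names a blocklist prevents the machine from reaching.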


  • Root Admin

Okay, closing the post now. Reminder, now that you've got SP3 installed you still need to keep going back to the Microsoft Update site and check for any new updates until you've finally installed all the Critical Updates. After that you can set it to check weekly or monthly if you like.

Thank you again and take care and be safe out there.
