Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

My Desktop is gone


  • Please log in to reply

#121
noahdfear

noahdfear

    Malware Expert

  • Expert
  • 1,316 posts
  • MVP
I've got to call it a night. Will check your log tomorrow.
  • 0

Advertisements


#122
jllaz

jllaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
Do you know how many stages? it has compleated 8
  • 0

#123
jllaz

jllaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
ComboFix 09-12-18.02 - Tony 12/19/2009 0:02.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.1210 [GMT -7:00]
Running from: c:\users\Tony\Desktop\KittyFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Cursors\aero_link.cur

.
((((((((((((((((((((((((( Files Created from 2009-11-19 to 2009-12-19 )))))))))))))))))))))))))))))))
.

2009-12-19 07:14 . 2009-12-19 07:14 -------- d-----w- c:\users\Tony\AppData\Local\temp
2009-12-19 07:14 . 2009-12-19 07:14 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2009-12-19 07:14 . 2009-12-19 07:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-19 07:14 . 2009-12-19 07:14 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2009-12-19 06:41 . 2009-12-19 06:41 -------- d-----w- c:\users\Tony\AppData\Local\Google
2009-12-19 06:37 . 2009-12-19 06:37 -------- d-----w- c:\windows\B7F95718207441B6BB0EC5E1EFC6ADE4.TMP
2009-12-19 00:31 . 2009-12-19 00:31 -------- d-----w- c:\users\Tony\AppData\Local\Apple
2009-12-18 14:57 . 2009-12-18 14:57 -------- d-----w- c:\users\Tony\AppData\Local\Autodesk
2009-12-18 14:57 . 2009-12-18 14:57 -------- d-----w- c:\users\Tony\AppData\Roaming\Autodesk
2009-12-18 14:49 . 2009-12-19 05:02 -------- d-----w- c:\users\Tony\AppData\Local\Adobe
2009-12-18 14:48 . 2009-12-18 14:48 174232 ----a-w- c:\users\Tony\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-18 14:45 . 2006-09-25 21:40 648744 ----a-w- c:\users\Tony\AppData\Roaming\Corel\WordPerfect Office X3\User Config\InitLBar.exe
2009-12-18 04:29 . 2009-12-18 14:17 174232 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-18 03:55 . 2009-12-18 03:55 -------- d-----w- c:\users\Administrator\AppData\Local\Apple
2009-12-16 03:54 . 2006-09-25 21:40 648744 ----a-w- c:\windows\System32\config\systemprofile\AppData\Roaming\COREL\WordPerfect Office X3\User Config\InitLBar.exe
2009-12-16 03:54 . 2009-12-16 03:54 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\COREL
2009-12-11 05:45 . 2009-12-11 05:46 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2009-12-09 04:55 . 2006-09-25 21:40 648744 ----a-w- c:\users\Default\AppData\Roaming\Corel\WordPerfect Office X3\User Config\InitLBar.exe
2009-12-09 04:55 . 2009-12-09 04:55 -------- d-----w- c:\users\Default\AppData\Roaming\Corel
2009-12-09 03:07 . 2009-12-09 04:48 -------- d-----w- c:\users\Default\AppData\Roaming\Chief Architect Full Version 11
2009-12-09 03:06 . 2009-12-09 03:07 -------- d-----w- c:\users\Default\AppData\Roaming\DAEMON Tools
2009-12-09 02:54 . 2009-12-16 00:44 174232 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-09 02:54 . 2009-12-09 02:54 680 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\d3d9caps.dat
2009-12-08 01:58 . 2009-12-15 23:55 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Chief Architect Full Version 11
2009-12-03 16:28 . 2009-12-03 16:28 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Roxio
2009-12-03 15:22 . 2009-12-03 15:22 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Shareaza
2009-12-03 15:22 . 2009-12-03 15:22 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Shareaza
2009-12-03 06:18 . 2009-12-03 06:18 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Malwarebytes
2009-12-03 01:39 . 2009-12-03 01:39 11264 ----a-w- c:\windows\system32\drivers\uzkwmzmy.sys
2009-12-01 17:15 . 2009-12-11 01:18 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Microsoft
2009-11-29 15:49 . 2009-11-29 15:50 -------- d-----w- c:\programdata\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-18 04:30 . 2009-12-18 03:45 -------- d-----w- c:\users\Administrator\AppData\Roaming\Corel
2009-12-16 00:45 . 2009-09-07 02:39 -------- d-----w- c:\program files\AutoCAD 2009
2009-12-09 04:55 . 2009-12-18 14:45 -------- d-----w- c:\users\Tony\AppData\Roaming\Corel
2009-12-09 04:48 . 2009-12-18 14:45 -------- d-----w- c:\users\Tony\AppData\Roaming\Chief Architect Full Version 11
2009-12-09 04:48 . 2009-12-18 03:45 -------- d-----w- c:\users\Administrator\AppData\Roaming\Chief Architect Full Version 11
2009-12-09 03:07 . 2009-12-18 14:45 -------- d-----w- c:\users\Tony\AppData\Roaming\DAEMON Tools
2009-12-09 03:07 . 2009-12-18 03:45 -------- d-----w- c:\users\Administrator\AppData\Roaming\DAEMON Tools
2009-11-16 01:50 . 2009-11-16 01:50 -------- d-----w- c:\program files\Trend Micro
2009-11-15 20:06 . 2009-12-18 14:45 -------- d-----w- c:\users\Tony\AppData\Roaming\Malwarebytes
2009-11-15 20:06 . 2009-12-18 03:45 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2009-11-15 20:06 . 2009-11-15 20:06 -------- d-----w- c:\users\Default\AppData\Roaming\Malwarebytes
2009-11-15 20:02 . 2009-11-15 20:02 -------- d-----w- c:\program files\Malbytes' Anti-Malware
2009-11-15 19:56 . 2009-11-15 19:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-15 19:56 . 2009-11-15 19:56 -------- d-----w- c:\programdata\Malwarebytes
2009-11-15 19:49 . 2009-11-15 19:45 -------- d-----w- c:\program files\ERUNT
2009-11-12 08:01 . 2009-11-10 02:32 -------- d-----w- c:\programdata\avg9
2009-11-12 07:24 . 2009-09-07 03:30 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-12 07:24 . 2009-09-07 03:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-12 07:24 . 2009-09-06 02:18 -------- d-----w- c:\users\Jerry\AppData\Roaming\DAEMON Tools
2009-11-12 07:24 . 2009-09-06 02:07 -------- d-----w- c:\programdata\RetroExp
2009-11-09 17:21 . 2009-09-06 15:53 -------- d-----w- c:\programdata\FLEXnet
2009-11-08 22:51 . 2009-09-07 02:37 -------- d-----w- c:\program files\Autodesk
2009-11-08 19:12 . 2009-09-06 01:22 -------- d-----w- c:\program files\Protector Suite QL
2009-11-08 19:02 . 2009-11-08 19:02 -------- d-----w- c:\program files\RSA
2009-11-08 19:00 . 2009-09-06 01:21 -------- d-----w- c:\programdata\UIB
2009-11-07 18:32 . 2009-09-10 19:46 -------- d-----w- c:\program files\AVG
2009-11-06 16:55 . 2009-10-16 13:58 -------- d-----w- c:\users\Jerry\AppData\Roaming\HpUpdate
2009-11-03 03:42 . 2009-10-06 19:58 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-01 22:54 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-11-01 18:33 . 2009-11-01 18:33 -------- d-----w- c:\program files\Sophos
2009-11-01 17:15 . 2009-10-27 03:55 -------- d-----w- c:\program files\Shareaza
2009-11-01 16:44 . 2009-09-06 02:05 -------- d-----w- c:\users\Jerry\AppData\Roaming\InstallShield
2009-11-01 16:44 . 2009-09-11 14:46 -------- d-----w- c:\program files\Epson Software
2009-11-01 16:44 . 2007-05-09 21:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-01 16:43 . 2009-10-30 20:46 -------- d-----w- c:\program files\VideoLAN
2009-11-01 16:29 . 2009-11-01 16:29 -------- d-----w- c:\program files\EPSON
2009-10-30 20:53 . 2009-10-30 20:31 -------- d---a-w- c:\users\Jerry\AppData\Roaming\vlc
2009-10-30 15:57 . 2009-10-30 15:53 -------- d-----w- c:\program files\PlanSwift8
2009-10-27 03:55 . 2009-10-27 03:55 -------- d-----w- c:\users\Jerry\AppData\Roaming\Shareaza
2009-10-16 14:07 . 2009-10-16 14:04 116841 ----a-w- c:\windows\hpqins00.dat
2009-10-07 01:10 . 2009-10-06 23:07 130375 ----a-w- c:\windows\hpoins13.dat
2009-09-12 16:14 . 2009-09-11 15:33 952 --sha-w- c:\windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-11-14 19:22 3186440 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-11-14 19:22 3186440 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 2153472]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-10 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-11-14 19:07 96008 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Windows^system32^config^systemprofile^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
2007-01-17 20:46 534648 ----a-w- c:\program files\Toshiba\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-06-12 04:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2008-06-12 08:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 13:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2007-02-13 16:30 405504 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-02-13 23:09 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-05-09 22:16 1862144 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 06:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-12 02:13 166424 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 03:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
2006-12-07 23:49 55416 ----a-w- c:\program files\Toshiba\TBS\HSON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
2006-11-01 15:06 413696 ----a-w- c:\program files\Toshiba\Utilities\HWSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-12 02:13 141848 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 10:56 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 03:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeNotify]
2006-11-07 00:14 34352 ----a-w- c:\program files\Toshiba\Utilities\KeNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-12 02:13 133656 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2007-11-14 18:38 49416 ----a-w- c:\program files\Protector Suite QL\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
2007-01-03 05:21 83568 ----a-w- c:\program files\WordPerfect Office X3\Programs\QFSCHD130.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 07:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RetroExpress]
2007-01-22 19:11 9385504 ----a-w- c:\progra~1\RETROS~1\RETROS~1.0\RetroExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-10-27 14:41 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-02-16 00:07 4390912 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza]
2008-10-01 18:00 5723136 ----a-w- c:\program files\Shareaza\Shareaza.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2007-01-19 05:24 448632 ----a-w- c:\program files\Toshiba\SmoothView\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 22:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]
2006-11-01 18:08 438272 ----a-w- c:\program files\Toshiba\Utilities\SVPWUTIL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-09-06 03:27 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-03-20 13:36 1451304 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPwrMain]
2006-12-20 06:16 411768 ----a-w- c:\program files\Toshiba\Power Saver\TPwrMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 05:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R1 uzkwmzmy;AVZ-RK Kernel Driver;c:\windows\System32\drivers\uzkwmzmy.sys [12/2/2009 6:39 PM 11264]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [9/6/2009 8:30 PM 809296]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [11/17/2008 2:40 PM 3668480]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [9/5/2009 7:18 PM 716272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BufferZone - c:\program files\BufferZone\CLIENTGUI.EXE
MSConfigStartUp-NDSTray - NDSTray.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-19 00:14
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????TF?l{?????;?8?;?p?;???;???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\714.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infql2.dll
.
Completion time: 2009-12-19 00:20:33
ComboFix-quarantined-files.txt 2009-12-19 07:20

Pre-Run: 76,893,581,312 bytes free
Post-Run: 76,688,400,384 bytes free

- - End Of File - - 320981F7BE9C2284996ADE7DADDAFDAE
  • 0

#124
noahdfear

noahdfear

    Malware Expert

  • Expert
  • 1,316 posts
  • MVP
Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=-
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Close all other windows and programs. In normal mode, drag the CFScript.txt onto KiityFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

Let me know if Ctrl+Alt+Del is working properly, the status of your internet connection (test ping again too), if you can open Network Connections console, etc.
  • 0

#125
jllaz

jllaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
Good morning!!! Last night I rebooted the computer from Safe to Normal Mode several times and the system hung so I did a hard shutdown every time to expedite our communication. I logged off last night and this morning the computer was still hung, on the log off screen. This happens only in Normal Mode. Any way just to let you know. I run the command as you instructed, as I do this I have to save to a USB drive to transfer the file to my desktop so I can send it to you. This is the first time that after I press the Safely Remove Hardware Icon, this message came up: C:\Windows\System32\rundll32.exe Illegal operation attempted on a regisry key that has been marked for deletion. C/A/D Still the same. Ping command result Send 4, Received 4, Lost 0 with a return time of 97 ms. Internet still no working, tried to open Network and
sharing Center the system is bussy trying to open but it's been a few minutes and it hasn't happen, I will wait a little longer and I will cancel the proccess.


ComboFix 09-12-18.02 - Tony 12/19/2009 9:45.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.1201 [GMT -7:00]
Running from: c:\users\Tony\Desktop\KittyFix.exe
Command switches used :: c:\users\Tony\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-11-19 to 2009-12-19 )))))))))))))))))))))))))))))))
.

2009-12-19 16:56 . 2009-12-19 16:56 -------- d-----w- c:\users\Tony\AppData\Local\temp
2009-12-19 16:56 . 2009-12-19 16:56 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2009-12-19 16:56 . 2009-12-19 16:56 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-19 16:56 . 2009-12-19 16:56 -------- d-----w- c:\users\Jerry\AppData\Local\temp
2009-12-19 16:56 . 2009-12-19 16:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-19 16:56 . 2009-12-19 16:56 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2009-12-19 06:59 . 2009-12-19 07:20 -------- d-----w- C:\KittyFix
2009-12-19 06:41 . 2009-12-19 06:41 -------- d-----w- c:\users\Tony\AppData\Local\Google
2009-12-19 06:37 . 2009-12-19 06:37 -------- d-----w- c:\windows\B7F95718207441B6BB0EC5E1EFC6ADE4.TMP
2009-12-19 00:31 . 2009-12-19 00:31 -------- d-----w- c:\users\Tony\AppData\Local\Apple
2009-12-18 14:57 . 2009-12-18 14:57 -------- d-----w- c:\users\Tony\AppData\Local\Autodesk
2009-12-18 14:57 . 2009-12-18 14:57 -------- d-----w- c:\users\Tony\AppData\Roaming\Autodesk
2009-12-18 14:49 . 2009-12-19 05:02 -------- d-----w- c:\users\Tony\AppData\Local\Adobe
2009-12-18 14:48 . 2009-12-18 14:48 174232 ----a-w- c:\users\Tony\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-18 14:45 . 2006-09-25 21:40 648744 ----a-w- c:\users\Tony\AppData\Roaming\Corel\WordPerfect Office X3\User Config\InitLBar.exe
2009-12-18 04:29 . 2009-12-18 14:17 174232 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-18 03:55 . 2009-12-18 03:55 -------- d-----w- c:\users\Administrator\AppData\Local\Apple
2009-12-16 03:54 . 2006-09-25 21:40 648744 ----a-w- c:\windows\System32\config\systemprofile\AppData\Roaming\COREL\WordPerfect Office X3\User Config\InitLBar.exe
2009-12-16 03:54 . 2009-12-16 03:54 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\COREL
2009-12-11 05:45 . 2009-12-11 05:46 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2009-12-09 04:55 . 2006-09-25 21:40 648744 ----a-w- c:\users\Default\AppData\Roaming\Corel\WordPerfect Office X3\User Config\InitLBar.exe
2009-12-09 04:55 . 2009-12-09 04:55 -------- d-----w- c:\users\Default\AppData\Roaming\Corel
2009-12-09 03:07 . 2009-12-09 04:48 -------- d-----w- c:\users\Default\AppData\Roaming\Chief Architect Full Version 11
2009-12-09 03:06 . 2009-12-09 03:07 -------- d-----w- c:\users\Default\AppData\Roaming\DAEMON Tools
2009-12-09 02:54 . 2009-12-16 00:44 174232 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-09 02:54 . 2009-12-09 02:54 680 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\d3d9caps.dat
2009-12-08 01:58 . 2009-12-15 23:55 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Chief Architect Full Version 11
2009-12-03 16:28 . 2009-12-03 16:28 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Roxio
2009-12-03 15:22 . 2009-12-03 15:22 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Shareaza
2009-12-03 15:22 . 2009-12-03 15:22 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Shareaza
2009-12-03 06:18 . 2009-12-03 06:18 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Malwarebytes
2009-12-03 01:39 . 2009-12-03 01:39 11264 ----a-w- c:\windows\system32\drivers\uzkwmzmy.sys
2009-12-01 17:15 . 2009-12-11 01:18 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Microsoft
2009-11-29 15:49 . 2009-11-29 15:50 -------- d-----w- c:\programdata\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-18 04:30 . 2009-12-18 03:45 -------- d-----w- c:\users\Administrator\AppData\Roaming\Corel
2009-12-16 00:45 . 2009-09-07 02:39 -------- d-----w- c:\program files\AutoCAD 2009
2009-12-09 04:55 . 2009-12-18 14:45 -------- d-----w- c:\users\Tony\AppData\Roaming\Corel
2009-12-09 04:48 . 2009-12-18 14:45 -------- d-----w- c:\users\Tony\AppData\Roaming\Chief Architect Full Version 11
2009-12-09 04:48 . 2009-12-18 03:45 -------- d-----w- c:\users\Administrator\AppData\Roaming\Chief Architect Full Version 11
2009-12-09 03:07 . 2009-12-18 14:45 -------- d-----w- c:\users\Tony\AppData\Roaming\DAEMON Tools
2009-12-09 03:07 . 2009-12-18 03:45 -------- d-----w- c:\users\Administrator\AppData\Roaming\DAEMON Tools
2009-11-16 01:50 . 2009-11-16 01:50 -------- d-----w- c:\program files\Trend Micro
2009-11-15 20:06 . 2009-12-18 14:45 -------- d-----w- c:\users\Tony\AppData\Roaming\Malwarebytes
2009-11-15 20:06 . 2009-12-18 03:45 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2009-11-15 20:06 . 2009-11-15 20:06 -------- d-----w- c:\users\Default\AppData\Roaming\Malwarebytes
2009-11-15 20:02 . 2009-11-15 20:02 -------- d-----w- c:\program files\Malbytes' Anti-Malware
2009-11-15 19:56 . 2009-11-15 19:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-15 19:56 . 2009-11-15 19:56 -------- d-----w- c:\programdata\Malwarebytes
2009-11-15 19:49 . 2009-11-15 19:45 -------- d-----w- c:\program files\ERUNT
2009-11-12 08:01 . 2009-11-10 02:32 -------- d-----w- c:\programdata\avg9
2009-11-12 07:24 . 2009-09-07 03:30 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-12 07:24 . 2009-09-07 03:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-12 07:24 . 2009-09-06 02:18 -------- d-----w- c:\users\Jerry\AppData\Roaming\DAEMON Tools
2009-11-12 07:24 . 2009-09-06 02:07 -------- d-----w- c:\programdata\RetroExp
2009-11-09 17:21 . 2009-09-06 15:53 -------- d-----w- c:\programdata\FLEXnet
2009-11-08 22:51 . 2009-09-07 02:37 -------- d-----w- c:\program files\Autodesk
2009-11-08 19:12 . 2009-09-06 01:22 -------- d-----w- c:\program files\Protector Suite QL
2009-11-08 19:02 . 2009-11-08 19:02 -------- d-----w- c:\program files\RSA
2009-11-08 19:00 . 2009-09-06 01:21 -------- d-----w- c:\programdata\UIB
2009-11-07 18:32 . 2009-09-10 19:46 -------- d-----w- c:\program files\AVG
2009-11-06 16:55 . 2009-10-16 13:58 -------- d-----w- c:\users\Jerry\AppData\Roaming\HpUpdate
2009-11-03 03:42 . 2009-10-06 19:58 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-01 22:54 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-11-01 18:33 . 2009-11-01 18:33 -------- d-----w- c:\program files\Sophos
2009-11-01 17:15 . 2009-10-27 03:55 -------- d-----w- c:\program files\Shareaza
2009-11-01 16:44 . 2009-09-06 02:05 -------- d-----w- c:\users\Jerry\AppData\Roaming\InstallShield
2009-11-01 16:44 . 2009-09-11 14:46 -------- d-----w- c:\program files\Epson Software
2009-11-01 16:44 . 2007-05-09 21:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-01 16:43 . 2009-10-30 20:46 -------- d-----w- c:\program files\VideoLAN
2009-11-01 16:29 . 2009-11-01 16:29 -------- d-----w- c:\program files\EPSON
2009-10-30 20:53 . 2009-10-30 20:31 -------- d---a-w- c:\users\Jerry\AppData\Roaming\vlc
2009-10-30 15:57 . 2009-10-30 15:53 -------- d-----w- c:\program files\PlanSwift8
2009-10-27 03:55 . 2009-10-27 03:55 -------- d-----w- c:\users\Jerry\AppData\Roaming\Shareaza
2009-10-16 14:07 . 2009-10-16 14:04 116841 ----a-w- c:\windows\hpqins00.dat
2009-10-07 01:10 . 2009-10-06 23:07 130375 ----a-w- c:\windows\hpoins13.dat
2009-09-12 16:14 . 2009-09-11 15:33 952 --sha-w- c:\windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_07.14.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-11-02 13:05 . 2009-12-19 06:45 68134 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-12-19 16:36 68134 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-12-01 17:15 . 2009-12-18 21:07 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-01 17:15 . 2009-12-19 06:41 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-01 17:15 . 2009-12-18 21:07 98304 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-01 17:15 . 2009-12-19 06:41 98304 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-18 17:56 . 2009-12-19 16:36 2660 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2604506643-2707541610-3872154351-1004_UserData.bin
+ 2009-12-19 06:40 . 2009-12-19 16:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-12-19 06:40 . 2009-12-19 06:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-12-19 06:40 . 2009-12-19 16:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-12-19 06:40 . 2009-12-19 06:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-11-14 19:22 3186440 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-11-14 19:22 3186440 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 2153472]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-10 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-11-14 19:07 96008 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Windows^system32^config^systemprofile^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
2007-01-17 20:46 534648 ----a-w- c:\program files\Toshiba\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-06-12 04:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2008-06-12 08:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 13:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2007-02-13 16:30 405504 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-02-13 23:09 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-05-09 22:16 1862144 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 06:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-12 02:13 166424 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 03:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
2006-12-07 23:49 55416 ----a-w- c:\program files\Toshiba\TBS\HSON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
2006-11-01 15:06 413696 ----a-w- c:\program files\Toshiba\Utilities\HWSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-12 02:13 141848 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 10:56 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 03:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeNotify]
2006-11-07 00:14 34352 ----a-w- c:\program files\Toshiba\Utilities\KeNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-12 02:13 133656 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2007-11-14 18:38 49416 ----a-w- c:\program files\Protector Suite QL\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
2007-01-03 05:21 83568 ----a-w- c:\program files\WordPerfect Office X3\Programs\QFSCHD130.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 07:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RetroExpress]
2007-01-22 19:11 9385504 ----a-w- c:\progra~1\RETROS~1\RETROS~1.0\RetroExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-10-27 14:41 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-02-16 00:07 4390912 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza]
2008-10-01 18:00 5723136 ----a-w- c:\program files\Shareaza\Shareaza.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2007-01-19 05:24 448632 ----a-w- c:\program files\Toshiba\SmoothView\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 22:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]
2006-11-01 18:08 438272 ----a-w- c:\program files\Toshiba\Utilities\SVPWUTIL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-09-06 03:27 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-03-20 13:36 1451304 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPwrMain]
2006-12-20 06:16 411768 ----a-w- c:\program files\Toshiba\Power Saver\TPwrMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 05:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R1 uzkwmzmy;AVZ-RK Kernel Driver;c:\windows\System32\drivers\uzkwmzmy.sys [12/2/2009 6:39 PM 11264]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [9/6/2009 8:30 PM 809296]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [11/17/2008 2:40 PM 3668480]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [9/5/2009 7:18 PM 716272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-19 09:56
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????TF?l{?????;?8?;?p?;???;???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\714.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infql2.dll

- - - - - - - > 'Explorer.exe'(1588)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infql2.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-12-19 10:01:25
ComboFix-quarantined-files.txt 2009-12-19 17:01
ComboFix2.txt 2009-12-19 07:20

Pre-Run: 76,722,315,264 bytes free
Post-Run: 76,694,958,080 bytes free

- - End Of File - - 8811FE4D2B43C37449E8C21A2E5BECA3
  • 0

#126
noahdfear

noahdfear

    Malware Expert

  • Expert
  • 1,316 posts
  • MVP

Ping command result Send 4, Received 4, Lost 0 with a return time of 97 ms.


That means the computer connected to google.com and received a response to the ping - you're connected. I'm guessing you get a blank page when opening a browser? Try opening a Run dialog (WinKey+R) and type the following then hit enter.

http://74.125.95.103


Please open an elevated command window and execute the follwing command.

sfc /scannow

This will run the System File Checker, which will determine if any of the system's protected operating system files are corrupt and attempt to replace them if found to be. Restart when it completes and let me know if problems persist.
  • 0

#127
jllaz

jllaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
I do access the gooogle page so I'm connected to the internet. I tried clicking IE Icon and it did work also, the reazon I though I was not connected is because the computer icons on the task bar have a red cross on them. I dis the command sfc and press enter the cursor change to the next line and is blinking but it doesen't seem to be any activity. Should I re-try?
  • 0

#128
noahdfear

noahdfear

    Malware Expert

  • Expert
  • 1,316 posts
  • MVP
Please just wait on sfc, and do not try to do anything else with the computer until it completes.
  • 0

#129
jllaz

jllaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
I still see no disk activity.
  • 0

#130
noahdfear

noahdfear

    Malware Expert

  • Expert
  • 1,316 posts
  • MVP
Close the command window then open a Run dialog and type msconfig - hit Enter.
In the System Configuration applet that opens, select the Services tab.
Check the box labled 'Hide all Microsoft Services'
Select the General tab then click Selective Startup
Uncheck Load startup items
Click OK to close - click Restart
Once logged on again, open an elevated command window and try sfc /scannow again.
  • 0

Advertisements


#131
jllaz

jllaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
It doesn't seem to be any disk activity again.
  • 0

#132
noahdfear

noahdfear

    Malware Expert

  • Expert
  • 1,316 posts
  • MVP
What happens after you enter the command? It should appear as below.

C:\Windows\system32>sfc /scannow

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.


  • 0

#133
jllaz

jllaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
When I hit enter, the cursor goes to the next line and just blinks. I have to CONTROL+C to get out. No disk activity.
  • 0

#134
noahdfear

noahdfear

    Malware Expert

  • Expert
  • 1,316 posts
  • MVP
See what you get with this command.

sfc /?
  • 0

#135
jllaz

jllaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
It gives me a description of the extension commands. The only thing I see different on the command is tha is caps.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP