
Solved Infected: Packed.Win32.TDSS.aa

Discussion in 'Malware and Virus Removal Archive' started by Scott Smith, 2010/01/20.

  1. 2010/01/20
    Scott Smith

    Scott Smith Inactive Alumni Thread Starter

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    [Resolved] Infected: Packed.Win32.TDSS.aa

    globalroot\systemroot\system32\H8SRTkgdxkuhnbx.dll/globalroot\systemroot\system32\H8SRTkgdxkuhnbx.dll

    That's what Kaspersky Online Scanner version: 7.0.26.13 found

    Combofix will not run
    Mbam will not run
    Avast will not start
    Can not get to DDS
    IE crashes

    I had to use FF to get here.

    HijackThis log attached


    Logfile of HijackThis v1.99.1
    Scan saved at 5:42:56 AM, on 1/20/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16945)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\TODDSrv.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis\HijackThis.exe

    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [ThpSrv] C:\WINDOWS\system32\thpsrv /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [TUSBSleepChargeSrv] %ProgramFiles%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
    O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
     
  2. 2010/01/20
    Scott Smith
    I got DDS to run from a thumb drive.

    DDS (Ver_09-12-01.01) - NTFSx86
    Run by PHIL at 6:11:54.78 on Wed 01/20/2010
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.631 [GMT -6:00]

    AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
    AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    svchost.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\TODDSrv.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\PHIL\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNC&bmod=TSNC
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNC&bmod=TSNC
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain?brand=TSNC&bmod=TSNC
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
    mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
    mRun: [<NO NAME>]
    mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
    mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
    mRun: [TUSBSleepChargeSrv] %ProgramFiles%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\phil\applic~1\mozilla\firefox\profiles\pobcg8yi.default\
    FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);

    ============= SERVICES / DRIVERS ===============

    R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2008-8-21 28536]
    R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-9-4 6528]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-19 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-19 20560]
    R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
    R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
    R3 cecnuvc;Chicony USB 2.0 Camera VD;c:\windows\system32\drivers\cec_uvc.sys [2009-8-18 48176]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-4-6 1684736]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-4-6 164864]
    S3 RtsUIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
    S4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-1-19 138680]
    S4 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-1-19 254040]
    S4 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-1-19 352920]

    =============== Created Last 30 ================

    2010-01-20 00:32:39 0 d-----w- C:\HijackThis
    2010-01-14 12:01:14 0 d-----w- c:\documents and settings\all users\Symantec Temporary Files
    2010-01-13 21:18:16 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

    ==================== Find3M ====================

    2009-12-15 00:50:50 830 ----a-w- c:\docume~1\phil\applic~1\wklnhst.dat
    2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
    2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-04-06 19:37:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
    2009-09-06 00:12:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009090520090906\index.dat
    2009-09-06 00:14:59 13 --sh--r- c:\windows\system32\drivers\fbd.sys
    2009-09-06 00:14:51 3 --sh--r- c:\windows\system32\drivers\taishop.sys

    ============= FINISH: 6:12:58.34 ===============
     


  4. 2010/01/20
    Scott Smith
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/5/2009 7:14:04 PM
    System Uptime: 1/20/2010 5:27:04 AM (1 hours ago)

    Motherboard: TOSHIBA | | KAVAA
    Processor: Intel(R) Atom(TM) CPU N280 @ 1.66GHz | U2E1 | 1661/mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 142 GiB total, 127.873 GiB free.
    D: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 9/5/2009 7:14:07 PM - System Checkpoint
    RP2: 9/5/2009 7:14:31 PM - Installed REALTEK GbE & FE Ethernet PCI-E NIC Driver
    RP3: 9/5/2009 7:14:57 PM - Installed Toshiba Quality Application
    RP4: 9/8/2009 6:11:54 AM - Software Distribution Service 3.0
    RP5: 9/10/2009 6:01:36 AM - Software Distribution Service 3.0
    RP6: 9/12/2009 7:26:58 AM - Software Distribution Service 3.0
    RP7: 9/13/2009 8:56:37 AM - Software Distribution Service 3.0
    RP8: 9/15/2009 7:12:25 AM - Software Distribution Service 3.0
    RP9: 9/15/2009 7:32:52 AM - Printer Driver Microsoft XPS Document Writer Installed
    RP10: 9/17/2009 7:13:43 AM - System Checkpoint
    RP11: 9/25/2009 8:24:30 AM - Software Distribution Service 3.0
    RP12: 9/25/2009 8:36:59 AM - Printer Driver Lexmark 510 Series Installed
    RP13: 10/7/2009 12:11:14 PM - System Checkpoint
    RP14: 10/8/2009 3:00:13 AM - Software Distribution Service 3.0
    RP15: 10/18/2009 7:11:18 AM - Software Distribution Service 3.0
    RP16: 10/22/2009 9:34:57 AM - Software Distribution Service 3.0
    RP17: 10/23/2009 8:17:39 AM - Software Distribution Service 3.0
    RP18: 10/24/2009 6:59:23 AM - Software Distribution Service 3.0
    RP19: 10/28/2009 10:35:30 AM - Software Distribution Service 3.0
    RP20: 10/31/2009 11:31:38 AM - Installed Windows XP KB932716-v2.
    RP21: 10/31/2009 11:31:57 AM - Installed Windows XP KB945060-v3.
    RP22: 10/31/2009 11:34:13 AM - Installed Print Creations
    RP23: 10/31/2009 11:35:33 AM - Installed Connect Service
    RP24: 10/31/2009 12:06:37 PM - Installed Windows Media Format Runtime
    RP25: 10/31/2009 12:07:16 PM - Installed Music Server Controller
    RP26: 10/31/2009 12:07:31 PM - Installed OpenMG Secure Module
    RP27: 10/31/2009 12:08:16 PM - Installed SonicStage
    RP28: 10/31/2009 12:08:41 PM - Installed SonicStage Add-on
    RP29: 10/31/2009 12:09:01 PM - Installed Personal Audio Driver
    RP30: 11/1/2009 7:45:41 AM - Software Distribution Service 3.0
    RP31: 11/5/2009 4:58:22 PM - Software Distribution Service 3.0
    RP32: 11/11/2009 6:44:25 AM - Software Distribution Service 3.0
    RP33: 11/25/2009 7:08:07 AM - Software Distribution Service 3.0
    RP34: 1/18/2010 12:37:57 PM - Software Distribution Service 3.0

    ==== Installed Programs ======================

    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.2
    ALPS Touch Pad Driver
    Ask Toolbar
    Atheros Client Utility
    Atheros Driver Installation Program
    avast! Antivirus
    Bluetooth Stack for Windows by Toshiba
    Camera Assistant Software for Toshiba
    CCScore
    Compatibility Pack for the 2007 Office system
    Coupon Printer for Windows
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESSini
    ESSPCD
    ESSPDock
    ESSTOOLS
    essvatgt
    HijackThis 1.99.1
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB932716-v2)
    Hotfix for Windows XP (KB945060-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB953955)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Intel(R) Graphics Media Accelerator Driver
    Intel® Matrix Storage Manager
    Java(TM) 6 Update 11
    Kodak EasyShare software
    Lexmark 510 Series
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Mozilla Firefox (3.5.7)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    netbrdg
    OfotoXMI
    OpenMG Limited Patch 4.7-07-14-05-01
    OpenMG Secure Module 4.7.00
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Realtek High Definition Audio Driver
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953155)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    SFR
    SHASTA
    skin0001
    SKINXSDK
    Skype Launcher
    SonicStage 4.3
    staticcr
    TOSHIBA Accessibility
    Toshiba Application and Driver Installer
    TOSHIBA ConfigFree
    TOSHIBA Direct Disc Writer
    TOSHIBA Fn-esse
    TOSHIBA Hardware Setup
    TOSHIBA HDD Protection
    TOSHIBA Hotkey Utility
    TOSHIBA PC Diagnostic Tool
    TOSHIBA Power Saver
    Toshiba Quality Application
    TOSHIBA Recovery Disc Creator
    Toshiba Registration
    Toshiba Resources Page
    TOSHIBA SD Memory Utilities
    TOSHIBA Software Upgrades
    TOSHIBA USB Sleep and Charge Utility
    TOSHIBA Zooming Utility
    TouchPad On/Off Utility
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951618-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    USB2.0 Card Reader Software
    Utility Common Driver
    VPRINTOL
    WebFldrs XP
    Windows Driver Package - Chicony (cecnuvc) Image (03/26/2009 6.4.64.0326)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 7
    Windows Media Format Runtime
    Windows Media Player 10
    WIRELESS
    XML Paper Specification Shared Components Pack 1.0

    ==== Event Viewer Messages From Past Week ========

    1/19/2010 7:45:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the avast! iAVS4 Control Service service to connect.
    1/19/2010 7:45:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the avast! Antivirus service to connect.
    1/19/2010 7:45:33 PM, error: Service Control Manager [7000] - The avast! iAVS4 Control Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/19/2010 7:45:33 PM, error: Service Control Manager [7000] - The avast! Antivirus service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/19/2010 7:40:37 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP Fips intelppm TPwSav
    1/18/2010 5:32:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    1/18/2010 5:30:52 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 ccHP Fips IDSxpx86 intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSP SRTSPX SYMTDI Tcpip TPwSav
    1/18/2010 5:30:52 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    1/18/2010 5:30:52 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/18/2010 5:30:52 PM, error: Service Control Manager [7001] - The Fax service depends on the Print Spooler service which failed to start because of the following error: The dependency service or group failed to start.
    1/18/2010 5:30:52 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/18/2010 5:30:52 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    1/18/2010 5:30:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    1/18/2010 5:29:51 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/18/2010 5:11:25 PM, error: PSched [14107] - QoS [Adapter {1ED095AC-5498-4225-818B-B976A082622C}]: The Packet Scheduler could not initialize the virtual miniport with NDIS.
    1/18/2010 12:44:43 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Atheros Configuration Service service to connect.
    1/18/2010 12:43:56 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    1/18/2010 12:28:37 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Norton Internet Security service to connect.
    1/18/2010 12:28:37 PM, error: Service Control Manager [7000] - The Norton Internet Security service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/18/2010 1:03:48 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    1/14/2010 6:28:29 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.
    1/14/2010 5:54:18 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IDSxpx86
    1/13/2010 6:40:30 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 002308B3AA96. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    1/13/2010 6:40:24 AM, error: PSched [14103] - QoS [Adapter {003519ED-F0C5-48F0-B059-601379294512}]: The netcard driver failed the query for OID_GEN_LINK_SPEED.

    ==== End Of File ===========================
     
  5. 2010/01/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file called TDSSKiller.txt should be created on your C: drive. Please copy and paste the contents of that file here.
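A small parser for the TDSSKiller.txt log that the command above writes, added here as an example for this thread (it is not part of the thread or of Kaspersky's tool): it pulls out the services reported as "Exact detect", every RegNode/File line flagged "infected by TDSS rootkit", the DeleteEvilService result, whether a reboot is still pending, and the shared random-name prefix of the flagged objects so leftovers can be checked for after the reboot. The log format is inferred from the lines posted in this thread, the sample log is constructed from them, and the function and class names are this example's own.

```python
"""Triage helper for TDSSKiller 2.2.x logs (format as posted in this thread).

Added example, not the thread's or Kaspersky's code. Regexes are inferred
from the quoted log lines; names such as Finding and parse_tdsskiller_log
are this example's own.
"""
import re
from dataclasses import dataclass

# Every log line starts with "HH:MM:SS:mmm <pid> <message>".
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3}) (?P<pid>\d+) (?P<msg>.*)$")

# "RegNode <key> infected by TDSS rootkit ... <ts> <pid> will be deleted on reboot"
# The tool repeats the timestamp/pid prefix mid-line before the action text,
# so that optional second prefix is consumed and discarded here.
INFECTED_RE = re.compile(
    r"^(?P<kind>RegNode|File) (?P<target>.+?) infected by TDSS rootkit \.\.\. "
    r"(?:\d{2}:\d{2}:\d{2}:\d{3} \d+ )?(?P<action>.+)$"
)
DETECT_RE = re.compile(r"^ScanTDL2Services: Exact detect (?P<svc>\S+)")
DELETED_RE = re.compile(r"^ScanTDL2Services: DeleteEvilService\((?P<svc>[^)]+)\) (?P<result>\w+)$")

# Constructed sample: a cut-down version of the log posted later in this thread.
SAMPLE_LOG = "\n".join([
    r"12:13:07:718 2608 Scanning Services ...",
    r"12:13:07:812 2608 ScanTDL2Services: Exact detect H8SRTd.sys (h: 1)",
    r"12:13:07:812 2608 RegNode HKLM\SYSTEM\ControlSet001\services\H8SRTd.sys infected by TDSS rootkit ... 12:13:07:812 2608 will be deleted on reboot",
    r"12:13:07:812 2608 DeleteTDL2Service: SafeBoot Minimal doesn't infected",
    r"12:13:07:812 2608 File C:\WINDOWS\system32\drivers\H8SRTydjepltqod.sys infected by TDSS rootkit ... 12:13:07:812 2608 will be deleted on reboot",
    r"12:13:07:812 2608 File C:\WINDOWS\system32\H8SRTkgdxkuhnbx.dll infected by TDSS rootkit ... 12:13:07:812 2608 will be deleted on reboot",
    r"12:13:07:812 2608 ScanTDL2Services: DeleteEvilService(H8SRTd.sys) success",
    r"12:13:07:812 2608 ",
])


@dataclass(frozen=True)
class Finding:
    kind: str     # "RegNode" or "File"
    target: str   # registry key or file path as printed by the tool
    action: str   # e.g. "will be deleted on reboot"


def parse_tdsskiller_log(text: str) -> dict:
    """Return detected service names, per-object findings and deletion results."""
    detected, findings, deleted = [], [], {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank separators, banner rules, pasted-in indentation
        msg = m.group("msg")
        d = DETECT_RE.match(msg)
        if d:
            detected.append(d.group("svc"))
            continue
        f = INFECTED_RE.match(msg)
        if f:
            findings.append(Finding(f.group("kind"), f.group("target"), f.group("action").strip()))
            continue
        x = DELETED_RE.match(msg)
        if x:
            deleted[x.group("svc")] = x.group("result")
    return {"detected": detected, "findings": findings, "deleted": deleted}


def reboot_required(report: dict) -> bool:
    """True while any object is only scheduled for deletion, i.e. the cure is not applied yet."""
    return any("on reboot" in f.action for f in report["findings"])


def rootkit_name_prefix(report: dict) -> str:
    """Longest common prefix of the flagged objects' base names (e.g. "H8SRT").

    Useful after the reboot: anything still in system32 or the services key with
    this prefix means the cleanup did not complete.
    """
    names = [f.target.rsplit("\\", 1)[-1] for f in report["findings"]]
    if not names:
        return ""
    prefix = names[0]
    for n in names[1:]:
        while not n.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    print("detected services:", rep["detected"])
    for item in rep["findings"]:
        print(f"  {item.kind:8} {item.target}  ->  {item.action}")
    print("service deletion:", rep["deleted"])
    print("reboot required:", reboot_required(rep))
    print("name prefix to hunt for afterwards:", rootkit_name_prefix(rep))
```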
     
  6. 2010/01/20
    Scott Smith
    Looks like Avast is running now.

    12:13:07:687 2608 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
    12:13:07:687 2608 ================================================================================
    12:13:07:687 2608 SystemInfo:

    12:13:07:687 2608 OS Version: 5.1.2600 ServicePack: 3.0
    12:13:07:687 2608 Product type: Workstation
    12:13:07:703 2608 ComputerName: MINIME
    12:13:07:703 2608 UserName: PHIL
    12:13:07:703 2608 Windows directory: C:\WINDOWS
    12:13:07:703 2608 Processor architecture: Intel x86
    12:13:07:703 2608 Number of processors: 2
    12:13:07:703 2608 Page size: 0x1000
    12:13:07:703 2608 Boot type: Normal boot
    12:13:07:703 2608 ================================================================================
    12:13:07:703 2608 UnloadDriverW: NtUnloadDriver error 2
    12:13:07:703 2608 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    12:13:07:703 2608 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    12:13:07:718 2608 UtilityInit: KLMD drop and load success
    12:13:07:718 2608 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
    12:13:07:718 2608 UtilityInit: KLMD open success
    12:13:07:718 2608 UtilityInit: Initialize success
    12:13:07:718 2608
    12:13:07:718 2608 Scanning Services ...
    12:13:07:718 2608 CreateRegParser: Registry parser init started
    12:13:07:718 2608 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
    12:13:07:718 2608 CreateRegParser: DisableWow64Redirection error
    12:13:07:718 2608 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    12:13:07:718 2608 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
    12:13:07:718 2608 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    12:13:07:718 2608 wfopen_ex: Trying to KLMD file open
    12:13:07:718 2608 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
    12:13:07:718 2608 wfopen_ex: File opened ok (Flags 2)
    12:13:07:718 2608 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: D94B48
    12:13:07:718 2608 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    12:13:07:718 2608 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
    12:13:07:718 2608 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    12:13:07:718 2608 wfopen_ex: Trying to KLMD file open
    12:13:07:718 2608 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
    12:13:07:718 2608 wfopen_ex: File opened ok (Flags 2)
    12:13:07:718 2608 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: D94A38
    12:13:07:718 2608 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
    12:13:07:718 2608 CreateRegParser: EnableWow64Redirection error
    12:13:07:718 2608 CreateRegParser: RegParser init completed
    12:13:07:796 2608 GetAdvancedServicesInfo: Raw services enum returned 352 services
    12:13:07:812 2608 ScanTDL2Services: Exact detect H8SRTd.sys (h: 1)
    12:13:07:812 2608 RegNode HKLM\SYSTEM\ControlSet001\services\H8SRTd.sys infected by TDSS rootkit ... 12:13:07:812 2608 will be deleted on reboot
    12:13:07:812 2608 DeleteTDL2Service: SafeBoot Minimal doesn't infected
    12:13:07:812 2608 DeleteTDL2Service: SafeBoot Network doesn't infected
    12:13:07:812 2608 RegNode HKLM\SYSTEM\ControlSet003\services\H8SRTd.sys infected by TDSS rootkit ... 12:13:07:812 2608 will be deleted on reboot
    12:13:07:812 2608 DeleteTDL2Service: SafeBoot Minimal doesn't infected
    12:13:07:812 2608 DeleteTDL2Service: SafeBoot Network doesn't infected
    12:13:07:812 2608 File C:\WINDOWS\system32\drivers\H8SRTydjepltqod.sys infected by TDSS rootkit ... 12:13:07:812 2608 will be deleted on reboot
    12:13:07:812 2608 DeleteTDL2Service: Module enum: Name: H8SRTd. Type: 1
    12:13:07:812 2608 DeleteTDL2Service: Module clone ImagePath, skipping
    12:13:07:812 2608 DeleteTDL2Service: Module enum: Name: H8SRTc. Type: 1
    12:13:07:812 2608 File C:\WINDOWS\system32\H8SRTauacseutdo.dll infected by TDSS rootkit ... 12:13:07:812 2608 will be deleted on reboot
    12:13:07:812 2608 DeleteTDL2Service: Module enum: Name: H8SRTsrcr. Type: 1
    12:13:07:812 2608 File C:\WINDOWS\system32\H8SRTulmcxqqaww.dat infected by TDSS rootkit ... 12:13:07:812 2608 will be deleted on reboot
    12:13:07:812 2608 DeleteTDL2Service: Module enum: Name: h8srtserf. Type: 1
    12:13:07:812 2608 File C:\WINDOWS\system32\H8SRTigvggjphwg.dll infected by TDSS rootkit ... 12:13:07:812 2608 will be deleted on reboot
    12:13:07:812 2608 DeleteTDL2Service: Module enum: Name: h8srtmsg. Type: 1
    12:13:07:812 2608 File C:\WINDOWS\system32\H8SRTkgdxkuhnbx.dll infected by TDSS rootkit ... 12:13:07:812 2608 will be deleted on reboot
    12:13:07:812 2608 DeleteTDL2Service: Module enum: Name: h8srtbbr. Type: 1
    12:13:07:812 2608 File C:\WINDOWS\system32\H8SRTxoxssnyxjh.dll infected by TDSS rootkit ... 12:13:07:812 2608 will be deleted on reboot
    12:13:07:812 2608 ScanTDL2Services: DeleteEvilService(H8SRTd.sys) success
    12:13:07:812 2608 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    12:13:07:812 2608 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    12:13:07:812 2608
    12:13:07:812 2608 Scanning Kernel memory ...
    12:13:07:828 2608 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
    12:13:07:828 2608 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86562D20
    12:13:07:828 2608 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
    12:13:07:828 2608
    12:13:07:828 2608 DetectCureTDL3: DEVICE_OBJECT: 865558A0
    12:13:07:828 2608 KLMD_GetLowerDeviceObject: Trying to get lower device object for 865558A0
    12:13:07:828 2608 KLMD_ReadMem: Trying to ReadMemory 0x865558A0[0x38]
    12:13:07:828 2608 DetectCureTDL3: DRIVER_OBJECT: 86562D20
    12:13:07:828 2608 KLMD_ReadMem: Trying to ReadMemory 0x86562D20[0xA8]
    12:13:07:828 2608 KLMD_ReadMem: Trying to ReadMemory 0xE1569808[0x18]
    12:13:07:828 2608 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (0) addr: F7603BB0
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (2) addr: F7603BB0
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (3) addr: F75FDD1F
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (4) addr: F75FDD1F
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (9) addr: F75FE2E2
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (14) addr: F75FE3BB
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (15) addr: F7601F28
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (16) addr: F75FE2E2
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (22) addr: F75FFC82
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (23) addr: F760499E
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    12:13:07:828 2608 TDL3_FileDetect: Processing driver: Disk
    12:13:07:828 2608 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    12:13:07:828 2608 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    12:13:07:828 2608 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    12:13:07:828 2608
    12:13:07:828 2608 DetectCureTDL3: DEVICE_OBJECT: 86555C68
    12:13:07:828 2608 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86555C68
    12:13:07:828 2608 KLMD_ReadMem: Trying to ReadMemory 0x86555C68[0x38]
    12:13:07:828 2608 DetectCureTDL3: DRIVER_OBJECT: 86562D20
    12:13:07:828 2608 KLMD_ReadMem: Trying to ReadMemory 0x86562D20[0xA8]
    12:13:07:828 2608 KLMD_ReadMem: Trying to ReadMemory 0xE1569808[0x18]
    12:13:07:828 2608 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (0) addr: F7603BB0
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (2) addr: F7603BB0
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (3) addr: F75FDD1F
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (4) addr: F75FDD1F
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (9) addr: F75FE2E2
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (14) addr: F75FE3BB
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (15) addr: F7601F28
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (16) addr: F75FE2E2
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (22) addr: F75FFC82
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (23) addr: F760499E
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    12:13:07:828 2608 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    12:13:07:828 2608 TDL3_FileDetect: Processing driver: Disk
    12:13:07:828 2608 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    12:13:07:828 2608 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    12:13:07:828 2608 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    12:13:07:828 2608
    12:13:07:843 2608 DetectCureTDL3: DEVICE_OBJECT: 86558030
    12:13:07:843 2608 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86558030
    12:13:07:843 2608 DetectCureTDL3: DEVICE_OBJECT: 865624E0
    12:13:07:843 2608 KLMD_GetLowerDeviceObject: Trying to get lower device object for 865624E0
    12:13:07:843 2608 DetectCureTDL3: DEVICE_OBJECT: 8655C300
    12:13:07:843 2608 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8655C300
    12:13:07:843 2608 DetectCureTDL3: DEVICE_OBJECT: 86563028
    12:13:07:843 2608 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86563028
    12:13:07:843 2608 KLMD_ReadMem: Trying to ReadMemory 0x86563028[0x38]
    12:13:07:843 2608 DetectCureTDL3: DRIVER_OBJECT: 865AC490
    12:13:07:843 2608 KLMD_ReadMem: Trying to ReadMemory 0x865AC490[0xA8]
    12:13:07:843 2608 KLMD_ReadMem: Trying to ReadMemory 0xE1023828[0x1C]
    12:13:07:843 2608 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (0) addr: F73AF706
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (2) addr: F73AF706
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (3) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (4) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (9) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (14) addr: F73AC758
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (15) addr: F73A96AE
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (16) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (22) addr: F73A48EE
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (23) addr: F73A3B56
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    12:13:07:843 2608 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    12:13:07:843 2608 TDL3_FileDetect: Processing driver: iaStor
    12:13:07:843 2608 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\iaStor.sys
    12:13:07:843 2608 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\iaStor.sys
    12:13:07:859 2608 TDL3_FileDetect: C:\WINDOWS\system32\drivers\iaStor.sys - Verdict: Clean
    12:13:07:859 2608 UtilityBootReinit: Reboot required for cure complete..
    12:13:07:859 2608 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
    12:13:07:875 2608 UtilityBootReinit: KLMD drop success
    12:13:07:875 2608 KLMD_ApplyPendList: Pending buffer(4854_3FD4, 1032) dropped successfully
    12:13:07:875 2608 UtilityBootReinit: Cure on reboot scheduled successfully
    12:13:07:875 2608
    12:13:07:875 2608 Completed
    12:13:07:875 2608
    12:13:07:875 2608 Results:
    12:13:07:875 2608 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    12:13:07:875 2608 Registry objects infected / cured / cured on reboot: 2 / 0 / 2
    12:13:07:875 2608 File objects infected / cured / cured on reboot: 6 / 0 / 6
    12:13:07:875 2608
    12:13:07:875 2608 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    12:13:07:875 2608 UtilityDeinit: KLMD(ARK) unloaded successfully
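As an added example (not part of this thread and not Kaspersky's own code), a small Python triage script for a TDSSKiller log such as the one above: it lists the registry nodes and files the tool flagged as infected, recovers the shared random prefix the rootkit used for its file names (H8SRT in this log), and cross-checks the per-line detections against the tool's own Results counters. The sample lines are copied from the log above and trimmed to the detection lines and the Results block.

```python
from __future__ import annotations

import re
from collections import Counter
from typing import Optional

# Sample lines copied from the TDSSKiller log posted in this thread, trimmed to
# the detection lines plus the tool's own "Results" block.
SAMPLE_LOG = r"""
12:13:07:812 2608 ScanTDL2Services: Exact detect H8SRTd.sys (h: 1)
12:13:07:812 2608 RegNode HKLM\SYSTEM\ControlSet001\services\H8SRTd.sys infected by TDSS rootkit ... 12:13:07:812 2608 will be deleted on reboot
12:13:07:812 2608 RegNode HKLM\SYSTEM\ControlSet003\services\H8SRTd.sys infected by TDSS rootkit ... 12:13:07:812 2608 will be deleted on reboot
12:13:07:812 2608 File C:\WINDOWS\system32\drivers\H8SRTydjepltqod.sys infected by TDSS rootkit ... 12:13:07:812 2608 will be deleted on reboot
12:13:07:812 2608 File C:\WINDOWS\system32\H8SRTauacseutdo.dll infected by TDSS rootkit ... 12:13:07:812 2608 will be deleted on reboot
12:13:07:812 2608 File C:\WINDOWS\system32\H8SRTulmcxqqaww.dat infected by TDSS rootkit ... 12:13:07:812 2608 will be deleted on reboot
12:13:07:812 2608 File C:\WINDOWS\system32\H8SRTigvggjphwg.dll infected by TDSS rootkit ... 12:13:07:812 2608 will be deleted on reboot
12:13:07:812 2608 File C:\WINDOWS\system32\H8SRTkgdxkuhnbx.dll infected by TDSS rootkit ... 12:13:07:812 2608 will be deleted on reboot
12:13:07:812 2608 File C:\WINDOWS\system32\H8SRTxoxssnyxjh.dll infected by TDSS rootkit ... 12:13:07:812 2608 will be deleted on reboot
12:13:07:828 2608 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
12:13:07:875 2608 Results:
12:13:07:875 2608 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
12:13:07:875 2608 Registry objects infected / cured / cured on reboot: 2 / 0 / 2
12:13:07:875 2608 File objects infected / cured / cured on reboot: 6 / 0 / 6
"""

# Every line starts with "HH:MM:SS:mmm <pid>".  A detection line names the object
# kind and path, the family, and (after "...", with a second timestamp) what the
# tool decided to do about it.
DETECT_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}:\d{3} \d+ (?P<kind>RegNode|File) (?P<obj>.+?) infected by "
    r"(?P<family>.+?) rootkit \.\.\. \d{2}:\d{2}:\d{2}:\d{3} \d+ (?P<action>.+)$"
)
RESULT_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}:\d{3} \d+ (?P<kind>Memory|Registry|File) objects infected / "
    r"cured / cured on reboot: (?P<inf>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)$"
)


def parse_detections(log: str) -> list[dict]:
    """One dict (kind, obj, family, action) per object the tool flagged."""
    hits = []
    for line in log.splitlines():
        m = DETECT_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def parse_results(log: str) -> dict[str, tuple[int, int, int]]:
    """The Results block as {kind: (infected, cured, cured_on_reboot)}."""
    out = {}
    for line in log.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            out[m["kind"]] = (int(m["inf"]), int(m["cured"]), int(m["reboot"]))
    return out


def rootkit_prefix(hits: list[dict]) -> Optional[str]:
    """TDL2/TDSS drops its components under one random shared prefix (H8SRT here).
    Recover it as the case-insensitive longest common prefix of the infected
    files' base names; with a single file this degenerates to the whole name."""
    names = [h["obj"].rsplit("\\", 1)[-1].upper() for h in hits if h["kind"] == "File"]
    if not names:
        return None
    prefix = names[0]
    for name in names[1:]:
        while not name.startswith(prefix):
            prefix = prefix[:-1]
    return prefix or None


def triage(log: str) -> dict:
    """Summarise the log and flag a mismatch between the per-line detections and
    the tool's own counters (which would mean a truncated or edited log)."""
    hits = parse_detections(log)
    results = parse_results(log)
    counted = Counter(h["kind"] for h in hits)
    consistent = all(
        results.get(res_kind, (0, 0, 0))[0] == counted.get(line_kind, 0)
        for res_kind, line_kind in (("Registry", "RegNode"), ("File", "File"))
    )
    return {
        "registry_nodes": [h["obj"] for h in hits if h["kind"] == "RegNode"],
        "files": [h["obj"] for h in hits if h["kind"] == "File"],
        "families": sorted({h["family"] for h in hits}),
        "prefix": rootkit_prefix(hits),
        # True only when every flagged object is still waiting on a reboot cure.
        "pending_reboot": bool(hits) and all("reboot" in h["action"] for h in hits),
        "results_consistent": consistent,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"families: {summary['families']}  file prefix: {summary['prefix']}")
    for node in summary["registry_nodes"]:
        print("  reg :", node)
    for path in summary["files"]:
        print("  file:", path)
    print("reboot pending:", summary["pending_reboot"],
          " counters consistent:", summary["results_consistent"])
```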
     
  7. 2010/01/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very well :)

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackTHis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     
  8. 2010/01/20
    Scott Smith

    Scott Smith Inactive Alumni Thread Starter

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    Thank you for helping me Broni. This is the first one that ever stumped me.



    ComboFix 10-01-19.08 - PHIL 01/20/2010 12:24:33.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.614 [GMT -6:00]
    Running from: c:\documents and settings\PHIL\Desktop\ComboFix.exe
    AV: avast! antivirus 4.8.1368 [VPS 100120-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\recycler\S-1-5-21-723572097-2801298171-3283528345-1003
    c:\windows\COUPON~1.OCX
    c:\windows\CouponPrinter.ocx
    c:\windows\system32\BSTIEPrintCtl1.dll
    c:\windows\system32\h8srtkrl32mainweq.dll
    c:\windows\system32\h8srtshsyst.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))
    .

    2010-01-20 00:40 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-01-20 00:40 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-01-20 00:40 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-01-20 00:40 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-01-20 00:40 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-01-20 00:40 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-01-20 00:40 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-01-20 00:40 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
    2010-01-20 00:40 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
    2010-01-20 00:40 . 2010-01-20 00:40 -------- d-----w- c:\program files\Alwil Software
    2010-01-20 00:32 . 2010-01-20 18:19 -------- d-----w- C:\HijackThis
    2010-01-18 23:57 . 2010-01-18 23:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
    2010-01-18 23:53 . 2006-12-07 16:45 110592 ----a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
    2010-01-18 23:33 . 2010-01-18 23:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2010-01-18 23:30 . 2006-12-07 16:45 3096576 ---ha-w- c:\documents and settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe
    2010-01-18 23:30 . 2010-01-18 23:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
    2010-01-18 23:14 . 2006-12-11 16:20 180224 ----a-w- c:\documents and settings\PHIL\Application Data\U3\0000161CB273865D\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\U3AppWrapper.exe
    2010-01-18 23:14 . 2006-12-11 16:20 983829 ----a-w- c:\documents and settings\PHIL\Application Data\U3\0000161CB273865D\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\master.exe
    2010-01-18 23:14 . 2006-12-11 16:20 72192 ----a-w- c:\documents and settings\PHIL\Application Data\U3\0000161CB273865D\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\TASKLIST.EXE
    2010-01-18 23:14 . 2006-12-11 16:20 72192 ----a-w- c:\documents and settings\PHIL\Application Data\U3\0000161CB273865D\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\TASKKILL.EXE
    2010-01-18 23:14 . 2006-12-11 16:20 325 ----a-w- c:\documents and settings\PHIL\Application Data\U3\0000161CB273865D\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\stopApp.bat
    2010-01-18 23:14 . 2006-12-11 16:20 15 ----a-w- c:\documents and settings\PHIL\Application Data\U3\0000161CB273865D\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\run_me.bat
    2010-01-18 23:14 . 2006-12-11 16:20 40960 ----a-w- c:\documents and settings\PHIL\Application Data\U3\0000161CB273865D\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\appstop.exe
    2010-01-14 22:47 . 2010-01-14 22:47 0 ----a-w- c:\windows\nsreg.dat
    2010-01-14 22:47 . 2010-01-14 22:47 -------- d-----w- c:\documents and settings\PHIL\Local Settings\Application Data\Mozilla
    2010-01-14 12:25 . 2010-01-14 12:25 -------- d-----w- c:\documents and settings\PHIL\Local Settings\Application Data\Symantec
    2010-01-14 12:01 . 2010-01-14 12:01 -------- d-----w- c:\documents and settings\All Users\Symantec Temporary Files
    2010-01-13 21:18 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-20 11:24 . 2009-12-07 18:05 -------- d-----w- c:\documents and settings\PHIL\Application Data\E-centives
    2010-01-20 00:26 . 2009-04-06 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-01-20 00:25 . 2009-04-06 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-01-18 23:14 . 2009-10-31 16:39 -------- d-----w- c:\documents and settings\PHIL\Application Data\U3
    2010-01-18 18:43 . 2009-08-18 06:44 -------- d-----w- c:\program files\Atheros
    2010-01-18 18:38 . 2009-10-31 16:34 -------- d-----w- c:\program files\Common Files\ArcSoft
    2010-01-18 18:38 . 2009-10-31 16:34 -------- d-----w- c:\program files\ArcSoft
    2010-01-18 18:38 . 2009-04-06 19:00 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-01-18 18:27 . 2009-10-31 16:34 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
    2010-01-14 21:13 . 2009-04-06 19:43 -------- d-----w- c:\program files\Google
    2009-12-28 13:20 . 2009-04-06 19:22 -------- d-----w- c:\program files\TOSHIBA
    2009-12-15 00:50 . 2009-10-16 16:45 830 ----a-w- c:\documents and settings\PHIL\Application Data\wklnhst.dat
    2009-12-07 14:01 . 2009-12-06 15:21 -------- d-----w- c:\program files\AskBarDis
    2009-11-27 13:52 . 2009-11-27 13:52 -------- d-----w- c:\documents and settings\PHIL\Application Data\KodakCredentialStore
    2009-11-21 15:51 . 2009-04-06 19:46 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-10-31 16:29 . 2009-10-31 16:29 77824 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\ess\bindbins\bindbins.exe
    2009-10-31 16:29 . 2009-10-31 16:29 225280 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\***\finish.exe
    2009-10-31 16:29 . 2009-10-31 16:29 175104 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\reduced_contents_PrintCreation_expanded\setup.exe
    2009-10-31 16:28 . 2009-10-31 16:28 45056 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\sysfiles\kb945060\kb945060.exe
    2009-10-31 16:28 . 2009-10-31 16:28 225280 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\***\start.exe
    2009-10-31 16:28 . 2009-10-31 16:28 1187840 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_1e0001_bc0cfd\EasyShrx.Dll
    2009-10-31 16:27 . 2009-10-31 16:27 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_8.0.30.1.dll
    2009-10-29 07:46 . 2009-04-06 19:48 832512 ----a-w- c:\windows\system32\wininet.dll
    2009-10-29 07:46 . 2009-04-06 19:47 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-10-29 07:46 . 2009-04-06 19:46 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-09-06 00:14 . 2009-09-06 00:14 13 --sh--r- c:\windows\system32\drivers\fbd.sys
    2009-09-06 00:14 . 2009-09-06 00:14 3 --sh--r- c:\windows\system32\drivers\taishop.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ThpSrv"="c:\windows\system32\thpsrv" [X]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-15 184320]
    "ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2008-12-20 83336]
    "TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2009-04-03 73728]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-17 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-17 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-17 137752]
    "CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2009-03-18 827392]
    "HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
    "TUSBSleepChargeSrv"="c:\program files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe" [2009-03-16 252288]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
    "c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

    R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [8/21/2008 11:35 AM 28536]
    R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [9/4/2007 11:14 AM 6528]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/19/2010 6:40 PM 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/19/2010 6:40 PM 20560]
    R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 1:22 PM 105856]
    R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 1:15 PM 134016]
    R3 cecnuvc;Chicony USB 2.0 Camera VD;c:\windows\system32\drivers\cec_uvc.sys [8/18/2009 12:47 AM 48176]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/6/2009 1:08 PM 1684736]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [4/6/2009 1:09 PM 164864]
    S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - ASWRDR
    *NewlyCreated* - AVAST!_MAIL_SCANNER
    *NewlyCreated* - AVAST!_WEB_SCANNER
    *NewlyCreated* - KLMDB
    *Deregistered* - klmdb
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNC&bmod=TSNC
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain?brand=TSNC&bmod=TSNC
    FF - ProfilePath - c:\documents and settings\PHIL\Application Data\Mozilla\Firefox\Profiles\pobcg8yi.default\
    FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll
    AddRemove-Coupon Printer for Windows4.0 - c:\program files\Coupons\uninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-20 12:29
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-01-20 12:30:42
    ComboFix-quarantined-files.txt 2010-01-20 18:30

    Pre-Run: 137,210,769,408 bytes free
    Post-Run: 138,323,423,232 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - 4ABDAB63F87F9F8250ED008096736F54
     
  9. 2010/01/20
    Scott Smith

    Scott Smith Inactive Alumni Thread Starter

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    Logfile of HijackThis v1.99.1
    Scan saved at 12:33:38 PM, on 1/20/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16945)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\system32\thpsrv.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ThpSrv.exe
    C:\WINDOWS\system32\TODDSrv.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [ThpSrv] C:\WINDOWS\system32\thpsrv /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [TUSBSleepChargeSrv] %ProgramFiles%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
    O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
     
  10. 2010/01/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yeah, rootkits are really nasty...
    You didn't use my link to download HJT. Your version is outdated. Please, re-do, while I'm looking at your Combofix log.
     
  11. 2010/01/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\PHIL\Application Data\wklnhst.dat
    
    
    Folder::
    c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
    c:\documents and settings\PHIL\Local Settings\Application Data\Symantec
    c:\documents and settings\All Users\Symantec Temporary Files
    c:\documents and settings\All Users\Application Data\Norton
    c:\documents and settings\All Users\Application Data\Symantec
    c:\program files\AskBarDis
    
    
    Driver::
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  12. 2010/01/20
    Scott Smith

    Scott Smith Inactive Alumni Thread Starter

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    Thanks,
    It will be a few hours before I get back to that computer.
     
  13. 2010/01/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No problem :)
     
  14. 2010/01/20
    Scott Smith

    Scott Smith Inactive Alumni Thread Starter

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    Back again.

    ComboFix 10-01-19.08 - PHIL 01/20/2010 14:47:27.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.667 [GMT -6:00]
    Running from: c:\documents and settings\PHIL\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\PHIL\Desktop\CFScript.txt
    AV: avast! antivirus 4.8.1368 [VPS 100120-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    FILE ::
    "c:\documents and settings\PHIL\Application Data\wklnhst.dat "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
    c:\documents and settings\Administrator\Local Settings\Application Data\Symantec\CEDUrl.txt
    c:\documents and settings\All Users\Application Data\Norton
    c:\documents and settings\All Users\Application Data\Norton\00000082\000000fb\000002c2\cltLMS1.dat
    c:\documents and settings\All Users\Application Data\Norton\00000082\000000fb\000002c2\cltLMS2.dat
    c:\documents and settings\All Users\Application Data\Norton\00000082\000000fb\key.txt
    c:\documents and settings\All Users\Application Data\Norton\symdata.xml
    c:\documents and settings\All Users\Application Data\Symantec
    c:\documents and settings\All Users\Application Data\Symantec\SubEng\platformid.dat
    c:\documents and settings\All Users\Symantec Temporary Files
    c:\documents and settings\All Users\Symantec Temporary Files\NIS09EN.exe
    c:\documents and settings\PHIL\Application Data\wklnhst.dat
    c:\documents and settings\PHIL\Local Settings\Application Data\Symantec
    c:\documents and settings\PHIL\Local Settings\Application Data\Symantec\CEDUrl.txt
    c:\program files\AskBarDis
    c:\program files\AskBarDis\bar\bin\askPopStp.dll
    c:\program files\AskBarDis\bar\bin\psvince.dll
    c:\program files\AskBarDis\bar\Cache\240C9E5E
    c:\program files\AskBarDis\bar\Cache\240CA061
    c:\program files\AskBarDis\bar\Cache\240CA17A.bin
    c:\program files\AskBarDis\bar\Cache\240CA802.bin
    c:\program files\AskBarDis\bar\Cache\240CA8CD.bin
    c:\program files\AskBarDis\bar\Cache\240CA989.bin
    c:\program files\AskBarDis\bar\Cache\240CAA73.bin
    c:\program files\AskBarDis\bar\Cache\240CAB4E.bin
    c:\program files\AskBarDis\bar\Cache\files.ini
    c:\program files\AskBarDis\bar\History\search
    c:\program files\AskBarDis\bar\Settings\config.dat
    c:\program files\AskBarDis\bar\Settings\config.dat.bak
    c:\program files\AskBarDis\bar\Settings\prevcfg.htm
    c:\program files\AskBarDis\PopSwatter\History\allowed
    c:\program files\AskBarDis\PopSwatter\History\notallow
    c:\program files\AskBarDis\unins000.dat
    c:\program files\AskBarDis\unins000.exe

    .
    ((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))
    .

    2010-01-20 00:40 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-01-20 00:40 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-01-20 00:40 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-01-20 00:40 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-01-20 00:40 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-01-20 00:40 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-01-20 00:40 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-01-20 00:40 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
    2010-01-20 00:40 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
    2010-01-20 00:40 . 2010-01-20 00:40 -------- d-----w- c:\program files\Alwil Software
    2010-01-20 00:32 . 2010-01-20 18:33 -------- d-----w- C:\HijackThis
    2010-01-18 23:53 . 2006-12-07 16:45 110592 ----a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
    2010-01-18 23:33 . 2010-01-18 23:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2010-01-18 23:30 . 2006-12-07 16:45 3096576 ---ha-w- c:\documents and settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe
    2010-01-18 23:30 . 2010-01-18 23:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
    2010-01-18 23:14 . 2006-12-11 16:20 180224 ----a-w- c:\documents and settings\PHIL\Application Data\U3\0000161CB273865D\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\U3AppWrapper.exe
    2010-01-18 23:14 . 2006-12-11 16:20 983829 ----a-w- c:\documents and settings\PHIL\Application Data\U3\0000161CB273865D\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\master.exe
    2010-01-18 23:14 . 2006-12-11 16:20 72192 ----a-w- c:\documents and settings\PHIL\Application Data\U3\0000161CB273865D\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\TASKLIST.EXE
    2010-01-18 23:14 . 2006-12-11 16:20 72192 ----a-w- c:\documents and settings\PHIL\Application Data\U3\0000161CB273865D\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\TASKKILL.EXE
    2010-01-18 23:14 . 2006-12-11 16:20 325 ----a-w- c:\documents and settings\PHIL\Application Data\U3\0000161CB273865D\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\stopApp.bat
    2010-01-18 23:14 . 2006-12-11 16:20 15 ----a-w- c:\documents and settings\PHIL\Application Data\U3\0000161CB273865D\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\run_me.bat
    2010-01-18 23:14 . 2006-12-11 16:20 40960 ----a-w- c:\documents and settings\PHIL\Application Data\U3\0000161CB273865D\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\appstop.exe
    2010-01-14 22:47 . 2010-01-14 22:47 0 ----a-w- c:\windows\nsreg.dat
    2010-01-14 22:47 . 2010-01-14 22:47 -------- d-----w- c:\documents and settings\PHIL\Local Settings\Application Data\Mozilla
    2010-01-13 21:18 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-20 11:24 . 2009-12-07 18:05 -------- d-----w- c:\documents and settings\PHIL\Application Data\E-centives
    2010-01-18 23:14 . 2009-10-31 16:39 -------- d-----w- c:\documents and settings\PHIL\Application Data\U3
    2010-01-18 18:43 . 2009-08-18 06:44 -------- d-----w- c:\program files\Atheros
    2010-01-18 18:38 . 2009-10-31 16:34 -------- d-----w- c:\program files\Common Files\ArcSoft
    2010-01-18 18:38 . 2009-10-31 16:34 -------- d-----w- c:\program files\ArcSoft
    2010-01-18 18:38 . 2009-04-06 19:00 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-01-18 18:27 . 2009-10-31 16:34 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
    2010-01-14 21:13 . 2009-04-06 19:43 -------- d-----w- c:\program files\Google
    2009-12-28 13:20 . 2009-04-06 19:22 -------- d-----w- c:\program files\TOSHIBA
    2009-11-27 13:52 . 2009-11-27 13:52 -------- d-----w- c:\documents and settings\PHIL\Application Data\KodakCredentialStore
    2009-11-21 15:51 . 2009-04-06 19:46 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-10-31 16:29 . 2009-10-31 16:29 77824 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\ess\bindbins\bindbins.exe
    2009-10-31 16:29 . 2009-10-31 16:29 225280 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\***\finish.exe
    2009-10-31 16:29 . 2009-10-31 16:29 175104 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\reduced_contents_PrintCreation_expanded\setup.exe
    2009-10-31 16:28 . 2009-10-31 16:28 45056 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\sysfiles\kb945060\kb945060.exe
    2009-10-31 16:28 . 2009-10-31 16:28 225280 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\***\start.exe
    2009-10-31 16:28 . 2009-10-31 16:28 1187840 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_1e0001_bc0cfd\EasyShrx.Dll
    2009-10-31 16:27 . 2009-10-31 16:27 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_8.0.30.1.dll
    2009-10-29 07:46 . 2009-04-06 19:48 832512 ------w- c:\windows\system32\wininet.dll
    2009-10-29 07:46 . 2009-04-06 19:47 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-10-29 07:46 . 2009-04-06 19:46 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-09-06 00:14 . 2009-09-06 00:14 13 --sh--r- c:\windows\system32\drivers\fbd.sys
    2009-09-06 00:14 . 2009-09-06 00:14 3 --sh--r- c:\windows\system32\drivers\taishop.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-01-20_18.29.10 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-01-20 18:36 . 2010-01-20 18:36 16384 c:\windows\Temp\Perflib_Perfdata_7f0.dat
    - 2010-01-20 18:15 . 2010-01-20 18:15 16384 c:\windows\Temp\Perflib_Perfdata_7f0.dat
    + 2010-01-20 18:36 . 2010-01-20 18:36 16384 c:\windows\Temp\Perflib_Perfdata_6c4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ThpSrv "= "c:\windows\system32\thpsrv" [X]
    "Apoint "= "c:\program files\Apoint2K\Apoint.exe" [2007-12-15 184320]
    "ITSecMng "= "c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2008-12-20 83336]
    "TPNF "= "c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2009-04-03 73728]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2009-02-17 141848]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2009-02-17 166424]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2009-02-17 137752]
    "CeEKEY "= "c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2009-03-18 827392]
    "HWSetup "= "c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
    "TUSBSleepChargeSrv "= "c:\program files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe" [2009-03-16 252288]
    "avast! "= "c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe "=
    "c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe "= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe "=

    R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [8/21/2008 11:35 AM 28536]
    R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [9/4/2007 11:14 AM 6528]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/19/2010 6:40 PM 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/19/2010 6:40 PM 20560]
    R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 1:22 PM 105856]
    R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 1:15 PM 134016]
    R3 cecnuvc;Chicony USB 2.0 Camera VD;c:\windows\system32\drivers\cec_uvc.sys [8/18/2009 12:47 AM 48176]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/6/2009 1:08 PM 1684736]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [4/6/2009 1:09 PM 164864]
    S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNC&bmod=TSNC
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain?brand=TSNC&bmod=TSNC
    FF - ProfilePath - c:\documents and settings\PHIL\Application Data\Mozilla\Firefox\Profiles\pobcg8yi.default\
    FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-Ask Toolbar_is1 - c:\program files\AskBarDis\unins000.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-20 14:51
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-01-20 14:53:18
    ComboFix-quarantined-files.txt 2010-01-20 20:53
    ComboFix2.txt 2010-01-20 18:30

    Pre-Run: 138,310,180,864 bytes free
    Post-Run: 138,207,027,200 bytes free

    - - End Of File - - EE5CECAF33F17F518A5A7D917CEEEE15
     
  15. 2010/01/20
    Scott Smith

    Scott Smith Inactive Alumni Thread Starter

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:57:45 PM, on 1/20/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16945)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\system32\thpsrv.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ThpSrv.exe
    C:\WINDOWS\system32\TODDSrv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\PHIL\My Documents\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [ThpSrv] C:\WINDOWS\system32\thpsrv /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [TUSBSleepChargeSrv] %ProgramFiles%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
    O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

    --
    End of file - 4348 bytes
     
  16. 2010/01/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very well :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Restart computer.

    ==================================================================

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update Superantispyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3.
    Post fresh HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  17. 2010/01/20
    Scott Smith

    Scott Smith Inactive Alumni Thread Starter

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/20/2010 at 03:37 PM

    Application Version : 4.33.1000

    Core Rules Database Version : 4498
    Trace Rules Database Version: 2312

    Scan type : Quick Scan
    Total Scan Time : 00:13:13

    Memory items scanned : 204
    Memory threats detected : 0
    Registry items scanned : 419
    Registry threats detected : 1
    File items scanned : 17543
    File threats detected : 2

    Adware.Gamevance
    HKU\S-1-5-21-2892819343-3414940699-4275771036-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}

    Adware.CouponBar
    C:\WINDOWS\CPNPRT2.CID
    C:\WINDOWS\SYSTEM32\CPNPRT2.CID
     
  18. 2010/01/20
    Scott Smith

    Scott Smith Inactive Alumni Thread Starter

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    Malwarebytes' Anti-Malware 1.44
    Database version: 3605
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    1/20/2010 4:32:28 PM
    mbam-log-2010-01-20 (16-32-28).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 149409
    Time elapsed: 27 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{1E452A8B-FF85-46AC-BB2A-069DD62D4A2E}\RP35\A0017485.sys (Malware.Trace) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1E452A8B-FF85-46AC-BB2A-069DD62D4A2E}\RP35\A0017534.sys (Malware.Trace) -> Quarantined and deleted successfully.
     
  19. 2010/01/20
    Scott Smith

    Scott Smith Inactive Alumni Thread Starter

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:40:08 PM, on 1/20/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16945)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\system32\thpsrv.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ThpSrv.exe
    C:\WINDOWS\system32\TODDSrv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [ThpSrv] C:\WINDOWS\system32\thpsrv /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [TUSBSleepChargeSrv] %ProgramFiles%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
    O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

    --
    End of file - 4543 bytes
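As an added example (not code from the thread, from HijackThis or from any of the tools mentioned), a small Python helper that parses the scan entries of two HijackThis logs like the ones posted above, diffs them to show what appeared or disappeared between scans, and flags entries marked "(file missing)" or "Unknown owner" for review. The two sample logs are constructed from a few lines in the thread's format.

```python
"""Diff two HijackThis logs and flag entries worth a second look."""
import re
from typing import Dict, List, Tuple

# Constructed sample (a few lines in HijackThis log format, modelled on the
# entries posted in this thread): a log taken before cleanup ...
BEFORE_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe

O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\\Program Files\\Java\\jre6\\bin\\jqs.exe" -service -config "C:\\Program Files\\Java\\jre6\\lib\\deploy\\jqs\\jqs.conf (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\\WINDOWS\\system32\\LEXBCES.EXE
"""

# ... and one taken after cleanup (also constructed).
AFTER_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe

O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\\Program Files\\Java\\jre6\\bin\\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\\WINDOWS\\system32\\LEXBCES.EXE
"""

# A scan entry starts with a section code (R0, R1, F1, N1, O2 ... O24)
# followed by " - "; the header and "Running processes" block do not match.
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.+)$")

# Markers HijackThis itself adds that usually deserve a closer look.
SUSPICIOUS_MARKERS = ("(file missing)", "Unknown owner")


def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every scan entry in a log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def diff_logs(before: str, after: str) -> Dict[str, List[Tuple[str, str]]]:
    """Entries that are only in one of the two logs.

    'removed' entries vanished between scans (cleanup, uninstall, or a
    hidden component); 'added' entries are new autostarts/services.
    """
    b = set(parse_entries(before))
    a = set(parse_entries(after))
    return {"removed": sorted(b - a), "added": sorted(a - b)}


def flag_entries(log: str) -> List[Tuple[str, str]]:
    """Entries whose body carries one of SUSPICIOUS_MARKERS."""
    return [(sec, body) for sec, body in parse_entries(log)
            if any(marker in body for marker in SUSPICIOUS_MARKERS)]


if __name__ == "__main__":
    delta = diff_logs(BEFORE_LOG, AFTER_LOG)
    for kind in ("removed", "added"):
        for sec, body in delta[kind]:
            print(f"{kind:8s} {sec} - {body}")
    for sec, body in flag_entries(BEFORE_LOG):
        print(f"review   {sec} - {body}")
```

On the constructed sample the diff reports the O20 SUPERAntiSpyware entry and the corrected Java service as added, the broken Java service line as removed, and flags that broken line for review in the "before" log.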
     
  20. 2010/01/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  21. 2010/01/20
    Scott Smith

    Scott Smith Inactive Alumni Thread Starter

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    Kaspersky clean.
    I guess we are good?
     
