
Author Topic: Infected laptop  (Read 58702 times)


evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Infected laptop
« Reply #15 on: March 26, 2008, 07:24:32 PM »
OK, we need to get something running here. Hopefully this is the one.

Please run the F-Secure Online Scanner

Note: This Scanner works with Internet Explorer Only!
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the ActiveX control to be installed on your computer, then click the Accept button.
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning.
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report).
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post.
  • If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan.
    • When the cleaning option is presented, Uncheck Submit samples to F-Secure.
    • Click Automatic cleaning.
    • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report).
    • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post.
If needed go to Start > Run > type Notepad.exe then press OK.
Paste the log into Notepad and save it to the desktop so it can easily be posted later.

This scan can take quite some time, so please be patient.

Next post: F-Secure log

SuperDave

    Topic Starter
  • Malware Removal Specialist
  • Moderator


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: Infected laptop
« Reply #16 on: March 26, 2008, 09:50:42 PM »
Scanning Report
Wednesday, March 26, 2008 22:40:14 - 00:48:43
Computer name: DAVE-LAPTOP
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 2 malware found
Downloader.Win32.UltimateFix (spyware)
System
Tracking Cookie (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 26833
System: 3864
Not scanned: 22
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 2
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
C:\USERS\DAVE'S COMPUTER\APPDATA\LOCAL\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{8DF45552-A3FD-432E-A576-F9D559F826DF}
C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\ED80A482B1F410658B28B47EA513B454_62BAC37C-8BF7-4A7C-BAC5-D89F18910D3E
C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FCD3BCC382783D5142E645B139AA2D65_62BAC37C-8BF7-4A7C-BAC5-D89F18910D3E
C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\ED80A482B1F410658B28B47EA513B454_62BAC37C-8BF7-4A7C-BAC5-D89F18910D3E
C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FCD3BCC382783D5142E645B139AA2D65_62BAC37C-8BF7-4A7C-BAC5-D89F18910D3E
C:\BOOT\BCD

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-03-27
F-Secure AVP: 7.0.171, 2008-03-27
F-Secure Pegasus: 1.20.0, 2008-02-26
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

Windows 8 and Windows 10 dual boot with two SSD's

evilfantasy
Re: Infected laptop
« Reply #17 on: March 26, 2008, 10:01:36 PM »
Quote
Disinfected: 0
Renamed: 0
Deleted: 0

You didn't have it clean the malware?

Run this scan; it will only take a few minutes. I may be able to find the files in here and we can delete them that way. You will probably need two posts for both logs.

Download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • Add the contents of main.txt in your post.
  • Also add extra.txt to your post.
  • The text from these files may exceed the maximum post length for this forum, and may need to be sent over 2 or more posts. Please ensure all text is posted.

What DSS will do:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

SuperDave
Re: Infected laptop
« Reply #18 on: March 27, 2008, 06:07:41 AM »
I ran the scan again and nothing was found. I'll try the other one now.
    Thursday, March 27, 2008 08:18:13 - 09:03:03
    Computer name: DAVE-LAPTOP
    Scanning type: Scan system for malware, rootkits
    Target: C:\ D:\


    --------------------------------------------------------------------------------

    Result: 0 malware found

    --------------------------------------------------------------------------------

    Statistics
    Scanned:
    Files: 26859
    System: 3864
    Not scanned: 22
    Actions:
    Disinfected: 0
    Renamed: 0
    Deleted: 0
    None: 0
    Submitted: 0
    Files not scanned:
    C:\HIBERFIL.SYS
    C:\PAGEFILE.SYS
    C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
    C:\WINDOWS\SYSTEM32\CONFIG\SAM
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
    C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
    C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
    C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
    C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
    C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
    C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
    C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
    C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
    C:\USERS\DAVE'S COMPUTER\APPDATA\LOCAL\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{8DF45552-A3FD-432E-A576-F9D559F826DF}
    C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\ED80A482B1F410658B28B47EA513B454_62BAC37C-8BF7-4A7C-BAC5-D89F18910D3E
    C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FCD3BCC382783D5142E645B139AA2D65_62BAC37C-8BF7-4A7C-BAC5-D89F18910D3E
    C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\ED80A482B1F410658B28B47EA513B454_62BAC37C-8BF7-4A7C-BAC5-D89F18910D3E
    C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FCD3BCC382783D5142E645B139AA2D65_62BAC37C-8BF7-4A7C-BAC5-D89F18910D3E
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL

    --------------------------------------------------------------------------------

SuperDave
Re: Infected laptop
« Reply #19 on: March 27, 2008, 06:18:56 AM »
    Deckard's System Scanner v20071014.68
    Run by Dave's computer on 2008-03-27 09:10:25
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- Last 5 Restore Point(s) --
    25: 2008-03-27 06:01:42 UTC - RP128 - Windows Update
    24: 2008-03-26 23:02:38 UTC - RP127 - Removed Java(TM) 6 Update 2
    23: 2008-03-26 11:46:44 UTC - RP126 - Windows Update
    22: 2008-03-26 01:54:11 UTC - RP125 - Installed SUPERAntiSpyware Free Edition
    21: 2008-03-25 21:43:33 UTC - RP124 - Removed STOPzilla. Available with Windows Installer version 1.2 and later.


    -- First Restore Point --
    1: 2008-03-20 17:29:17 UTC - RP102 - Windows Update


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Dave's computer.exe) -------------------------------------

    Unable to find log (file not found); running clone.
    -- HijackThis Clone ------------------------------------------------------------


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-03-27 09:13:28
    Platform: Windows Vista  (6.00.6000)
    MSIE: Internet Explorer (7.00.6000.16386)
    Boot mode: Normal

    Running processes:
    C:\Windows\System32\dwm.exe
    C:\Windows\explorer.exe
    C:\Windows\System32\taskeng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\ltmoh\ltmoh.exe
    C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Toshiba\SmoothView\SmoothView.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
    C:\Windows\System32\jshalgvu.exe
    C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\Downloaded Program Files\gatelauncher.exe
    C:\Users\DAVE'S~1\AppData\Local\Temp\fsgk32.exe
    C:\Users\DAVE'S~1\AppData\Local\Temp\fssm32.exe
    C:\Users\Dave's computer\Desktop\dss.exe
    C:\Windows\System32\conime.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://exclusive.aliant.net/home.jsp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.shoptoshiba.ca/welcome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

SuperDave
Re: Infected laptop
« Reply #20 on: March 27, 2008, 06:25:06 AM »
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    O4 - HKCU\..\Run: [gaiembcv] C:\Windows\system32\jshalgvu.exe
    O4 - HKCU\..\Run: [ngrmrzkm] C:\Windows\system32\hotwdkfg.exe
    O4 - HKCU\..\Run: [eucpwsvr] C:\Windows\system32\lqjsxmde.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\microsoft shared\Web Folders\PKMCDO.DLL
    O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\microsoft shared\Web Components\10\OWC10.DLL
    O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\microsoft shared\Web Components\11\OWC11.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\System32\agrsmsvc.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\System32\rpcnet.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\System32\TODDSrv.exe
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


    --
    End of file - 9262 bytes

    -- File Associations -----------------------------------------------------------

    .reg - regfile - shell\open\command - regedit.exe"%1" %*
    .scr - scrfile - shell\open\command - "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R3 F-Secure Standalone Minifilter - \??\c:\users\dave's~1\appdata\local\temp\onlinescanner\anti-virus\fsgk.sys
    R3 SASENUM - \??\c:\program files\superantispyware\sasenum.sys


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree(TM)>
    R2 rpcnet (Remote Procedure Call (RPC) Net) - c:\windows\system32\rpcnet.exe <Not Verified; Absolute Software Corp.; Installation/Management Application>
    R2 TNaviSrv (TOSHIBA Navi Support Service) - c:\program files\toshiba\toshiba dvd player\tnavisrv.exe <Not Verified; TOSHIBA Corporation; TOSHIBA DVD Player>
    R2 TODDSrv (TOSHIBA Optical Disc Drive Service) - c:\windows\system32\toddsrv.exe <Not Verified; TOSHIBA Corporation; TDCSrv Application>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2008-03-21 21:28:47       508 --a------ C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Dave's computer.job


SuperDave
Re: Infected laptop
« Reply #21 on: March 27, 2008, 06:28:01 AM »
    -- Files created between 2008-02-27 and 2008-03-27 -----------------------------

    2008-03-26 22:36:25         0 d-------- C:\fsaua.data
    2008-03-26 21:00:33         0 d-------- C:\Program Files\vanBasco's Karaoke Player
    2008-03-26 16:29:05         0 d-------- C:\Users\All Users\Malwarebytes
    2008-03-26 16:29:05         0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-03-26 10:53:52         0 d-------- C:\Users\Dave's computer\.housecall6.6
    2008-03-26 10:53:20         0 d-------- C:\Windows\Sun
    2008-03-25 22:55:14         0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
    2008-03-25 22:54:28         0 d-------- C:\Program Files\SUPERAntiSpyware
    2008-03-25 16:28:00         0 d-------- C:\Users\All Users\SITEguard
    2008-03-25 16:24:46         0 d-------- C:\Program Files\Common Files\iS3
    2008-03-25 16:24:45         0 d-------- C:\Users\All Users\STOPzilla!
    2008-03-25 13:52:31     98304 --a------ C:\Windows\system32\lqjsxmde.exe
    2008-03-25 13:07:36     98304 --a------ C:\Windows\system32\hotwdkfg.exe
    2008-03-25 09:40:53         0 d-------- C:\Program Files\CCleaner
    2008-03-25 09:16:05    106496 --a------ C:\Windows\system32\jshalgvu.exe
    2008-03-24 22:28:05         0 d-------- C:\Program Files\Lavasoft
    2008-03-24 21:50:03         0 d-------- C:\Users\All Users\Lavasoft
    2008-03-24 20:05:30         0 d-a------ C:\Users\All Users\TEMP
    2008-03-24 20:05:27         0 d-------- C:\Program Files\SpywareBlaster
    2008-03-24 17:45:23    691545 --a------ C:\Windows\unins000.exe
    2008-03-24 17:45:23      2553 --a------ C:\Windows\unins000.dat
    2008-03-24 17:36:02         0 d-------- C:\Users\All Users\Spybot - Search & Destroy
    2008-03-24 16:20:45      4096 --a------ C:\Windows\userconfig9x.dll
    2008-03-24 16:20:45      4096 --a------ C:\Windows\system32winlogonpc.exe
    2008-03-24 16:20:45      4096 --a------ C:\Windows\system32taack.exe
    2008-03-24 16:20:45      4096 --a------ C:\Windows\system32taack.dat
    2008-03-24 16:20:45      4096 --a------ C:\Windows\system32sncntr.exe
    2008-03-24 16:20:45      4096 --a------ C:\Windows\system32mwin32.exe
    2008-03-24 16:20:45      4096 --a------ C:\Windows\system32hoproxy.dll
    2008-03-24 16:20:45      4096 --a------ C:\Windows\FVProtect.exe
    2008-03-24 16:20:45      4096 --a------ C:\Windows\a.bat
    2008-03-24 16:20:44      4096 --a------ C:\Windows\winsystem.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32WINWGPX.EXE
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32winsystem.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32vcatchpi.dll
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32vbsys2.dll
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32thun32.dll
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32thun.dll
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32temp#01.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32sysreq.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32ssvchost.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32ssvchost.com
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32ssurf022.dll
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32Rundl1.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32regm64.dll
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32regc64.dll
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32psoft1.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32psof1.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32ps1.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32newsd32.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32netode.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32mtr2.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32msvchost.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32mssecu.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32msnbho.dll
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32msgp.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32medup020.dll
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32medup012.dll
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32hxiwlgpm.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32hxiwlgpm.dat
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32h@tkeysh@@k.dll
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32emesx.dll
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32dpcproxy.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32bsva-egihsg52.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32bdn.com
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32awtoolb.dll
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32anticipator.dll
    2008-03-24 16:20:44      4096 --a------ C:\Windows\system32akttzn.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\mssecu.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\iTunesMusic.exe
    2008-03-24 16:20:44      4096 --a------ C:\Windows\bdn.com
    2008-03-24 16:20:44         0 d-------- C:\Users\Dave's computer\Desktopvirii
    2008-03-24 16:20:44      4096 --a------ C:\Users\Dave's computer\DesktopFWebdEditor.exe
    2008-03-24 16:20:44      4096 --a------ C:\Users\Dave's computer\Desktopfwebd.exe
    2008-03-24 16:20:44      4096 --a------ C:\Users\Dave's computer\Desktopfilemanagerclient.exe
    2008-03-24 16:20:35         0 d-------- C:\Users\All Users\mjwvapap
    2008-03-24 12:33:37         0 d-------- C:\Program Files\Microsoft ActiveSync
    2008-03-22 15:15:16         0 d-------- C:\New Folder
    2008-03-21 02:26:50         0 d-------- C:\Program Files\Atheros
    2008-03-21 02:26:36         0 d-------- C:\Users\All Users\Atheros
    2008-03-21 02:26:30     77824 --a------ C:\Windows\system32\tosmreg.exe <Not Verified; Toshiba Corporation; Tosmreg>
    2008-03-21 02:26:30     45056 --a------ C:\Windows\system32\csellang.dll
    2008-03-21 02:26:30    491520 --a------ C:\Windows\system32\cselect.exe <Not Verified; Toshiba Corporation; toshiba cselect>
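As an added example (not code from this thread, nor from DSS or HijackThis), the script below does the correlation the helper is doing by eye: it reads the O4 autorun entries posted in Reply #20 and the DSS "Files created" listing in Reply #21 and reports autoruns whose binary was created shortly before the report, whose value name and file name are both random-looking, or which launch a system32 binary from a per-user Run key. The sample lines are copied from those logs; the three heuristics, the 7-day window, the %ProgramFiles% expansion and every function name are this example's own assumptions.

```python
"""Correlate HijackThis O4 autorun entries with the DSS "Files created" listing.

Added example; not code from the thread or from DSS/HijackThis. The sample
lines are copied from the logs posted above. The heuristics, the 7-day window,
the %ProgramFiles% expansion and all function names are this example's own.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: O4 lines copied from the HijackThis section (Reply #20).
HJT_O4_LINES = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [gaiembcv] C:\Windows\system32\jshalgvu.exe
O4 - HKCU\..\Run: [ngrmrzkm] C:\Windows\system32\hotwdkfg.exe
O4 - HKCU\..\Run: [eucpwsvr] C:\Windows\system32\lqjsxmde.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Constructed sample: lines copied from the DSS "Files created" section (Reply #21).
DSS_CREATED_LINES = r"""
2008-03-25 13:52:31     98304 --a------ C:\Windows\system32\lqjsxmde.exe
2008-03-25 13:07:36     98304 --a------ C:\Windows\system32\hotwdkfg.exe
2008-03-25 09:16:05    106496 --a------ C:\Windows\system32\jshalgvu.exe
2008-03-21 02:26:30     77824 --a------ C:\Windows\system32\tosmreg.exe <Not Verified; Toshiba Corporation; Tosmreg>
2008-03-20 14:38:57     47104 --a------ C:\Windows\system32\rpcnet.exe <Not Verified; Absolute Software Corp.; Installation/Management Application>
"""

# O4 - <hive>\..\Run: [<value name>] <command line>   (Global Startup lines do not match)
O4_RE = re.compile(r"^O4 - (?P<key>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable on the command line, quoted or not; arguments after it are dropped.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)
# <timestamp> <size> <attributes> <path> [<Not Verified; vendor; description>]
DSS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+(?P<attr>\S{9})\s+"
    r"(?P<path>.+?)(?: <Not Verified;.*>)?$"
)
# Eight lowercase letters: the shape shared by the value names and file names of the
# three HKCU entries in the log. A heuristic of this example, not a rule of the format.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")
PROGRAM_FILES = r"C:\Program Files"  # assumption: 32-bit default, as the log's paths show


def normalize(path):
    """Expand %ProgramFiles% and lowercase so O4 and DSS paths compare equal."""
    return path.replace("%ProgramFiles%", PROGRAM_FILES).lower()


def parse_o4(text):
    """Return [{'key', 'name', 'path'}] for every Run-key O4 line in text."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.match(m.group("cmd"))
        if not exe:
            continue
        entries.append({"key": m.group("key"), "name": m.group("name"),
                        "path": normalize(exe.group("path"))})
    return entries


def parse_dss_created(text):
    """Return {lowercased path: {'created', 'size', 'attr'}} from DSS file lines."""
    files = {}
    for line in text.splitlines():
        m = DSS_RE.match(line.strip())
        if not m:
            continue
        files[m.group("path").lower()] = {
            "created": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "size": int(m.group("size")),
            "attr": m.group("attr"),
        }
    return files


def flag_autoruns(o4_entries, created_files, report_time, window=timedelta(days=7)):
    """Return the autoruns that trip at least one heuristic, with the reasons."""
    flagged = []
    for e in o4_entries:
        reasons = []
        stem = e["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if RANDOM_NAME_RE.match(e["name"]) and RANDOM_NAME_RE.match(stem) and e["name"] != stem:
            reasons.append("random-looking value name and file name")
        if e["key"].upper().startswith("HKCU") and "\\windows\\system32\\" in e["path"]:
            reasons.append("per-user Run key launching a binary from system32")
        info = created_files.get(e["path"])
        if info and report_time - info["created"] <= window:
            reasons.append("file created %s, within %d days of the report"
                           % (info["created"], window.days))
        if reasons:
            flagged.append({"name": e["name"], "path": e["path"], "reasons": reasons})
    return flagged


def analyze(report_time=datetime(2008, 3, 27, 9, 10, 25)):
    """Run the correlation on the sample lines; default time is the DSS run time in the log."""
    return flag_autoruns(parse_o4(HJT_O4_LINES), parse_dss_created(DSS_CREATED_LINES), report_time)


if __name__ == "__main__":
    for hit in analyze():
        print("%s  (Run value [%s])" % (hit["path"], hit["name"]))
        for reason in hit["reasons"]:
            print("    -", reason)
```

On the sample above the three HKCU entries are the only ones reported, each for all three reasons; the Toshiba and Symantec autoruns pass every check.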

SuperDave
Re: Infected laptop
« Reply #22 on: March 27, 2008, 06:31:02 AM »
    2008-03-21 02:26:30         0 d-------- C:\Program Files\ltmoh
    2008-03-21 02:26:08         0 d-------- C:\Windows\Options
    2008-03-21 02:26:00         0 d-------- C:\Program Files\Synaptics
    2008-03-21 02:25:25         0 d-------- C:\DOCS
    2008-03-21 02:25:18         0 d-------- C:\Program Files\Toshiba Registration
    2008-03-21 02:25:15         0 d-------- C:\Windows\Downloaded Installations
    2008-03-21 02:25:14         0 d-------- C:\Program Files\OnlinePlay
    2008-03-21 02:19:26         0 d--hs---- C:\System Volume Information
    2008-03-21 00:11:44         0 d-------- C:\Program Files\Norton Internet Security
    2008-03-21 00:10:26         0 d-------- C:\Program Files\Symantec
    2008-03-21 00:10:24         0 d-------- C:\Users\All Users\Symantec
    2008-03-21 00:10:02         0 d-------- C:\Program Files\Common Files\Symantec Shared
    2008-03-20 23:53:44         0 d-------- C:\Program Files\Camera Assistant Software for Toshiba
    2008-03-20 23:53:06         0 d-------- C:\Program Files\Common Files\Toshiba Shared
    2008-03-20 23:49:54         0 dr------- C:\Users\Dave's computer\Searches
    2008-03-20 23:49:41         0 dr------- C:\Users\Dave's computer\Contacts
    2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\Templates
    2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\Start Menu
    2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\SendTo
    2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\Recent
    2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\PrintHood
    2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\NetHood
    2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\My Documents
    2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\Local Settings
    2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\Cookies
    2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\Application Data
    2008-03-20 23:49:33         0 dr------- C:\Users\Dave's computer\Videos
    2008-03-20 23:49:33         0 dr------- C:\Users\Dave's computer\Saved Games
    2008-03-20 23:49:33         0 dr------- C:\Users\Dave's computer\Pictures
    2008-03-20 23:49:33   2883584 --ahs---- C:\Users\Dave's computer\NTUSER.DAT
    2008-03-20 23:49:33         0 dr------- C:\Users\Dave's computer\Music
    2008-03-20 23:49:33         0 dr------- C:\Users\Dave's computer\Links
    2008-03-20 23:49:33         0 dr------- C:\Users\Dave's computer\Favorites
    2008-03-20 23:49:33         0 dr------- C:\Users\Dave's computer\Downloads
    2008-03-20 23:49:33         0 dr------- C:\Users\Dave's computer\Documents
    2008-03-20 23:49:33         0 dr------- C:\Users\Dave's computer\Desktop
    2008-03-20 23:49:33         0 d--h----- C:\Users\Dave's computer\AppData
    2008-03-20 23:43:40         0 d-------- C:\Windows\SoftwareDistribution
    2008-03-20 21:48:46     90112 --a------ C:\Windows\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
    2008-03-20 21:48:33         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-03-20 21:48:30         0 d-------- C:\Psfonts
    2008-03-20 21:47:34         0 d-------- C:\Program Files\Finale 2006
    2008-03-20 21:34:32         0 d-------- C:\Program Files\coolpro2
    2008-03-20 14:39:26     47104 --a------ C:\Windows\system32\rpcnet.dll <Not Verified; Absolute Software Corp.; Installation/Management Application>
    2008-03-20 14:38:57     47104 --a------ C:\Windows\system32\rpcnet.exe <Not Verified; Absolute Software Corp.; Installation/Management Application>


    -- Find3M Report ---------------------------------------------------------------

    2008-03-26 22:32:36     17408 --a------ C:\Windows\system32\rpcnetp.exe
    2008-03-26 22:32:32     17408 --a------ C:\Windows\system32\rpcnetp.dll
    2008-03-26 20:03:29         0 d-------- C:\Program Files\Java
    2008-03-26 16:29:08         0 d-------- C:\Users\Dave's computer\AppData\Roaming\Malwarebytes
    2008-03-25 22:54:28         0 d-------- C:\Users\Dave's computer\AppData\Roaming\SUPERAntiSpyware.com
    2008-03-25 18:35:02         0 d-------- C:\Users\Dave's computer\AppData\Roaming\Adobe
    2008-03-25 16:24:46         0 d-------- C:\Program Files\Common Files
    2008-03-23 15:23:14         0 d-------- C:\Users\Dave's computer\AppData\Roaming\Macromedia
    2008-03-22 15:44:40     31007 --a------ C:\Users\Dave's computer\AppData\Roaming\UserTile.png
    2008-03-22 15:44:40         0 d-------- C:\Users\Dave's computer\AppData\Roaming\PeerNetworking
    2008-03-21 15:06:23       174 --ahs---- C:\Program Files\desktop.ini
    2008-03-21 14:59:47         0 d-------- C:\Program Files\Windows Calendar
    2008-03-21 14:59:39         0 d-------- C:\Program Files\Windows Mail
    2008-03-21 14:59:35         0 d-------- C:\Program Files\Windows Sidebar
    2008-03-21 14:14:52         0 d-------- C:\Program Files\Microsoft SQL Server
    2008-03-20 23:53:44         0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-03-20 23:53:06         0 d-------- C:\Program Files\Toshiba
    2008-03-20 23:52:14         0 d-------- C:\Users\Dave's computer\AppData\Roaming\InstallShield
    2008-03-20 23:50:33         0 d-------- C:\Users\Dave's computer\AppData\Roaming\ATI
    2008-03-20 23:49:44         0 d-------- C:\Users\Dave's computer\AppData\Roaming\Identities
    2008-03-20 21:36:40         0 d-------- C:\Users\Dave's computer\AppData\Roaming\Syntrillium
    2008-03-20 15:38:09         0 d-------- C:\Users\Dave's computer\AppData\Roaming\Ulead Systems
    2008-03-20 15:27:10         0 d-------- C:\Users\Dave's computer\AppData\Roaming\toshiba


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [23/08/2007 03:44 PM]
    "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [10/11/2006 04:35 PM]
    "RtHDVCpl"="RtHDVCpl.exe" [09/08/2007 08:26 AM C:\Windows\RtHDVCpl.exe]
    "NDSTray.exe"="NDSTray.exe" []
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 07:06 AM]
    "SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [15/08/2007 04:31 AM]
    "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [09/01/2007 03:23 AM]
    "TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [29/03/2007 10:39 AM]
    "HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [07/12/2006 04:49 PM]
    "SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [15/06/2007 09:01 PM]
    "00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [22/05/2007 04:32 PM]
    "Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [22/05/2007 10:50 AM]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [24/10/2006 07:08 PM]
    "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [26/10/2006 09:18 PM]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [29/01/2008 05:38 PM]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Windows 8 and Windows 10 dual boot with two SSD's

    SuperDave

    Re: Infected laptop
    « Reply #23 on: March 27, 2008, 06:31:55 AM »
    "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [21/03/2008 02:03 PM]
    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [18/05/2007 07:43 AM]
    "gaiembcv"="C:\Windows\system32\jshalgvu.exe" [25/03/2008 09:16 AM]
    "ngrmrzkm"="C:\Windows\system32\hotwdkfg.exe" [25/03/2008 01:07 PM]
    "eucpwsvr"="C:\Windows\system32\lqjsxmde.exe" [25/03/2008 01:52 PM]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [29/02/2008 04:03 PM]

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 1:01:04 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"=2 (0x2)
    "EnableLUA"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 PM 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
    @="IEEE 1394 Bus host controllers"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
    @="SBP2 IEEE 1394 Devices"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
    @="SecurityDevices"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalSystemNetworkRestricted   hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

    *Newly Created Service* - COMHOST
    *Newly Created Service* - F-SECURE_STANDALONE_MINIFILTER

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    C:\Windows\system32\unregmp2.exe /ShowWMP

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



    -- Hosts -----------------------------------------------------------------------


    7934 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2008-03-27 09:15:06 ------------


    SuperDave

    Re: Infected laptop
    « Reply #24 on: March 27, 2008, 06:34:02 AM »
    -- System Information ----------------------------------------------------------

    Microsoft® Windows Vista™ Home Premium  (build 6000)
    Architecture: X86; Language: English

    CPU 0: AMD Turion(tm) 64 X2 Mobile Technology TL-60
    Percentage of Memory in Use: 51%
    Physical Memory (total/avail): 1917.44 MiB / 933.83 MiB
    Pagefile Memory (total/avail): 4072.06 MiB / 2626.33 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1924 MiB

    C: is Fixed (NTFS) - 173.27 GiB total, 130.34 GiB free.
    D: is Fixed (NTFS) - 6.01 GiB total, 5.84 GiB free.
    E: is CDROM (No Media)

    \\.\PHYSICALDRIVE0 - TOSHIBA MK2046GSX ATA Device - 186.31 GiB - 4 partitions
      \PARTITION0 - Unknown - 1500 MiB
      \PARTITION1 (bootable) - Installable File System - 173.27 GiB - C:
      \PARTITION2 - Installable File System - 6.01 GiB - D:
      \PARTITION3 - Unknown - 5.56 GiB



    -- Security Center -------------------------------------------------------------

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is disabled.

    FW: Norton Internet Security v2007 (Symantec Corporation)
    AV: Norton Internet Security v2007 (Symantec Corporation)
    AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
    AS: SUPERAntiSpyware v4, 0, 0, 1154 (SUPERAntiSpyware.com)
    AS: Norton Internet Security v2007 (Symantec Corporation)

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\ProgramData
    APPDATA=C:\Users\Dave's computer\AppData\Roaming
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=DAVE-LAPTOP
    ComSpec=C:\Windows\system32\cmd.exe
    configsetroot=C:\Windows\ConfigSetRoot
    FP_NO_HOST_CHECK=NO
    HKCU_S=\REGISTRY\CUSER\Software
    HKLM_S=\REGISTRY\MACHINE\Software
    HOMEDRIVE=C:
    HOMEPATH=\Users\Dave's computer
    LOCALAPPDATA=C:\Users\Dave's computer\AppData\Local
    LOGONSERVER=\\DAVE-LAPTOP
    NUMBER_OF_PROCESSORS=2
    OS=Windows_NT
    Path=C:\Program Files\Internet Explorer;;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG;C:\Program Files\Microsoft SQL Server\90\Tools\binn\
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 104 Stepping 2, AuthenticAMD
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=6802
    ProgramData=C:\ProgramData
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    PUBLIC=C:\Users\Public
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\Windows
    TEMP=C:\Users\DAVE'S~1\AppData\Local\Temp
    TMP=C:\Users\DAVE'S~1\AppData\Local\Temp
    USERDOMAIN=Dave-laptop
    USERNAME=Dave's computer
    USERPROFILE=C:\Users\Dave's computer
    windir=C:\Windows



    SuperDave

    Re: Infected laptop
    « Reply #25 on: March 27, 2008, 06:35:57 AM »
    -- User Profiles ---------------------------------------------------------------

    Dave's computer (admin)


    -- Add/Remove Programs ---------------------------------------------------------

     --> "C:\Program Files\InstallShield Installation Information\{A644254B-92F6-4970-8635-AB0775371E72}\setup.exe" --u:{A644254B-92F6-4970-8635-AB0775371E72}
     --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{622E6F16-0904-49B6-BBE1-4CC836314CCF}\setup.exe" -l0x9
     --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{697AFC77-F318-4CD4-BF16-F50F4C1072DA}\setup.exe" -l0x9
    Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
    Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
    AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
    Atheros Driver Installation Program --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28006915-2739-4EBE-B5E8-49B25D32EB33}\setup.exe" -l0x9  -removeonly
    AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
    Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
    Business Contact Manager for Outlook 2007 SP1 --> "C:\Program Files\Microsoft Small Business\Business Contact Manager\SetupBootstrap\Setup.exe" /remove {B32C4059-6E7A-41EF-AD20-56DF1872B923}
    Business Contact Manager for Outlook 2007 SP1 --> MsiExec.exe /X{B32C4059-6E7A-41EF-AD20-56DF1872B923}
    Camera Assistant Software for Toshiba --> C:\Program Files\InstallShield Installation Information\{37C866E4-AA67-4725-9E95-A39968DD7960}\SETUP.exe -runfromtemp -l0x0009
    Catalyst Control Center - Branding --> MsiExec.exe /I{22543949-70E8-45D0-A938-F38143EB8BF8}
    ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
    CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
    CD/DVD Drive Acoustic Silencer --> C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\SETUP.exe -runfromtemp -l0x0009 -removeonly
    Cool Edit Pro 2.0 --> C:\Program Files\coolpro2\cep2unin.exe
    DVD MovieFactory for TOSHIBA --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}\SETUP.EXE" -l0x9
    Finale 2006 --> C:\Windows\unvise32.exe C:\Program Files\Finale 2006\uninstal.log
    HijackThis 1.99.1 --> C:\Program Files\HijackThis\HijackThis.exe /uninstall
    Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
    LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
    LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
    Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
    Microsoft Office 2003 Web Components --> MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
    Microsoft Office 2007 Primary Interop Assemblies --> MsiExec.exe /X{50120000-1105-0000-0000-0000000FF1CE}
    Microsoft Office Small Business Connectivity Components --> MsiExec.exe /X{A939D341-5A04-4E0A-BB55-3E65B386432D}
    Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
    Microsoft SQL Server 2005 --> "c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
    Microsoft SQL Server 2005 Express Edition (MSSMLBIZ) --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
    Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
    Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
    Microsoft SQL Server VSS Writer --> MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
    Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
    MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
    MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
    MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
    Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
    Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
    Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
    Norton Internet Security --> MsiExec.exe /I{3672B097-EA69-4bfe-B92F-29AE6D9D2B34}
    Norton Internet Security --> MsiExec.exe /I{48185814-A224-447A-81DA-71BD20580E1B}
    Norton Internet Security --> MsiExec.exe /I{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}
    Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
    Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
    Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}_10_1_0_26\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}.exe" /X
    Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
    OnlinePlay 1.0 --> C:\Program Files\OnlinePlay\uninst.exe
    Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista --> C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\SETUP.exe -runfromtemp -l0x0009 -removeonly
    Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\SETUP.exe" -l0x9  -removeonly
    RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\SETUP.EXE" -l0x9 anything
    SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
    Spybot - Search & Destroy 1.5.2.20 --> "C:\Windows\unins000.exe"
    SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
    SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
    SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
    Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
    TOSHIBA Assist --> C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\SETUP.exe -runfromtemp -l0x0009 -removeonly
    TOSHIBA ConfigFree --> C:\Program Files\InstallShield Installation Information\{78C6A78A-8B03-48C8-A47C-78BA1FCA2307}\setup.exe -runfromtemp -l0x0009 uninstall
    TOSHIBA Disc Creator --> MsiExec.exe /X{5DA0E02F-970B-424B-BF41-513A5018E4C0}
    TOSHIBA DVD PLAYER --> C:\Program Files\InstallShield Installation Information\{6C5F3BDC-0A1B-4436-A696-5939629D5C31}\setup.exe -runfromtemp -l0x0009 -ADDREMOVE -removeonly
    TOSHIBA Extended Tiles for Windows Mobility Center --> C:\Program Files\InstallShield Installation Information\{617C36FD-0CBE-4600-84B2-441CEB12FADF}\SETUP.EXE -runfromtemp -l0x0409
    TOSHIBA Hardware Setup --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BFC85CDC-BD7C-4FDD-9507-8D74B5A79404}\setup.exe" -l0x9
    TOSHIBA Recovery Disc Creator --> MsiExec.exe /X{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}
    Toshiba Registration --> MsiExec.exe /I{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}
    TOSHIBA SD Memory Utilities --> MsiExec.exe /X{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}
    TOSHIBA Software Modem --> Tosmreg -U
    TOSHIBA Speech System Applications --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}\Setup.exe" -l0x9
    TOSHIBA Speech System SR Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{008D69EB-70FF-46AB-9C75-924620DF191A}\Setup.exe" -l0x9 UNINSTALL
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}\Setup.exe" -l0x9
    TOSHIBA Supervisor Password --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2BDF38E0-1A7F-4220-B4B7-118DD45E5E13}\setup.exe" -l0x9
    TOSHIBA Value Added Package --> C:\Program Files\InstallShield Installation Information\{FEDD27A0-B306-45EF-BF58-B527406B42C8}\setup.exe -runfromtemp -l0x0409
    vanBasco's Karaoke Player --> C:\Program Files\vanBasco's Karaoke Player\uninst.exe
    Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
    Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}


    SuperDave

    Re: Infected laptop
    « Reply #26 on: March 27, 2008, 06:36:47 AM »

    -- Application Event Log -------------------------------------------------------

    Event Record #/Type2782 / Error
    Event Submitted/Written: 03/26/2008 10:32:37 PM
    Event ID/Source: 5007 / WerSvc
    Event Description:
    The target file for the Windows Feedback Platform (a DLL file containing the list of problems on this computer that require additional data collection for diagnosis) could not be parsed. The error code was 8014FFF9.

    Event Record #/Type2780 / Success
    Event Submitted/Written: 03/26/2008 10:32:33 PM
    Event ID/Source: 5617 / WinMgmt
    Event Description:


    Event Record #/Type2779 / Success
    Event Submitted/Written: 03/26/2008 10:32:32 PM
    Event ID/Source: 5615 / WinMgmt
    Event Description:


    Event Record #/Type2775 / Warning
    Event Submitted/Written: 03/26/2008 10:32:32 PM
    Event ID/Source: 3 / SQLBrowser
    Event Description:
    The configuration of the AdminConnection\TCP protocol in the SQL instance MSSMLBIZ is not valid.

    Event Record #/Type2770 / Success
    Event Submitted/Written: 03/26/2008 10:31:56 PM
    Event ID/Source: 902 / Software Licensing Service
    Event Description:
    The Software Licensing service has started.



    -- Security Event Log ----------------------------------------------------------

    No Errors/Warnings found.


    -- System Event Log ------------------------------------------------------------

    Event Record #/Type12912 / Warning
    Event Submitted/Written: 03/27/2008 09:14:12 AM
    Event ID/Source: 3004 / WinDefend
    Event Description:
    %Dave-laptop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %Dave-laptop27 can't undo changes that you allow.

    For more information please see the following:
    %Dave-laptop275

       Scan ID: {3058924D-3489-4BA1-9881-7AB323922195}

       User: Dave-laptop\Dave's computer

       Name: %Dave-laptop271

       ID: %Dave-laptop272

       Severity ID: %Dave-laptop273

       Category ID: %Dave-laptop274

       Path Found: %Dave-laptop276

       Alert Type: %Dave-laptop278

       Detection Type: 1.1.1505.02

    Event Record #/Type12911 / Warning
    Event Submitted/Written: 03/27/2008 09:14:12 AM
    Event ID/Source: 3004 / WinDefend
    Event Description:
    %Dave-laptop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %Dave-laptop27 can't undo changes that you allow.

    For more information please see the following:
    %Dave-laptop275

       Scan ID: {D2580365-694E-4198-A6EF-7377C6E76E56}

       User: Dave-laptop\Dave's computer

       Name: %Dave-laptop271

       ID: %Dave-laptop272

       Severity ID: %Dave-laptop273

       Category ID: %Dave-laptop274

       Path Found: %Dave-laptop276

       Alert Type: %Dave-laptop278

       Detection Type: 1.1.1505.02

    Event Record #/Type12910 / Warning
    Event Submitted/Written: 03/27/2008 09:14:10 AM
    Event ID/Source: 3004 / WinDefend
    Event Description:
    %Dave-laptop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %Dave-laptop27 can't undo changes that you allow.

    For more information please see the following:
    %Dave-laptop275

       Scan ID: {9190B177-6561-49C0-8B97-A7824C220668}

       User: Dave-laptop\Dave's computer

       Name: %Dave-laptop271

       ID: %Dave-laptop272

       Severity ID: %Dave-laptop273

       Category ID: %Dave-laptop274

       Path Found: %Dave-laptop276

       Alert Type: %Dave-laptop278

       Detection Type: 1.1.1505.02

    Event Record #/Type12909 / Warning
    Event Submitted/Written: 03/27/2008 09:14:09 AM
    Event ID/Source: 3004 / WinDefend
    Event Description:
    %Dave-laptop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %Dave-laptop27 can't undo changes that you allow.

    For more information please see the following:
    %Dave-laptop275

       Scan ID: {0C2BAD20-6B89-4CDA-81EA-1E607C84C395}

       User: Dave-laptop\Dave's computer

       Name: %Dave-laptop271

       ID: %Dave-laptop272

       Severity ID: %Dave-laptop273

       Category ID: %Dave-laptop274

       Path Found: %Dave-laptop276

       Alert Type: %Dave-laptop278

       Detection Type: 1.1.1505.02

    Event Record #/Type12908 / Warning
    Event Submitted/Written: 03/27/2008 09:14:09 AM
    Event ID/Source: 3004 / WinDefend
    Event Description:
    %Dave-laptop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %Dave-laptop27 can't undo changes that you allow.

    For more information please see the following:
    %Dave-laptop275

       Scan ID: {58FFEA37-4BEF-40DE-A762-FBA9C3AC80E9}

       User: Dave-laptop\Dave's computer

       Name: %Dave-laptop271

       ID: %Dave-laptop272

       Severity ID: %Dave-laptop273

       Category ID: %Dave-laptop274

       Path Found: %Dave-laptop276

       Alert Type: %Dave-laptop278

       Detection Type: 1.1.1505.02



    -- End of Deckard's System Scanner: finished at 2008-03-27 09:15:06 ------------


    evilfantasy

    Re: Infected laptop
    « Reply #27 on: March 27, 2008, 11:20:07 AM »
    OK, I know why we have been struggling. The Deckards log was very revealing. I need you to consider the below statements before we continue. Normally I would go ahead with cleaning at this point but the amount of infected files on this PC along with the severity of the damage they are capable of is severe. There are steps that need to be taken by you, especially if you do any banking or transactions of any sort online. (ebay, paypal, credit cards, etc.)


    Your computer is infected by at least one Keylogger and various Backdoor Trojans and Worms. Please read all of this carefully.

    Backdoor Trojans, IRCBots, worms and rootkits are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use Backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

    Read this article: Danger: Remote Access Trojans.

    If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one! If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

    Your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the Backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS.

    When should I re-format? How should I reinstall?
    How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

    Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it will be 100% secure afterwards or that the removal will be successful.

    Should you have any questions, please feel free to ask.

    Please let me know what you have decided to do in your next post.


    SuperDave
    Re: Infected laptop
    « Reply #28 on: March 27, 2008, 12:32:40 PM »
    I just purchased this computer about 2 weeks ago and the trial period runs out April 2/08. There is nothing personal except for a password to get on this forum. I was just loading some programs on it that I wish to use later on. As you possibly can assume, I don't have any disks so re-format is a remote possibility. If I can't get it cleaned, I'll return it.

    evilfantasy
    Re: Infected laptop
    « Reply #29 on: March 27, 2008, 12:43:58 PM »
    I will work up a fix, but first we need to run another tool. It is a quick scan and the instructions are very important to be followed exactly. Please read through them before starting.

    Please download Combofix by sUBs from one of the below links.
    (Try all three if necessary)

    In the event you already have Combofix, please delete it as this is a new version.
    Very important You need to rename Combofix.exe as you download it.
    Please rename it to cf.exe
    It is very important that you save the newly renamed EXE file directly to your Desktop.

    You must rename Combofix.exe as you download it and not after it is on your computer.

    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it.
    • Open Firefox
      • Click Tools > Options > Main
      • Under the downloads section check the button that says Always ask me where to save files
      • Click OK
    • For Internet Explorer:
      • Choose to Save, not Open the file.
      • When prompted save the file to your Desktop, and rename it cf.exe
    Important! Combofix MUST be saved to and run from the Desktop.
    • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
    • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
      • Click this link to see a list of security programs that should be disabled and how to disable them.
      • If yours is not listed and you don't know how to disable it, please ask.
    • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
    • Double click on the renamed combofix.exe and follow the prompts.
        • From the keyboard select 1 and press Enter
        • When finished, it will produce a log for you.
        • Post that log in your next reply.
        Warning: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
        • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
        • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
        If needed, see this Combofix tutorial with screenshots that will detail the downloading and running of combofix more thoroughly. Still be sure to rename combofix as detailed above.

        ----------

        Next post
        Combofix log