Hi!
I got hit with some form of trojan or virus yesterday. A fake Windows Security Essentials warning popped up asking me to load "Think Point AV" as my antivirus software. I rebooted into safe mode and ThinkPoint popped up there too, before even explorer.exe. To make a long story short, I ended up pulling out my hard drive, slaving it to another computer and running Malwarebytes on my drive. That at least allowed me to boot into safe mode, where I again ran MBAM and cleaned up my registry there. At the height of my problems I could not boot into safe mode, standard mode, nor my recovery partition. Instead it would power on, bring up the XP black boot screen (or the list of files being loaded when in safe mode) and then BSOD and power down... lather, rinse, repeat. I thought I had it beat, but this morning MBAM caught 4 more infected objects. The latest MBAM run was clean.
Having run MBAM and TrendMicro I can now boot normally and do most of what I want. However, I do have some lingering issues.
1) My recovery partition still boots to BSOD.
2) Google Chrome (both installed and portable) loads, but just sits on a white tab not doing anything. (An ancient version of IE still works and I can browse the web/download/etc.) I reinstalled Chrome and had no luck, including having it delete all my personal data.
3) Firefox might load once after startup, but immediately crashes and will not fully load again. Instead firefox.exe will load into memory but not do anything and just sit there eating about 7 MB of RAM. (Incidentally, if I copy notepad.exe to the desktop and rename it firefox.exe, Notepad still runs.) Completely reinstalled Firefox, no better.
4) I cannot boot with anything plugged into my USB ports. This is not a huge deal as it is a netbook (see below); however, it is odd.
5) My Disk Management console does not recognize any drives at all. There is 1 SATA hard drive plugged in, partitioned into C, D and a hidden partition for recovery. C and D are visible in Windows Explorer.
MBAM Log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4892
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512
10/20/2010 11:59:02 AM
mbam-log-2010-10-20 (11-59-02).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 198163
Time elapsed: 49 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER Log:
GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-20 12:11:54
Windows 5.1.2600 Service Pack 3
Running: x2e9dkz7.exe; Driver: C:\DOCUME~1\Daniel\LOCALS~1\Temp\fgldapog.sys
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[120] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B2000A
.text C:\WINDOWS\Explorer.EXE[120] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B3000A
.text C:\WINDOWS\Explorer.EXE[120] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\WINDOWS\system32\wuauclt.exe[572] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 008C000A
.text C:\WINDOWS\system32\wuauclt.exe[572] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 008D000A
.text C:\WINDOWS\system32\wuauclt.exe[572] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003E000C
.text C:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0080000A
.text C:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007E000C
.text C:\WINDOWS\System32\svchost.exe[1324] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00EC000A
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 864F0292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 864F0292
Device \FileSystem\Cdfs \Cdfs A0AD6400
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1600BEVT-22ZCT0___________________11.01A11#5&2ef5f6c5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 312581552 (+255): rootkit-like behavior;
---- EOF - GMER 1.0.15 ----
DDS Log:
DDS (Ver_10-10-10.03) - NTFSx86
Run by Daniel at 12:13:12.14 on Wed 10/20/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.605 [GMT -5:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CE\nmSvc.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\CE\nmFlt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Daniel\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\cidaemon.exe
E:\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.msi.com.tw/
mDefault_Page_URL = hxxp://www.msi.com.tw
uInternet Connection Wizard,ShellNext = hxxp://www.msi.com.tw/
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NMSVC] c:\program files\ce\nmSvc.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [iPrint Tray] c:\windows\system32\iprntctl.exe TRAY_ICON
mRun: [iPrint Event Monitor] c:\windows\system32\iprntlgn.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
StartupFolder: c:\docume~1\daniel\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\daniel\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
uPolicies-explorer: NoActiveDesktop = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoTrayItemsDisplay = 00000000
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: CESpy.dll
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\daniel\applic~1\mozilla\firefox\profiles\bcg3hauy.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\windows\system32\npnipp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
============= SERVICES / DRIVERS ===============
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2010-9-15 41336]
R1 vcdrom;Virtual CD-ROM Device Driver;d:\dans\new\VCdRom.sys [2001-12-19 8576]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-8-21 182304]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-10-15 1334240]
S0 csqugxnw;csqugxnw; [x]
S3 ABBYY.Licensing.FineReader.Professional.10.0;ABBYY FineReader 10 PE Licensing Service;c:\program files\common files\abbyy\finereader\10.00\licensing\pe\NetworkLicenseServer.exe [2009-12-11 814344]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-8-21 1684736]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-10-19 38224]
=============== Created Last 30 ================
2010-10-20 15:46:20 -------- d-----w- c:\docume~1\daniel\locals~1\applic~1\Deployment
2010-10-20 14:51:55 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-10-20 14:51:55 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-10-20 14:51:55 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-10-20 14:51:54 608448 ----a-w- c:\windows\system32\comctl32.ocx
2010-10-20 14:51:54 -------- d-----w- c:\program files\AML Products
2010-10-19 18:47:18 -------- d-----w- c:\program files\Marcos Velasco Security
2010-10-19 17:47:35 -------- d-----w- c:\windows\Cookies
2010-10-19 17:47:34 -------- d-----w- c:\windows\Recent
2010-10-19 17:20:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-19 17:20:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-19 17:20:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-19 16:51:12 -------- d-----w- c:\docume~1\daniel\applic~1\Malwarebytes
2010-10-19 16:50:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-19 15:26:40 -------- d-sh--w- C:\$RECYCLE.BIN
2010-10-19 12:58:46 -------- d-----w- c:\windows\pss
2010-10-19 01:02:01 199 ----a-w- c:\docume~1\daniel\applic~1\13541.bat
2010-10-19 01:01:41 199 ----a-w- c:\docume~1\daniel\applic~1\10495.bat
2010-10-19 01:00:20 -------- d-----w- c:\docume~1\daniel\applic~1\Pihia
2010-10-19 01:00:20 -------- d-----w- c:\docume~1\daniel\applic~1\Iwhadu
2010-10-14 01:04:12 -------- d-----w- c:\docume~1\daniel\applic~1\.minecraft
2010-10-06 13:11:23 -------- d-----w- c:\program files\SpeedFan
2010-09-23 15:03:01 -------- d-----w- c:\docume~1\daniel\applic~1\Xerox
2010-09-22 23:10:52 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-09-22 16:05:28 -------- d-----w- c:\docume~1\daniel\applic~1\Novell
==================== Find3M ====================
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 14:16:31 667136 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 14:16:30 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-09-09 14:16:29 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 16:49:49 369664 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
============= FINISH: 12:13:55.23 ===============
DDS Attach is attached.