

Win32.Trojan.RX?


16 replies to this topic

#1 Stegy

  • Members
  • 33 posts

Posted 22 August 2007 - 06:16 PM

Okay, I don't know how I did it, but I guess I have the Win32.Trojan.RX Trojan/Virus on my computer. From the number of anti-spyware/adware programs on my computer, I am unable to effectively remove this problem.

Help? =(
===================================
HiJackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 7:14:25 PM, on 8/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\Belkinwcui.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msbind32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\me\Application Data\Mozilla\Profiles\default\5npidktm.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {696F148B-A739-88EB-4B66-FE8DBE57D4CD} - C:\WINDOWS\system32\vigd.dll
O2 - BHO: (no name) - {76A65355-9E20-4B15-B025-5283F40BCFCF} - (no file)
O2 - BHO: (no name) - {857580FC-134C-4BC9-B3C3-80EC892990C4} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {8FE04936-E6F6-4470-94F9-68419A19D6E6} - (no file)
O2 - BHO: (no name) - {95C6A77C-9501-4011-AE1C-220EDBBF0F25} - (no file)
O2 - BHO: (no name) - {A6F4A49B-7643-429E-9BA4-9D272032EFDA} - (no file)
O2 - BHO: (no name) - {B0E6B979-2D54-4789-BE05-6FF3A88DBA3B} - \
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {DDEE1B53-5078-4982-AAFE-14F2D245A7F0} - (no file)
O2 - BHO: msscds32.msdn_hlp - {ED3912DF-EE05-4242-89D9-D31EFE9D4AF4} - C:\WINDOWS\system32\msscds32.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [aywgsxlA] C:\WINDOWS\aywgsxlA.exe
O4 - HKLM\..\Run: [rnycoosA] C:\WINDOWS\rnycoosA.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [yrlzshxA] C:\WINDOWS\yrlzshxA.exe
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [NI.UWAS7_0001_N91M2703] "C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe" -nag
O4 - HKLM\..\Run: [{06-6B-B0-04-ZN}] C:\WINDOWS\TEMP\stdrun2.exe D4M001
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win34.tmp.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Ebtmw] C:\WINDOWS\system32\?dobe\n?tdde.exe
O4 - Startup: Epson all-in-one Registration.lnk = D:\EREG\EpsonReg.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: geeda - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
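A triage script for logs in this HijackThis v1.99 format, added here as an example; it is not part of the thread, of HijackThis, or of any BleepingComputer tool. The rules it applies (autorun targets in temp directories or the Windows root, paths with unprintable characters, unnamed BHOs, AppInit_DLLs, Winlogon Notify entries that name no DLL, orphaned or publisher-less services) are heuristics of my own for a first pass, and the sample lines are constructed from the entry shapes in the log above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in HijackThis v1.99 format (BHOs, Run keys, AppInit,
# Winlogon Notify, services). Not a scan of any real machine.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {696F148B-A739-88EB-4B66-FE8DBE57D4CD} - C:\WINDOWS\system32\vigd.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [aywgsxlA] C:\WINDOWS\aywgsxlA.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win34.tmp.exe
O4 - HKCU\..\Run: [Ebtmw] C:\WINDOWS\system32\?dobe\n?tdde.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: geeda - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str      # the log line the finding refers to


# Line shapes this script understands (one regex per HijackThis section)
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$')
RUN_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$')
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<path>.+)$')
NOTIFY_RE = re.compile(r'^O20 - Winlogon Notify: .*? - (?P<path>.*)$')
SVC_RE = re.compile(r'^O23 - Service: .*? - (?P<owner>.*?) - (?P<path>.*)$')
# Helpers for pulling the binary out of a Run value and classifying its location
EXE_RE = re.compile(r'^(.*?\.(?:exe|com|scr|bat|cmd|dll))(?:\s|$)', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r'\\(?:temp|tmp)\\', re.IGNORECASE)
WINROOT_EXE_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+\.exe$', re.IGNORECASE)


def _exe_path(cmd: str) -> str:
    """Pull the executable path out of a Run value (quoted, unquoted, with arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd


def check_line(line: str) -> Optional[Finding]:
    """Apply the triage heuristics to one log line; None means nothing notable."""
    line = line.strip()
    m = BHO_RE.match(line)
    if m:
        if m['path'] == '(no file)':
            return Finding('O2', 'low', 'orphaned BHO registration (DLL no longer present)', line)
        if m['name'] == '(no name)':
            return Finding('O2', 'high', 'unnamed BHO loads a DLL into Internet Explorer', line)
        return None
    m = RUN_RE.match(line)
    if m:
        path = _exe_path(m['cmd'])
        if '?' in path:  # HijackThis prints unprintable characters as '?'
            return Finding('O4', 'high', 'autorun path contains unprintable characters', line)
        if TEMP_DIR_RE.search(path):
            return Finding('O4', 'high', 'autorun target lives in a temp directory', line)
        if WINROOT_EXE_RE.match(path) or '.' not in path.rsplit('\\', 1)[-1]:
            return Finding('O4', 'medium', 'autorun target in Windows root or without an extension', line)
        return None
    if APPINIT_RE.match(line):
        return Finding('O20', 'high', 'AppInit_DLLs injects a DLL into every user-mode process', line)
    m = NOTIFY_RE.match(line)
    if m and (not m['path'] or m['path'].endswith('\\')):
        return Finding('O20', 'high', 'Winlogon Notify entry names no DLL file', line)
    m = SVC_RE.match(line)
    if m:
        if '(file missing)' in m['path']:
            return Finding('O23', 'low', 'service points at a file that no longer exists', line)
        if m['owner'] == 'Unknown owner':
            return Finding('O23', 'medium', 'service binary has no publisher information', line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over a whole log and return the notable entries in log order."""
    return [f for f in (check_line(raw) for raw in log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so a helper sees at a glance how bad a log is."""
    counts = {'high': 0, 'medium': 0, 'low': 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == '__main__':
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f'[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}')
    print(summarize(results))
```

Entries it leaves alone (a named vendor BHO, a quoted Program Files autorun, a service with a publisher) are not cleared, only not flagged by these rules; the O4 entry for the rogue "WinAntiSpyware2007" installer in the log above, for instance, would need a name blocklist to catch.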


#2 Stegy
  • Topic Starter
  • Members
  • 33 posts

Posted 22 August 2007 - 11:31 PM

Bump. =\

#3 Stegy
  • Topic Starter
  • Members
  • 33 posts

Posted 23 August 2007 - 12:27 PM

=(

#4 Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 24 August 2007 - 04:02 AM

Hi and welcome.

Sorry for the delay.

You have several infections present.

1. Download this file and save it to your desktop.

In the event you already have Combofix, please delete it as this is a new version I need you to download.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Disconnect from the internet!!

2. Click start> run> type:

%userprofile%\desktop\combofix.exe /killall

Hit enter.

You will temporarily lose your desktop while the scan is running. Once the scan is done, the desktop will return to normal.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Next:

(You can connect to the internet now.)

Using Internet Explorer please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save report button.
  • Call it Kaspersky.txt
  • Expand the arrow beside "file types" and save as .txt file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

*Note
It is recommended to disable onboard antivirus and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

*Note2
If you have Internet Explorer 7 installed:
If you have trouble getting past the initial download you may need to use the "zoom" tool at bottom right of the scanner window and increase it to 125% to see and press the "accept" button.
Page will reload and you should be able to carry on scan.

Post also a new HijackThis log.

There will be more work to do.

Thanks
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#5 Stegy
  • Topic Starter
  • Members
  • 33 posts

Posted 24 August 2007 - 05:20 PM

Wow.
=======================
Kaspersky
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, August 24, 2007 6:16:22 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 24/08/2007
Kaspersky Anti-Virus database records: 389594
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 51463
Number of viruses found: 12
Number of infected objects: 26
Number of suspicious objects: 0
Duration of the scan process: 00:58:11

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\aoxed.exe.bac_a02472 Infected: Worm.Win32.Small.r skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\backups.zip.bac_a04004/backups/svhost.exe Infected: Trojan-Proxy.Win32.VB.x skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\backups.zip.bac_a04004 ZIP: infected - 1 skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\backups.zip.bac_a04004 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\ccxdg.exe.bac_a02472 Infected: Worm.Win32.Small.r skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\dllh8jkd1q1.exe.bac_a04004 Infected: Email-Worm.Win32.Zhelatin.gy skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\esegk.exe.bac_a02472 Infected: Worm.Win32.Small.r skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\gebcd.dll.vir.bac_a04004 Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\oiiaq.exe.bac_a02472 Infected: Worm.Win32.Small.r skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\qrijm.exe.bac_a02472 Infected: Worm.Win32.Small.r skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\retadpu1000106.exe.bac_a02472 Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\retadpu2000219.exe.bac_a02472 Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\rljpz.exe.bac_a02472 Infected: Worm.Win32.Small.r skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\SB1065.exe.bac_a02472 Infected: Trojan-Downloader.Win32.VB.fn skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\sbtar.exe.bac_a02472 Infected: Worm.Win32.Small.r skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\ssttt.dll.vir.bac_a04004 Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\svhost.exe.bac_a04004 Infected: Trojan-Proxy.Win32.VB.x skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\svhost[1].exe.bac_a04004 Infected: Trojan-Proxy.Win32.VB.x skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\vtsqq.dll.vir.bac_a04004 Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\w0716.exe.bac_a04004 Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\wwcoe.exe.bac_a02472 Infected: Worm.Win32.Small.r skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\xmggpyui.exe.bac_a04004 Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Documents and Settings\me\.housecall6.6\Quarantine\yasuw.exe.bac_a02472 Infected: Worm.Win32.Small.r skipped
C:\Documents and Settings\me\Application Data\CiscoCAA\event.log Object is locked skipped
C:\Documents and Settings\me\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\me\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\me\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\me\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\me\Local Settings\Temp\~DF323E.tmp Object is locked skipped
C:\Documents and Settings\me\Local Settings\Temp\~DFDBA5.tmp Object is locked skipped
C:\Documents and Settings\me\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\me\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\me\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\707235BB Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\TOSHIBA-USER.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8LDLPGHQ\xc60[1].exe Infected: Trojan.Win32.Dialer.qn skipped
C:\WINDOWS\system32\efccccb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\Perflib_Perfdata_5a0.dat Object is locked skipped
C:\WINDOWS\temp\ZLT074fc.TMP Object is locked skipped
C:\WINDOWS\temp\ZLT074ff.TMP Object is locked skipped
C:\WINDOWS\temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.


ComboFix
ComboFix 07-08-17.2 - "me" 2007-08-24 16:19:49.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.288 [GMT -4:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\LOCALS~1\APPLIC~1\install.dat
C:\DOCUME~1\me\APPLIC~1.\macromedia\Flash Player\#SharedObjects\2PPNTGHX\www.broadcaster.com
C:\DOCUME~1\me\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\me\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\NETWOR~1\APPLIC~1\install.dat
C:\Program Files\curity~1
C:\Program Files\curity~1\??curity\
C:\Program Files\dobe~1
C:\Program Files\poolsv
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\0c2
C:\temp\0c2\tmpFF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\180ax.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\bi.dll
C:\WINDOWS\biprep.exe
C:\WINDOWS\bjam.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\flt.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\pbar.dll
C:\WINDOWS\regedit.com
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\adeeg.bak1
C:\WINDOWS\system32\adeeg.ini
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\crosof~1
C:\WINDOWS\system32\crosof~1\??crosoft\
C:\WINDOWS\system32\dllh8jkd1q8.exe
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\f06WtR
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\msbind32.exe
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z11
C:\WINDOWS\system32\Z3
C:\WINDOWS\system32\Z5
C:\WINDOWS\system32\Z7
C:\WINDOWS\uni_eh44.exe
C:\WINDOWS\uninst1014.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wml.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NET_AGENT
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-07-24 to 2007-08-24 )))))))))))))))))))))))))))))))


2007-08-23 15:20 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-08-23 15:20 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-08-23 15:20 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-08-23 15:20 783,224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-08-23 15:20 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-08-23 15:20 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-23 15:20 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-23 15:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-08-23 15:20 <DIR> d-------- C:\Program Files\Alwil Software
2007-08-20 22:59 6,473 ---hs---- C:\WINDOWS\system32\yccdd.bak1
2007-08-20 22:59 298,080 --a------ C:\WINDOWS\system32\ddccy.dll.vir
2007-08-20 20:43 6,473 ---hs---- C:\WINDOWS\system32\nnnmp.bak1
2007-08-20 16:22 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-08-20 16:20 43,542 --a------ C:\WINDOWS\system32\efccccb.dll.vir
2007-08-20 16:19 <DIR> d-------- C:\WINDOWS\system32\tmps7
2007-08-20 16:19 <DIR> d-------- C:\WINDOWS\system32\ICM23
2007-08-20 16:19 <DIR> d-------- C:\WINDOWS\system32\cofig1
2007-08-09 23:21 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-08-06 22:59 <DIR> d-------- C:\Program Files\Full Tilt Poker


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-24 14:08 --------- d-------- C:\DOCUME~1\me\APPLIC~1\Ruckus Network
2007-08-24 00:23 --------- d-------- C:\Program Files\Magic Workstation
2007-08-23 20:05 --------- d-------- C:\Program Files\Symantec
2007-08-23 20:05 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-23 19:46 --------- d-------- C:\Program Files\Norton AntiVirus
2007-08-23 15:11 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-08-23 14:21 --------- d-------- C:\Program Files\Enigma Software Group
2007-08-23 14:20 --------- d-------- C:\Program Files\Lavasoft
2007-08-23 14:20 --------- d-------- C:\DOCUME~1\me\APPLIC~1\Lavasoft
2007-08-22 20:45 4662 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-06 22:59 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-04 09:06 1972 --a------ C:\Program Files\installer.js
2007-07-21 23:26 6488 ---hs---- C:\WINDOWS\system32\dcbeg.bak1
2007-07-21 18:19 1792696 ---hs---- C:\WINDOWS\system32\bbeeg.bak2
2007-07-21 00:10 6489 ---hs---- C:\WINDOWS\system32\bbeeg.bak1
2007-07-20 19:29 6489 ---hs---- C:\WINDOWS\system32\srutv.bak1
2007-07-09 18:57 451072 --a------ C:\WINDOWS\Radeon Omega Drivers v3.8.360 Uninstall.exe
2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
2007-05-30 12:42 1541438 ---hs---- C:\WINDOWS\system32\cfhkj.bak2
2007-01-18 22:40 8 --a------ C:\DOCUME~1\me\APPLIC~1\usb.dat.bin


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{696F148B-A739-88EB-4B66-FE8DBE57D4CD}]
C:\WINDOWS\system32\vigd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76A65355-9E20-4B15-B025-5283F40BCFCF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{857580FC-134C-4BC9-B3C3-80EC892990C4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FE04936-E6F6-4470-94F9-68419A19D6E6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95C6A77C-9501-4011-AE1C-220EDBBF0F25}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6F4A49B-7643-429E-9BA4-9D272032EFDA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B0E6B979-2D54-4789-BE05-6FF3A88DBA3B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDEE1B53-5078-4982-AAFE-14F2D245A7F0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-07-20 04:04]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-09 21:10]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-26 18:43]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 18:00 C:\WINDOWS\agrsmmsg.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-04-22 19:23]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-04-22 19:23]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2004-07-09 18:24]
"TPSMain"="TPSMain.exe" [2004-03-03 15:57 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 17:47]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 16:45]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 12:39]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-05 01:32]
"Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2004-05-25 17:35]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 19:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-20 14:46]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-02 15:39]
"PD0620 STISvc"="P0620Pin.dll" [2005-05-10 13:03 C:\WINDOWS\system32\P0620Pin.dll]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
"aywgsxlA"="C:\WINDOWS\aywgsxlA.exe" []
"rnycoosA"="C:\WINDOWS\rnycoosA.exe" []
"ATIModeChange"="Ati2mdxx.exe" [2004-06-02 09:05 C:\WINDOWS\system32\Ati2mdxx.exe]
"yrlzshxA"="C:\WINDOWS\yrlzshxA.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 18:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [2005-03-29 02:13]
"Ebtmw"="C:\WINDOWS\system32\?dobe\n?tdde.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geeda]

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\system32\DRIVERS\point32.sys
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS
S3 PhilCam8116;Logitech QuickCam Pro 3000 (08B0);C:\WINDOWS\system32\DRIVERS\CamDrO21.sys
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys


Contents of the 'Scheduled Tasks' folder
2007-08-15 07:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job - C:\Program Files\SpywareBot\SpywareBot.exe
2004-12-28 21:07:33 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-24 16:28:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-24 16:30:26 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-24 16:30

--- E O F ---

HiJackThis
Logfile of HijackThis v1.99.1
Scan saved at 6:18:46 PM, on 8/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\Belkinwcui.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\me\Application Data\Mozilla\Profiles\default\5npidktm.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {696F148B-A739-88EB-4B66-FE8DBE57D4CD} - C:\WINDOWS\system32\vigd.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {76A65355-9E20-4B15-B025-5283F40BCFCF} - (no file)
O2 - BHO: (no name) - {857580FC-134C-4BC9-B3C3-80EC892990C4} - (no file)
O2 - BHO: (no name) - {8FE04936-E6F6-4470-94F9-68419A19D6E6} - (no file)
O2 - BHO: (no name) - {95C6A77C-9501-4011-AE1C-220EDBBF0F25} - (no file)
O2 - BHO: (no name) - {A6F4A49B-7643-429E-9BA4-9D272032EFDA} - (no file)
O2 - BHO: (no name) - {B0E6B979-2D54-4789-BE05-6FF3A88DBA3B} - \
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: (no name) - {DDEE1B53-5078-4982-AAFE-14F2D245A7F0} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [aywgsxlA] C:\WINDOWS\aywgsxlA.exe
O4 - HKLM\..\Run: [rnycoosA] C:\WINDOWS\rnycoosA.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [yrlzshxA] C:\WINDOWS\yrlzshxA.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [Ebtmw] C:\WINDOWS\system32\?dobe\n?tdde.exe
O4 - Startup: Epson all-in-one Registration.lnk = D:\EREG\EpsonReg.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O20 - Winlogon Notify: geeda - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
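
A small triage helper for the HijackThis lines in this log, added here as an example; it is not part of the thread, of HijackThis or of ComboFix. It encodes, as assumed heuristics rather than tool logic, the observations the helper applied by eye to this log: an O2 BHO whose DLL is absent, an O4 Run entry launched straight from the Windows directory or containing characters HijackThis prints as `?`, and an O20 Winlogon Notify key that names no DLL. The sample input is constructed from lines copied out of the log above.

```python
"""Triage of HijackThis O2/O4/O20 lines (added example, not tool code).

The rules are assumptions drawn from the log in this thread, not signatures:
they pick out entries worth a second look, they do not prove anything is malware.
"""
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {696F148B-A739-88EB-4B66-FE8DBE57D4CD} - C:\WINDOWS\system32\vigd.dll (file missing)
O2 - BHO: (no name) - {76A65355-9E20-4B15-B025-5283F40BCFCF} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [aywgsxlA] C:\WINDOWS\aywgsxlA.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [Ebtmw] C:\WINDOWS\system32\?dobe\n?tdde.exe
O20 - Winlogon Notify: geeda - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Line shapes as HijackThis 1.99 prints them.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<target>.*)$")
# First executable in a Run command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)


def _o4_reasons(cmd):
    """Heuristics (assumptions) for a Run value; returns zero or more reasons."""
    m = EXE_RE.match(cmd)
    if not m:
        return []
    path = m.group("path")
    reasons = []
    if "?" in path:
        # HijackThis prints characters it cannot show as '?', which is how the
        # look-alike folder in this log (?dobe) appears.
        reasons.append("path contains characters HijackThis could not display (look-alike name)")
    folder, _, _exe = path.rpartition("\\")
    if folder.lower().endswith(":\\windows"):
        # Legitimate Run entries live in program folders; a bare .exe dropped
        # into the Windows directory root is how the three random-named
        # entries in this log appear.
        reasons.append("program launched straight from the Windows directory root")
    return reasons


def triage(log_text):
    """Return one dict per flagged line: section, name, line and reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            target = m.group("target")
            if target == "(no file)" or target.endswith("(file missing)"):
                findings.append(dict(section="O2", name=m.group("clsid"), line=line,
                                     reason="BHO registered but its DLL is absent (orphaned entry)"))
            elif m.group("name") == "(no name)":
                findings.append(dict(section="O2", name=m.group("clsid"), line=line,
                                     reason="BHO without a name string; identify the DLL before trusting it"))
            continue
        m = O4_RE.match(line)
        if m:
            for reason in _o4_reasons(m.group("cmd")):
                findings.append(dict(section="O4", name=m.group("value"), line=line, reason=reason))
            continue
        m = O20_RE.match(line)
        if m:
            target = m.group("target").strip()
            if not target.lower().endswith(".dll"):
                # Winlogon Notify keys load a DLL; a directory or empty target
                # (the 'geeda' key above) is a remnant worth removing.
                findings.append(dict(section="O20", name=m.group("key"), line=line,
                                     reason="Winlogon Notify entry does not point at a DLL"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4}{f['name']:<40}{f['reason']}")
```

Run it against a saved HijackThis log by passing the file contents to `triage()`; the flagged entries map directly onto the `Registry::` and `File::` sections of the CFScript the helper wrote in the next post, which is the point of the exercise: the script is a record of the decisions, and the heuristics are what produced them.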

#6 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 25 August 2007 - 03:26 AM

Hi,

That was quite the mess of junk. :thumbsup:

Some of those items ComboFix removed have password-stealing capabilities.
Any sensitive sites you sign into, you will need to change all your passwords for.
If you do online banking or shopping, then it is best to contact your bank and credit card companies to notify them.
They can check/watch your accounts for fraud activity.
Please don't use this computer for log-ins on sensitive sites till we are sure it is clean.
Don't use this computer to change passwords.

---------------------------

More junk to go.

Empty contents of these folders:

C:\Documents and Settings\me\.housecall6.6\Quarantine
C:\Program Files\Norton AntiVirus\Quarantine

Empty recycle bin

Open notepad and copy/paste the text in the code box below into it:

File::
C:\WINDOWS\system32\yccdd.bak1
C:\WINDOWS\system32\ddccy.dll.vir
C:\WINDOWS\system32\nnnmp.bak1
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\efccccb.dll.vir
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\bbeeg.bak2
C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\srutv.bak1
C:\WINDOWS\system32\cfhkj.bak2
C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8LDLPGHQ\xc60[1].exe 


Folder::
C:\Program Files\SpywareBot

DirLook::
C:\WINDOWS\system32\tmps7
C:\WINDOWS\system32\ICM23
C:\WINDOWS\system32\cofig1
C:\WINDOWS\.jagex_cache_32


Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{696F148B-A739-88EB-4B66-FE8DBE57D4CD}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76A65355-9E20-4B15-B025-5283F40BCFCF}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{857580FC-134C-4BC9-B3C3-80EC892990C4}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8FE04936-E6F6-4470-94F9-68419A19D6E6}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95C6A77C-9501-4011-AE1C-220EDBBF0F25}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6F4A49B-7643-429E-9BA4-9D272032EFDA}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B0E6B979-2D54-4789-BE05-6FF3A88DBA3B}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DDEE1B53-5078-4982-AAFE-14F2D245A7F0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"aywgsxlA"=-
"rnycoosA"=-
"yrlzshxA"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ebtmw"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geeda]

Save this as CFScript.txt
As file types: All Files(*)
Save it to the desktop.

Drag CFScript.txt on top of ComboFix.exe

like this:

[image: CFScript.txt being dragged onto ComboFix.exe]

Post the new ComboFix.txt please with new hijackthis log.

Next:

Run Panda's ActiveScan from here and perform a full system scan.

You will need to temporarily disable your Avast.
Please don't go surfing with your AV off!
Don't forget to turn Avast back on when you are done with the scan.

1. Once you are on the Panda site click the "Scan your PC" button
2. A new window will open...click the big "Check Now" button
3. Enter your Country
4. Enter your State/Province
5. Enter your e-mail address and click send
6. Select either Home User or Company
7. Click the big Scan Now button
8. If it wants to install an ActiveX component allow it
9. It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
10. Click on "Local Disks" to start the scan
11. Once done click "see report" then "save report". Save the report someplace handy.
12. If it cleaned stuff please reboot.
13. Post Panda scan results in your next reply.

Let me know how the machine is running.

Thanks
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert, can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#7 Stegy

Stegy
  • Topic Starter

  • Members
  • 33 posts

Posted 25 August 2007 - 10:47 AM

Okay, this is before the Panda thing:

ComboFix:
ComboFix 07-08-17.2 - "me" 2007-08-25 11:42:14.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382 [GMT -4:00]
Command switches used :: C:\Documents and Settings\me\Desktop\CFScript.txt

FILE::
C:\WINDOWS\system32\yccdd.bak1
C:\WINDOWS\system32\ddccy.dll.vir
C:\WINDOWS\system32\nnnmp.bak1
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\efccccb.dll.vir
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\bbeeg.bak2
C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\srutv.bak1
C:\WINDOWS\system32\cfhkj.bak2
C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8LDLPGHQ\xc60[1].exe


((((((((((((((((((((((((( Files Created from 2007-07-25 to 2007-08-25 )))))))))))))))))))))))))))))))


2007-08-24 17:05 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-24 17:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-23 15:20 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-08-23 15:20 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-08-23 15:20 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-08-23 15:20 783,224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-08-23 15:20 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-08-23 15:20 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-23 15:20 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-23 15:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-08-23 15:20 <DIR> d-------- C:\Program Files\Alwil Software
2007-08-20 16:19 <DIR> d-------- C:\WINDOWS\system32\tmps7
2007-08-20 16:19 <DIR> d-------- C:\WINDOWS\system32\ICM23
2007-08-20 16:19 <DIR> d-------- C:\WINDOWS\system32\cofig1
2007-08-09 23:21 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-08-06 22:59 <DIR> d-------- C:\Program Files\Full Tilt Poker


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-24 23:00 --------- d-------- C:\DOCUME~1\me\APPLIC~1\Ruckus Network
2007-08-24 22:54 --------- d-------- C:\Program Files\Magic Workstation
2007-08-23 20:05 --------- d-------- C:\Program Files\Symantec
2007-08-23 20:05 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-23 19:46 --------- d-------- C:\Program Files\Norton AntiVirus
2007-08-23 15:11 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-08-23 14:21 --------- d-------- C:\Program Files\Enigma Software Group
2007-08-23 14:20 --------- d-------- C:\Program Files\Lavasoft
2007-08-23 14:20 --------- d-------- C:\DOCUME~1\me\APPLIC~1\Lavasoft
2007-08-22 20:45 4662 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-06 22:59 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-09 18:57 451072 --a------ C:\WINDOWS\Radeon Omega Drivers v3.8.360 Uninstall.exe
2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
2007-01-18 22:40 8 --a------ C:\DOCUME~1\me\APPLIC~1\usb.dat.bin


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


---- Directory of C:\WINDOWS\system32\tmps7 ----


---- Directory of C:\WINDOWS\system32\ICM23 ----


---- Directory of C:\WINDOWS\system32\cofig1 ----


---- Directory of C:\WINDOWS\.jagex_cache_32 ----

2007-08-10 14:29 96 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx255
2007-08-10 14:29 9378 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx1
2007-08-10 14:29 6246 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx8
2007-08-10 14:29 6 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx9
2007-08-10 14:29 4920 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx13
2007-08-10 14:29 38141954 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.dat2
2007-08-10 14:29 3546 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx3
2007-08-10 14:29 24 --a------ C:\WINDOWS\.jagex_cache_32\random.dat
2007-08-10 14:29 22962 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx4
2007-08-10 14:29 2094 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx14
2007-08-10 14:29 1968 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx6
2007-08-10 14:29 165672 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx7
2007-08-10 14:29 1638 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx11
2007-08-10 14:29 156 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx2
2007-08-10 14:29 1536 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx15
2007-08-10 14:29 1248 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx12
2007-08-10 14:29 12 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx10
2007-08-10 14:29 11112 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx5
2007-08-10 14:29 10452 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx0
2007-08-09 23:21 255732 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.dat1
2007-08-09 23:21 19185 --a------ C:\WINDOWS\.jagex_cache_32\runescape\game_unpacker.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-07-20 04:04]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-09 21:10]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-26 18:43]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 18:00 C:\WINDOWS\agrsmmsg.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-04-22 19:23]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-04-22 19:23]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2004-07-09 18:24]
"TPSMain"="TPSMain.exe" [2004-03-03 15:57 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 17:47]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 16:45]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 12:39]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-05 01:32]
"Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2004-05-25 17:35]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 19:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-20 14:46]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-02 15:39]
"PD0620 STISvc"="P0620Pin.dll" [2005-05-10 13:03 C:\WINDOWS\system32\P0620Pin.dll]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
"ATIModeChange"="Ati2mdxx.exe" [2004-06-02 09:05 C:\WINDOWS\system32\Ati2mdxx.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 18:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [2005-03-29 02:13]

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\system32\DRIVERS\point32.sys
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys
S3 PhilCam8116;Logitech QuickCam Pro 3000 (08B0);C:\WINDOWS\system32\DRIVERS\CamDrO21.sys
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys


Contents of the 'Scheduled Tasks' folder
2004-12-28 21:07:33 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-25 11:44:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-25 11:44:56
C:\ComboFix-quarantined-files.txt ... 2007-08-25 11:44
C:\ComboFix2.txt ... 2007-08-25 11:37
C:\ComboFix3.txt ... 2007-08-24 16:30

--- E O F ---

HiJackThis:
Logfile of HijackThis v1.99.1
Scan saved at 11:45:38 AM, on 8/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\Belkinwcui.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\me\Application Data\Mozilla\Profiles\default\5npidktm.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - Startup: Epson all-in-one Registration.lnk = D:\EREG\EpsonReg.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 Stegy

Stegy
  • Topic Starter
  • Members
  • 33 posts

Posted 25 August 2007 - 03:08 PM

Panda Scan

Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\2vy38lwr.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\2vy38lwr.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\2vy38lwr.default\cookies.txt[.advertising.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\2vy38lwr.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\2vy38lwr.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\2vy38lwr.default\cookies.txt[.atwola.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\2vy38lwr.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\2vy38lwr.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\2vy38lwr.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\2vy38lwr.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\2vy38lwr.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\2vy38lwr.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\2vy38lwr.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\2vy38lwr.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\2vy38lwr.default\cookies.txt[.com.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\2vy38lwr.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\2vy38lwr.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\me\Cookies\me@2o7[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\me\Cookies\me@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\me\Cookies\me@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\me\Cookies\me@atwola[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\me\Cookies\me@doubleclick[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\me\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\me\Desktop\VirtumundoBeGone.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Mozilla Firefox\smitRem\Process.exe
Adware:Adware/DigInk Not disinfected C:\QooBox\Quarantine\C\WINDOWS\uninst1014.exe.vir
Adware:Adware/DigInk Not disinfected C:\QooBox\Quarantine\C\WINDOWS\uni_eh44.exe.vir
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Adware:adware/ncase Not disinfected C:\WINDOWS\didduid.ini
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe

#9 Blender

Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 25 August 2007 - 05:35 PM

Hi,

Looking much better.
How are things running? OK?

You will have to make a decision about which antivirus to keep. You have 2 installed (Norton & Avast) at the moment, and this causes conflicts and slowdowns and can even lower your security because both AVs are too busy fighting each other rather than protecting you.
Pick the one you like the best and uninstall the other.
If Norton is expired, uninstall it.
Avast uses fewer resources than Norton anyways.
If uninstalling Norton, there are a few "Symantec" items in add/remove you will need to uninstall.

Let me know how the uninstall went and post the new Hijackthis.

Let me know how the machine is running.
Let me know you understood my warning in my previous post regarding passwords.

We'll still have some cleanup to do so don't run away yet.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#10 Stegy

Stegy
  • Topic Starter
  • Members
  • 33 posts

Posted 26 August 2007 - 09:29 AM

Well, that Panda Scan thing said I had 29 Spyware Infections and 4 Rootkit Infections, so I'm kind of worried about that. O_O

I thought I had uninstalled Norton Antivirus a few days ago but I guess some of it is still here.

My computer runs fine. After I got avast! I managed to get rid of some of the junk that was bothering me.

#11 Stegy

Stegy
  • Topic Starter
  • Members
  • 33 posts

Posted 26 August 2007 - 05:29 PM

Shameless, shameless bump.

#12 Blender

Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 26 August 2007 - 11:11 PM

Hi,

Sorry for delay. My own computer crashed.

Those detections from the Panda scan are mostly cookies and stuff that was quarantined by the tools we used to clean up.
We'll be cleaning all that stuff up once we are done.
Did you do another Panda scan where it found rootkit items?

I wanna clean up some of the junk we created and do another scan to see what is still around.
If we need those tools again I'll get you to download a new copy. They are updated very often.

Delete the following if still present:

Off desktop:

VirtumundoBeGone.exe
Combofix.exe
SDFix.exe
CFScript.txt

Others:

C:\SDFix <-- folder
C:\Qoobox <-- folder

C:\WINDOWS\didduid.ini
C:\windows\nircmd.exe

Please download ATF Cleaner by Atribune.
  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache
    Recycle bin
    Cookies (if desired)--(by emptying cookies you lose saved password info for password-protected login sites like this one)
  • Click the Empty Selected button.

    If you use the Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use the Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

Reboot.

Run a fresh scan at the Panda site, save the log and post it here please.

http://www.pandasoftware.com/activescan/co...n_principal.htm

Can you also post an uninstall list please?

Open Hijackthis
Click "open misc tools section"
Click "open uninstall manager"
Click "save list..."
Save the list and post it here.

Thanks :thumbsup:

#13 Stegy

Stegy
  • Topic Starter
  • Members
  • 33 posts

Posted 27 August 2007 - 05:17 PM

Well, Panda Scan didn't give me an option to save a log file. I scanned both My Computer and Local Disks and the scanner said I had no infected files.

Here's my HiJackThis Uninstall List:
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8
Adobe Shockwave Player
Advanced RealMedia Export Plug-in for Premiere 6.0
AOL Instant Messenger
ArcSoft Software Suite
ArcSoft Software Suite
Atheros Wireless LAN MiniPCI card Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
avast! Antivirus
Belkin 802.11g Wireless Card
Bonjour Core for Windows
CD/DVD Drive Acoustic Silencer
Cda Product Service - shared component
Cisco Clean Access Agent
Creative Photo Manager
Creative WebCam Center
Creative WebCam Instant Driver (1.03.02.0425)
Creative WebCam Instant User's Guide (English)
DVD-RAM Driver
FinePixViewer Ver.4.2
FUJIFILM USB Driver
Full Tilt Poker
HijackThis 1.99.1
Hotfix for Windows XP (KB915865)
HP Image Zone Express
HP Software Update
HP Solution Center & Imaging Support Tools 5.0
InterActual Player
InterVideo WinDVD for TOSHIBA
IrfanView (remove only)
Java 2 Runtime Environment, SE v1.4.2_05
Java™ 6 Update 2
Java™ SE Runtime Environment 6
Kaspersky Online Scanner
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
Magic Workstation 0.94f
Microsoft .NET Framework 1.1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office OneNote 2003
Microsoft Office Standard Edition 2003
Microsoft Works 7.0
MicroStaff WINASPI
Mozilla Firefox (2.0.0.6)
Netscape (7.2)
Norton WMI Update
Notebook Maximizer
Panda ActiveScan
PCI 1620 Cardbus Controller and Software
QuickTime
RAW FILE CONVERTER LE
RealPlayer
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Roxio Burn Engine
Ruckus Player
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
SMSC IrCC V5.1.3600.3 SP1
Sonic DLA
Sonic RecordNow!
Spybot - Search & Destroy 1.4
SRS WOW XT Plug-In for Windows Media Player for Toshiba version 1.0.2
Symantec Script Blocking Installer
Synaptics Pointing Device Driver
TOSHIBA Access
TOSHIBA ConfigFree
TOSHIBA Console
TOSHIBA Controls
TOSHIBA Fax Extension
TOSHIBA Hotkey Utility for Display Devices
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
Toshiba Registration
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
Toshiba Tbiosdrv Driver
TOSHIBA Utilities
TOSHIBA Zooming Utility
Touch and Launch
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
ZoneAlarm

#14 Stegy

Stegy
  • Topic Starter
  • Members
  • 33 posts

Posted 28 August 2007 - 07:27 PM

Yet another shameless, shameless bump.

Also, I am unable to watch videos on YouTube via Firefox and Internet Explorer, but I am able to watch them with Netscape. I tried uninstalling and reinstalling Adobe Flash but it's not working.

#15 Blender

Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 29 August 2007 - 07:19 AM

Hi,

Sorry for another delay. We had storms here all day.

You have a couple of older versions of Java that have security issues.
Best to uninstall them, leaving you with the new version.

Go to add/remove programs and uninstall the following in order:

Java 2 Runtime Environment, SE v1.4.2_05
Java™ SE Runtime Environment 6
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
Norton WMI Update <-- this one should no longer exist after uninstalling the above, but check anyways.

Reboot when told.

Once restarted...

To deal with Flash... First check in SpywareBlaster options if you have it installed and make sure Flash is not disabled for IE.
If this is not the case... carry on.

Best to totally uninstall it and re-install it.
Follow instructions at this page to totally uninstall Flash:

http://kb.adobe.com/selfservice/viewConten...7&sliceId=2

You can re-install it here:

http://www.adobe.com/shockwave/download/do...=ShockwaveFlash

Uncheck the Google Toolbar option if you don't want it.

Post fresh hijackthis log and let me know how things are running.
Flash work?

Thanks :thumbsup:
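As an added triage helper (not HijackThis's code and not anything posted in this thread), the following Python script reads O23 service lines and an uninstall list of the kind posted above and flags the three things raised in the replies: two antivirus products installed at once, several Java runtimes side by side, and services HijackThis reports as "(file missing)". The antivirus keyword table is an assumption limited to the vendors seen in this thread, and the sample lines are constructed from the entries posted here.

```python
import re

# Constructed sample input of the kind posted in this thread: a few O23
# (service) lines from a HijackThis 1.99.1 log and some uninstall-list entries.
SAMPLE_LOG = r"""
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

SAMPLE_UNINSTALL = """
Adobe Reader 8
avast! Antivirus
Java 2 Runtime Environment, SE v1.4.2_05
Java\u2122 6 Update 2
Java\u2122 SE Runtime Environment 6
LiveUpdate 1.90 (Symantec Corporation)
ZoneAlarm
"""

# HijackThis prints services as: O23 - Service: <name> - <owner> - <path>
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumption: keyword table covering only the AV families seen in this thread.
AV_FAMILIES = {
    "avast!": ("avast", "alwil"),
    "Norton/Symantec": ("norton", "symantec"),
}


def parse_o23(log_text):
    """Return one record per O23 line; every other HijackThis line is ignored."""
    services = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        missing = path.endswith("(file missing)")
        if missing:
            path = path[: -len("(file missing)")].strip()
        services.append({
            "name": m.group("name"),
            "owner": m.group("owner"),
            "path": path,
            "missing": missing,
            # An unmatched quote means the ImagePath still carries quoting and
            # arguments, so "file missing" may be a lookup failure, not a real
            # absence: check the binary on disk before acting on the entry.
            "malformed_path": path.count('"') % 2 == 1,
        })
    return services


def resident_av_families(services):
    """Sorted names of AV families that still own a service entry."""
    found = set()
    for svc in services:
        text = f"{svc['name']} {svc['owner']} {svc['path']}".lower()
        for family, keywords in AV_FAMILIES.items():
            if any(k in text for k in keywords):
                found.add(family)
    return sorted(found)


def java_runtimes(uninstall_list):
    """Uninstall entries that are Java runtimes (non-ASCII marks stripped)."""
    entries = [re.sub(r"[^ -~]", "", e).strip() for e in uninstall_list.splitlines()]
    return [e for e in entries if re.match(r"Java\b", e)]


def triage(log_text, uninstall_list):
    """Summarise the findings a helper would raise from the two artefacts."""
    services = parse_o23(log_text)
    return {
        "av_families": resident_av_families(services),
        "java_runtimes": java_runtimes(uninstall_list),
        "missing_services": [s["name"] for s in services if s["missing"] and not s["malformed_path"]],
        "recheck_services": [s["name"] for s in services if s["missing"] and s["malformed_path"]],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, SAMPLE_UNINSTALL).items():
        print(f"{key}: {value}")
```

More than one entry under av_families or java_runtimes is exactly the situation the replies above ask the poster to resolve by uninstalling the extra product.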



