Vundo, Virtumonde, Jkkll.dll Removal

15 replies to this topic

#1 pcrunk

Posted 14 October 2007 - 01:33 AM

My computer has been infected by Virtumonde, Trojan Vundo, etc. I have used Spy Sweeper and VundoFix to remove the viruses/adware, yet they are unable to remove jkkll.dll, and in addition, I cannot open the "delete a file on reboot" option in HijackThis (newest version). Additionally, when I run the SUPERAntiSpyware program, it removes the files, yet my computer always messes up on reboot, and has to revert back to an earlier saved settings format. My Spy Sweeper has also begun to have numerous errors (I believe it is being attacked) and will shut down after start up; sometimes it won't even open and an error message occurs, and I am unable to delete or reinstall the program, and when I try, numerous error beeps sound. In addition, even when Spy Sweeper isn't running, it shows that the file is still operating in Task Manager, and I cannot stop the process. I also cannot remove jkkll.dll manually through the command prompt, and it will not unregister. Pretty much, my comp is really messed up. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:28 PM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://english.chosun.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg7.cyworld.com/ImageUpload/CyIm...pload_10217.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {24A04430-81DA-467A-BE87-774DFAECBBF6} (UlalaPhoto Control) - http://cyimg7.cyworld.nate.com/storyRoom/C...geResizeCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {65F474EB-B86A-465A-BE5E-0447CB2C6C1C} (AnycallMusicLauncher Control) - http://anycallmusic.mylisten.com/AnycallMu...sicLauncher.cab
O16 - DPF: {8FA141C5-29D7-4408-A57B-619C463ED7BB} (Cychannel_Club1_10.UserControl1) - http://club.cyworld.nate.com/cychannel_clu...lubmain1_11.CAB
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.diodeo.com/ActiveDiodeoPlayer.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D8798B2A-5EB1-424A-AB19-E38CFB69E295} (CywordMovieUp Control) - http://mptop.cyworld.nate.com/activex/CyworldMovieUp.cab
O16 - DPF: {D8F001C6-43B1-4CFD-9DAF-C8BEAE0E2B6D} (Touch Control) - http://touch.imbc.com/ocx/test/Online.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8438 bytes


In addition, here is my Vundofix log:


VundoFix V6.5.9

Checking Java version...

Scan started at 10:16:24 AM 10/12/2007

Listing files found while scanning....

C:\WINDOWS\system32\hmctfcbp.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Scan started at 12:04:53 PM 10/13/2007

Listing files found while scanning....


VundoFix V6.5.9

Checking Java version...

Scan started at 12:46:39 PM 10/13/2007

Listing files found while scanning....

C:\WINDOWS\system32\amppinmf.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\amppinmf.dll
C:\WINDOWS\system32\amppinmf.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Scan started at 10:09:24 PM 10/13/2007

Listing files found while scanning....

C:\WINDOWS\system32\drrebpqu.dll
C:\WINDOWS\system32\dtkioupb.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\drrebpqu.dll
C:\WINDOWS\system32\drrebpqu.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\drrebpqu.dll
C:\WINDOWS\system32\drrebpqu.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.5.9

Checking Java version...

Scan started at 11:38:40 PM 10/13/2007

Listing files found while scanning....

C:\WINDOWS\system32\drrebpqu.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\drrebpqu.dll
C:\WINDOWS\system32\drrebpqu.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\drrebpqu.dll
C:\WINDOWS\system32\drrebpqu.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.5.9

Checking Java version...

Scan started at 10:53:59 AM 10/14/2007

Listing files found while scanning....

No infected files were found.





Please help! Thank you^^

#2 pcrunk


Posted 14 October 2007 - 01:36 AM

Oh, and I forgot to mention that I use Zoom Player very often to view my media files, and I can no longer open this application (I get a "Grphedt" error message, and these problems began after my computer was infected, but I don't know the connection). I even deleted and reinstalled this program, and it worked fine for a day or so after reinstallation, but now it's having the same problems. Thanks again!

#3 SifuMike

malware expert

Posted 15 October 2007 - 02:53 PM

Hello pcrunk,

If you have used ComboFix before, please delete the version you are having and redownload it again, because ComboFix is being updated every day.

If your antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again, because some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note: It is important that it is saved directly to your desktop.

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
If you have Norton AntiVirus installed, then disable script blocking so it will not interfere with the fix.

To disable the Norton Script Blocking service:

* Disable the Script Blocking Service:
To open Services, click Start, point to Settings, and then click Control Panel.
Double-click Administrative Tools, and then double-click Services.
Find the ScriptBlocking service, right-click it, and then click Properties.
On the General tab, under Startup, click Disabled.
Under Service Status, click the Stop button. Click the Apply button.

* Disable Script Blocking in Norton settings:
Start Norton AntiVirus.
Click Options. If a menu appears when you click Options, then click Norton AntiVirus. The Norton AntiVirus Options dialog box appears.
Click Script Blocking.
Uncheck Enable Script Blocking (recommended).
Click OK.
You can re-enable it afterwards when everything is clean again.
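As an added example (not part of this thread, and not code from ComboFix, HijackThis or any other tool named here): the ComboFix log requested above ends with a "Reg Loading Points" section, and the two entries in it that explain why jkkll.dll resists deletion are Winlogon Notify subkeys (DLLs loaded into winlogon.exe) and the LSA "Authentication Packages" value (DLLs loaded into lsass.exe), both protected system processes that cannot be terminated from a normal session, so the file stays locked. The Python script below parses that section and flags every non-stock entry; the sample lines are constructed to match the log pcrunk posts in the next reply, and the stock Windows XP allowlists are my assumption.

```python
import re

# Constructed sample, modelled on the "Reg Loading Points" section of the
# ComboFix log posted in this thread (same keys, same DLL names).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\drrebpqu]
drrebpqu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdgpnbyh]
fdgpnbyh.dll 2007-10-15 21:46 339968 C:\WINDOWS\system32\fdgpnbyh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnljj]
nnnnljj.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkll.dll
"""

NOTIFY_PREFIX = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify"
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"

# Winlogon Notify subkeys present on a stock Windows XP install (assumed
# allowlist). Anything else is flagged for review; legitimate security tools
# such as SUPERAntiSpyware's !SASWinLogon register here too, so a hit means
# "verify the DLL", not "malware".
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# The only authentication package a stock XP box lists.
STOCK_LSA_PACKAGES = {"msv1_0"}


def parse_blocks(text):
    """Group the section into {registry key: [value lines]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def first_dll(line):
    """Path or bare name of the first .dll on a value line (paths may contain spaces)."""
    m = re.match(r"(.*?\.dll)", line, re.I)
    return m.group(1) if m else line


def find_persistence(text):
    """Return (kind, entry, dll) triples for non-stock Winlogon Notify and LSA loads."""
    findings = []
    for key, lines in parse_blocks(text).items():
        lkey = key.lower()
        if lkey.startswith(NOTIFY_PREFIX + "\\"):
            name = key[len(NOTIFY_PREFIX) + 1:]
            if name.lower() not in STOCK_NOTIFY:
                dll = first_dll(lines[0]) if lines else "(no DLL listed)"
                findings.append(("winlogon-notify", name, dll))
        elif lkey == LSA_KEY:
            for line in lines:
                m = re.match(r'"authentication packages"\s*=\s*(.*)', line, re.I)
                if not m:
                    continue
                # Packages are space-separated; every non-stock one is a DLL
                # that lsass.exe loads at boot and never releases.
                for pkg in m.group(1).split():
                    if pkg.lower() not in STOCK_LSA_PACKAGES:
                        findings.append(("lsa-auth-package", "Authentication Packages", pkg))
    return findings


if __name__ == "__main__":
    for kind, entry, dll in find_persistence(SAMPLE_LOG):
        print(f"{kind:18} {entry:24} -> {dll}")
```

Run against a real ComboFix log, feed it only the "Reg Loading Points" section; every flagged DLL should be checked (vendor, signature, creation date) before any removal is attempted.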

#4 pcrunk


Posted 16 October 2007 - 03:40 AM

First, I would like to thank you for taking the time to help me with this problem. Your help is greatly appreciated. I was about 10 minutes away from reinstalling my entire operating system^^
Here are the logs you asked for:

ComboFix 07-10-12.4 - Owner 2007-10-16 16:46:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.200 [GMT 9:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\ISM
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\a12
C:\WINDOWS\system32\camgwbfw.dll
C:\WINDOWS\system32\civgkomc.dll
C:\WINDOWS\system32\cmokgvic.ini
C:\WINDOWS\system32\cxlrrxfr.ini
C:\WINDOWS\system32\ddnlvpcj.dll
C:\WINDOWS\system32\e1
C:\WINDOWS\system32\fopgvolo.ini
C:\WINDOWS\system32\gmghqqdh.dll
C:\WINDOWS\system32\hdqqhgmg.ini
C:\WINDOWS\system32\hpesmbwy.dll
C:\WINDOWS\system32\ihrnocsk.ini
C:\WINDOWS\system32\jcpvlndd.ini
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\jldkvyjy.dll
C:\WINDOWS\system32\knycucrf.exe
C:\WINDOWS\system32\ksconrhi.dll
C:\WINDOWS\system32\lcqndmlu.dll
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llkkj.bak2
C:\WINDOWS\system32\llkkj.bak2
C:\WINDOWS\system32\llkkj.bak2
C:\WINDOWS\system32\llkkj.ini
C:\WINDOWS\system32\llkkj.ini
C:\WINDOWS\system32\llkkj.ini
C:\WINDOWS\system32\llkkj.ini2
C:\WINDOWS\system32\llkkj.ini2
C:\WINDOWS\system32\llkkj.ini2
C:\WINDOWS\system32\llkkj.tmp
C:\WINDOWS\system32\llkkj.tmp
C:\WINDOWS\system32\llkkj.tmp
C:\WINDOWS\system32\mqjnvkwn.dll
C:\WINDOWS\system32\mvpofsro.dll
C:\WINDOWS\system32\nwkvnjqm.ini
C:\WINDOWS\system32\olovgpof.dll
C:\WINDOWS\system32\orsfopvm.ini
C:\WINDOWS\system32\rfxrrlxc.dll
C:\WINDOWS\system32\ukpdpyiu.dll
C:\WINDOWS\system32\ulmdnqcl.tmp
C:\WINDOWS\system32\wfbwgmac.ini
C:\WINDOWS\system32\xtgwvqrq.dll
C:\WINDOWS\system32\yjyvkdlj.ini
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-09-16 to 2007-10-16 )))))))))))))))))))))))))))))))
.

2007-10-16 16:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-15 21:46 389,184 --a------ C:\WINDOWS\system32\xfksmswe.exe
2007-10-15 21:46 339,968 --a------ C:\WINDOWS\system32\fdgpnbyh.dll
2007-10-14 17:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\BSplayer Pro
2007-10-14 17:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\BSplayer Pro
2007-10-14 17:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\BSplayer
2007-10-14 17:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\BSplayer
2007-10-14 16:33 <DIR> d-------- C:\Program Files\Zoom Player
2007-10-14 14:47 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-14 00:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-13 23:27 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-10-13 21:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-13 21:29 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-10-13 21:29 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-13 21:29 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-13 21:29 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-10-13 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-10-13 21:28 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
2007-10-13 20:54 389,184 --a------ C:\WINDOWS\system32\dssgbwlb.exe
2007-10-13 19:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-10-12 11:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-12 11:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-10-12 11:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-10-12 10:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-12 10:51 <DIR> d-------- C:\WINDOWS\pss
2007-10-12 10:16 <DIR> d-------- C:\VundoFix Backups
2007-10-10 08:22 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-04 20:10 <DIR> d--hs---- C:\WINDOWS\T3duZXI
2007-10-04 20:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2007-10-04 20:09 <DIR> d-------- C:\WINDOWS\system32\vMW02a
2007-10-04 20:09 <DIR> d-------- C:\WINDOWS\system32\sas1
2007-10-04 20:09 <DIR> d-------- C:\WINDOWS\system32\rev2
2007-10-04 20:09 <DIR> d-------- C:\WINDOWS\system32\bc1
2007-10-04 20:09 <DIR> d-------- C:\Temp\xOe
2007-10-04 20:09 <DIR> d-------- C:\Temp
2007-09-18 02:51 1,536,000 -ra------ C:\WINDOWS\system32\clubbox.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-16 07:33 --------- d-----w C:\Program Files\Norton AntiVirus
2007-10-13 16:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-13 10:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2007-10-13 10:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2007-10-11 14:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-14 20:32 --------- d-----w C:\Program Files\iTunes
2007-09-14 20:31 --------- d-----w C:\Program Files\iPod
2007-09-14 20:27 --------- d-----w C:\Program Files\QuickTime
2007-09-14 20:22 --------- d-----w C:\Program Files\Apple Software Update
2007-09-14 20:21 --------- d-----w C:\Program Files\Common Files\Apple
2007-09-14 20:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-09-13 06:07 --------- d-----w C:\Program Files\MSN Messenger
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-15 00:58 280,096 ----a-w C:\WINDOWS\system32\skcinst1.dll
2007-08-15 00:58 276,000 ----a-w C:\WINDOWS\system32\skcinst2.dll
2007-08-06 14:16 77,824 ----a-w C:\WINDOWS\system32\nod.dll
2007-07-30 10:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 10:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 10:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 10:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 10:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 10:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 10:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 10:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 1,380,352 2003-11-05 13:38:00 C:\Program Files\B's CLiP\Win2K\bak\BSCLIP.exe

----a-w 71,328 2006-03-09 15:47:52 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 71,328 2006-03-09 15:47:52 C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE

----a-w 708,608 2003-06-28 02:33:10 C:\Program Files\EzButton\bak\CplBTQ00.EXE

----a-w 278,528 2006-02-23 23:45:20 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,064 2007-09-07 07:55:08 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 282,624 2006-06-08 00:35:51 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-06-28 21:24:52 C:\Program Files\QuickTime\QTTask.exe

----a-w 638,976 2003-09-09 03:10:48 C:\Program Files\Toshiba\E-KEY\bak\CeEKey.exe

----a-w 135,168 2003-04-24 08:52:06 C:\Program Files\Toshiba\Power Management\bak\CePMTray.exe

----a-w 65,536 2003-09-05 11:24:46 C:\Program Files\Toshiba\TOSCDSPD\bak\toscdspd.exe

----a-w 49,152 2003-06-12 01:46:38 C:\Program Files\Toshiba\TouchPad\bak\TPTray.exe

----a-w 94,208 2003-12-09 23:43:02 C:\Program Files\Toshiba Controls\bak\CpRmtKey.EXE

----a-w 159,744 2003-10-20 17:39:26 C:\TOSHIBA\Ivp\ISM\bak\pinger.exe

----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\ctfmon.exe

----a-w 40,960 2002-08-20 18:29:26 C:\WINDOWS\system32\bak\ezSP_Px.exe
----a-w 40,960 2002-08-20 20:29:26 C:\WINDOWS\system32\ezSP_Px.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{620396F4-0413-477E-8250-6DADF23560AA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-15 21:46 339968 --a------ C:\WINDOWS\system32\fdgpnbyh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\fdgpnbyh.dll [2007-10-15 21:46 339968]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{29D8D40A-45AA-11D5-9C81-110102657B27}"= C:\WINDOWS\system32\comzen101.dll [ ]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\fdgpnbyh.dll [2007-10-15 21:46 339968]

[HKEY_CLASSES_ROOT\CLSID\{29D8D40A-45AA-11D5-9C81-110102657B27}]
[HKEY_CLASSES_ROOT\comzen101.DelSearch]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" []
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" []
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" []
"B'sCLiP"="C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe" []
"CplBTQ00"="C:\Program Files\EzButton\CplBTQ00.EXE" []
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 16:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-11-07 03:12 C:\WINDOWS\system32\nwiz.exe]
"CpRmtKey"="C:\Program Files\Toshiba Controls\CpRmtKey.EXE" []
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-10 00:47]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-08-16 15:09]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-21 05:29]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 22:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:56]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 11:05:26]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-07 06:23:32]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-12-10 06:56:16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\drrebpqu]
drrebpqu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdgpnbyh]
fdgpnbyh.dll 2007-10-15 21:46 339968 C:\WINDOWS\system32\fdgpnbyh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnljj]
nnnnljj.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkll.dll

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R1 SrvcEKIOMngr;SrvcEKIOMngr;C:\WINDOWS\system32\Drivers\EKIoMngr.sys
R1 SrvcEPIOMngr;SrvcEPIOMngr;C:\WINDOWS\system32\Drivers\EPIoMngr.sys
R1 SrvcSSIOMngr;SrvcSSIOMngr;C:\WINDOWS\system32\Drivers\SSIoMngr.sys
R1 SrvcTPIOMngr;SrvcTPIOMngr;C:\WINDOWS\system32\Drivers\TPIoMngr.sys
R2 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
R3 EPOWER;Compal E-POWER Driver;C:\WINDOWS\system32\Drivers\hkdrv.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;C:\WINDOWS\system32\DRIVERS\cben5.sys
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 03:40:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-12 11:02:21 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job"
"2007-10-16 08:20:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-16 17:17:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-16 17:24:54 - machine was rebooted
.
--- E O F ---








Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:55 PM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://english.chosun.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: (no name) - {620396F4-0413-477E-8250-6DADF23560AA} - \
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\fdgpnbyh.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\fdgpnbyh.dll
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg7.cyworld.com/ImageUpload/CyIm...pload_10217.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {24A04430-81DA-467A-BE87-774DFAECBBF6} (UlalaPhoto Control) - http://cyimg7.cyworld.nate.com/storyRoom/C...geResizeCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {65F474EB-B86A-465A-BE5E-0447CB2C6C1C} (AnycallMusicLauncher Control) - http://anycallmusic.mylisten.com/AnycallMu...sicLauncher.cab
O16 - DPF: {8FA141C5-29D7-4408-A57B-619C463ED7BB} (Cychannel_Club1_10.UserControl1) - http://club.cyworld.nate.com/cychannel_clu...lubmain1_11.CAB
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.diodeo.com/ActiveDiodeoPlayer.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D8798B2A-5EB1-424A-AB19-E38CFB69E295} (CywordMovieUp Control) - http://mptop.cyworld.nate.com/activex/CyworldMovieUp.cab
O16 - DPF: {D8F001C6-43B1-4CFD-9DAF-C8BEAE0E2B6D} (Touch Control) - http://touch.imbc.com/ocx/test/Online.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: drrebpqu - drrebpqu.dll (file missing)
O20 - Winlogon Notify: fdgpnbyh - C:\WINDOWS\SYSTEM32\fdgpnbyh.dll
O20 - Winlogon Notify: nnnnljj - nnnnljj.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9098 bytes




Thanks again!

#5 SifuMike

    malware expert
Posted 16 October 2007 - 11:58 AM

Hi pcrunk,

Besides the Vundo infection, you also have a nasty AWF infection. We shall deal with the AWF infection after we clean up the Vundo infection.

You have some suspicious files we need to check.

Go to My Computer and double-click C:.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'Show hidden files and folders',
deselect (uncheck) 'Hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to the following site: http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the following file:

C:\WINDOWS\system32\dssgbwlb.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for the following files:
C:\WINDOWS\WRSetup.dll
C:\WINDOWS\system32\clubbox.exe


Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at VirusTotal so they can send me the scan results. They usually only take a couple of minutes to reply.
You can copy/paste the scan results here.

*************************

Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\xfksmswe.exe
C:\WINDOWS\system32\fdgpnbyh.dll



Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


[screenshot]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply, a new HijackThis log and the results of the VirusTotal scans.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 pcrunk

pcrunk
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:09 PM

Posted 16 October 2007 - 11:06 PM

Here are the logs:

Virus Totals

File dssgbwlb.exe received on 10.17.2007 05:06:17 (CET)
Antivirus  Version  Last Update  Result

AhnLab-V3 2007.10.17.0 2007.10.16 -
AntiVir 7.6.0.23 2007.10.16 HEUR/Malware
Authentium 4.93.8 2007.10.17 -
Avast 4.7.1051.0 2007.10.17 -
AVG 7.5.0.488 2007.10.16 -
BitDefender 7.2 2007.10.17 -
CAT-QuickHeal 9.00 2007.10.16 -
ClamAV 0.91.2 2007.10.16 -
DrWeb 4.44.0.09170 2007.10.17 Trojan.Hammer
eSafe 7.0.15.0 2007.10.15 -
eTrust-Vet 31.2.5216 2007.10.17 -
Ewido 4.0 2007.10.16 -
FileAdvisor 1 2007.10.17 -
Fortinet 3.11.0.0 2007.10.16 -
F-Prot 4.3.2.48 2007.10.17 W32/Adware.YIG
F-Secure 6.70.13030.0 2007.10.17 -
Ikarus T3.1.1.12 2007.10.17 Trojan.Win32.Obfuscated.ex
Kaspersky 7.0.0.125 2007.10.17 not-a-virus:AdWare.Win32.SecToolBar.g
McAfee 5142 2007.10.16 -
Microsoft 1.2908 2007.10.16 -
NOD32v2 2596 2007.10.17 -
Norman 5.80.02 2007.10.16 -
Panda 9.0.0.4 2007.10.16 Spyware/Virtumonde
Prevx1 V2 2007.10.17 Trojan.Vundo
Rising 19.45.20.00 2007.10.17 -
Sophos 4.22.0 2007.10.17 Mal/Behav-010
Sunbelt 2.2.907.0 2007.10.16 -
Symantec 10 2007.10.17 -
TheHacker 6.2.8.093 2007.10.16 -
VBA32 3.12.2.4 2007.10.16 Trojan.Hammer
VirusBuster 4.3.26:9 2007.10.16 -
Webwasher-Gateway 6.6.1 2007.10.17 Heuristic.Malware

Additional information
File size: 389184 bytes
MD5: 4ab353efc5bae2287a3360b65e13b5e8
SHA1: 088c81124171bd731a7dfd59d3ca280ebf040375
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5...5B6A600BFEE5F68



File WRSetup.dll received on 10.17.2007 05:15:41 (CET)
Antivirus  Version  Last Update  Result

AhnLab-V3 2007.10.13.1 2007.10.12 -
AntiVir 7.6.0.23 2007.10.16 -
Authentium 4.93.8 2007.10.17 -
BitDefender 7.2 2007.10.17 -
CAT-QuickHeal 9.00 2007.10.16 -
ClamAV 0.91.2 2007.10.16 -
DrWeb 4.44.0.09170 2007.10.17 -
eSafe 7.0.15.0 2007.10.15 -
eTrust-Vet 31.2.5216 2007.10.17 -
Ewido 4.0 2007.10.16 -
FileAdvisor 1 2007.10.17 -
Fortinet 3.11.0.0 2007.10.16 -
F-Secure 6.70.13030.0 2007.10.16 -
Ikarus T3.1.1.12 2007.10.17 -
Kaspersky 7.0.0.125 2007.10.17 -
McAfee 5142 2007.10.16 -
Microsoft 1.2908 2007.10.16 -
NOD32v2 2596 2007.10.17 -
Norman 5.80.02 2007.10.16 -
Panda 9.0.0.4 2007.10.16 -
Prevx1 V2 2007.10.17 -
Rising 19.45.12.00 2007.10.17 -
Sophos 4.22.0 2007.10.17 -
Sunbelt 2.2.907.0 2007.10.13 -
TheHacker 6.2.8.093 2007.10.16 -
VBA32 3.12.2.4 2007.10.16 -
VirusBuster 4.3.26:9 2007.10.16 -
Webwasher-Gateway 6.6.1 2007.10.17 -

Additional information
File size: 1521464 bytes
MD5: b7c4319c818c46e2e05756a77f922efa
SHA1: fcb1ca05c9f4f65a82c205768677ff6f8462b13a



File clubbox.exe received on 10.17.2007 05:22:06 (CET)
Antivirus  Version  Last Update  Result

AhnLab-V3 2007.10.17.0 2007.10.16 -
AntiVir 7.6.0.23 2007.10.16 -
Authentium 4.93.8 2007.10.17 -
Avast 4.7.1051.0 2007.10.17 -
AVG 7.5.0.488 2007.10.16 -
BitDefender 7.2 2007.10.17 -
CAT-QuickHeal 9.00 2007.10.16 -
ClamAV 0.91.2 2007.10.16 -
DrWeb 4.44.0.09170 2007.10.17 -
eSafe 7.0.15.0 2007.10.15 -
eTrust-Vet 31.2.5216 2007.10.17 -
Ewido 4.0 2007.10.16 -
FileAdvisor 1 2007.10.17 -
Fortinet 3.11.0.0 2007.10.16 -
F-Prot 4.3.2.48 2007.10.17 -
F-Secure 6.70.13030.0 2007.10.17 -
Ikarus T3.1.1.12 2007.10.17 -
Kaspersky 7.0.0.125 2007.10.17 -
McAfee 5142 2007.10.16 -
Microsoft 1.2908 2007.10.16 -
NOD32v2 2596 2007.10.17 -
Norman 5.80.02 2007.10.16 -
Panda 9.0.0.4 2007.10.16 -
Prevx1 V2 2007.10.17 Heuristic: Suspicious Backdoor
Rising 19.45.20.00 2007.10.17 -
Sophos 4.22.0 2007.10.17 -
Sunbelt 2.2.907.0 2007.10.16 -
Symantec 10 2007.10.17 -
TheHacker 6.2.8.093 2007.10.16 -
VBA32 3.12.2.4 2007.10.16 -
VirusBuster 4.3.26:9 2007.10.16 -
Webwasher-Gateway 6.6.1 2007.10.17 -

Additional information
File size: 1536000 bytes
MD5: e1d19b5acb03c982f7299e9fb585f62e
SHA1: 7a7b97dd7d7ea6d6f04cf958182ab0dcf2bc671b
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5...7EA61005E4A8510


ComboFix

ComboFix 07-10-12.4 - Owner 2007-10-17 12:35:55.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.134 [GMT 9:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\fdgpnbyh.dll
C:\WINDOWS\system32\xfksmswe.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\fdgpnbyh.dll
C:\WINDOWS\system32\fdgpnbyh.dll
C:\WINDOWS\system32\xfksmswe.exe
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.

2007-10-16 16:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-14 16:33 <DIR> d-------- C:\Program Files\Zoom Player
2007-10-14 14:47 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-14 00:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-13 23:27 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-10-13 21:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-13 21:29 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-10-13 21:29 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-13 21:29 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-13 21:29 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-10-13 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-10-13 21:28 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
2007-10-13 20:54 389,184 --a------ C:\WINDOWS\system32\dssgbwlb.exe
2007-10-13 19:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-10-12 11:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-12 11:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-10-12 11:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-10-12 10:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-12 10:51 <DIR> d-------- C:\WINDOWS\pss
2007-10-12 10:16 <DIR> d-------- C:\VundoFix Backups
2007-10-10 08:22 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-04 20:10 <DIR> d--hs---- C:\WINDOWS\T3duZXI
2007-10-04 20:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2007-10-04 20:09 <DIR> d-------- C:\WINDOWS\system32\vMW02a
2007-10-04 20:09 <DIR> d-------- C:\WINDOWS\system32\sas1
2007-10-04 20:09 <DIR> d-------- C:\WINDOWS\system32\rev2
2007-10-04 20:09 <DIR> d-------- C:\WINDOWS\system32\bc1
2007-10-04 20:09 <DIR> d-------- C:\Temp\xOe
2007-10-04 20:09 <DIR> d-------- C:\Temp
2007-09-18 02:51 1,536,000 -ra------ C:\WINDOWS\system32\clubbox.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-16 07:33 --------- d-----w C:\Program Files\Norton AntiVirus
2007-10-13 16:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-13 10:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2007-10-13 10:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2007-10-11 14:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-14 20:32 --------- d-----w C:\Program Files\iTunes
2007-09-14 20:31 --------- d-----w C:\Program Files\iPod
2007-09-14 20:27 --------- d-----w C:\Program Files\QuickTime
2007-09-14 20:22 --------- d-----w C:\Program Files\Apple Software Update
2007-09-14 20:21 --------- d-----w C:\Program Files\Common Files\Apple
2007-09-14 20:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-09-13 06:07 --------- d-----w C:\Program Files\MSN Messenger
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-15 00:58 280,096 ----a-w C:\WINDOWS\system32\skcinst1.dll
2007-08-15 00:58 276,000 ----a-w C:\WINDOWS\system32\skcinst2.dll
2007-08-06 14:16 77,824 ----a-w C:\WINDOWS\system32\nod.dll
2007-07-30 10:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 10:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 10:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 10:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 10:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 10:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 10:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 10:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 1,380,352 2003-11-05 13:38:00 C:\Program Files\B's CLiP\Win2K\bak\BSCLIP.exe

----a-w 71,328 2006-03-09 15:47:52 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 71,328 2006-03-09 15:47:52 C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE

----a-w 708,608 2003-06-28 02:33:10 C:\Program Files\EzButton\bak\CplBTQ00.EXE

----a-w 278,528 2006-02-23 23:45:20 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,064 2007-09-07 07:55:08 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 282,624 2006-06-08 00:35:51 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-06-28 21:24:52 C:\Program Files\QuickTime\QTTask.exe

----a-w 638,976 2003-09-09 03:10:48 C:\Program Files\Toshiba\E-KEY\bak\CeEKey.exe

----a-w 135,168 2003-04-24 08:52:06 C:\Program Files\Toshiba\Power Management\bak\CePMTray.exe

----a-w 65,536 2003-09-05 11:24:46 C:\Program Files\Toshiba\TOSCDSPD\bak\toscdspd.exe

----a-w 49,152 2003-06-12 01:46:38 C:\Program Files\Toshiba\TouchPad\bak\TPTray.exe

----a-w 94,208 2003-12-09 23:43:02 C:\Program Files\Toshiba Controls\bak\CpRmtKey.EXE

----a-w 159,744 2003-10-20 17:39:26 C:\TOSHIBA\Ivp\ISM\bak\pinger.exe

----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\ctfmon.exe

----a-w 40,960 2002-08-20 18:29:26 C:\WINDOWS\system32\bak\ezSP_Px.exe
----a-w 40,960 2002-08-20 20:29:26 C:\WINDOWS\system32\ezSP_Px.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{620396F4-0413-477E-8250-6DADF23560AA}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{29D8D40A-45AA-11D5-9C81-110102657B27}"= C:\WINDOWS\system32\comzen101.dll [ ]

[HKEY_CLASSES_ROOT\CLSID\{29D8D40A-45AA-11D5-9C81-110102657B27}]
[HKEY_CLASSES_ROOT\comzen101.DelSearch]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" []
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" []
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" []
"B'sCLiP"="C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe" []
"CplBTQ00"="C:\Program Files\EzButton\CplBTQ00.EXE" []
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 16:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-11-07 03:12 C:\WINDOWS\system32\nwiz.exe]
"CpRmtKey"="C:\Program Files\Toshiba Controls\CpRmtKey.EXE" []
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-10 00:47]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-08-16 15:09]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-21 05:29]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 22:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:56]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 11:05:26]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-07 06:23:32]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-12-10 06:56:16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\drrebpqu]
drrebpqu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdgpnbyh]
fdgpnbyh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnljj]
nnnnljj.dll

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R1 SrvcEKIOMngr;SrvcEKIOMngr;C:\WINDOWS\system32\Drivers\EKIoMngr.sys
R1 SrvcEPIOMngr;SrvcEPIOMngr;C:\WINDOWS\system32\Drivers\EPIoMngr.sys
R1 SrvcSSIOMngr;SrvcSSIOMngr;C:\WINDOWS\system32\Drivers\SSIoMngr.sys
R1 SrvcTPIOMngr;SrvcTPIOMngr;C:\WINDOWS\system32\Drivers\TPIoMngr.sys
R2 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
R3 EPOWER;Compal E-POWER Driver;C:\WINDOWS\system32\Drivers\hkdrv.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;C:\WINDOWS\system32\DRIVERS\cben5.sys
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 03:40:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-12 11:02:21 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job"
"2007-10-17 03:55:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 12:47:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-17 12:56:17 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-16 17:24
.
--- E O F ---


HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:19 PM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://english.chosun.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: (no name) - {620396F4-0413-477E-8250-6DADF23560AA} - \
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg7.cyworld.com/ImageUpload/CyIm...pload_10217.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {24A04430-81DA-467A-BE87-774DFAECBBF6} (UlalaPhoto Control) - http://cyimg7.cyworld.nate.com/storyRoom/C...geResizeCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {65F474EB-B86A-465A-BE5E-0447CB2C6C1C} (AnycallMusicLauncher Control) - http://anycallmusic.mylisten.com/AnycallMu...sicLauncher.cab
O16 - DPF: {8FA141C5-29D7-4408-A57B-619C463ED7BB} (Cychannel_Club1_10.UserControl1) - http://club.cyworld.nate.com/cychannel_clu...lubmain1_11.CAB
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.diodeo.com/ActiveDiodeoPlayer.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D8798B2A-5EB1-424A-AB19-E38CFB69E295} (CywordMovieUp Control) - http://mptop.cyworld.nate.com/activex/CyworldMovieUp.cab
O16 - DPF: {D8F001C6-43B1-4CFD-9DAF-C8BEAE0E2B6D} (Touch Control) - http://touch.imbc.com/ocx/test/Online.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: drrebpqu - drrebpqu.dll (file missing)
O20 - Winlogon Notify: fdgpnbyh - fdgpnbyh.dll (file missing)
O20 - Winlogon Notify: nnnnljj - nnnnljj.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8846 bytes

Edited by pcrunk, 16 October 2007 - 11:09 PM.
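The AWF section of the ComboFix report above lists a bak folder beside several startup executables (B's CLiP, ccApp, iTunesHelper, qttask, ctfmon and so on), which is the pattern FindAWF looks for. The following script is an added example, not part of this thread and not FindAWF's or ComboFix's code: it walks a directory tree, pairs every .exe inside a folder named bak with the same-named file one level up, and reports whether the two are identical, differ, or the upstairs copy is gone. The directory tree it builds is constructed placeholder data modelled on the paths in the report; the function and status names are my own.

```python
"""Added example (not FindAWF's or ComboFix's code): find the AWF pattern in
which a startup executable is replaced and the original is parked in a `bak`
subfolder next to it. The sample tree is constructed in a temporary directory
so the check runs offline; on the machine in the thread the equivalent paths
live under C:\\Program Files and C:\\WINDOWS\\system32."""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AwfHit:
    backup: str              # file inside the bak\ folder (presumed original)
    current: Optional[str]   # same-named file one level up, if present
    status: str              # "identical", "differs" or "missing"


def sha1_of(path: str) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_awf(root: str) -> List[AwfHit]:
    """Walk `root`; for each directory named `bak`, pair every executable in it
    with the same-named file in the parent directory and compare by SHA-1."""
    hits: List[AwfHit] = []
    for dirpath, _dirs, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        # Match names case-insensitively: the report shows ccApp.exe beside CCAPP.EXE.
        siblings = {n.lower(): n for n in os.listdir(parent)
                    if os.path.isfile(os.path.join(parent, n))}
        for name in sorted(filenames):
            if not name.lower().endswith(".exe"):
                continue
            backup = os.path.join(dirpath, name)
            sibling = siblings.get(name.lower())
            if sibling is None:
                hits.append(AwfHit(backup, None, "missing"))
                continue
            current = os.path.join(parent, sibling)
            same = sha1_of(backup) == sha1_of(current)
            hits.append(AwfHit(backup, current, "identical" if same else "differs"))
    return hits


def summarize(root: str) -> Dict[str, str]:
    """Lower-cased executable name -> status, for quick triage."""
    return {os.path.basename(h.backup).lower(): h.status for h in find_awf(root)}


def build_sample_tree() -> str:
    """Constructed data modelled on the AWF section of the ComboFix report in
    this thread (the bytes are placeholders, not real executables)."""
    root = tempfile.mkdtemp(prefix="awf_demo_")

    def put(rel: str, data: bytes) -> None:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    put("iTunes/bak/iTunesHelper.exe", b"MZ original helper")
    put("iTunes/iTunesHelper.exe", b"MZ something else")        # replaced -> differs
    put("Symantec Shared/bak/ccApp.exe", b"MZ ccApp")
    put("Symantec Shared/CCAPP.EXE", b"MZ ccApp")                 # restored -> identical
    put("EzButton/bak/CplBTQ00.EXE", b"MZ CplBTQ00")              # nothing upstairs -> missing
    return root


def remove_sample_tree(root: str) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo = build_sample_tree()
    try:
        for hit in find_awf(demo):
            print(f"{hit.status:9} {hit.backup}  ->  {hit.current}")
    finally:
        remove_sample_tree(demo)
```

Run it as-is to see the demo; on the affected machine, call find_awf(r'C:\Program Files') and find_awf(r'C:\WINDOWS\system32') to list the real pairs. A differing pair is the suspicious case (the current file is not the parked original); an identical pair means the original has already been copied back, which the matching sizes and timestamps for ccApp.exe and ctfmon.exe in the report suggest; a bak copy with nothing upstairs matches the Run entries that show no file details ([]) in the Reg Loading Points section. Hashes alone do not say which copy is clean, so submit both to VirusTotal before deleting anything.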


#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 October 2007 - 12:02 AM

Hi pcrunk,

We need to get rid of one malware file.


Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\dssgbwlb.exe


Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\drrebpqu] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdgpnbyh] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnljj]



Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

*****************************

You also have a nasty AWF infection.

Download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe
Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, the Find AWF report, is produced that we need to look at.
Please post it in your reply.

Edited by SifuMike, 17 October 2007 - 12:11 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 pcrunk

pcrunk
  • Topic Starter

  • Members
  • 8 posts

Posted 17 October 2007 - 12:57 AM

Here are the new logs, and I included a new HijackThis log just in case you needed it:

ComboFix 07-10-12.4 - Owner 2007-10-17 14:34:42.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.188 [GMT 9:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\dssgbwlb.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dssgbwlb.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.

2007-10-16 16:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-14 16:33 <DIR> d-------- C:\Program Files\Zoom Player
2007-10-14 14:47 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-14 00:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-13 23:27 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-10-13 21:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-13 21:29 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-10-13 21:29 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-13 21:29 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-13 21:29 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-10-13 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-10-13 21:28 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
2007-10-13 19:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-10-12 11:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-12 11:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-10-12 11:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-10-12 10:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-12 10:51 <DIR> d-------- C:\WINDOWS\pss
2007-10-12 10:16 <DIR> d-------- C:\VundoFix Backups
2007-10-10 08:22 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-04 20:10 <DIR> d--hs---- C:\WINDOWS\T3duZXI
2007-10-04 20:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2007-10-04 20:09 <DIR> d-------- C:\WINDOWS\system32\vMW02a
2007-10-04 20:09 <DIR> d-------- C:\WINDOWS\system32\sas1
2007-10-04 20:09 <DIR> d-------- C:\WINDOWS\system32\rev2
2007-10-04 20:09 <DIR> d-------- C:\WINDOWS\system32\bc1
2007-10-04 20:09 <DIR> d-------- C:\Temp\xOe
2007-10-04 20:09 <DIR> d-------- C:\Temp
2007-09-18 02:51 1,536,000 -ra------ C:\WINDOWS\system32\clubbox.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-16 07:33 --------- d-----w C:\Program Files\Norton AntiVirus
2007-10-13 16:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-13 10:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2007-10-13 10:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2007-10-11 14:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-14 20:32 --------- d-----w C:\Program Files\iTunes
2007-09-14 20:31 --------- d-----w C:\Program Files\iPod
2007-09-14 20:27 --------- d-----w C:\Program Files\QuickTime
2007-09-14 20:22 --------- d-----w C:\Program Files\Apple Software Update
2007-09-14 20:21 --------- d-----w C:\Program Files\Common Files\Apple
2007-09-14 20:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-09-13 06:07 --------- d-----w C:\Program Files\MSN Messenger
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-15 00:58 280,096 ----a-w C:\WINDOWS\system32\skcinst1.dll
2007-08-15 00:58 276,000 ----a-w C:\WINDOWS\system32\skcinst2.dll
2007-08-06 14:16 77,824 ----a-w C:\WINDOWS\system32\nod.dll
2007-07-30 10:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 10:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 10:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 10:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 10:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 10:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 10:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 10:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 1,380,352 2003-11-05 13:38:00 C:\Program Files\B's CLiP\Win2K\bak\BSCLIP.exe

----a-w 71,328 2006-03-09 15:47:52 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 71,328 2006-03-09 15:47:52 C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE

----a-w 708,608 2003-06-28 02:33:10 C:\Program Files\EzButton\bak\CplBTQ00.EXE

----a-w 278,528 2006-02-23 23:45:20 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,064 2007-09-07 07:55:08 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 282,624 2006-06-08 00:35:51 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-06-28 21:24:52 C:\Program Files\QuickTime\QTTask.exe

----a-w 638,976 2003-09-09 03:10:48 C:\Program Files\Toshiba\E-KEY\bak\CeEKey.exe

----a-w 135,168 2003-04-24 08:52:06 C:\Program Files\Toshiba\Power Management\bak\CePMTray.exe

----a-w 65,536 2003-09-05 11:24:46 C:\Program Files\Toshiba\TOSCDSPD\bak\toscdspd.exe

----a-w 49,152 2003-06-12 01:46:38 C:\Program Files\Toshiba\TouchPad\bak\TPTray.exe

----a-w 94,208 2003-12-09 23:43:02 C:\Program Files\Toshiba Controls\bak\CpRmtKey.EXE

----a-w 159,744 2003-10-20 17:39:26 C:\TOSHIBA\Ivp\ISM\bak\pinger.exe

----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\ctfmon.exe

----a-w 40,960 2002-08-20 18:29:26 C:\WINDOWS\system32\bak\ezSP_Px.exe
----a-w 40,960 2002-08-20 20:29:26 C:\WINDOWS\system32\ezSP_Px.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{620396F4-0413-477E-8250-6DADF23560AA}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{29D8D40A-45AA-11D5-9C81-110102657B27}"= C:\WINDOWS\system32\comzen101.dll [ ]

[HKEY_CLASSES_ROOT\CLSID\{29D8D40A-45AA-11D5-9C81-110102657B27}]
[HKEY_CLASSES_ROOT\comzen101.DelSearch]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" []
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" []
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" []
"B'sCLiP"="C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe" []
"CplBTQ00"="C:\Program Files\EzButton\CplBTQ00.EXE" []
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 16:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-11-07 03:12 C:\WINDOWS\system32\nwiz.exe]
"CpRmtKey"="C:\Program Files\Toshiba Controls\CpRmtKey.EXE" []
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-10 00:47]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-08-16 15:09]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-21 05:29]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 22:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:56]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 11:05:26]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-07 06:23:32]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-12-10 06:56:16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R1 SrvcEKIOMngr;SrvcEKIOMngr;C:\WINDOWS\system32\Drivers\EKIoMngr.sys
R1 SrvcEPIOMngr;SrvcEPIOMngr;C:\WINDOWS\system32\Drivers\EPIoMngr.sys
R1 SrvcSSIOMngr;SrvcSSIOMngr;C:\WINDOWS\system32\Drivers\SSIoMngr.sys
R1 SrvcTPIOMngr;SrvcTPIOMngr;C:\WINDOWS\system32\Drivers\TPIoMngr.sys
R2 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
R3 EPOWER;Compal E-POWER Driver;C:\WINDOWS\system32\Drivers\hkdrv.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;C:\WINDOWS\system32\DRIVERS\cben5.sys
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 03:40:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-12 11:02:21 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job"
"2007-10-17 05:40:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 14:39:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-17 14:42:01
C:\ComboFix2.txt ... 2007-10-17 12:56
C:\ComboFix3.txt ... 2007-10-16 17:24
.
--- E O F ---




Find AWF report by noahdfear 2006
Version 1.40

The current date is: Wed 10/17/2007
The current time is: 14:46:37.57


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\EZBUTTON\BAK

06/28/2003 11:33 AM 708,608 CplBTQ00.EXE
1 File(s) 708,608 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

02/24/2006 08:45 AM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/08/2006 09:35 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\TOSHIB~2\BAK

12/10/2003 08:43 AM 94,208 CpRmtKey.EXE
1 File(s) 94,208 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 04:56 PM 15,360 ctfmon.exe
08/21/2002 03:29 AM 40,960 ezSP_Px.exe
2 File(s) 56,320 bytes

Directory of C:\PROGRA~1\B'SCLI~1\WIN2K\BAK

11/05/2003 10:38 PM 1,380,352 BSCLIP.exe
1 File(s) 1,380,352 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

03/10/2006 12:47 AM 71,328 ccApp.exe
1 File(s) 71,328 bytes

Directory of C:\PROGRA~1\TOSHIBA\E-KEY\BAK

09/09/2003 12:10 PM 638,976 CeEKey.exe
1 File(s) 638,976 bytes

Directory of C:\PROGRA~1\TOSHIBA\POWERM~1\BAK

04/24/2003 05:52 PM 135,168 CePMTray.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOSCDSPD\BAK

09/05/2003 08:24 PM 65,536 toscdspd.exe
1 File(s) 65,536 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOUCHPAD\BAK

06/12/2003 10:46 AM 49,152 TPTray.exe
1 File(s) 49,152 bytes

Directory of C:\TOSHIBA\IVP\ISM\BAK

10/21/2003 02:39 AM 159,744 pinger.exe
1 File(s) 159,744 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

708608 Jun 28 2003 "C:\Program Files\EzButton\bak\CplBTQ00.EXE"
267064 Sep 7 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Feb 24 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 15 2007 "C:\WINDOWS\Installer\{B8A204BC-7177-470E-BBDD-47256D05B325}\iTunesIco.exe"
116024 Sep 7 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.1.2\iTunesSetupAdmin.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe"
282624 Jun 8 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
94208 Dec 10 2003 "C:\Program Files\Toshiba Controls\bak\CpRmtKey.EXE"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
40960 Aug 21 2002 "C:\DragnDrop.temp\ezSP_Px.exe"
40960 Aug 21 2002 "C:\WINDOWS\system32\ezSP_Px.exe"
40960 Aug 21 2002 "C:\WINDOWS\system32\bak\ezSP_Px.exe"
1380352 Nov 5 2003 "C:\Program Files\B's CLiP\Win2K\bak\BSCLIP.exe"
71328 Mar 10 2006 "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE"
71328 Mar 10 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
638976 Sep 9 2003 "C:\Program Files\Toshiba\E-KEY\bak\CeEKey.exe"
135168 Apr 24 2003 "C:\Program Files\Toshiba\Power Management\bak\CePMTray.exe"
65536 Sep 5 2003 "C:\Program Files\Toshiba\TOSCDSPD\bak\toscdspd.exe"
49152 Jun 12 2003 "C:\Program Files\Toshiba\TouchPad\bak\TPTray.exe"
159744 Oct 21 2003 "C:\TOSHIBA\Ivp\ISM\bak\pinger.exe"


end of report



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:57:32 PM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://english.chosun.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: (no name) - {620396F4-0413-477E-8250-6DADF23560AA} - \
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg7.cyworld.com/ImageUpload/CyIm...pload_10217.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {24A04430-81DA-467A-BE87-774DFAECBBF6} (UlalaPhoto Control) - http://cyimg7.cyworld.nate.com/storyRoom/C...geResizeCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {65F474EB-B86A-465A-BE5E-0447CB2C6C1C} (AnycallMusicLauncher Control) - http://anycallmusic.mylisten.com/AnycallMu...sicLauncher.cab
O16 - DPF: {8FA141C5-29D7-4408-A57B-619C463ED7BB} (Cychannel_Club1_10.UserControl1) - http://club.cyworld.nate.com/cychannel_clu...lubmain1_11.CAB
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.diodeo.com/ActiveDiodeoPlayer.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D8798B2A-5EB1-424A-AB19-E38CFB69E295} (CywordMovieUp Control) - http://mptop.cyworld.nate.com/activex/CyworldMovieUp.cab
O16 - DPF: {D8F001C6-43B1-4CFD-9DAF-C8BEAE0E2B6D} (Touch Control) - http://touch.imbc.com/ocx/test/Online.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8636 bytes

#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 October 2007 - 07:10 AM

Hi pcrunk,

Please don't post logs that I do not ask for, as it just clutters up the thread.

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:

"C:\Program Files\EzButton\bak\CplBTQ00.EXE"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Toshiba Controls\bak\CpRmtKey.EXE"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\ezSP_Px.exe"
"C:\Program Files\B's CLiP\Win2K\bak\BSCLIP.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\Toshiba\E-KEY\bak\CeEKey.exe"
"C:\Program Files\Toshiba\Power Management\bak\CePMTray.exe"
"C:\Program Files\Toshiba\TOSCDSPD\bak\toscdspd.exe"
"C:\Program Files\Toshiba\TouchPad\bak\TPTray.exe"
"C:\TOSHIBA\Ivp\ISM\bak\pinger.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Edited by SifuMike, 17 October 2007 - 12:37 PM.


#10 pcrunk

pcrunk
  • Topic Starter

  • Members
  • 8 posts

Posted 17 October 2007 - 07:11 PM

Here's the log:


Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Thu 10/18/2007
The current time is: 9:06:04.70


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\EZBUTTON\BAK

06/28/2003 11:33 AM 708,608 CplBTQ00.EXE
1 File(s) 708,608 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

02/24/2006 08:45 AM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/08/2006 09:35 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\TOSHIB~2\BAK

12/10/2003 08:43 AM 94,208 CpRmtKey.EXE
1 File(s) 94,208 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 04:56 PM 15,360 ctfmon.exe
08/21/2002 03:29 AM 40,960 ezSP_Px.exe
2 File(s) 56,320 bytes

Directory of C:\PROGRA~1\B'SCLI~1\WIN2K\BAK

11/05/2003 10:38 PM 1,380,352 BSCLIP.exe
1 File(s) 1,380,352 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

03/10/2006 12:47 AM 71,328 ccApp.exe
1 File(s) 71,328 bytes

Directory of C:\PROGRA~1\TOSHIBA\E-KEY\BAK

09/09/2003 12:10 PM 638,976 CeEKey.exe
1 File(s) 638,976 bytes

Directory of C:\PROGRA~1\TOSHIBA\POWERM~1\BAK

04/24/2003 05:52 PM 135,168 CePMTray.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOSCDSPD\BAK

09/05/2003 08:24 PM 65,536 toscdspd.exe
1 File(s) 65,536 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOUCHPAD\BAK

06/12/2003 10:46 AM 49,152 TPTray.exe
1 File(s) 49,152 bytes

Directory of C:\TOSHIBA\IVP\ISM\BAK

10/21/2003 02:39 AM 159,744 pinger.exe
1 File(s) 159,744 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

708608 Jun 28 2003 "C:\Program Files\EzButton\CplBTQ00.EXE"
708608 Jun 28 2003 "C:\Program Files\EzButton\bak\CplBTQ00.EXE"
278528 Feb 24 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Feb 24 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 15 2007 "C:\WINDOWS\Installer\{B8A204BC-7177-470E-BBDD-47256D05B325}\iTunesIco.exe"
116024 Sep 7 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.1.2\iTunesSetupAdmin.exe"
282624 Jun 8 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Jun 8 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
94208 Dec 10 2003 "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
94208 Dec 10 2003 "C:\Program Files\Toshiba Controls\bak\CpRmtKey.EXE"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
40960 Aug 21 2002 "C:\DragnDrop.temp\ezSP_Px.exe"
40960 Aug 21 2002 "C:\WINDOWS\system32\ezSP_Px.exe"
40960 Aug 21 2002 "C:\WINDOWS\system32\bak\ezSP_Px.exe"
1380352 Nov 5 2003 "C:\Program Files\B's CLiP\Win2K\BSCLIP.exe"
1380352 Nov 5 2003 "C:\Program Files\B's CLiP\Win2K\bak\BSCLIP.exe"
71328 Mar 10 2006 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
71328 Mar 10 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
638976 Sep 9 2003 "C:\Program Files\Toshiba\E-KEY\CeEKey.exe"
638976 Sep 9 2003 "C:\Program Files\Toshiba\E-KEY\bak\CeEKey.exe"
135168 Apr 24 2003 "C:\Program Files\Toshiba\Power Management\CePMTray.exe"
135168 Apr 24 2003 "C:\Program Files\Toshiba\Power Management\bak\CePMTray.exe"
65536 Sep 5 2003 "C:\Program Files\Toshiba\TOSCDSPD\toscdspd.exe"
65536 Sep 5 2003 "C:\Program Files\Toshiba\TOSCDSPD\bak\toscdspd.exe"
49152 Jun 12 2003 "C:\Program Files\Toshiba\TouchPad\TPTray.exe"
49152 Jun 12 2003 "C:\Program Files\Toshiba\TouchPad\bak\TPTray.exe"
159744 Oct 21 2003 "C:\TOSHIBA\Ivp\ISM\pinger.exe"
159744 Oct 21 2003 "C:\TOSHIBA\Ivp\ISM\bak\pinger.exe"


end of report

#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 October 2007 - 08:19 PM

Hi pcrunk,

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\EzButton\bak
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Toshiba Controls\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak
C:\Program Files\B's CLiP\Win2K\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Toshiba\E-KEY\bak
C:\Program Files\Toshiba\Power Management\bak
C:\Program Files\Toshiba\TOSCDSPD\bak
C:\Program Files\Toshiba\TouchPad\bak
C:\TOSHIBA\Ivp\ISM\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.
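The restore step in the earlier reply (option 2) and the folder cleanup above (option 3) both rest on comparing each bak copy with the file now sitting in its parent folder. The script below is an added illustration, not part of FindAWF or this thread: it parses the "Duplicate files of bak directory contents" section of a FindAWF report (a constructed excerpt using lines from the reports posted above), marks each parent-folder file as replaced, missing or identical, and derives the quoted restore list for files.txt and the deduplicated folder list for folders.txt.

```python
"""Triage the 'Duplicate files of bak directory contents' section of a FindAWF report.

Added illustration, not part of FindAWF: the AWF pattern moves the original
executable into a 'bak' subfolder and drops a replacement under the original
name, so each bak entry is compared with the file now in its parent folder.
"""
import re
from collections import namedtuple

# Constructed excerpt in the FindAWF report format (sizes and dates as shown in the thread).
SAMPLE_REPORT = r'''
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

708608 Jun 28 2003 "C:\Program Files\EzButton\bak\CplBTQ00.EXE"
267064 Sep 7 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Feb 24 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 15 2007 "C:\WINDOWS\Installer\{B8A204BC-7177-470E-BBDD-47256D05B325}\iTunesIco.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe"
282624 Jun 8 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
40960 Aug 21 2002 "C:\DragnDrop.temp\ezSP_Px.exe"
40960 Aug 21 2002 "C:\WINDOWS\system32\ezSP_Px.exe"
40960 Aug 21 2002 "C:\WINDOWS\system32\bak\ezSP_Px.exe"

end of report
'''

Entry = namedtuple("Entry", "size date path")

# One report line: <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


def parse_entries(report):
    """Return the file entries listed in the duplicate-files section."""
    entries = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def _parent_of_bak(path):
    """For '<dir>\\bak\\<name>' return '<dir>\\<name>', else None."""
    directory, _, name = path.rpartition("\\")
    parent_dir, _, last = directory.rpartition("\\")
    if last.lower() != "bak":
        return None
    return parent_dir + "\\" + name


def triage(report):
    """Map each bak copy to the state of the file in its parent folder.

    'replaced'  - parent folder holds a file of a different size or date
                  (the rogue dropped by AWF, or a later legitimate update)
    'missing'   - nothing by that name is listed in the parent folder
    'identical' - parent copy matches the bak copy in size and date;
                  size and date alone do not prove identical content,
                  which is why the thread restores every bak copy anyway
    """
    entries = parse_entries(report)
    by_path = {e.path.lower(): e for e in entries}  # Windows paths: case-insensitive
    status = {}
    for e in entries:
        parent = _parent_of_bak(e.path)
        if parent is None:
            continue  # not a bak copy (e.g. the DragnDrop.temp or Installer entries)
        live = by_path.get(parent.lower())
        if live is None:
            status[e.path] = "missing"
        elif live.size == e.size and live.date == e.date:
            status[e.path] = "identical"
        else:
            status[e.path] = "replaced"
    return status


def restore_list(report):
    """Quoted bak paths in the form FindAWF's files.txt expects (option 2)."""
    return ['"%s"' % p for p in triage(report)]


def bak_folders(report):
    """Deduplicated bak folders for FindAWF's folders.txt (option 3)."""
    folders = {p.rpartition("\\")[0] for p in triage(report)}
    return sorted(folders, key=str.lower)


if __name__ == "__main__":
    for path, state in triage(SAMPLE_REPORT).items():
        print("%-9s %s" % (state, path))
    print("\n".join(restore_list(SAMPLE_REPORT)))
    print("\n".join(bak_folders(SAMPLE_REPORT)))
```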

#12 pcrunk

pcrunk
  • Topic Starter

  • Members
  • 8 posts

Posted 17 October 2007 - 09:19 PM

Here's the new log:



Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Thu 10/18/2007
The current time is: 11:16:55.12


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
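The FindAWF steps and report above (find `bak` folders, restore or remove them, list duplicates of their contents) rest on one heuristic: the AWF infection moves a legitimate executable into a `bak` subfolder beside it and puts a same-named dropper in its place. The following is an added example that re-implements that check in Python; it is not FindAWF's own code (noahdfear's tool is a closed batch script) and the directory tree, file names and file contents it works on are constructed placeholders, not real binaries.

```python
"""Bak-folder check in the spirit of FindAWF (added example, not the
tool's own code). Sample tree and contents are constructed placeholders."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class BakFinding:
    bak_file: str                 # backed-up original inside the bak folder
    parent_file: Optional[str]    # same-named file one level up, if any
    same_content: Optional[bool]  # None when the parent copy is missing


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_folders(root: str) -> List[str]:
    """Every directory named 'bak' (case-insensitive) below root."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        hits += [os.path.join(dirpath, d) for d in dirnames if d.lower() == "bak"]
    return sorted(hits)


def compare_bak_contents(bak_dir: str) -> List[BakFinding]:
    """Compare each file in bak_dir with the same-named file in its parent.
    Differing copies are the AWF pattern (original moved, dropper in place);
    identical copies mean the original was already restored (option 2)."""
    parent = os.path.dirname(bak_dir)
    findings = []
    for name in sorted(os.listdir(bak_dir)):
        bak_path = os.path.join(bak_dir, name)
        if not os.path.isfile(bak_path):
            continue
        parent_path = os.path.join(parent, name)
        if os.path.isfile(parent_path):
            same = sha256_of(bak_path) == sha256_of(parent_path)
            findings.append(BakFinding(bak_path, parent_path, same))
        else:
            findings.append(BakFinding(bak_path, None, None))
    return findings


def replaced_binaries(root: str) -> List[str]:
    """Parent files whose bak copy differs: what the dropper replaced."""
    return [f.parent_file
            for bak in find_bak_folders(root)
            for f in compare_bak_contents(bak)
            if f.same_content is False]


def dropper_hashes(root: str) -> Set[str]:
    """AWF drops one file everywhere, so one hash recurring across
    unrelated program folders is the tell-tale sign."""
    return {sha256_of(p) for p in replaced_binaries(root)}


def remove_bak_folders(root: str) -> List[str]:
    """Delete bak folders whose files all match the parent (what option 3
    does once the originals are back). Anything else is left for a human."""
    removed = []
    for bak in find_bak_folders(root):
        findings = compare_bak_contents(bak)
        if findings and all(f.same_content for f in findings):
            shutil.rmtree(bak)
            removed.append(bak)
    return removed


def build_sample_tree() -> str:
    """Constructed sample: two folders still holding the dropper, one
    already restored. Contents are placeholder bytes, not executables."""
    root = tempfile.mkdtemp(prefix="awf_demo_")
    dropper = b"MZ-placeholder-dropper"

    def put(rel: str, data: bytes) -> None:
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)

    put("Program Files/iTunes/bak/iTunesHelper.exe", b"MZ-real-itunes-helper")
    put("Program Files/iTunes/iTunesHelper.exe", dropper)
    put("Program Files/QuickTime/bak/qttask.exe", b"MZ-real-qttask")
    put("Program Files/QuickTime/qttask.exe", dropper)
    put("TOSHIBA/Ivp/ISM/bak/pinger.exe", b"MZ-real-pinger")
    put("TOSHIBA/Ivp/ISM/pinger.exe", b"MZ-real-pinger")  # restored already
    return root
```

Run `build_sample_tree()` and then `replaced_binaries()` on the result to see the two folders where the dropper still sits; `remove_bak_folders()` only deletes the `bak` folder whose contents match the parent, which is the state the log above shows for `pinger.exe` (same size in both places) after the restore step. Comparing by hash rather than by size matters because a dropper padded to the original's length would pass a size-only check.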

#13 SifuMike
malware expert

Posted 17 October 2007 - 09:46 PM

Hi pcrunk,

Now run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones


When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

**************************



1. Double-click combofix.exe & follow the prompts.
2. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click combofix's window while it's running. That may cause it to stall.
If you have Norton Antivirus installed then disable script blocking so it will not interfere with the fix.

To disable Norton Script blocking Service:

* Disable the Script Blocking Service:
To open Services, click Start, point to Settings, and then click Control Panel.
Double-click Administrative Tools, and then double-click Services.
Find the ScriptBlocking service, right-click the service, and then click Properties.
On the General tab, under Startup, click Disabled.
Under Service Status, click Stop button. Click Apply button.

* Disable the Script Blocking In Norton Settings:
Start Norton Antivirus.
Click Options. If a menu appears when you click Options, then click Norton Antivirus. The Norton Antivirus Options dialog box appears.
Click Script Blocking.
Uncheck Enable Script Blocking (recommended).
Click OK
You can re-enable it afterwards when everything is clean again.

Edited by SifuMike, 17 October 2007 - 09:51 PM.


#14 pcrunk
Topic Starter

Posted 18 October 2007 - 12:30 AM

Here are the logs you asked for:

ComboFix 07-10-12.4 - Owner 2007-10-18 14:19:38.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.179 [GMT 9:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-18 to 2007-10-18 )))))))))))))))))))))))))))))))
.

2007-10-18 11:22 2,397 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-10-16 16:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-14 16:33 <DIR> d-------- C:\Program Files\Zoom Player
2007-10-14 14:47 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-14 00:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-13 23:27 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-10-13 21:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-13 21:29 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-10-13 21:29 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-13 21:29 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-13 21:29 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-10-13 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-10-13 21:28 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
2007-10-13 19:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-10-12 11:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-12 11:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-10-12 11:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-10-12 10:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-12 10:51 <DIR> d-------- C:\WINDOWS\pss
2007-10-12 10:16 <DIR> d-------- C:\VundoFix Backups
2007-10-10 08:22 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-04 20:10 <DIR> d--hs---- C:\WINDOWS\T3duZXI
2007-10-04 20:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2007-10-04 20:09 <DIR> d-------- C:\WINDOWS\system32\vMW02a
2007-10-04 20:09 <DIR> d-------- C:\WINDOWS\system32\sas1
2007-10-04 20:09 <DIR> d-------- C:\WINDOWS\system32\rev2
2007-10-04 20:09 <DIR> d-------- C:\WINDOWS\system32\bc1
2007-10-04 20:09 <DIR> d-------- C:\Temp\xOe
2007-10-04 20:09 <DIR> d-------- C:\Temp
2007-09-18 02:51 1,536,000 -ra------ C:\WINDOWS\system32\clubbox.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-18 02:16 --------- d-----w C:\Program Files\Toshiba Controls
2007-10-18 02:16 --------- d-----w C:\Program Files\QuickTime
2007-10-18 02:16 --------- d-----w C:\Program Files\iTunes
2007-10-18 02:16 --------- d-----w C:\Program Files\EzButton
2007-10-18 02:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-16 07:33 --------- d-----w C:\Program Files\Norton AntiVirus
2007-10-13 10:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2007-10-13 10:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2007-10-11 14:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-14 20:31 --------- d-----w C:\Program Files\iPod
2007-09-14 20:22 --------- d-----w C:\Program Files\Apple Software Update
2007-09-14 20:21 --------- d-----w C:\Program Files\Common Files\Apple
2007-09-14 20:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-09-13 06:07 --------- d-----w C:\Program Files\MSN Messenger
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-15 00:58 280,096 ----a-w C:\WINDOWS\system32\skcinst1.dll
2007-08-15 00:58 276,000 ----a-w C:\WINDOWS\system32\skcinst2.dll
2007-08-06 14:16 77,824 ----a-w C:\WINDOWS\system32\nod.dll
2007-07-30 10:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 10:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 10:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 10:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 10:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 10:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 10:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 10:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-16_17.19.20.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2002-08-20 20:29:26 40,960 ----a-w C:\WINDOWS\system32\ezSP_Px.exe
+ 2002-08-20 18:29:26 40,960 ----a-w C:\WINDOWS\system32\ezSP_Px.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{620396F4-0413-477E-8250-6DADF23560AA}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{29D8D40A-45AA-11D5-9C81-110102657B27}"= C:\WINDOWS\system32\comzen101.dll [ ]

[HKEY_CLASSES_ROOT\CLSID\{29D8D40A-45AA-11D5-9C81-110102657B27}]
[HKEY_CLASSES_ROOT\comzen101.DelSearch]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2003-09-09 12:10]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2003-04-24 17:52]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2003-06-12 10:46]
"B'sCLiP"="C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe" [2003-11-05 22:38]
"CplBTQ00"="C:\Program Files\EzButton\CplBTQ00.EXE" [2003-06-28 11:33]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 16:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-11-07 03:12 C:\WINDOWS\system32\nwiz.exe]
"CpRmtKey"="C:\Program Files\Toshiba Controls\CpRmtKey.EXE" [2003-12-10 08:43]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-21 02:39]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-10 00:47]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-08-16 15:09]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-21 03:29]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-08 09:35]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-24 08:45]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 22:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:56]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 20:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 11:05:26]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-07 06:23:32]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-12-10 06:56:16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R1 SrvcEKIOMngr;SrvcEKIOMngr;C:\WINDOWS\system32\Drivers\EKIoMngr.sys
R1 SrvcEPIOMngr;SrvcEPIOMngr;C:\WINDOWS\system32\Drivers\EPIoMngr.sys
R1 SrvcSSIOMngr;SrvcSSIOMngr;C:\WINDOWS\system32\Drivers\SSIoMngr.sys
R1 SrvcTPIOMngr;SrvcTPIOMngr;C:\WINDOWS\system32\Drivers\TPIoMngr.sys
R2 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
R3 EPOWER;Compal E-POWER Driver;C:\WINDOWS\system32\Drivers\hkdrv.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;C:\WINDOWS\system32\DRIVERS\cben5.sys
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 03:40:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-12 11:02:21 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job"
"2007-10-18 05:25:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 14:24:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-18 14:27:44
C:\ComboFix2.txt ... 2007-10-17 14:42
C:\ComboFix3.txt ... 2007-10-17 12:56
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:30:04 PM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://english.chosun.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: (no name) - {620396F4-0413-477E-8250-6DADF23560AA} - \
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"
O4 - HKLM\..\Run: [CeEPOWER] "C:\Program Files\TOSHIBA\Power Management\CePMTray.exe"
O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [CplBTQ00] "C:\Program Files\EzButton\CplBTQ00.EXE"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg7.cyworld.com/ImageUpload/CyIm...pload_10217.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {24A04430-81DA-467A-BE87-774DFAECBBF6} (UlalaPhoto Control) - http://cyimg7.cyworld.nate.com/storyRoom/C...geResizeCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {65F474EB-B86A-465A-BE5E-0447CB2C6C1C} (AnycallMusicLauncher Control) - http://anycallmusic.mylisten.com/AnycallMu...sicLauncher.cab
O16 - DPF: {8FA141C5-29D7-4408-A57B-619C463ED7BB} (Cychannel_Club1_10.UserControl1) - http://club.cyworld.nate.com/cychannel_clu...lubmain1_11.CAB
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.diodeo.com/ActiveDiodeoPlayer.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D8798B2A-5EB1-424A-AB19-E38CFB69E295} (CywordMovieUp Control) - http://mptop.cyworld.nate.com/activex/CyworldMovieUp.cab
O16 - DPF: {D8F001C6-43B1-4CFD-9DAF-C8BEAE0E2B6D} (Touch Control) - http://touch.imbc.com/ocx/test/Online.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8842 bytes

#15 SifuMike
malware expert

Posted 22 October 2007 - 12:49 PM

Hi pcrunk,

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O2 - BHO: (no name) - {620396F4-0413-477E-8250-6DADF23560AA} - \
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)



*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Finally, reboot your computer, post a new Hijackthis log, and tell me how your computer is running.
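The two O2 lines picked out above for "fix checked" are the BHO registrations whose module is missing: one resolves to `(no file)`, the other to a bare `\`. The following is an added example, not HijackThis code, that applies that same triage to O2 (BHO) and O3 (toolbar) lines from a log. Four of its sample lines are copied from the log posted earlier in this thread; the fifth, with a relative `helper.dll` path and an all-zero CLSID, is constructed to show the second case the check catches.

```python
"""Triage of HijackThis O2/O3 entries (added example, not HijackThis code):
flag BHO and toolbar registrations whose module is missing or whose path
is not an absolute module path."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# O2 and O3 lines share one layout: section - kind: name - {CLSID} - path
ENTRY_RE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}) - (?P<path>.*)$",
    re.I,
)
# A usable module path: drive letter, backslash, ending in a loadable module.
MODULE_PATH_RE = re.compile(r"^[A-Z]:\\.+\.(dll|ocx|exe)$", re.I)

SAMPLE_LOG = [
    # first four lines copied from the HijackThis log posted in this thread
    "O2 - BHO: (no name) - {620396F4-0413-477E-8250-6DADF23560AA} - \\",
    "O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    "O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - "
    "C:\\Program Files\\Norton AntiVirus\\NavShExt.dll",
    "O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - "
    "C:\\Program Files\\Norton AntiVirus\\NavShExt.dll",
    # constructed line, not from the posted log: a relative module path
    "O2 - BHO: Example Helper - {00000000-1111-2222-3333-444444444444} - helper.dll",
]


@dataclass
class ShellEntry:
    section: str
    kind: str
    name: str
    clsid: str
    path: str
    raw: str

    def problem(self) -> Optional[str]:
        """Why this registration deserves a look, or None if the path is usable."""
        p = self.path.strip()
        # HijackThis prints "(no file)" when the registered module is not on
        # disk; an empty path value typically shows up as a bare backslash.
        if p in ("", "\\", "(no file)"):
            return "no module on disk for this CLSID (orphaned registration)"
        if not MODULE_PATH_RE.match(p):
            return "module path is not an absolute drive path"
        return None


def parse_entries(lines: Iterable[str]) -> List[ShellEntry]:
    """Keep only O2/O3 lines that match the expected layout."""
    entries = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = ENTRY_RE.match(line)
        if m:
            entries.append(ShellEntry(**m.groupdict(), raw=line))
    return entries


def flagged(lines: Iterable[str]) -> List[ShellEntry]:
    return [e for e in parse_entries(lines) if e.problem()]


def fix_checked_lines(lines: Iterable[str]) -> List[str]:
    """The raw lines to tick under 'fix checked' in HijackThis."""
    return [e.raw for e in flagged(lines)]
```

`fix_checked_lines(SAMPLE_LOG)` returns the two posted O2 lines plus the constructed one. The check is deliberately narrow: an entry with a real, absolute path (the two Norton lines here) is not thereby clean, it is just not orphaned, and the CLSIDs of orphaned entries are still worth looking up under HKEY_CLASSES_ROOT\CLSID, since the ComboFix log earlier in this thread lists the first of them as a surviving loading point.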



