Desktop Hijacker Problem


12 replies to this topic

#1 R Boyce

R Boyce

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:21 AM

Posted 24 March 2008 - 08:55 PM

What happened:
My daughter tried to dismiss a popup on FaceBook, was transported to a security sales website and voilà! We have a desktop hijacker installed.

My desktop says "Warning spyware threat has been detected on your PC."
I get Toolbar popups and regular old popups.
IE opens itself to the website "about:security" (livesecuritycenter.com)

What I did:

Ran Ad-Aware multiple times and it was unable to handle:
Adware.180Solutions.SeekmoSearchAssistant
istbar

Ran SpyBot S&D and it had problems with
MSIXU.DLL
seekmohook.dll
2020search2.dll
bjam.dll

I scanned with TrendMicro House Call and it couldn't handle
ADW_PURITY.AA - rundll32.exe
ADW_CLICKSPRI.AM - chkdsk.exe

I have also run McAfee Stinger.

Any help greatly appreciated.

thanks,
Rachel

My HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:58 PM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\sbwltbxa.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\lotus\notes\ntmulti.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\TAudEffect\TAudEff.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Common Files\PestPatrol\PPMCActiveDetection.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\nkkrj.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {44424cd8-1dd2-11b2-ae66-b9ed6d455809} - C:\WINDOWS\vmxydaho.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\Toshiba\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [PPMCActiveDetection] C:\Program Files\Common Files\PestPatrol\PPMCActiveDetection.exe "-ini:C:\Program Files\Common Files\PestPatrol\ppmcad.ini"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [polargns] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\polargns.dll"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [YMUdyr7miO] rundll32.exe "C:\WINDOWS\pgtivydm.dll",DllCleanServer
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.mrw.interscience.wiley.com/wfplayer/tdserver.cab
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://sf-altiris/aspnet_client/Altiris_Ap...ib/mcsimenu.CAB
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://hmi2.wileypub.com/iNotes6W.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab
O16 - DPF: {74233DB3-F72F-44EA-94DC-258A624037E6} (ComponentOne FlexGrid 8.0 (UNICODE Light)) - http://sf-altiris/aspnet_client/Altiris_Ap...lib/VSFlex8.CAB
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/wi...FreeInstall.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://india.webex.com/client/T23L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.wileynet.net
O17 - HKLM\Software\..\Telephony: DomainName = northamerica.wileynet.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.wileynet.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = northamerica.wileynet.net,wileynet.net,wiley.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = northamerica.wileynet.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = northamerica.wileynet.net
O20 - AppInit_DLLs: AMINIT.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

--
End of file - 17712 bytes
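As an added example (not from this thread, and not HijackThis or ComboFix code), the script below reads HijackThis-format lines and flags the persistence patterns that stand out in the log above: extra values appended to the system.ini Shell and UserInit keys (F2), an unnamed BHO backed by a real DLL (O2), autostarts from the drivers folder or a service account's profile and the Policies\Explorer\Run key (O4), a non-empty AppInit_DLLs (O20), and a vendorless service running from an odd path (O23). The sample lines are constructed from entries in the log; the rules are this script's own heuristics, not anything HijackThis reports itself.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 log format, modelled on lines from the log
# above (not the complete log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\nkkrj.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: (no name) - {44424cd8-1dd2-11b2-ae66-b9ed6d455809} - C:\WINDOWS\vmxydaho.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [YMUdyr7miO] rundll32.exe "C:\WINDOWS\pgtivydm.dll",DllCleanServer
O20 - AppInit_DLLs: AMINIT.dll
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


@dataclass
class Finding:
    line: str
    reason: str


# Locations a legitimate autostart or service almost never uses: an .exe inside
# the drivers folder, a binary in a service account's Local Settings, a DLL in
# All Users\Application Data, or a DLL dropped directly into the Windows root.
SUSPICIOUS_PATH = re.compile(
    r"\\system32\\drivers\\[^\\]+\.exe"
    r"|\\Local Settings\\Application Data\\[^\\]+\.exe"
    r"|\\All Users\\Application Data\\[^\\]+\.dll"
    r"|\\WINDOWS\\[^\\]+\.dll",
    re.IGNORECASE,
)

# The only values these two system.ini keys should carry on Windows XP.
EXPECTED_F2 = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}


def check_f2(line: str, rest: str) -> list[Finding]:
    """Report every Shell/UserInit value beyond the expected one."""
    # rest looks like 'REG:system.ini: Shell=Explorer.exe, C:\...\nkkrj.exe'
    _, _, assignment = rest.partition("system.ini: ")
    key, _, values = assignment.partition("=")
    expected = EXPECTED_F2.get(key.lower())
    if expected is None:
        return []
    extras = [v.strip() for v in values.split(",")
              if v.strip() and v.strip().lower() not in expected]
    return [Finding(line, f"extra {key} entry: {v}") for v in extras]


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return the lines worth a closer look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, _, rest = line.partition(" - ")
        if kind == "F2":
            findings.extend(check_f2(line, rest))
        elif kind == "O2" and rest.startswith("BHO: (no name)") and not rest.endswith("(no file)"):
            findings.append(Finding(line, "unnamed BHO backed by a real DLL"))
        elif kind == "O4":
            if "Policies\\Explorer\\Run" in rest:
                findings.append(Finding(line, "Policies\\Explorer\\Run autostart (rarely used legitimately)"))
            elif SUSPICIOUS_PATH.search(rest):
                findings.append(Finding(line, "autostart from an unusual location"))
        elif kind == "O20" and rest.startswith("AppInit_DLLs:") and rest.split(":", 1)[1].strip():
            findings.append(Finding(line, "non-empty AppInit_DLLs (loaded into every GUI process)"))
        elif kind == "O23" and "Unknown owner" in rest and SUSPICIOUS_PATH.search(rest):
            findings.append(Finding(line, "service with no vendor running from an unusual location"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:60} {f.line}")
```

Entries it does not flag (the Symantec and Google lines in the sample) still deserve a glance; the script narrows the list, it does not clear a machine.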


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:21 AM

Posted 25 March 2008 - 07:02 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 R Boyce

R Boyce
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:21 AM

Posted 25 March 2008 - 07:53 PM

Hi Sam, here is the log...
thanks,
Rachel

ComboFix 08-03-24.2 - Administrator 2008-03-25 19:33:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.566 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Script messages for sUBs --
Findstr -MLF:temp01 -G:temp00
MTEE WowErr.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\rboyce\Application Data\MCROSO~1
C:\Documents and Settings\rboyce\Application Data\MCROSO~1\M?crosoft\
C:\Documents and Settings\rboyce\Application Data\MCROSO~1\rundll32.exe
C:\Documents and Settings\rboyce\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\rboyce\My Documents\SEMBLY~1
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\default.htm
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\YMUdyr7miOwp.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\smbols~1
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\wnsxs~1
C:\WINDOWS\ystem3~1

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
hxxp://sf
.
((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-25 19:40 . 2008-03-25 19:40 <DIR> d-------- C:\WINDOWS\PerfInfo
2008-03-24 20:51 . 2008-03-24 20:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-24 17:48 . 2008-03-24 20:06 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-03-24 17:47 . 2008-03-24 17:47 <DIR> d-------- C:\Program Files\180solutions
2008-03-24 11:53 . 2008-03-24 14:01 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\HouseCall 6.6
2008-03-24 10:30 . 2008-03-24 11:30 <DIR> d-------- C:\Documents and Settings\rboyce\.housecall6.6
2008-03-23 20:31 . 2008-03-23 20:31 <DIR> d-------- C:\Program Files\ToniArts
2008-03-23 20:31 . 2008-03-23 20:31 16,128 --a------ C:\WINDOWS\123messenger.per
2008-03-23 20:26 . 2008-03-23 20:26 <DIR> d-------- C:\Program Files\zango
2008-03-23 20:26 . 2008-03-23 20:26 <DIR> d-------- C:\Program Files\180searchassistant
2008-03-23 20:26 . 2008-03-23 20:27 <DIR> d-------- C:\Program Files\180search assistant
2008-03-23 20:22 . 2008-03-23 20:22 <DIR> d-------- C:\WINDOWS\FLEOK
2008-03-23 20:22 . 2008-03-23 20:22 28,160 --a------ C:\WINDOWS\didduid.ini
2008-03-23 18:28 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-23 00:08 . 2008-03-23 00:08 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\Apple Computer
2008-03-22 23:07 . 2008-03-23 19:28 7,938 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-22 23:06 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-22 23:06 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-22 23:06 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-22 23:06 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-22 23:06 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-22 23:06 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-22 15:54 . 2008-03-23 20:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-22 15:54 . 2008-03-23 20:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-22 15:33 . 2008-03-25 19:23 5,120 --a------ C:\Documents and Settings\LocalService\ftpdll.dll
2008-03-22 15:25 . 2008-03-22 15:25 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-22 15:25 . 2008-03-22 15:25 <DIR> d-------- C:\Program Files\stc
2008-03-22 15:11 . 2008-03-22 15:11 <DIR> d-------- C:\WINDOWS\ecnjojel
2008-03-22 15:11 . 2008-03-22 15:11 188,928 --a------ C:\WINDOWS\pgtivydm.dll
2008-03-22 15:11 . 2008-03-22 15:11 53,760 --a------ C:\WINDOWS\vmxydaho.dll
2008-03-22 15:11 . 2008-03-22 15:11 53,760 --a------ C:\Documents and Settings\All Users\Application Data\polargns.dll
2008-03-22 15:11 . 2008-03-22 15:11 40,960 --a------ C:\WINDOWS\upcrufaf.exe
2008-03-22 15:11 . 2008-03-22 15:11 38,249 ---hs---- C:\WINDOWS\system32\drivers\spools.exe
2008-03-22 15:11 . 2008-03-25 19:23 5,120 --a------ C:\WINDOWS\system32\ftpdll.dll
2008-03-22 15:11 . 2008-03-22 15:11 5,120 --a------ C:\Documents and Settings\rboyce\ftpdll.dll
2008-03-22 15:11 . 2008-03-22 15:11 298 --a------ C:\PPCleanDeleteAtReboot.bat
2008-03-18 16:43 . 2008-03-18 16:49 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\Sites
2008-03-18 16:43 . 2008-03-18 18:10 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\SiteClasses
2008-03-18 16:43 . 2008-03-18 16:43 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\Dynamic
2008-03-18 16:42 . 2008-03-18 16:42 <DIR> d-------- C:\Program Files\Visicom Media
2008-02-28 19:37 . 2006-09-18 20:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-28 19:37 . 2006-09-18 20:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-28 16:40 . 2008-02-28 16:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-28 16:40 . 2008-02-28 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 00:38 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-26 00:21 2,401 ----a-w C:\WINDOWS\system32\drivers\AlKernel.sys
2008-03-24 01:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-22 20:11 --------- d-----w C:\Program Files\Common Files\PestPatrol
2008-03-18 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-10 13:49 41 ----a-w C:\AClient.dat
2008-02-29 18:42 --------- d-----w C:\Documents and Settings\rboyce\Application Data\OpenOffice.org2
2008-02-29 00:37 --------- d-----w C:\Program Files\Symantec
2008-02-29 00:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-29 00:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-26 04:48 --------- d-----w C:\Documents and Settings\rboyce\Application Data\Creative
2008-02-23 00:32 --------- d-----w C:\Program Files\MSBuild
2008-02-23 00:30 --------- d-----w C:\Program Files\Reference Assemblies
2008-02-13 23:28 114,233,742 ----a-w C:\SYM_REGISTRY_BACKUP.reg
2008-02-09 02:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-09 02:40 --------- d-----w C:\Program Files\Lavasoft
2008-02-09 02:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-08 04:01 3,584 --sha-w C:\Program Files\Common Files\Thumbs.db
2008-02-07 20:32 --------- d-----w C:\Documents and Settings\rboyce\Application Data\webex
2008-01-30 22:24 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-24 00:35 95,064 ----a-w C:\WINDOWS\system32\cdm.dll
2008-01-24 00:35 556,376 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-01-24 00:35 325,464 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-01-24 00:35 204,120 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-01-24 00:35 1,743,704 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-01-24 00:34 53,592 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-01-24 00:34 44,888 ----a-w C:\WINDOWS\system32\wups2.dll
2008-01-24 00:34 36,184 ----a-w C:\WINDOWS\system32\wups.dll
2005-11-15 21:32 3,638 ----a-r C:\Program Files\Common Files\Altiris_Icon.ico
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44424cd8-1dd2-11b2-ae66-b9ed6d455809}]
2008-03-22 15:11 53760 --a------ C:\WINDOWS\vmxydaho.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-12-10 09:50 856135 C:\WINDOWS\system32\nview.dll]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 11:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-14 13:01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-12-10 09:50 323584 C:\WINDOWS\system32\nwiz.exe]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-01-02 19:16 172032]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 14:20 88363 C:\WINDOWS\agrsmmsg.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 19:46 192512]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2003-11-21 17:49 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"TPSMain"="TPSMain.exe" [2003-12-15 14:54 278528 C:\WINDOWS\system32\TPSMain.exe]
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [2003-12-09 23:50 126976]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [2003-10-06 20:43 77824]
"TMESBS.EXE"="C:\Program Files\TOSHIBA\TME3\TMESBS32.exe" [2003-08-01 17:56 86016]
"DpUtil"="C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe" [2003-11-11 23:19 159744]
"TFNF5"="TFNF5.exe" [2003-11-17 22:42 73728 C:\WINDOWS\system32\TFNF5.exe]
"TFncKy"="TFncKy.exe" []
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 18:07 49152]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2003-12-03 15:26 131072]
"TAudEffect"="C:\Program Files\Toshiba\TAudEffect\TAudEff.exe" [2003-12-25 19:17 208972]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 12:39 159744]
"AClntUsr"="C:\Program Files\Altiris\AClient\AClntUsr.EXE" [2008-03-25 19:43 184320]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 23:52 483328]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2001-05-06 07:10 20530]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [2001-05-06 07:10 24626]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [2001-05-06 07:10 49152]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2001-05-06 07:10 20530]
"IVPServiceMgr"="C:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 12:37 475136]
"PPMCActiveDetection"="C:\Program Files\Common Files\PestPatrol\PPMCActiveDetection.exe" [2004-10-14 21:50 114688]
"AeXAgentLogon"="C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2008-01-30 22:06 143360]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-18 17:12 180269]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 13:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 13:56 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-12-28 14:00 569413]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04 40960]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 17:14 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 17:30 864256]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 22:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 23:33 125168]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-01-14 12:27:06 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"YMUdyr7miO"= rundll32.exe "C:\WINDOWS\pgtivydm.dll",DllCleanServer

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= AMINIT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-23404\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-23404\Scripts\Logon\1\0]
"Script"=\\Sf-fileprint\SF\logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-7861\Scripts\Logon\0\0]
"Script"=\\hb-dhcp1\NETLOGON\ptlogin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-8683\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-8683\Scripts\Logon\1\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R1 CCDevice;CCDevice;C:\WINDOWS\system32\drivers\CCDevice.sys [2007-05-29 19:55]
R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2002-09-26 16:15]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc80211.sys [2005-06-22 17:17]
R2 Tmesbs;Tmesbs32;"C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service []
R3 TEchoCan;Toshiba Audio Effect;C:\WINDOWS\system32\DRIVERS\TEchoCan.sys [2004-01-09 22:26]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 12:50]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-09-29 03:24]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 04:28]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys [2003-02-17 11:04]
S3 portio;TPM Service;C:\WINDOWS\system32\DRIVERS\NscTpmDD.sys [2003-12-16 23:08]
S3 PortRst;PortRst;C:\WINDOWS\system32\DRIVERS\PortRst.sys [2002-01-29 20:33]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2003-02-04 15:12]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 19:40:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\PerfInfo

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\nsl.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\lotus\notes\ntmulti.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\userinit.exe
.
**************************************************************************
.
Completion time: 2008-03-25 19:46:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-26 00:46:08
.
2008-03-19 21:41:50 --- E O F ---

#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 26 March 2008 - 06:10 AM

We're getting there, but we still have work to do.


Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Also post a new hijackthis log and a new log from Combofix.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 R Boyce
  • Topic Starter

  • Members
  • 6 posts

Posted 26 March 2008 - 10:19 PM

ok, I'm pasting in these logs:
1. Super Anti-Spyware
2. HijackThis
3. Combofix

thanks,
Rachel

1. Super Anti-Spyware
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/26/2008 at 09:23 PM

Application Version : 4.0.1154

Core Rules Database Version : 3426
Trace Rules Database Version: 1418

Scan type : Complete Scan
Total Scan Time : 01:12:26

Memory items scanned : 646
Memory threats detected : 2
Registry items scanned : 6187
Registry threats detected : 31
File items scanned : 74108
File threats detected : 23

Worm.Rbot-LD
C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
[ntuser] C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
[ntuser] C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
[ntuser] C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
C:\WINDOWS\Prefetch\SPOOLS.EXE-1394AE12.pf

Rogue.WinXPSpeedUp-Installer
C:\WINDOWS\PGTIVYDM.DLL
C:\WINDOWS\PGTIVYDM.DLL

Trojan.Unclassified/Spools-Fake
[autoload] C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\CFTMON.EXE
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\CFTMON.EXE
[autoload] C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\CFTMON.EXE
[autoload] C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\CFTMON.EXE
C:\DOCUMENTS AND SETTINGS\RBOYCE\LOCAL SETTINGS\APPLICATION DATA\CFTMON.EXE
C:\QOOBOX\QUARANTINE\C\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\CFTMON.EXE.VIR
C:\QOOBOX\QUARANTINE\C\DOCUMENTS AND SETTINGS\RBOYCE\LOCAL SETTINGS\APPLICATION DATA\CFTMON.EXE.VIR

Trojan.Unclassified-Packed/Suspicious
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44424cd8-1dd2-11b2-ae66-b9ed6d455809}
HKCR\CLSID\{44424CD8-1DD2-11B2-AE66-B9ED6D455809}
HKCR\CLSID\{44424CD8-1DD2-11B2-AE66-B9ED6D455809}\InprocServer32
HKCR\CLSID\{44424CD8-1DD2-11B2-AE66-B9ED6D455809}\InprocServer32#ThreadingModel
HKCR\CLSID\{44424CD8-1DD2-11B2-AE66-B9ED6D455809}\InprocServer32#t
C:\WINDOWS\VMXYDAHO.DLL
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\POLARGNS.DLL

Adware.180solutions/ZangoSearch
C:\Program Files\Zango\zango.exe
C:\Program Files\Zango

Adware.Elite Media
HKLM\Software\elite
HKLM\Software\elite#check
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/elite.ocx
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/elite.ocx#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/elite.ocx#{9AC54695-69A4-46F1-BE10-10C74F9520D5}
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9AC54695-69A4-46F1-BE10-10C74F9520D5}
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9AC54695-69A4-46F1-BE10-10C74F9520D5}#SystemComponent
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9AC54695-69A4-46F1-BE10-10C74F9520D5}#Installer
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9AC54695-69A4-46F1-BE10-10C74F9520D5}\Contains
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9AC54695-69A4-46F1-BE10-10C74F9520D5}\Contains\Files
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9AC54695-69A4-46F1-BE10-10C74F9520D5}\Contains\Files#C:\WINDOWS\system32\ObjSafe.tlb
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9AC54695-69A4-46F1-BE10-10C74F9520D5}\Contains\Files#C:\WINDOWS\Downloaded Program Files\elite.ocx
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9AC54695-69A4-46F1-BE10-10C74F9520D5}\DownloadInformation
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9AC54695-69A4-46F1-BE10-10C74F9520D5}\DownloadInformation#CODEBASE
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9AC54695-69A4-46F1-BE10-10C74F9520D5}\DownloadInformation#INF
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9AC54695-69A4-46F1-BE10-10C74F9520D5}\InstalledVersion
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9AC54695-69A4-46F1-BE10-10C74F9520D5}\InstalledVersion#LastModified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#C:\WINDOWS\Downloaded Program Files\elite.ocx [  ]

Trojan.Unknown Origin
HKLM\Software\xpre
HKLM\Software\xpre#execount

Trojan.Unclassified/FTP-Fake
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\FTPDLL.DLL
C:\DOCUMENTS AND SETTINGS\RBOYCE\FTPDLL.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{40FDD344-1F5B-4507-9D23-440D675CD109}\RP1\A0000053.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{40FDD344-1F5B-4507-9D23-440D675CD109}\RP1\A0000054.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{40FDD344-1F5B-4507-9D23-440D675CD109}\RP1\A0000155.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{40FDD344-1F5B-4507-9D23-440D675CD109}\RP1\A0000156.DLL
C:\WINDOWS\SYSTEM32\FTPDLL.DLL

Adware.Tracking Cookie
C:\Documents and Settings\rboyce\Cookies\rboyce@ad.yieldmanager[2].txt

Rogue.WinPerformance
C:\QOOBOX\QUARANTINE\C\WINDOWS\PERFINFO\YMUDYR7MIOWP.EXE.VIR
C:\WINDOWS\PERFINFO\YMUDYR7MIOWP.EXE

Trojan.FakeDrop-180AX
C:\WINDOWS\FLEOK\180AX.EXE

Torjan.SecondThoughtInstaller
C:\WINDOWS\INSTALLER\ID53.EXE

2. HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:55 PM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\lotus\notes\ntmulti.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\TAudEffect\TAudEff.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\Common Files\PestPatrol\PPMCActiveDetection.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Altiris\AClient\AClntUsr.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44424cd8-1dd2-11b2-ae66-b9ed6d455809} - C:\WINDOWS\vmxydaho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\Toshiba\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [PPMCActiveDetection] C:\Program Files\Common Files\PestPatrol\PPMCActiveDetection.exe "-ini:C:\Program Files\Common Files\PestPatrol\ppmcad.ini"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [YMUdyr7miO] rundll32.exe "C:\WINDOWS\pgtivydm.dll",DllCleanServer
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.mrw.interscience.wiley.com/wfplayer/tdserver.cab
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://sf-altiris/aspnet_client/Altiris_Ap...ib/mcsimenu.CAB
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://hmi2.wileypub.com/iNotes6W.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab
O16 - DPF: {74233DB3-F72F-44EA-94DC-258A624037E6} (ComponentOne FlexGrid 8.0 (UNICODE Light)) - http://sf-altiris/aspnet_client/Altiris_Ap...lib/VSFlex8.CAB
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/wi...FreeInstall.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://india.webex.com/client/T23L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.wileynet.net
O17 - HKLM\Software\..\Telephony: DomainName = northamerica.wileynet.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.wileynet.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = northamerica.wileynet.net,wileynet.net,wiley.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = northamerica.wileynet.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = northamerica.wileynet.net
O20 - AppInit_DLLs: AMINIT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

--
End of file - 15924 bytes


3. Combofix
ComboFix 08-03-24.2 - Administrator 2008-03-26 21:58:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.705 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\PerfInfo

.
((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-26 19:55 . 2008-03-26 19:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-26 19:55 . 2008-03-26 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-26 19:55 . 2008-03-26 19:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-03-24 20:51 . 2008-03-24 20:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-24 17:48 . 2008-03-24 20:06 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-03-24 17:47 . 2008-03-24 17:47 <DIR> d-------- C:\Program Files\180solutions
2008-03-24 11:53 . 2008-03-24 14:01 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\HouseCall 6.6
2008-03-24 10:30 . 2008-03-24 11:30 <DIR> d-------- C:\Documents and Settings\rboyce\.housecall6.6
2008-03-23 20:31 . 2008-03-23 20:31 <DIR> d-------- C:\Program Files\ToniArts
2008-03-23 20:31 . 2008-03-23 20:31 16,128 --a------ C:\WINDOWS\123messenger.per
2008-03-23 20:26 . 2008-03-23 20:26 <DIR> d-------- C:\Program Files\180searchassistant
2008-03-23 20:26 . 2008-03-23 20:27 <DIR> d-------- C:\Program Files\180search assistant
2008-03-23 20:22 . 2008-03-26 21:32 <DIR> d-------- C:\WINDOWS\FLEOK
2008-03-23 20:22 . 2008-03-23 20:22 28,160 --a------ C:\WINDOWS\didduid.ini
2008-03-23 18:28 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-23 00:08 . 2008-03-23 00:08 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\Apple Computer
2008-03-22 23:07 . 2008-03-23 19:28 7,938 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-22 23:06 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-22 23:06 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-22 23:06 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-22 23:06 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-22 23:06 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-22 23:06 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-22 15:54 . 2008-03-23 20:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-22 15:54 . 2008-03-23 20:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-22 15:25 . 2008-03-22 15:25 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-22 15:25 . 2008-03-22 15:25 <DIR> d-------- C:\Program Files\stc
2008-03-22 15:11 . 2008-03-22 15:11 <DIR> d-------- C:\WINDOWS\ecnjojel
2008-03-22 15:11 . 2008-03-22 15:11 53,760 --a------ C:\WINDOWS\vmxydaho.dll
2008-03-22 15:11 . 2008-03-22 15:11 53,760 --a------ C:\Documents and Settings\All Users\Application Data\polargns.dll
2008-03-22 15:11 . 2008-03-22 15:11 40,960 --a------ C:\WINDOWS\upcrufaf.exe
2008-03-22 15:11 . 2008-03-22 15:11 298 --a------ C:\PPCleanDeleteAtReboot.bat
2008-03-18 16:43 . 2008-03-18 16:49 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\Sites
2008-03-18 16:43 . 2008-03-18 18:10 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\SiteClasses
2008-03-18 16:43 . 2008-03-18 16:43 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\Dynamic
2008-03-18 16:42 . 2008-03-18 16:42 <DIR> d-------- C:\Program Files\Visicom Media
2008-02-28 19:37 . 2006-09-18 20:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-28 19:37 . 2006-09-18 20:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-28 16:40 . 2008-02-28 16:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-28 16:40 . 2008-02-28 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 02:37 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-27 00:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 00:19 2,401 ----a-w C:\WINDOWS\system32\drivers\AlKernel.sys
2008-03-24 01:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-22 20:11 --------- d-----w C:\Program Files\Common Files\PestPatrol
2008-03-18 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-10 13:49 41 ----a-w C:\AClient.dat
2008-02-29 18:42 --------- d-----w C:\Documents and Settings\rboyce\Application Data\OpenOffice.org2
2008-02-29 00:37 --------- d-----w C:\Program Files\Symantec
2008-02-29 00:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-29 00:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-26 04:48 --------- d-----w C:\Documents and Settings\rboyce\Application Data\Creative
2008-02-23 00:32 --------- d-----w C:\Program Files\MSBuild
2008-02-23 00:30 --------- d-----w C:\Program Files\Reference Assemblies
2008-02-13 23:28 114,233,742 ----a-w C:\SYM_REGISTRY_BACKUP.reg
2008-02-09 02:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-09 02:40 --------- d-----w C:\Program Files\Lavasoft
2008-02-08 04:01 3,584 --sha-w C:\Program Files\Common Files\Thumbs.db
2008-02-07 20:32 --------- d-----w C:\Documents and Settings\rboyce\Application Data\webex
2008-01-30 22:24 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-24 00:35 95,064 ----a-w C:\WINDOWS\system32\cdm.dll
2008-01-24 00:35 556,376 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-01-24 00:35 325,464 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-01-24 00:35 204,120 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-01-24 00:35 1,743,704 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-01-24 00:34 53,592 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-01-24 00:34 44,888 ----a-w C:\WINDOWS\system32\wups2.dll
2008-01-24 00:34 36,184 ----a-w C:\WINDOWS\system32\wups.dll
2005-11-15 21:32 3,638 ----a-r C:\Program Files\Common Files\Altiris_Icon.ico
.

((((((((((((((((((((((((((((( snapshot@2008-03-25_19.45.44.94 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-27 00:55:42 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-03-27 00:55:42 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-03-27 02:37:25 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_340.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44424cd8-1dd2-11b2-ae66-b9ed6d455809}]
2008-03-22 15:11 53760 --a------ C:\WINDOWS\vmxydaho.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-12-10 09:50 856135 C:\WINDOWS\system32\nview.dll]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 11:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-14 13:01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-12-10 09:50 323584 C:\WINDOWS\system32\nwiz.exe]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-01-02 19:16 172032]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 14:20 88363 C:\WINDOWS\agrsmmsg.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 19:46 192512]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2003-11-21 17:49 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"TPSMain"="TPSMain.exe" [2003-12-15 14:54 278528 C:\WINDOWS\system32\TPSMain.exe]
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [2003-12-09 23:50 126976]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [2003-10-06 20:43 77824]
"TMESBS.EXE"="C:\Program Files\TOSHIBA\TME3\TMESBS32.exe" [2003-08-01 17:56 86016]
"DpUtil"="C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe" [2003-11-11 23:19 159744]
"TFNF5"="TFNF5.exe" [2003-11-17 22:42 73728 C:\WINDOWS\system32\TFNF5.exe]
"TFncKy"="TFncKy.exe" []
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 18:07 49152]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2003-12-03 15:26 131072]
"TAudEffect"="C:\Program Files\Toshiba\TAudEffect\TAudEff.exe" [2003-12-25 19:17 208972]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 12:39 159744]
"AClntUsr"="C:\Program Files\Altiris\AClient\AClntUsr.EXE" [2008-03-26 21:37 184320]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 23:52 483328]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2001-05-06 07:10 20530]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [2001-05-06 07:10 24626]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [2001-05-06 07:10 49152]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2001-05-06 07:10 20530]
"IVPServiceMgr"="C:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 12:37 475136]
"PPMCActiveDetection"="C:\Program Files\Common Files\PestPatrol\PPMCActiveDetection.exe" [2004-10-14 21:50 114688]
"AeXAgentLogon"="C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2008-01-30 22:06 143360]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-18 17:12 180269]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 13:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 13:56 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-12-28 14:00 569413]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04 40960]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 17:14 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 17:30 864256]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 22:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 23:33 125168]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-01-14 12:27:06 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"YMUdyr7miO"= rundll32.exe "C:\WINDOWS\pgtivydm.dll",DllCleanServer

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= AMINIT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-23404\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-23404\Scripts\Logon\1\0]
"Script"=\\Sf-fileprint\SF\logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-7861\Scripts\Logon\0\0]
"Script"=\\hb-dhcp1\NETLOGON\ptlogin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-8683\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-8683\Scripts\Logon\1\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R1 CCDevice;CCDevice;C:\WINDOWS\system32\drivers\CCDevice.sys [2007-05-29 19:55]
R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2002-09-26 16:15]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc80211.sys [2005-06-22 17:17]
R2 Tmesbs;Tmesbs32;"C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service []
R3 TEchoCan;Toshiba Audio Effect;C:\WINDOWS\system32\DRIVERS\TEchoCan.sys [2004-01-09 22:26]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 12:50]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-09-29 03:24]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 04:28]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys [2003-02-17 11:04]
S3 portio;TPM Service;C:\WINDOWS\system32\DRIVERS\NscTpmDD.sys [2003-12-16 23:08]
S3 PortRst;PortRst;C:\WINDOWS\system32\DRIVERS\PortRst.sys [2002-01-29 20:33]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2003-02-04 15:12]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 22:02:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-26 22:02:51
ComboFix-quarantined-files.txt 2008-03-27 03:02:42
ComboFix2.txt 2008-03-26 00:46:17
.
2008-03-19 21:41:50 --- E O F ---

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:21 AM

Posted 27 March 2008 - 07:28 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Folder::
C:\Program Files\180solutions
C:\Program Files\180searchassistant
C:\Program Files\180search assistant
C:\WINDOWS\FLEOK
C:\Program Files\Sysmnt
C:\Program Files\stc
C:\WINDOWS\ecnjojel

File::
C:\WINDOWS\123messenger.per
C:\WINDOWS\vmxydaho.dll
C:\Documents and Settings\All Users\Application Data\polargns.dll
C:\WINDOWS\upcrufaf.exe
C:\PPCleanDeleteAtReboot.bat

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44424cd8-1dd2-11b2-ae66-b9ed6d455809}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"YMUdyr7miO"=-

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag and drop the CFScript file onto ComboFix.exe, as seen in the image below.

Posted Image

This will start ComboFix again.
After the reboot (if it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
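The usual way to confirm that a CFScript run actually worked is to check whether its targets are still listed in the ComboFix log from the next run. The Python below does that comparison; it is an added example for this thread, not ComboFix's code or the helper's, and the CFScript and log excerpts are constructed from entries quoted in the posts above and trimmed down.

```python
"""Check whether the folders, files and registry entries a ComboFix CFScript targeted
still appear in the next ComboFix log.  Added example; sample data is constructed."""
import re

# Constructed CFScript using entries from the post above.
CFSCRIPT = r"""Folder::
C:\Program Files\180solutions
C:\WINDOWS\ecnjojel
File::
C:\WINDOWS\vmxydaho.dll
C:\WINDOWS\upcrufaf.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44424cd8-1dd2-11b2-ae66-b9ed6d455809}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"YMUdyr7miO"=-
"""

# Constructed excerpt of a later log in which nothing was removed (script stalled).
LOG_AFTER_STALL = r"""((((( Files Created from 2008-02-28 to 2008-03-31 )))))
2008-03-24 17:47 . 2008-03-24 17:47 <DIR> d-------- C:\Program Files\180solutions
2008-03-22 15:11 . 2008-03-22 15:11 <DIR> d-------- C:\WINDOWS\ecnjojel
2008-03-22 15:11 . 2008-03-22 15:11 53,760 --a------ C:\WINDOWS\vmxydaho.dll
2008-03-22 15:11 . 2008-03-22 15:11 40,960 --a------ C:\WINDOWS\upcrufaf.exe
((((( Reg Loading Points )))))
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44424cd8-1dd2-11b2-ae66-b9ed6d455809}]
2008-03-22 15:11 53760 --a------ C:\WINDOWS\vmxydaho.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"YMUdyr7miO"= rundll32.exe "C:\WINDOWS\pgtivydm.dll",DllCleanServer
"""

# Constructed excerpt of a log in which the script did run.
LOG_AFTER_FIX = r"""((((( Files Created from 2008-02-28 to 2008-03-31 )))))
2008-03-24 20:51 . 2008-03-24 20:51 <DIR> d-------- C:\Program Files\Trend Micro
((((( Reg Loading Points )))))
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ExampleEntry"= C:\Program Files\Example\ok.exe
"""

# ComboFix file listing: two timestamps, size or <DIR>, attribute flags, path.
FILE_LINE = re.compile(r"^\S+ \S+ \. \S+ \S+ (?:<DIR>|[\d,]+) \S+ (.+?)\s*$")
VALUE_NAME = re.compile(r'^"([^"]+)"=')


def parse_cfscript(text):
    """Split a CFScript into its Folder::, File:: and Registry:: directives."""
    sections, current = {"Folder": [], "File": [], "Registry": []}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Return (set of listed paths, {registry key: set of value names}), lowercased."""
    paths, keys, current = set(), {}, None
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            paths.add(m.group(1).lower())
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, set())
        elif current:
            v = VALUE_NAME.match(line)
            if v:
                keys[current].add(v.group(1).lower())
    return paths, keys


def remaining_targets(script_text, log_text):
    """List every CFScript target that is still visible in the later log."""
    script = parse_cfscript(script_text)
    paths, keys = parse_combofix_log(log_text)
    left = [p for p in script["Folder"] + script["File"] if p.lower() in paths]
    current_key = None
    for entry in script["Registry"]:
        if entry.startswith("[-"):            # "[-KEY]" deletes the whole key
            if entry[2:-1].lower() in keys:
                left.append(entry)
        elif entry.startswith("["):           # "[KEY]" selects a key for value deletions
            current_key = entry[1:-1].lower()
        elif entry.endswith("=-") and current_key:   # '"Name"=-' deletes one value
            if entry[1:-3].lower() in keys.get(current_key, set()):
                left.append(entry)
    return left
```

An empty result from `remaining_targets` means every item the script named is gone from the new log; a non-empty one, as in the stalled run, means the script should be re-run.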


========================================================

#7 R Boyce

R Boyce
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:21 AM

Posted 30 March 2008 - 11:53 PM

Hi Sam,

Sorry to say, the script seemed to stall when its blue window said "Deleting Files/Folders:"

I finally closed the window and restarted.

Just in case, I ran ComboFix and HijackThis and their logs are below.

thanks,
Rachel

ComboFix:
ComboFix 08-03-24.2 - Administrator 2008-03-30 23:41:21.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.623 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Script messages for sUBs --
Findstr -MIF:/ sursen
CF18164.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-29 10:44 . 2008-03-29 10:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ScanSoft
2008-03-26 19:55 . 2008-03-26 19:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-26 19:55 . 2008-03-26 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-26 19:55 . 2008-03-26 19:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-03-24 20:51 . 2008-03-24 20:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-24 17:48 . 2008-03-24 20:06 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-03-24 17:47 . 2008-03-24 17:47 <DIR> d-------- C:\Program Files\180solutions
2008-03-24 11:53 . 2008-03-24 14:01 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\HouseCall 6.6
2008-03-24 10:30 . 2008-03-24 11:30 <DIR> d-------- C:\Documents and Settings\rboyce\.housecall6.6
2008-03-23 20:31 . 2008-03-23 20:31 <DIR> d-------- C:\Program Files\ToniArts
2008-03-23 20:31 . 2008-03-23 20:31 16,128 --a------ C:\WINDOWS\123messenger.per
2008-03-23 20:26 . 2008-03-23 20:26 <DIR> d-------- C:\Program Files\180searchassistant
2008-03-23 20:26 . 2008-03-23 20:27 <DIR> d-------- C:\Program Files\180search assistant
2008-03-23 20:22 . 2008-03-26 21:32 <DIR> d-------- C:\WINDOWS\FLEOK
2008-03-23 20:22 . 2008-03-23 20:22 28,160 --a------ C:\WINDOWS\didduid.ini
2008-03-23 18:28 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-23 00:08 . 2008-03-23 00:08 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\Apple Computer
2008-03-22 23:07 . 2008-03-23 19:28 7,938 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-22 23:06 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-22 23:06 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-22 23:06 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-22 23:06 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-22 23:06 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-22 23:06 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-22 15:54 . 2008-03-23 20:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-22 15:54 . 2008-03-23 20:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-22 15:25 . 2008-03-22 15:25 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-22 15:25 . 2008-03-22 15:25 <DIR> d-------- C:\Program Files\stc
2008-03-22 15:11 . 2008-03-22 15:11 <DIR> d-------- C:\WINDOWS\ecnjojel
2008-03-22 15:11 . 2008-03-22 15:11 53,760 --a------ C:\WINDOWS\vmxydaho.dll
2008-03-22 15:11 . 2008-03-22 15:11 53,760 --a------ C:\Documents and Settings\All Users\Application Data\polargns.dll
2008-03-22 15:11 . 2008-03-22 15:11 40,960 --a------ C:\WINDOWS\upcrufaf.exe
2008-03-22 15:11 . 2008-03-22 15:11 298 --a------ C:\PPCleanDeleteAtReboot.bat
2008-03-18 16:43 . 2008-03-28 14:00 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\Sites
2008-03-18 16:43 . 2008-03-28 14:00 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\SiteClasses
2008-03-18 16:43 . 2008-03-18 16:43 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\Dynamic
2008-03-18 16:42 . 2008-03-18 16:42 <DIR> d-------- C:\Program Files\Visicom Media
2008-02-28 19:37 . 2006-09-18 20:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-28 19:37 . 2006-09-18 20:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-28 16:40 . 2008-02-28 16:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-28 16:40 . 2008-02-28 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-22 19:48 . 2006-10-04 03:48 215,552 -----c--- C:\WINDOWS\system32\dllcache\osk.exe
2008-02-22 19:48 . 2006-10-04 03:48 72,704 -----c--- C:\WINDOWS\system32\dllcache\magnify.exe
2008-02-22 19:48 . 2006-10-04 03:48 53,760 -----c--- C:\WINDOWS\system32\dllcache\narrator.exe
2008-02-22 19:48 . 2006-10-04 03:48 50,176 -----c--- C:\WINDOWS\system32\dllcache\utilman.exe
2008-02-22 19:48 . 2006-10-04 08:33 35,840 -----c--- C:\WINDOWS\system32\dllcache\umandlg.dll
2008-02-22 19:47 . 2007-12-06 21:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-22 19:47 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-22 19:47 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-22 19:47 . 2007-12-06 21:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-22 19:47 . 2007-12-06 21:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-22 19:47 . 2007-12-06 21:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-22 19:47 . 2007-12-06 21:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-02-22 19:47 . 2007-12-06 21:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-22 19:47 . 2007-12-06 06:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-22 19:32 . 2008-02-22 19:32 <DIR> d-------- C:\Program Files\MSBuild
2008-02-22 19:30 . 2008-02-23 11:59 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-22 19:30 . 2008-02-22 19:30 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-22 19:29 . 2006-06-29 14:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-20 00:33 . 2008-02-20 00:33 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-02-13 18:15 . 2008-02-13 18:15 114,676,852 --a------ C:\SYM_REGISTRY_BACKUP.old
2008-02-13 18:15 . 2008-02-13 18:28 114,233,742 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-02-12 14:47 . 2007-12-18 04:51 179,584 -----c--- C:\WINDOWS\system32\dllcache\mrxdav.sys
2008-02-08 21:40 . 2008-02-08 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 04:39 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-28 20:43 2,401 ----a-w C:\WINDOWS\system32\drivers\AlKernel.sys
2008-03-27 00:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-24 01:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-22 20:11 --------- d-----w C:\Program Files\Common Files\PestPatrol
2008-03-18 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-10 13:49 41 ----a-w C:\AClient.dat
2008-02-29 18:42 --------- d-----w C:\Documents and Settings\rboyce\Application Data\OpenOffice.org2
2008-02-29 00:37 --------- d-----w C:\Program Files\Symantec
2008-02-29 00:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-29 00:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-26 04:48 --------- d-----w C:\Documents and Settings\rboyce\Application Data\Creative
2008-02-09 02:40 --------- d-----w C:\Program Files\Lavasoft
2008-02-08 04:01 3,584 --sha-w C:\Program Files\Common Files\Thumbs.db
2008-02-07 20:32 --------- d-----w C:\Documents and Settings\rboyce\Application Data\webex
2008-01-30 22:24 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-24 00:35 95,064 ----a-w C:\WINDOWS\system32\cdm.dll
2008-01-24 00:35 556,376 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-01-24 00:35 325,464 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-01-24 00:35 204,120 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-01-24 00:35 1,743,704 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-01-24 00:34 53,592 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-01-24 00:34 44,888 ----a-w C:\WINDOWS\system32\wups2.dll
2008-01-24 00:34 36,184 ----a-w C:\WINDOWS\system32\wups.dll
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2005-11-15 21:32 3,638 ----a-r C:\Program Files\Common Files\Altiris_Icon.ico
.

((((((((((((((((((((((((((((( snapshot@2008-03-25_19.45.44.94 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-27 00:55:42 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-03-27 00:55:42 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-03-31 04:39:59 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44424cd8-1dd2-11b2-ae66-b9ed6d455809}]
2008-03-22 15:11 53760 --a------ C:\WINDOWS\vmxydaho.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-12-10 09:50 856135 C:\WINDOWS\system32\nview.dll]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 11:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-14 13:01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-12-10 09:50 323584 C:\WINDOWS\system32\nwiz.exe]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-01-02 19:16 172032]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 14:20 88363 C:\WINDOWS\agrsmmsg.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 19:46 192512]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2003-11-21 17:49 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"TPSMain"="TPSMain.exe" [2003-12-15 14:54 278528 C:\WINDOWS\system32\TPSMain.exe]
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [2003-12-09 23:50 126976]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [2003-10-06 20:43 77824]
"TMESBS.EXE"="C:\Program Files\TOSHIBA\TME3\TMESBS32.exe" [2003-08-01 17:56 86016]
"DpUtil"="C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe" [2003-11-11 23:19 159744]
"TFNF5"="TFNF5.exe" [2003-11-17 22:42 73728 C:\WINDOWS\system32\TFNF5.exe]
"TFncKy"="TFncKy.exe" []
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 18:07 49152]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2003-12-03 15:26 131072]
"TAudEffect"="C:\Program Files\Toshiba\TAudEffect\TAudEff.exe" [2003-12-25 19:17 208972]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 12:39 159744]
"AClntUsr"="C:\Program Files\Altiris\AClient\AClntUsr.EXE" [2008-03-30 23:38 184320]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 23:52 483328]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2001-05-06 07:10 20530]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [2001-05-06 07:10 24626]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [2001-05-06 07:10 49152]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2001-05-06 07:10 20530]
"IVPServiceMgr"="C:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 12:37 475136]
"PPMCActiveDetection"="C:\Program Files\Common Files\PestPatrol\PPMCActiveDetection.exe" [2004-10-14 21:50 114688]
"AeXAgentLogon"="C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2008-01-30 22:06 143360]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-18 17:12 180269]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 13:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 13:56 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-12-28 14:00 569413]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04 40960]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 17:14 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 17:30 864256]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 22:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 23:33 125168]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-01-14 12:27:06 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"YMUdyr7miO"= rundll32.exe "C:\WINDOWS\pgtivydm.dll",DllCleanServer

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= AMINIT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-23404\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-23404\Scripts\Logon\1\0]
"Script"=\\Sf-fileprint\SF\logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-7861\Scripts\Logon\0\0]
"Script"=\\hb-dhcp1\NETLOGON\ptlogin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-8683\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-8683\Scripts\Logon\1\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R1 CCDevice;CCDevice;C:\WINDOWS\system32\drivers\CCDevice.sys [2007-05-29 19:55]
R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2002-09-26 16:15]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc80211.sys [2005-06-22 17:17]
R2 Tmesbs;Tmesbs32;"C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service []
R3 TEchoCan;Toshiba Audio Effect;C:\WINDOWS\system32\DRIVERS\TEchoCan.sys [2004-01-09 22:26]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 12:50]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-09-29 03:24]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 04:28]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys [2003-02-17 11:04]
S3 portio;TPM Service;C:\WINDOWS\system32\DRIVERS\NscTpmDD.sys [2003-12-16 23:08]
S3 PortRst;PortRst;C:\WINDOWS\system32\DRIVERS\PortRst.sys [2002-01-29 20:33]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2003-02-04 15:12]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 23:45:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-30 23:45:50
ComboFix-quarantined-files.txt 2008-03-31 04:45:34
ComboFix2.txt 2008-03-27 03:02:52
ComboFix3.txt 2008-03-26 00:46:17
.
2008-03-19 21:41:50 --- E O F ---


HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:15 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\lotus\notes\ntmulti.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\TAudEffect\TAudEff.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Common Files\PestPatrol\PPMCActiveDetection.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44424cd8-1dd2-11b2-ae66-b9ed6d455809} - C:\WINDOWS\vmxydaho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\Toshiba\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [PPMCActiveDetection] C:\Program Files\Common Files\PestPatrol\PPMCActiveDetection.exe "-ini:C:\Program Files\Common Files\PestPatrol\ppmcad.ini"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [YMUdyr7miO] rundll32.exe "C:\WINDOWS\pgtivydm.dll",DllCleanServer
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.mrw.interscience.wiley.com/wfplayer/tdserver.cab
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://sf-altiris/aspnet_client/Altiris_Ap...ib/mcsimenu.CAB
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://hmi2.wileypub.com/iNotes6W.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab
O16 - DPF: {74233DB3-F72F-44EA-94DC-258A624037E6} (ComponentOne FlexGrid 8.0 (UNICODE Light)) - http://sf-altiris/aspnet_client/Altiris_Ap...lib/VSFlex8.CAB
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/wi...FreeInstall.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://india.webex.com/client/T23L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.wileynet.net
O17 - HKLM\Software\..\Telephony: DomainName = northamerica.wileynet.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.wileynet.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = northamerica.wileynet.net,wileynet.net,wiley.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = northamerica.wileynet.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = northamerica.wileynet.net
O20 - AppInit_DLLs: AMINIT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

--
End of file - 15855 bytes
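
The log above contains the entry classes this thread turns on: an unnamed O2 BHO loading a random-named DLL straight out of C:\WINDOWS, an O4 autostart hidden under Policies\Explorer\Run that uses rundll32 to load another such DLL, and an O20 AppInit_DLLs value. The script below is an added example, not part of the thread and not HijackThis or ComboFix code. It parses the Rn/On entry lines of a HijackThis log and flags those patterns for a human to look at; the four heuristics are assumptions chosen for this example, and the sample log is a constructed handful of lines copied from the log above, including two benign entries (the SpyBot BHO, which is also unnamed, and the NVIDIA rundll32 entry) that must not be flagged.

```python
r"""Triage a HijackThis log for the entry classes that mattered in this thread.

Added example; not part of the thread and not HijackThis or ComboFix code.
It parses the "Rn - " / "On - " entry lines and applies four heuristics
(assumptions chosen for this example, tuned for few false positives, not zero):
  * O2:  an unnamed BHO whose DLL sits directly in C:\WINDOWS
  * O4:  an autostart under Policies\Explorer\Run
  * O4:  rundll32 loading a DLL placed directly in C:\WINDOWS
  * O20: any AppInit_DLLs value (loaded into every process that links user32)
A flagged line is a pointer for a human, not a verdict.
"""
import re
from dataclasses import dataclass

# One HijackThis entry line, e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

# A DLL directly under C:\WINDOWS. System DLLs live in system32, so a DLL in
# the bare %WINDIR% is unusual enough to look at (heuristic, not proof).
BARE_WINDIR_DLL = re.compile(r'C:\\WINDOWS\\[^\\"]+\.dll', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section the line came from, e.g. "O2"
    reason: str  # why it was flagged
    line: str    # the log line itself


def parse_entries(log_text):
    """Return (kind, body, raw) for every entry line.

    Headers, the running-process list and blank lines do not match and are skipped.
    """
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append((m.group("kind"), m.group("body"), raw))
    return entries


def check_entry(kind, body, raw):
    """Apply the heuristics to one entry; a line can earn several findings."""
    reasons = []
    if kind == "O2" and "(no name)" in body and BARE_WINDIR_DLL.search(body):
        reasons.append("unnamed BHO whose DLL sits directly in C:\\WINDOWS")
    if kind == "O4":
        if "Policies\\Explorer\\Run" in body:
            reasons.append("autostart via Policies\\Explorer\\Run, rarely used by legitimate software")
        if "rundll32" in body.lower() and BARE_WINDIR_DLL.search(body):
            reasons.append("rundll32 loading a DLL placed directly in C:\\WINDOWS")
    if kind == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs is set; confirm the publisher of that DLL")
    return [Finding(kind, r, raw) for r in reasons]


def triage(log_text):
    """Run every entry through check_entry and return the findings in log order."""
    findings = []
    for kind, body, raw in parse_entries(log_text):
        findings.extend(check_entry(kind, body, raw))
    return findings


# Constructed sample: lines copied from the log posted above, plus two benign
# lines that must NOT be flagged (the unnamed SpyBot BHO and the NVIDIA
# rundll32 entry, which names no path).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44424cd8-1dd2-11b2-ae66-b9ed6d455809} - C:\WINDOWS\vmxydaho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKLM\..\Policies\Explorer\Run: [YMUdyr7miO] rundll32.exe "C:\WINDOWS\pgtivydm.dll",DllCleanServer
O20 - AppInit_DLLs: AMINIT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

Run against the sample it reports four findings: the vmxydaho.dll BHO, two reasons for the Policies\Explorer\Run line, and the AppInit_DLLs value; the Adobe, SpyBot, NVIDIA and SUPERAntiSpyware lines pass. The "directly under C:\WINDOWS" test is what keeps the SpyBot BHO out of the output, which is the kind of narrowing a triage rule needs before it is worth running over a whole log.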

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 March 2008 - 06:19 AM

Let's try something a little different.
Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.
  • Select the first option, to run Windows in Safe Mode.
  • If you have trouble getting into Safe Mode, go here for more info.

Now run this script through ComboFix in Safe Mode.


KillAll::

Folder::
C:\Program Files\180solutions
C:\Program Files\180searchassistant
C:\Program Files\180search assistant
C:\WINDOWS\FLEOK
C:\Program Files\Sysmnt
C:\Program Files\stc
C:\WINDOWS\ecnjojel

File::
C:\WINDOWS\123messenger.per
C:\WINDOWS\vmxydaho.dll
C:\Documents and Settings\All Users\Application Data\polargns.dll
C:\WINDOWS\upcrufaf.exe
C:\PPCleanDeleteAtReboot.bat

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44424cd8-1dd2-11b2-ae66-b9ed6d455809}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"YMUdyr7miO"=-


It should run and create a log just like before. Please post that log in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
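
Before handing a removal script like the one above to ComboFix, it is worth seeing exactly what it will do, in a form that can be checked against the list of things the system needs to boot. The parser below is an added example, not part of the thread and not ComboFix's own code; it covers both the scripted run requested here and the same folder and file list that is later deleted by hand. The format it assumes is the one visible in the post: a directive line ending in "::" (KillAll::, Folder::, File::, Registry::) followed by its items up to the next blank line, with REGEDIT conventions inside Registry:: ("[-KEY]" deletes a key, "[KEY]" selects one, and "name"=- deletes a value under it). The protected-root and core-binary lists are assumptions for this example; the core-binary check exists because the scanners earlier in the thread reported hits on rundll32.exe and chkdsk.exe, and a cleanup script that deleted those binaries would break the machine. The sample script is a constructed copy of the one posted above.

```python
r"""Turn a ComboFix CFScript into an explicit action list before running it.

Added example, not part of the thread and not ComboFix's own code. The format
assumed is the one visible in the posts: a directive line ending in "::"
(KillAll::, Folder::, File::, Registry::) followed by its items up to the next
blank line; inside Registry:: the REGEDIT conventions apply ("[-KEY]" deletes a
key, "[KEY]" selects one, "name"=- deletes a value under it). PROTECTED_ROOTS
and CORE_BINARIES are assumptions for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    op: str          # kill_all | delete_folder | delete_file | delete_key | delete_value
    target: str      # filesystem path or registry key
    value: str = ""  # value name, for delete_value only


# Removing any of these outright would take the OS down with the malware.
PROTECTED_ROOTS = {"c:", "c:\\windows", "c:\\windows\\system32", "c:\\program files"}
# Core binaries a cleanup script should never delete even when a scanner names
# them: an infected copy is replaced from install media, not deleted.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "explorer.exe", "rundll32.exe"}


def parse_cfscript(text):
    """Parse the script into Actions in the order ComboFix would see them."""
    actions = []
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section = line[:-2]
            current_key = None
            if section == "KillAll":
                actions.append(Action("kill_all", "*"))
            continue
        if section == "Folder":
            actions.append(Action("delete_folder", line))
        elif section == "File":
            actions.append(Action("delete_file", line))
        elif section == "Registry":
            if line.startswith("[-") and line.endswith("]"):
                actions.append(Action("delete_key", line[2:-1]))
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
            elif line.endswith("=-") and current_key:
                actions.append(Action("delete_value", current_key,
                                      line[:-2].strip().strip('"')))
            else:
                raise ValueError(f"unrecognised Registry:: line: {line}")
        else:
            raise ValueError(f"item outside a known section: {line}")
    return actions


def risky(action):
    """True if the action would delete a protected root or a core binary."""
    if action.op not in ("delete_folder", "delete_file"):
        return False
    path = action.target.lower().rstrip("\\")
    return path in PROTECTED_ROOTS or path.rsplit("\\", 1)[-1] in CORE_BINARIES


def review(text):
    """Return (all actions, the subset a human must look at before running)."""
    actions = parse_cfscript(text)
    return actions, [a for a in actions if risky(a)]


def summary(actions):
    """Count actions by operation, e.g. {'delete_folder': 7, ...}."""
    counts = {}
    for a in actions:
        counts[a.op] = counts.get(a.op, 0) + 1
    return counts


# Constructed sample: a copy of the CFScript posted above.
SAMPLE_SCRIPT = r"""
KillAll::

Folder::
C:\Program Files\180solutions
C:\Program Files\180searchassistant
C:\Program Files\180search assistant
C:\WINDOWS\FLEOK
C:\Program Files\Sysmnt
C:\Program Files\stc
C:\WINDOWS\ecnjojel

File::
C:\WINDOWS\123messenger.per
C:\WINDOWS\vmxydaho.dll
C:\Documents and Settings\All Users\Application Data\polargns.dll
C:\WINDOWS\upcrufaf.exe
C:\PPCleanDeleteAtReboot.bat

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44424cd8-1dd2-11b2-ae66-b9ed6d455809}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"YMUdyr7miO"=-
"""

if __name__ == "__main__":
    actions, flagged = review(SAMPLE_SCRIPT)
    print(summary(actions))
    for a in flagged:
        print("REVIEW:", a)
```

For the posted script the plan is one process kill, seven folder deletions, five file deletions, one registry key deletion and one value deletion, and nothing is flagged. Feeding it a File:: line naming C:\WINDOWS\system32\rundll32.exe, or a Folder:: line naming C:\Program Files itself, puts that action in the review list, which is the case the check is for.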


========================================================

#9 R Boyce

R Boyce
  • Topic Starter

  • Members
  • 6 posts

Posted 01 April 2008 - 12:03 AM

Sorry, Sam. I rebooted in Safe Mode and ran the script. It stalled again at the same place, "Deleting Files/Folders:"

Rachel

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 01 April 2008 - 07:08 AM

Ok, let's do it the hard way then. :thumbsup:

Go back into safe mode and delete these folders:

C:\Program Files\180solutions
C:\Program Files\180searchassistant
C:\Program Files\180search assistant
C:\WINDOWS\FLEOK
C:\Program Files\Sysmnt
C:\Program Files\stc
C:\WINDOWS\ecnjojel



Then delete these files:

C:\WINDOWS\123messenger.per
C:\WINDOWS\vmxydaho.dll
C:\Documents and Settings\All Users\Application Data\polargns.dll
C:\WINDOWS\upcrufaf.exe
C:\PPCleanDeleteAtReboot.bat



Don't worry if there are some that you can't find or delete. Just make a note of which ones and let me know in your next reply.
Once you've deleted these, run the script through Combofix again and let me know how it goes.


========================================================

#11 R Boyce

R Boyce
  • Topic Starter

  • Members
  • 6 posts

Posted 02 April 2008 - 07:08 PM

Hi Sam, I was able to delete all the files and folders on your list.

Here's the ComboFix log:
ComboFix 08-03-24.2 - Administrator 2008-04-02 17:53:56.8 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1017 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFscript2.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\polargns.dll
C:\PPCleanDeleteAtReboot.bat
C:\WINDOWS\123messenger.per
C:\WINDOWS\upcrufaf.exe
C:\WINDOWS\vmxydaho.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://sf
.
((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-04-02 08:12 . 2008-04-02 08:12 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-29 10:44 . 2008-03-29 10:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ScanSoft
2008-03-26 19:55 . 2008-03-26 19:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-26 19:55 . 2008-03-26 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-26 19:55 . 2008-03-26 19:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-03-24 20:51 . 2008-03-24 20:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-24 17:48 . 2008-03-24 20:06 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-03-24 11:53 . 2008-03-24 14:01 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\HouseCall 6.6
2008-03-24 10:30 . 2008-03-24 11:30 <DIR> d-------- C:\Documents and Settings\rboyce\.housecall6.6
2008-03-23 20:31 . 2008-03-23 20:31 <DIR> d-------- C:\Program Files\ToniArts
2008-03-23 20:22 . 2008-03-23 20:22 28,160 --a------ C:\WINDOWS\didduid.ini
2008-03-23 18:28 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-23 00:08 . 2008-03-23 00:08 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\Apple Computer
2008-03-22 23:07 . 2008-03-23 19:28 7,938 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-22 23:06 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-22 23:06 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-22 23:06 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-22 23:06 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-22 23:06 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-22 23:06 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-22 15:54 . 2008-03-23 20:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-22 15:54 . 2008-03-23 20:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-18 16:43 . 2008-03-28 14:00 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\Sites
2008-03-18 16:43 . 2008-03-28 14:00 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\SiteClasses
2008-03-18 16:43 . 2008-03-18 16:43 <DIR> d-------- C:\Documents and Settings\rboyce\Application Data\Dynamic
2008-03-18 16:42 . 2008-03-18 16:42 <DIR> d-------- C:\Program Files\Visicom Media
2008-03-12 13:10 . 2008-03-12 13:10 633,344 --------- C:\WINDOWS\system32\gpprefcl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 22:45 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-02 22:35 2,401 ----a-w C:\WINDOWS\system32\drivers\AlKernel.sys
2008-03-27 00:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-24 01:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-22 20:11 --------- d-----w C:\Program Files\Common Files\PestPatrol
2008-03-18 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-10 13:49 41 ----a-w C:\AClient.dat
2008-02-29 18:42 --------- d-----w C:\Documents and Settings\rboyce\Application Data\OpenOffice.org2
2008-02-29 00:37 --------- d-----w C:\Program Files\Symantec
2008-02-29 00:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-29 00:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-28 21:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-28 21:41 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-26 04:48 --------- d-----w C:\Documents and Settings\rboyce\Application Data\Creative
2008-02-23 00:32 --------- d-----w C:\Program Files\MSBuild
2008-02-23 00:30 --------- d-----w C:\Program Files\Reference Assemblies
2008-02-13 23:28 114,233,742 ----a-w C:\SYM_REGISTRY_BACKUP.reg
2008-02-09 02:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-09 02:40 --------- d-----w C:\Program Files\Lavasoft
2008-02-08 04:01 3,584 --sha-w C:\Program Files\Common Files\Thumbs.db
2008-02-07 20:32 --------- d-----w C:\Documents and Settings\rboyce\Application Data\webex
2005-11-15 21:32 3,638 ----a-r C:\Program Files\Common Files\Altiris_Icon.ico
.

((((((((((((((((((((((((((((( snapshot@2008-03-25_19.45.44.94 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-27 00:55:42 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-03-27 00:55:42 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2006-10-16 22:10:58 14,640 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-10-05 20:42:10 14,640 ------w C:\WINDOWS\system32\spmsg.dll
- 2006-10-16 22:10:58 23,856 ----a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2007-10-05 20:42:10 23,856 ----a-w C:\WINDOWS\system32\spupdsvc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-12-10 09:50 856135 C:\WINDOWS\system32\nview.dll]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 11:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-14 13:01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-12-10 09:50 323584 C:\WINDOWS\system32\nwiz.exe]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-01-02 19:16 172032]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 14:20 88363 C:\WINDOWS\agrsmmsg.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 19:46 192512]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2003-11-21 17:49 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"TPSMain"="TPSMain.exe" [2003-12-15 14:54 278528 C:\WINDOWS\system32\TPSMain.exe]
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [2003-12-09 23:50 126976]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [2003-10-06 20:43 77824]
"TMESBS.EXE"="C:\Program Files\TOSHIBA\TME3\TMESBS32.exe" [2003-08-01 17:56 86016]
"DpUtil"="C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe" [2003-11-11 23:19 159744]
"TFNF5"="TFNF5.exe" [2003-11-17 22:42 73728 C:\WINDOWS\system32\TFNF5.exe]
"TFncKy"="TFncKy.exe" []
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 18:07 49152]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2003-12-03 15:26 131072]
"TAudEffect"="C:\Program Files\Toshiba\TAudEffect\TAudEff.exe" [2003-12-25 19:17 208972]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 12:39 159744]
"AClntUsr"="C:\Program Files\Altiris\AClient\AClntUsr.EXE" [2008-04-02 07:56 184320]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 23:52 483328]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2001-05-06 07:10 20530]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [2001-05-06 07:10 24626]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [2001-05-06 07:10 49152]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2001-05-06 07:10 20530]
"IVPServiceMgr"="C:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 12:37 475136]
"PPMCActiveDetection"="C:\Program Files\Common Files\PestPatrol\PPMCActiveDetection.exe" [2004-10-14 21:50 114688]
"AeXAgentLogon"="C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2008-01-30 22:06 143360]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-18 17:12 180269]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 13:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 13:56 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-12-28 14:00 569413]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04 40960]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 17:14 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 17:30 864256]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 22:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 23:33 125168]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2004-08-04 02:56 158208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-01-14 12:27:06 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= AMINIT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-23404\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-23404\Scripts\Logon\1\0]
"Script"=\\Sf-fileprint\SF\logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-7861\Scripts\Logon\0\0]
"Script"=\\hb-dhcp1\NETLOGON\ptlogin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-8683\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-746137067-839522115-8683\Scripts\Logon\1\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

S1 CCDevice;CCDevice;C:\WINDOWS\system32\drivers\CCDevice.sys [2007-05-29 19:55]
S1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2002-09-26 16:15]
S2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc80211.sys [2005-06-22 17:17]
S2 Tmesbs;Tmesbs32;"C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service []
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 12:50]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-09-29 03:24]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 04:28]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys [2003-02-17 11:04]
S3 portio;TPM Service;C:\WINDOWS\system32\DRIVERS\NscTpmDD.sys [2003-12-16 23:08]
S3 PortRst;PortRst;C:\WINDOWS\system32\DRIVERS\PortRst.sys [2002-01-29 20:33]
S3 TEchoCan;Toshiba Audio Effect;C:\WINDOWS\system32\DRIVERS\TEchoCan.sys [2004-01-09 22:26]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2003-02-04 15:12]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 17:59:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
.
**************************************************************************
.
Completion time: 2008-04-02 18:02:33 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-04-02 23:02:27
ComboFix2.txt 2008-03-31 04:45:50
ComboFix3.txt 2008-03-27 03:02:52
ComboFix4.txt 2008-03-26 00:46:17
.
2008-04-02 13:12:34 --- E O F ---

#12 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 02 April 2008 - 07:19 PM

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Also post a new hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 21 April 2008 - 07:11 AM

Unfortunately there has been no response. :thumbsup:
This thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.


========================================================
