
System Integrity Scan Wizard And Security System Warning Malware Problems


1 reply to this topic

#1 dsheuman

  • Members
  • 1 posts

Posted 31 March 2008 - 01:41 PM

Hi All,

I have been getting the System Integrity Scan Wizard and Security System Warning popups for the last few days. I've done the Safeboot and scanned with Norton, which found no viruses, so it's clearly the nuisance thing that many others have been plagued with.

I ran both the SmitfraudFix.exe and ComboFix.exe programs. Here are the resulting log files.

Any ideas on how to remove these popups are welcome.

Thanks,
Danny


SmitfraudFix.exe
----------------------
SmitFraudFix v2.309

Scan done at 13:55:45.03, Mon 03/31/2008
Run from C:\temp\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Shiva\Shiva VPN Client\icsrv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\krdevctl.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Console\Kraidman.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ipmdsxen.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\CPdeSrvU.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe

hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Danny Heuman


C:\Documents and Settings\Danny Heuman\Application Data


Start Menu


C:\DOCUME~1\DANNYH~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


Rustock



DNS

Description: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller - Packet Scheduler Miniport
DNS Server Search Order: 172.23.200.6
DNS Server Search Order: 172.23.200.4

HKLM\SYSTEM\CCS\Services\Tcpip\..\{659DFB9C-8072-47FF-A7B6-B983CDF0AFED}: DhcpNameServer=172.23.200.6 172.23.200.4
HKLM\SYSTEM\CS1\Services\Tcpip\..\{659DFB9C-8072-47FF-A7B6-B983CDF0AFED}: DhcpNameServer=172.23.200.6 172.23.200.4
HKLM\SYSTEM\CS3\Services\Tcpip\..\{659DFB9C-8072-47FF-A7B6-B983CDF0AFED}: DhcpNameServer=172.23.200.6 172.23.200.4
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=172.23.200.6 172.23.200.4
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=172.23.200.5 192.168.162.19
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=172.23.200.6 172.23.200.4
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=172.23.200.5 192.168.162.19
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=172.23.200.6 172.23.200.4
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=172.23.200.5 192.168.162.19


Scanning for wininet.dll infection


End


----------------------



ComboFix.exe
----------------------
ComboFix 08-03-30.3 - Danny Heuman 2008-03-31 12:35:03.1 - NTFSx86
Running from: C:\temp\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Danny Heuman\Desktop\blackbird.jpg
C:\Documents and Settings\Danny Heuman\Desktop\EditorFKWP1.5.exe
C:\Documents and Settings\Danny Heuman\Desktop\EditorFKWP2.0.exe
C:\Documents and Settings\Danny Heuman\Desktop\filemanagerclient.exe
C:\Documents and Settings\Danny Heuman\Desktop\fkwp1.5.exe
C:\Documents and Settings\Danny Heuman\Desktop\fkwp2.0.exe
C:\Documents and Settings\Danny Heuman\Desktop\fwebd.exe
C:\Documents and Settings\Danny Heuman\Desktop\FWebdEditor.exe
C:\Documents and Settings\Danny Heuman\Desktop\Trojan.Win32.BlackBird.exe
C:\Documents and Settings\Danny Heuman\Desktop\virii
C:\Documents and Settings\Danny Heuman\err.log
C:\Documents and Settings\Danny Heuman\g2mdlhlpx.exe
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\Installer\{4b35219e-7d58-4d32-b74e-928a811d32fc}\ChkWin.dll
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\norlatmx.exe
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\FTPx.dll
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\prsgrc.dll
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\h@tkeysh@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\Web\def.htm
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-31 12:31 . 2008-03-31 12:31 1,603,483 --a------ C:\temp\ComboFix.exe
2008-03-31 11:33 . 2008-03-31 11:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-31 11:33 . 2008-03-31 11:33 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-31 11:33 . 2008-03-31 11:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-31 10:42 . 2008-03-31 10:42 <DIR> d-------- C:\RBC
2008-03-31 10:19 . 2008-03-31 11:16 <DIR> d-------- C:\temp\backups
2008-03-31 10:16 . 2008-03-31 10:16 1,308,216 --a------ C:\temp\HiJackThis_v2.exe
2008-03-31 09:38 . 2008-03-31 09:38 <DIR> d-------- C:\Program Files\PC-Cleaner
2008-03-29 23:50 . 2008-03-29 23:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-28 09:35 . 2008-03-28 09:37 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-28 09:35 . 2008-03-28 09:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-28 09:35 . 2008-03-28 09:35 <DIR> d-------- C:\Documents and Settings\Danny Heuman\Application Data\SUPERAntiSpyware.com
2008-03-28 09:35 . 2008-03-28 09:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-28 09:07 . 2008-03-28 09:07 98,304 --a------ C:\WINDOWS\system32\ipmdsxen.exe
2008-03-27 16:51 . 2008-03-28 09:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\rwbghiba
2008-03-27 16:51 . 2008-03-27 16:51 90,112 --a------ C:\WINDOWS\system32\rorcdwvc.exe
2008-03-27 16:50 . 2008-03-27 16:50 52 --a------ C:\xmp.bat
2008-03-26 12:21 . 2008-03-26 12:21 97,766 --a------ C:\PCCF2008-01-Unique_Enhanced_Sample.zip
2008-03-26 12:18 . 2008-03-26 12:19 25,600 --a------ C:\Concordance Tables 2008 - Variables.xls
2008-03-26 12:17 . 2008-03-26 12:18 78,848 --a------ C:\PCCF2008-01-Unique_Enhanced_Sample.xls
2008-03-24 14:48 . 2008-03-24 14:48 <DIR> d-------- C:\temp\attachments_2008_03_24
2008-03-24 14:32 . 2008-03-24 14:32 <DIR> d-------- C:\Documents and Settings\Danny Heuman\Downloads
2008-03-24 14:24 . 2008-03-24 14:24 28 --a------ C:\WINDOWS\DustKleen.INI
2008-03-24 14:21 . 2008-03-24 14:21 82 --a------ C:\WINDOWS\SuperUtil.ini
2008-03-20 13:41 . 2008-03-24 08:52 13,922,816 --a------ C:\Cara Update March 24 2008.ppt
2008-03-19 09:08 . 2008-03-31 10:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-19 09:08 . 2008-03-19 09:08 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-18 16:49 . 2008-03-18 16:51 <DIR> d-------- C:\temp\Life Insurance
2008-03-18 11:03 . 2008-03-18 11:03 1,356,800 --a------ C:\DA_DEP2008_Avginc.IND
2008-03-18 11:02 . 2008-03-18 11:03 188 --a------ C:\DA_DEP2008_Avginc.TAB
2008-03-18 11:01 . 2008-03-18 11:02 3,291,648 --a------ C:\DA_DEP2008_Avginc.xls
2008-03-14 16:11 . 2008-03-14 16:11 2,892,962 --a------ C:\temp\Census_CanPost_HH_APT-Comp_With_AllDAs_Including_TotalHHs.zip
2008-03-13 16:53 . 2008-03-13 16:53 <DIR> d-------- C:\Program Files\Spiderweb Software
2008-03-13 16:52 . 2008-03-13 16:52 <DIR> d-------- C:\Documents and Settings\Danny Heuman\Application Data\Downloaded Installations
2008-03-13 15:14 . 2008-03-13 15:14 <DIR> d-------- C:\Program Files\IDM Computer Solutions
2008-03-12 16:58 . 2008-03-12 16:58 10,581 --a------ C:\WINDOWS\SETUP.LST
2008-03-12 12:40 . 2008-03-07 15:03 71,184 --a------ C:\Enhanced PCCF 200801 White Paper.pdf
2008-03-11 15:11 . 2008-03-13 16:29 <DIR> d-------- C:\Downtown Postal Code Boundary
2008-03-07 17:17 . 2008-03-07 17:17 1,143 --a------ C:\Downtown Postal Code Boundary.zip
2008-03-06 16:29 . 2008-03-06 16:29 4,566,755 --a------ C:\GPL Reference Guide.pdf
2008-03-06 16:26 . 2008-03-06 16:26 35,484 --a------ C:\R_PlugIn_Install_Instructions_win.pdf
2008-03-04 12:26 . 2008-03-04 12:19 691,545 --a------ C:\WINDOWS\unins002.exe
2008-03-04 12:26 . 2008-03-04 12:26 2,549 --a------ C:\WINDOWS\unins002.dat
2008-03-03 12:54 . 2008-03-03 12:57 92,569 --a------ C:\SV2004_2007_Prizmne.sav
2008-03-03 12:51 . 2008-03-03 12:51 56,915 --a------ C:\SV2004_Prizmne.sav
2008-03-03 12:48 . 2008-03-03 12:52 52,929 --a------ C:\SV2007_Prizmne.sav
2008-02-20 13:18 . 2008-02-20 13:18 36,352 --a------ C:\NCL-Alaska.doc
2008-02-19 13:33 . 2008-02-19 13:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{E1B5311E-0EB0-46BB-9EBF-25CBF3A20B8A}
2008-02-19 13:30 . 2008-02-19 13:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{FCC22282-EEF1-4A8B-BCD3-AB8861F775DD}
2008-02-15 12:39 . 2008-02-15 12:39 <DIR> d-------- C:\temp\MapInfo_Professional_9.0_Portable
2008-02-15 11:06 . 2008-02-15 11:06 3,701,333 --a------ C:\temp\Portable_eMule_048a.exe
2008-02-12 10:37 . 2008-02-12 10:37 545,241 --a------ C:\temp\Autoruns.zip
2008-02-07 13:01 . 2008-02-07 13:01 <DIR> d-------- C:\WINDOWS\NU_DATA
2008-02-06 17:26 . 2008-02-06 17:26 <DIR> d-------- C:\Program Files\WebEx
2008-02-06 16:31 . 2006-11-13 02:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-02-06 16:31 . 2006-11-13 02:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2008-02-06 16:31 . 2006-11-13 02:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2008-02-01 11:08 . 2008-02-01 10:33 20,660 --a------ C:\Coding_Variables.sps
2008-02-01 00:13 . 2008-02-01 00:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-02-01 00:13 . 2008-02-01 00:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 14:59 --------- d-----w C:\Documents and Settings\Danny Heuman\Application Data\AdobeUM
2008-03-31 13:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-28 18:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-28 17:38 --------- d-----w C:\Documents and Settings\Danny Heuman\Application Data\GrabIt
2008-03-26 15:00 --------- d-----w C:\Program Files\SPSS16
2008-03-24 18:30 --------- d-----w C:\Documents and Settings\Danny Heuman\Application Data\Thinstall
2008-03-14 13:00 --------- d-----w C:\Program Files\UltraEdit
2008-03-13 16:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-13 15:58 0 ----a-w C:\Program Files\temp01
2008-03-04 19:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-04 19:43 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-29 21:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-29 21:01 --------- d--h--w C:\Program Files\Creative Installation Information
2008-02-29 21:01 --------- d-----w C:\Program Files\Creative
2008-02-26 18:55 --------- d-----w C:\Program Files\IrfanView
2008-02-12 14:11 --------- d-----w C:\Program Files\QuickTime
2008-02-12 14:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-08 17:01 183,361 ----a-w C:\WINDOWS\system32\atasnt40.dll
2008-02-05 17:38 --------- d-----w C:\Program Files\Agent
2008-01-31 20:50 --------- d-----w C:\Program Files\Apple Software Update
2008-01-31 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-30 20:43 --------- d-----w C:\Program Files\CardPlayer Poker
2008-01-30 19:41 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-01-30 19:41 --------- d-----w C:\Documents and Settings\Danny Heuman\Application Data\SystemRequirementsLab
2008-01-30 17:05 --------- d-----w C:\Program Files\Java
2008-01-30 16:57 --------- d-----w C:\Program Files\Common Files\Java
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2008-02-08 17:00 34,384 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
2008-02-08 17:00 94,872 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-22 09:13 68856]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-11-23 18:12 851968]
"lnkvkhdr"="C:\WINDOWS\system32\rorcdwvc.exe" [2008-03-27 16:51 90112]
"epggcojz"="C:\WINDOWS\system32\ipmdsxen.exe" [2008-03-28 09:07 98304]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-28 09:37 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2005-03-01 03:43 245760]
"000StTHK"="000StTHK.exe" [2001-06-23 07:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 08:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-07-26 07:41 1519616 C:\WINDOWS\system32\nwiz.exe]
"NVRotateSysTray"="rundll32.exe" [2004-08-04 08:00 33280 C:\WINDOWS\system32\rundll32.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 09:40 196608]
"DpUtil"="C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-06-28 23:11 155648]
"AGRSMMSG"="AGRSMMSG.exe" [2005-07-01 18:58 88201 C:\WINDOWS\agrsmmsg.exe]
"ThpSrv"="c:\WINDOWS\system32\thpsrv /logon" [ ]
"Kraidman"="C:\Program Files\TOSHIBA\TOSHIBA RAID\Console\Kraidman.exe" [2005-07-29 19:26 1126483]
"TFNF5"="TFNF5.exe" [2005-06-29 02:35 507904 C:\WINDOWS\system32\TFNF5.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 19:13 122880]
"TPSMain"="TPSMain.exe" [2005-08-09 22:22 315392 C:\WINDOWS\system32\TPSMain.exe]
"TPSODDCtl"="TPSODDCtl.exe" [2005-07-29 14:12 110592 C:\WINDOWS\system32\TPSODDCtl.exe]
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [2005-01-18 17:18 126976]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [2005-03-18 00:08 81920]
"TOSDCR"="TOSDCR.EXE" [2005-08-04 18:36 57344 C:\WINDOWS\system32\TOSDCR.exe]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 18:07 49152]
"TAudEffect"="C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe" [2005-07-08 17:59 344144]
"TFncKy"="TFncKy.exe" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 08:33 122941]
"OmniPass"="C:\Program Files\Softex\OmniPass\scureapp.exe" [2005-08-02 22:52 1863680]
"NDSTray.exe"="NDSTray.exe" []
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2005-05-18 18:57 188416]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-05-31 23:46 401408]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-06-03 02:31 385024]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-05-31 23:50 356352]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 02:21 90112]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 08:00 143360]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-22 11:50 29744]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]

C:\Documents and Settings\DANNYS3\ASPNET\Start Menu\Programs\Startup\
IEHOME.LNK - C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat [2005-12-21 04:00:34 298]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-03-29 10:52:01 1445904]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-16 09:36:51 124912]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-08-05 17:16:26 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"hbgLUuK7uc"= C:\Documents and Settings\All Users\Application Data\rwbghiba\tqdsdsdm.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"hbgLUuK7uc"= C:\Documents and Settings\All Users\Application Data\rwbghiba\tqdsdsdm.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-05-31 23:46 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2005-08-02 22:36 49152 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Shiva\\Shiva VPN Client\\ICDESK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SPSS16\\spss.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 KR10I;KR10I;C:\WINDOWS\system32\drivers\KR10I.sys [2005-06-28 10:35]
R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\WINDOWS\system32\DRIVERS\thpdrv.sys [2004-12-28 02:31]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\WINDOWS\system32\DRIVERS\Thpevm.SYS [2004-11-13 15:24]
R1 ICsrvr;VPN Client Protocol;C:\WINDOWS\system32\DRIVERS\ICsrvr.sys [2003-06-06 18:15]
R1 ICtdi;VPN Client TDI Driver;C:\WINDOWS\system32\DRIVERS\ictdi.sys [2003-06-06 18:14]
R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2004-06-16 14:08]
R2 ICService;Shiva VPN Client;C:\Program Files\Shiva\Shiva VPN Client\icsrv.exe [2003-06-06 18:31]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 08:00]
R3 ICvnic;VPN Client Virtual Adapter;C:\WINDOWS\system32\DRIVERS\ICvnic.sys [2003-06-06 18:14]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-06-10 00:26]
R3 TEchoCan;Toshiba Audio Effect;C:\WINDOWS\system32\DRIVERS\TEchoCan.sys [2005-07-15 00:15]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-22 11:50]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2004-05-17 18:18]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-18 13:09:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-20 01:03:12 C:\WINDOWS\Tasks\dannys differential backup.job"
- C:\WINDOWS\system32\ntbackup.exeRbackup
"2008-03-06 23:25:15 C:\WINDOWS\Tasks\dannys full backup.job"
- C:\WINDOWS\system32\ntbackup.exekbackup
"2008-03-31 16:30:03 C:\WINDOWS\Tasks\NOTEPAD.job"
- C:\WINDOWS\NOTEPAD.EXE
"2005-12-21 07:58:23 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2005-12-21 07:58:24 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 12:38:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-03-31 12:39:05
ComboFix-quarantined-files.txt 2008-03-31 16:38:48
Pre-Run: 8,637,935,616 bytes free
Post-Run: 8,624,447,488 bytes free
.
2008-03-20 13:02:49 --- E O F ---

#2 katana

    MRU Expert

  • Members
  • 170 posts
  • Gender:Male
  • Location:Manchester (UK)

Posted 12 April 2008 - 05:08 AM

Hello and welcome to the forums.

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

If you still require help, please could you do the following:


Click here to download HJTinstall.exe
  • Save HJTinstall.exe to your desktop.
  • Double click on the HJTinstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\Hijack This.
  • Click I accept
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.


Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Please post all logs in your reply