
Warning: Spyware Has Been Detected On Your Pc


  • This topic is locked
4 replies to this topic

#1 StupidVirus101

StupidVirus101

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:02 PM

Posted 24 April 2008 - 03:48 PM

Here is my HijackThis log. I think it should be noted that I had this same virus on my system 3 days ago and to remedy the problem I reformatted, but it is now back.


Thanks for any help/advice that you can provide

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:50 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\winself.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\webHancer\Programs\whagent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Chris Dolhan\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5815 bytes


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:04:02 AM

Posted 25 April 2008 - 03:12 AM

Hello StupidVirus101 and welcome to BleepingComputer,

Print these instructions or save them to your Desktop as a text file,
since you'll need to reboot in safe mode (without networking support), so you'll be unable to connect here.

1. Download SDFix and save it to your Desktop.

Boot your computer in Safe Mode :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows window appears, tap the F8 key continually;
  • Instead of loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Now run SDFix.exe
  • In Safe Mode, double click the SDFix.exe file. Click Install.
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to start SDFix.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt in your next reply, with a new HijackThis log
2. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 StupidVirus101

StupidVirus101
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:02 PM

Posted 25 April 2008 - 09:59 AM

Thanks Thunder for getting back so quickly with some great advice. Right now it looks like everything has been removed, but I guess I'll let you decide. Here's my ComboFix log, and after it I decided to include the HijackThis log.
Cheers!

ComboFix 08-04-24.1 - Chris Dolhan 2008-04-25 10:32:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.153 [GMT -4:00]
Running from: C:\Documents and Settings\Chris Dolhan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chris Dolhan\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whagent.exe
C:\Program Files\webhancer\Programs\whagent.ini
C:\Program Files\webhancer\Programs\whiehlpr.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\WINDOWS\lfn.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cbXOIbaa.dll
C:\WINDOWS\system32\hgGyvvuu.dll
C:\WINDOWS\system32\jklvbbdu.dll
C:\WINDOWS\system32\mgcmrgso.dll
C:\WINDOWS\system32\urqOHBqP.dll
C:\WINDOWS\system32\uuvvyGgh.ini
C:\WINDOWS\system32\uuvvyGgh.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-25 09:48 . 2008-04-25 09:48 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-25 09:47 . 2008-04-25 10:14 <DIR> d-------- C:\SDFix
2008-04-25 05:49 . 2008-04-25 10:22 109,747 --a------ C:\WINDOWS\BM1b307464.xml
2008-04-25 05:47 . 2008-04-25 05:47 10 --a------ C:\WINDOWS\wintst32.tmp
2008-04-24 15:55 . 2008-04-24 15:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-24 15:54 . 2008-04-24 16:29 <DIR> d-------- C:\Program Files\Bat
2008-04-24 15:53 . 2008-04-24 15:53 194 -r-hs---- C:\WINDOWS\mainms.vpi
2008-04-24 15:53 . 2008-04-25 09:33 33 -r-hs---- C:\WINDOWS\muotr.so
2008-04-24 15:53 . 2008-04-25 09:44 8 -r-hs---- C:\WINDOWS\megavid.cdt
2008-04-24 15:52 . 2008-04-24 16:00 <DIR> d-------- C:\Program Files\LimeWire
2008-04-24 15:47 . 2008-04-24 15:47 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-04-24 15:47 . 2008-04-24 15:47 <DIR> d-------- C:\Program Files\MSBuild
2008-04-24 15:46 . 2008-04-24 15:46 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-04-24 15:45 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-04-24 15:37 . 2008-04-24 15:37 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-24 09:37 . 2008-04-24 09:37 <DIR> d-------- C:\Program Files\CCleaner
2008-04-24 09:02 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-24 09:02 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-04-24 09:02 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-04-24 09:02 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-04-23 17:38 . 2008-04-23 17:38 1,160 --a------ C:\WINDOWS\mozver.dat
2008-04-23 17:10 . 2008-03-01 09:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-23 17:10 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-23 17:10 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-23 17:10 . 2008-03-01 09:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-23 17:10 . 2008-03-01 09:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-23 17:10 . 2008-03-01 09:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-23 17:10 . 2008-03-01 09:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-23 17:10 . 2008-03-01 09:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-23 17:10 . 2008-02-22 06:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-23 17:01 . 2008-04-23 17:01 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-23 17:01 . 2007-08-13 19:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-04-23 17:00 . 2008-04-23 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-04-23 16:59 . 2008-04-24 16:49 <DIR> d-------- C:\Documents and Settings\Chris Dolhan\Application Data\Azureus
2008-04-23 16:52 . 2008-04-23 16:54 <DIR> d-------- C:\Program Files\Azureus
2008-04-23 16:51 . 2006-08-21 05:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-23 16:51 . 2006-08-21 05:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-23 16:51 . 2006-08-21 08:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-23 16:36 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-23 16:08 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-23 16:08 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-23 16:08 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-22 13:30 . 2008-04-22 13:31 <DIR> d-------- C:\Program Files\Windows Live
2008-04-22 13:30 . 2008-04-22 13:30 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-22 13:29 . 2008-04-22 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-22 13:04 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-04-22 12:59 . 2008-04-22 12:59 <DIR> d-------- C:\Documents and Settings\Chris Dolhan\Application Data\Apple Computer
2008-04-22 12:59 . 2006-08-14 06:34 332,928 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-04-22 12:59 . 2008-04-25 10:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-22 12:59 . 2008-04-22 12:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-22 12:58 . 2008-04-22 12:58 <DIR> d-------- C:\Program Files\iPod
2008-04-22 12:57 . 2008-04-22 12:58 <DIR> d-------- C:\Program Files\iTunes
2008-04-22 12:55 . 2008-04-22 12:57 <DIR> d-------- C:\Program Files\QuickTime
2008-04-22 12:55 . 2008-04-22 12:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-22 12:54 . 2008-04-22 12:54 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-22 12:53 . 2008-04-22 12:53 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-22 12:53 . 2008-04-22 12:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-22 12:51 . 2008-04-22 12:51 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-22 12:39 . 2008-04-22 12:39 <DIR> d-------- C:\WINDOWS\provisioning
2008-04-22 12:39 . 2008-04-22 12:39 <DIR> d-------- C:\WINDOWS\peernet
2008-04-22 12:34 . 2008-04-22 12:34 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-22 12:24 . 2008-04-22 12:24 <DIR> d-------- C:\WINDOWS\EHome
2008-04-22 12:19 . 2002-04-15 21:11 67,866 --a------ C:\WINDOWS\system32\drivers\netwlan5.img
2008-04-22 12:19 . 2004-08-04 00:56 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2008-04-22 12:19 . 2004-08-02 14:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-04-22 12:19 . 2004-08-02 14:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-04-22 11:52 . 2008-04-22 11:52 <DIR> d--hs---- C:\Documents and Settings\Chris Dolhan\UserData
2008-04-22 11:35 . 2008-04-22 11:35 <DIR> d-------- C:\Documents and Settings\Chris Dolhan\Contacts
2008-04-22 11:32 . 2008-04-22 13:31 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-22 09:33 . 2008-04-22 09:33 <DIR> d-------- C:\Program Files\Linksys
2008-04-22 09:33 . 2002-02-02 00:00 1,497,088 --a------ C:\WINDOWS\system32\cc3260mt.dll
2008-04-22 09:33 . 2000-01-31 05:00 1,496,064 --a------ C:\WINDOWS\system32\cc3250mt.dll
2008-04-22 09:33 . 2003-07-16 22:43 94,208 --a------ C:\WINDOWS\system32\W32N50CT.dll
2008-04-22 09:33 . 2000-01-31 05:00 25,600 --a------ C:\WINDOWS\system32\borlndmm.dll
2008-04-22 09:33 . 2003-07-16 22:28 17,142 --a------ C:\WINDOWS\system32\CBTNDIS5.sys
2008-04-22 09:33 . 1998-05-13 00:00 4,716 --a------ C:\WINDOWS\system32\VERSION.LIB
2008-04-22 09:32 . 2008-04-22 09:32 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-22 09:32 . 2008-04-22 09:32 <DIR> d-------- C:\Program Files\Funk Software
2008-04-22 09:32 . 2008-04-22 09:32 <DIR> d-------- C:\Program Files\Common Files\Funk Software
2008-04-22 09:32 . 2003-05-14 16:01 62,673 -ra------ C:\WINDOWS\system32\drivers\odysseyIM3.sys
2008-04-22 09:13 . 2008-04-22 09:13 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-22 04:46 . 2003-07-17 04:40 265,728 --a------ C:\WINDOWS\system32\drivers\bcmwl5.sys
2008-04-22 04:40 . 2003-05-06 18:13 <DIR> d-------- C:\Documents and Settings\Chris Dolhan\Application Data\InterTrust
2008-04-22 04:40 . 2003-05-06 18:18 <DIR> d-------- C:\Documents and Settings\Chris Dolhan\Application Data\Drag'n Drop CD+DVD
2008-04-22 04:40 . 2008-04-22 11:52 <DIR> d-------- C:\Documents and Settings\Chris Dolhan
2008-04-22 04:40 . 2008-04-25 10:51 180,224 --ah----- C:\Documents and Settings\Chris Dolhan\ntuser.dat.LOG
2008-04-22 04:40 . 2008-04-22 04:40 0 -rahs---- C:\WINDOWS\system32\drivers\TOSHIBA_Satellite A20_S3A1382D001_PSA20C-02HKQP.MRK
2008-04-22 04:39 . 2008-04-22 04:39 1,024 --ah----- C:\Documents and Settings\Default User\ntuser.dat.LOG
2008-04-22 04:39 . 2008-04-22 04:39 1,024 --ah----- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
2008-04-22 04:36 . 2008-04-22 04:36 <DIR> d-------- C:\WINDOWS\Options
2008-04-22 04:36 . 2008-04-22 04:36 <DIR> d-------- C:\Program Files\ltmoh
2008-04-22 04:36 . 2008-04-22 04:36 <DIR> d-------- C:\Program Files\DataLode
2008-04-22 04:36 . 2000-05-26 12:07 262,144 --a------ C:\WINDOWS\system32\SMBIOS.ocx
2008-04-22 04:36 . 2003-02-25 00:42 128,113 --a------ C:\WINDOWS\system32\csellang.ini
2008-04-22 04:36 . 2003-04-09 22:25 110,592 --a------ C:\WINDOWS\system32\cselect.exe
2008-04-22 04:36 . 2001-05-09 00:38 77,824 --a------ C:\WINDOWS\system32\tosmreg.exe
2008-04-22 04:36 . 2003-02-13 17:13 59,392 --------- C:\WINDOWS\agrsmdel.exe
2008-04-22 04:36 . 2000-12-13 08:25 45,056 --a------ C:\WINDOWS\system32\csellang.dll
2008-04-22 04:36 . 2003-04-10 19:49 9,150 --a------ C:\WINDOWS\system32\tosmreg.ini
2008-04-22 04:36 . 2003-02-25 01:01 7,671 --a------ C:\WINDOWS\system32\cseltbl.ini
2008-04-22 04:35 . 2002-01-24 17:43 6,528 --a------ C:\WINDOWS\system32\drivers\Tbiosdrv.sys
2008-04-22 02:05 . 2008-04-25 09:38 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-22 02:05 . 2004-08-04 03:56 438,784 --a------ C:\WINDOWS\system32\xpob2res.dll
2008-04-22 02:05 . 2004-08-04 03:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-04-22 02:05 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-22 02:05 . 2004-08-04 03:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-04-22 02:05 . 2004-08-04 03:56 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2008-04-22 02:05 . 2004-08-04 03:56 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2008-04-22 02:04 . 2008-04-22 02:04 <DIR> d-------- C:\Documents and Settings\Chris Dolhan\Application Data\Talkback
2008-04-22 02:04 . 2008-04-22 02:04 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-22 01:56 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-04-22 01:56 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-04-22 01:56 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-04-22 01:56 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2008-04-22 01:56 . 2004-08-03 14:03 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2008-04-22 01:56 . 2004-08-03 14:01 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2008-04-22 01:56 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 14:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-22 13:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 08:40 --------- d-----w C:\Program Files\Toshiba
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PmProxy"="C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe" [2003-02-28 22:54 40960]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2003-01-17 13:41 253952]
"000StTHK"="000StTHK.exe" [2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-12-25 17:38 159744]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 21:00 126976]
"TFNF5"="TFNF5.exe" [2001-08-03 20:08 73728 C:\WINDOWS\system32\TFNF5.exe]
"Tpwrtray"="TPWRTRAY.EXE" [2002-12-10 13:49 237568 C:\WINDOWS\system32\TPWRTRAY.EXE]
"TFncKy"="TFncKy.exe" []
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 18:07 49152]
"NDSTray.exe"="C:\Program Files\Toshiba\ConfigFree\NDSTray.exe" [2003-01-18 08:26 458752]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"Drag'n Drop CD+DVD"="C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe" [2003-01-09 19:54 991232]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-01-22 17:54 184320]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-05-06 17:57:28 155648]
Wireless-G Notebook Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe [2008-04-22 09:33:12 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 ALiAGP;ALi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\ALiAGP.sys [2002-09-02 16:16]
R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\system32\DRIVERS\TVALG.SYS [2001-09-13 22:53]
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\CBTNDIS5.SYS [2003-07-16 22:28]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2003-05-14 16:01]
R3 tridxp;tridxp;C:\WINDOWS\system32\DRIVERS\tridxpm.sys [2003-04-24 19:39]
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2003-02-10 19:27]
S2 MsSecurity1.209.4;MsSecurity Updated;C:\WINDOWS\winself.exe service []
S2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [2003-11-13 13:29]
S3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\aliirda.sys [2001-12-18 02:54]
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2003-02-12 12:03]
S3 wlags48b;Wireless LAN PCCard Driver;C:\WINDOWS\system32\DRIVERS\wlags48b.sys [2002-06-28 11:29]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 16:55:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 10:50:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
.
**************************************************************************
.
Completion time: 2008-04-25 10:55:23 - machine was rebooted [Chris Dolhan]
ComboFix-quarantined-files.txt 2008-04-25 14:55:17

Pre-Run: 20,798,976,000 bytes free
Post-Run: 20,764,602,368 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

245 --- E O F --- 2008-04-25 13:44:30


Now for HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:58 AM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Chris Dolhan\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5487 bytes
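The two HijackThis logs in this thread (the first post and the one above) differ in exactly the entries a helper looks at first: the F2 UserInit line with a second executable chained in, the O10 WebHancer LSP hijacks, the webHancer O4 autorun, and the O23 "Unknown owner" service living directly in C:\WINDOWS. The script below is an added example, not part of the thread, of HijackThis or of ComboFix; it applies those checks to constructed lines modelled on both logs and reports which findings disappeared between them. The adware directory list and the thresholds are assumptions for illustration.

```python
"""Triage heuristics for HijackThis v2 log lines (added example, not a project tool)."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    kind: str    # HijackThis section the line came from, e.g. "F2", "O23"
    item: str    # identifying item: chained executable, run-key name, service name
    reason: str  # why an analyst should look at it


# Constructed samples: a subset of the first log in the thread and of the log after ComboFix.
LOG_BEFORE = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O10 - Hijacked Internet access by WebHancer
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
"""

# Assumed list of directories known to belong to adware; webHancer is the one named in the thread.
ADWARE_DIRS = ("\\webhancer\\",)
WINDIR = "c:\\windows\\"
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def check_userinit(line: str) -> List[Finding]:
    """Winlogon runs every comma-separated entry in UserInit; only userinit.exe belongs there."""
    value = line.split("UserInit=", 1)[1]
    entries = [e.strip() for e in value.split(",") if e.strip()]
    extras = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
    return [Finding("F2", e, "extra executable chained into Winlogon UserInit") for e in extras]


def check_o4(line: str) -> List[Finding]:
    """Flag Run-key autoruns whose command points into a known adware directory."""
    m = O4_RE.match(line)
    if not m:
        return []
    if any(d in m.group("cmd").lower() for d in ADWARE_DIRS):
        return [Finding("O4", m.group("name"), "autorun points into a known adware directory")]
    return []


def check_o23(line: str) -> List[Finding]:
    """Flag unknown-owner services whose binary is missing or sits directly in %WINDIR%."""
    m = O23_RE.match(line)
    if not m:
        return []
    low = m.group("path").lower()
    missing = "(file missing)" in low
    exe = low.replace(" (file missing)", "")
    # Vendor services install under Program Files or system32; a bare %WINDIR%\name.exe
    # with no owner is the pattern winself.exe shows in this thread.
    in_windir_root = exe.startswith(WINDIR) and "\\" not in exe[len(WINDIR):]
    if m.group("owner") == "Unknown owner" and (missing or in_windir_root):
        why = "service binary missing" if missing else "unknown-owner service running from %WINDIR% root"
        return [Finding("O23", m.group("name"), why)]
    return []


def triage(log: str) -> List[Finding]:
    """Run every heuristic over a HijackThis log and return the findings in log order."""
    findings: List[Finding] = []
    for raw in log.strip().splitlines():
        line = raw.strip()
        if line.startswith("F2 - ") and "UserInit=" in line:
            findings += check_userinit(line)
        elif line.startswith("O10 - Hijacked"):
            findings.append(Finding("O10", line[len("O10 - "):], "Winsock LSP chain hijacked"))
        elif line.startswith("O4 - "):
            findings += check_o4(line)
        elif line.startswith("O23 - "):
            findings += check_o23(line)
    return findings


def resolved(before: str, after: str) -> List[Finding]:
    """Findings from the earlier log that no longer appear (by kind and item) in the later one."""
    still = {(f.kind, f.item) for f in triage(after)}
    return [f for f in triage(before) if (f.kind, f.item) not in still]


if __name__ == "__main__":
    for f in triage(LOG_BEFORE):
        print(f"[{f.kind}] {f.item}: {f.reason}")
    print("resolved after cleanup:", [(f.kind, f.item) for f in resolved(LOG_BEFORE, LOG_AFTER)])
    print("still open:", [(f.kind, f.item, f.reason) for f in triage(LOG_AFTER)])
```

On the constructed samples the only finding left open after cleanup is the orphaned MsSecurity service entry, which is exactly what the Driver:: line in the follow-up CFScript removes.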

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:04:02 AM

Posted 26 April 2008 - 05:23 AM

Well done, StupidVirus101,

Let's clean up some more :

Open Notepad - don't use any other texteditor than Notepad or the script will fail !
Copy/paste the bold, blue text below into an empty notepad window:

File::
C:\WINDOWS\wintst32.tmp
C:\WINDOWS\mainms.vpi
C:\WINDOWS\muotr.so
C:\WINDOWS\megavid.cdt
Folder::
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Program Files\Bat
Driver::
MsSecurity1.209.4

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

Are you still having problems ?

Greetings,
Thunder

#5 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:04:02 AM

Posted 25 May 2008 - 05:04 PM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
