Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde Infection


  • This topic is locked This topic is locked
6 replies to this topic

#1 dkelloway

dkelloway

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 27 April 2008 - 11:12 AM

Deckard's System Scanner v20071014.68
Run by Darrell on 2008-04-27 13:33:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Darrell.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:34 PM, on 27/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Users\Darrell\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKA1P0ET\dss[1].exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Darrell.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.futureproducers.com/forums/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {ca959eab-f75e-29c8-2214-aa56636b65ca} - {ac56b636-65aa-4122-8c92-e57fbae959ac} - C:\Windows\system32\paedwlln.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [HWSetup] \HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [ICSDCLT] C:\Windows\rundll32.exe C:\Windows\system32\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [f44f3b13] rundll32.exe "C:\Windows\system32\gilbkeke.dll",b
O4 - HKLM\..\Run: [BMf77c088f] Rundll32.exe "C:\Windows\system32\mhcudbht.dll",s
O4 - HKLM\..\RunServices: [SSDPSRV] C:\Windows\system32\ssdpsrv.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Rogers Update Manager (RogersUpdateManager) - Rogers Cable Communications - C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9835 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 KORGUMDS (KORG USB-MIDI Driver for Windows XP) - c:\windows\system32\drivers\korgumds.sys <Not Verified; KORG Inc.; KORG USB-MIDI Driver for Windows XP>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree™>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 TNaviSrv (TOSHIBA Navi Support Service) - c:\program files\toshiba\toshiba dvd player\tnavisrv.exe <Not Verified; TOSHIBA Corporation; TOSHIBA DVD Player>
R2 TODDSrv (TOSHIBA Optical Disc Drive Service) - c:\windows\system32\toddsrv.exe <Not Verified; TOSHIBA Corporation; TDCSrv Application>

S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0001
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #2
PNP Device ID: ROOT\*6TO4MP\0001
Service: tunnel


-- Scheduled Tasks -------------------------------------------------------------

2008-04-22 13:51:48 504 --a------ C:\Windows\Tasks\Norton Security Online - Run Full System Scan - Darrell.job


-- Files created between 2008-03-27 and 2008-04-27 -----------------------------

2008-04-27 13:25:13 0 d-------- C:\Program Files\Trend Micro
2008-04-26 12:41:01 107072 --a------ C:\Windows\system32\paedwlln.dll
2008-04-26 12:35:38 106048 --a------ C:\Windows\system32\mhcudbht.dll
2008-04-26 12:34:59 296889 --ahs---- C:\Windows\system32\gghjPqru.ini2
2008-04-26 12:34:58 283136 --a------ C:\Windows\system32\urqPjhgg.dll
2008-04-26 11:54:08 0 -rahs---- C:\MSDOS.SYS
2008-04-26 11:54:08 0 -rahs---- C:\IO.SYS
2008-04-25 17:18:07 171680808 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-04-25 14:32:13 345 --ahs---- C:\Windows\system32\KStvDNpo.ini2
2008-04-25 14:18:20 262144 --a------ C:\ntuser.dat
2008-04-25 13:51:40 0 d-------- C:\Windows\pss
2008-04-25 13:08:14 197090 --ahs---- C:\Windows\system32\LSCIknmp.ini2
2008-04-24 15:18:43 0 --a------ C:\Windows\nsreg.dat
2008-04-24 15:10:36 206600 --ahs---- C:\Windows\system32\GijmoUtv.ini2
2008-04-24 14:25:54 0 d-------- C:\Program Files\Common Files\iZotope
2008-04-24 13:29:26 0 d-------- C:\VundoFix Backups
2008-04-23 23:36:18 200703 --ahs---- C:\Windows\system32\rsYaccdd.ini2
2008-04-23 00:19:59 345 --ahs---- C:\Windows\system32\RXGgOXyb.ini2
2008-04-22 17:33:28 0 d-------- C:\Program Files\CCleaner
2008-04-22 17:20:30 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-22 12:17:35 0 d-------- C:\Program Files\Rogers
2008-04-22 12:08:18 0 d-------- C:\Users\All Users\Yahoo!
2008-04-22 12:08:18 0 d-------- C:\graphics
2008-04-22 12:07:03 0 d-------- C:\Users\All Users\Lavasoft
2008-04-22 12:04:49 0 d-------- C:\Program Files\Yahoo!
2008-04-22 03:19:50 195122 --ahs---- C:\Windows\system32\ayxwvGgh.ini2
2008-04-11 15:03:52 274432 --a------ C:\Windows\system32\NCTAudioPlayer.dll <Not Verified; NCT Company; NCTAudioPlayer ActiveX DLL>
2008-04-11 15:03:52 892928 --a------ C:\Windows\system32\NCTAudioInformation.dll <Not Verified; NCT Company; NCTAudioInformation ActiveX DLL>
2008-04-11 15:03:51 1703936 --a------ C:\Windows\system32\NCTAudioFile.dll <Not Verified; NCT Company; NCTAudioFile ActiveX DLL>
2008-04-11 15:03:51 233472 --a------ C:\Windows\system32\lame_enc.dll
2008-04-11 14:51:46 0 d-------- C:\Program Files\WAV to MP3 Encoder
2008-04-04 17:01:22 0 d-------- C:\Program Files\ASIO4ALL v2
2008-04-04 16:59:20 0 d-------- C:\Program Files\Outsim
2008-04-03 17:39:14 0 d-------- C:\Program Files\iPod
2008-04-03 17:39:00 0 d-------- C:\Program Files\iTunes
2008-04-03 17:37:13 0 d-------- C:\Program Files\QuickTime


-- Find3M Report ---------------------------------------------------------------

2008-04-26 16:12:13 0 d-------- C:\Program Files\Ares
2008-04-24 16:01:27 0 d-------- C:\Users\Darrell\AppData\Roaming\Adobe
2008-04-24 15:20:48 0 d-------- C:\Users\Darrell\AppData\Roaming\uTorrent
2008-04-24 15:18:38 0 d-------- C:\Users\Darrell\AppData\Roaming\Mozilla
2008-04-24 14:25:54 0 d-------- C:\Program Files\VstPlugins
2008-04-24 14:25:54 0 d-------- C:\Program Files\Common Files
2008-04-22 14:01:40 0 d-------- C:\Program Files\Symantec
2008-04-22 13:59:47 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-22 12:12:51 0 d-------- C:\Users\Darrell\AppData\Roaming\Yahoo!
2008-04-09 03:18:17 0 d-------- C:\Program Files\Windows Mail
2008-04-04 17:05:31 0 d-------- C:\Program Files\Image-Line
2008-03-29 12:34:16 0 d-------- C:\Program Files\Java
2008-03-25 11:40:05 0 d-------- C:\Program Files\Safari
2008-03-18 19:22:35 102364 --a------ C:\Windows\hpqins13.dat
2008-03-18 19:22:20 0 d-------- C:\Program Files\HP
2008-03-18 19:21:37 0 d-------- C:\Program Files\Common Files\HP


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ac56b636-65aa-4122-8c92-e57fbae959ac}]
26/04/2008 12:41 PM 107072 --a------ C:\Windows\system32\paedwlln.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/11/2007 06:35 AM]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [25/05/2007 02:33 AM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [25/05/2007 02:33 AM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [25/05/2007 02:33 AM]
"RtHDVCpl"="RtHDVCpl.exe" [10/05/2007 05:40 AM C:\Windows\RtHDVCpl.exe]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [06/11/2006 09:44 PM]
"HWSetup"="\HWSetup.exe" []
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [23/03/2006 02:12 AM]
"NDSTray.exe"="NDSTray.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25 AM]
"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [10/04/2007 10:10 PM]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [29/03/2007 04:09 PM]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [07/12/2006 10:19 PM]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [22/03/2007 05:16 PM]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [22/05/2007 10:02 PM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [11/09/2006 03:51 AM]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [09/01/2007 02:53 AM]
"ICSDCLT"="C:\Windows\C:\Windows\system32\icsdclt.dll" []
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [12/03/2007 07:30 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 11:16 PM]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [22/08/2007 04:31 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36 AM]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [26/10/2007 03:42 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/01/2007 03:29 AM]
"f44f3b13"="C:\Windows\system32\gilbkeke.dll" []
"BMf77c088f"="C:\Windows\system32\mhcudbht.dll" [26/04/2008 12:35 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [09/01/2008 04:02 AM]
"TOSCDSPD"="TOSCDSPD.EXE" []
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [02/11/2006 10:05 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SSDPSRV"=C:\Windows\system32\ssdpsrv.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"LtMoh"=C:\Program Files\ltmoh\Ltmoh.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [17/02/1999 5:35:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-04-27 13:37:10 ------------

Attached Files



BC AdBot (Login to Remove)

 


m

#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:51 AM

Posted 28 April 2008 - 02:19 PM

Hello dkelloway,

Welcome to Bleeping Computer :thumbsup:

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 dkelloway

dkelloway
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 29 April 2008 - 10:29 AM

ComboFix 08-04-28.2 - Darrell 2008-04-29 12:43:12.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.889 [GMT -2.5:30]
Running from: C:\Users\Darrell\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\Microsoft\Windows\Start Menu\Online Security Guide.url
C:\ProgramData\Microsoft\Windows\Start Menu\Security Troubleshooting.url
C:\Windows\System32\ayxwvGgh.ini
C:\Windows\System32\ayxwvGgh.ini2
C:\Windows\system32\bedtcbsb.ini
C:\Windows\system32\dhgptyif.ini
C:\Windows\system32\fjuluhkr.ini
C:\Windows\System32\gghjPqru.ini
C:\Windows\System32\gghjPqru.ini2
C:\Windows\System32\GijmoUtv.ini
C:\Windows\System32\GijmoUtv.ini2
C:\Windows\system32\jvxeayjc.ini
C:\Windows\System32\KStvDNpo.ini
C:\Windows\System32\KStvDNpo.ini2
C:\Windows\System32\LSCIknmp.ini
C:\Windows\System32\LSCIknmp.ini2
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\paedwlln.dll
C:\Windows\System32\rsYaccdd.ini
C:\Windows\System32\rsYaccdd.ini2
C:\Windows\System32\RXGgOXyb.ini
C:\Windows\System32\RXGgOXyb.ini2
C:\Windows\system32\swxoxnlr.ini
C:\Windows\system32\urqPjhgg.dll
C:\Windows\system32\urvjarju.ini
C:\Windows\system32\wtienigw.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 15:11 --------- d-----w C:\Users\Darrell\AppData\Roaming\uTorrent
2008-04-29 14:48 --------- d-----w C:\Program Files\Apple Software Update
2008-04-27 15:55 --------- d-----w C:\Program Files\Trend Micro
2008-04-26 18:42 --------- d-----w C:\Program Files\Ares
2008-04-26 14:26 262,144 ----a-w C:\ntuser.dat
2008-04-25 19:48 171,680,808 ----a-w C:\SYM_REGISTRY_BACKUP.reg
2008-04-24 16:55 --------- d-----w C:\Program Files\VstPlugins
2008-04-24 16:55 --------- d-----w C:\Program Files\Common Files\iZotope
2008-04-22 20:06 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-04-22 20:03 --------- d-----w C:\Program Files\CCleaner
2008-04-22 19:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-22 19:00 --------- d-----w C:\ProgramData\Lavasoft
2008-04-22 16:31 --------- d-----w C:\Program Files\Symantec
2008-04-22 16:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-22 16:28 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-04-22 16:28 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-04-22 16:28 10,740 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-04-22 16:27 --------- d-----w C:\ProgramData\Symantec
2008-04-22 15:51 --------- d-----w C:\ProgramData\Yahoo!
2008-04-22 14:47 --------- d-----w C:\Program Files\Rogers
2008-04-22 14:42 --------- d-----w C:\Users\Darrell\AppData\Roaming\Yahoo!
2008-04-22 14:38 --------- d-----w C:\Program Files\Yahoo!
2008-04-11 17:26 --------- d-----w C:\Program Files\WAV to MP3 Encoder
2008-04-09 05:48 --------- d-----w C:\Program Files\Windows Mail
2008-04-09 05:40 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-04 19:35 --------- d-----w C:\Program Files\Image-Line
2008-04-04 19:31 --------- d-----w C:\Program Files\ASIO4ALL v2
2008-04-04 19:29 --------- d-----w C:\Program Files\Outsim
2008-04-03 20:09 --------- d-----w C:\Program Files\iTunes
2008-04-03 20:09 --------- d-----w C:\Program Files\iPod
2008-04-03 20:07 --------- d-----w C:\Program Files\QuickTime
2008-03-29 15:04 --------- d-----w C:\Program Files\Java
2008-03-25 14:10 --------- d-----w C:\Program Files\Safari
2008-03-18 21:52 --------- d-----w C:\Program Files\HP
2008-03-18 21:51 --------- d-----w C:\ProgramData\HP
2008-03-18 21:51 --------- d-----w C:\Program Files\Common Files\HP
2008-03-08 02:14 148,992 ----a-w C:\Windows\system32\drivers\ks.sys
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll
2008-02-14 23:19 944,184 ----a-w C:\Windows\System32\winload.exe
2008-02-14 02:50 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2008-02-13 06:42 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-13 06:37 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-13 06:37 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-13 06:36 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 06:36 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 06:36 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 06:36 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-13 06:36 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-13 06:36 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-13 06:36 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 06:36 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 06:36 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-13 06:36 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-01-29 14:32 107,368 ----a-w C:\Windows\System32\GEARAspi.dll
2007-11-11 15:02 174 --sha-w C:\Program Files\desktop.ini
2007-11-14 11:27 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-11-14 11:27 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-11-14 11:27 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 04:02 1232896]
"TOSCDSPD"="TOSCDSPD.EXE" []
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 10:05 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-11-11 06:35 1006264]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-05-25 02:33 142104]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-05-25 02:33 154392]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-05-25 02:33 138008]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 05:40 4468736 C:\Windows\RtHDVCpl.exe]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 21:44 34352]
"HWSetup"="\HWSetup.exe" [ ]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-23 02:12 438272]
"NDSTray.exe"="NDSTray.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [2007-04-10 22:10 413696]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 16:09 411192]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 22:19 55416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-03-22 17:16 448632]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 22:02 538744]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2006-09-11 03:51 180224]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-01-09 02:53 191552]
"ICSDCLT"="C:\Windows\C:\Windows\system32\icsdclt.dll" [ ]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 19:30 517768]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 16:31 80896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 03:29 115816]
"f44f3b13"="C:\Windows\system32\gilbkeke.dll" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SSDPSRV"="C:\Windows\system32\ssdpsrv.exe" [2001-07-21 15:30 55568]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-01-09 02:53 191552]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 17:35:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"midi1"= KORGUMDD.DRV
"midi2"= KORGUMDD.DRV
"midi3"= KORGUMDD.DRV

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{15D96786-EFE6-4374-8E51-76865B817B5E}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{75A53D15-6092-49D3-A822-CAD628C2F623}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{080AFD73-2DF3-42B2-89CC-C8FA16B7B9B6}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{F940193A-075E-4561-BC28-3985595F3BDA}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{D0F0712F-A9A4-4A48-88B8-5C9985DEC688}C:\\program files\\ares\\ares.exe"= UDP:C:\program files\ares\ares.exe:Ares p2p for windows
"UDP Query User{64F87EA6-BDBA-4199-BE51-3AEA7FF18DFB}C:\\program files\\ares\\ares.exe"= TCP:C:\program files\ares\ares.exe:Ares p2p for windows
"TCP Query User{A4769EE5-6997-4156-9A1E-710D10CDDAE8}C:\\program files\\ares ultra\\ares ultra.exe"= UDP:C:\program files\ares ultra\ares ultra.exe:Ares Ultra p2p for windows
"UDP Query User{8E37F98C-12AC-45FD-BDD4-CB89ACAFD413}C:\\program files\\ares ultra\\ares ultra.exe"= TCP:C:\program files\ares ultra\ares ultra.exe:Ares Ultra p2p for windows
"{5250BA49-D420-4A8C-A491-6436E64E7E89}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{616F0100-0F7D-490A-8589-89B926A196A7}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 LPCFilter;LPC Lower Filter Driver;C:\Windows\system32\DRIVERS\LPCFilter.sys [2006-07-28 20:55]
R0 tos_sps32;TOSHIBA tos_sps32 Service;C:\Windows\system32\DRIVERS\tos_sps32.sys [2007-05-17 21:10]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080425.001\IDSvix86.sys [2008-04-04 17:47]
R2 RogersUpdateManager;Rogers Update Manager;C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe [2007-10-31 11:04]
R2 TNaviSrv;TOSHIBA Navi Support Service;C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe [2007-05-17 21:12]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-05-22 00:58]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-01-09 20:02]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 16:20]
R3 UVCFTR;UVCFTR;C:\Windows\system32\Drivers\UVCFTR_S.SYS [2007-04-16 15:49]
S3 KORGUMDS;KORG USB-MIDI Driver for Windows XP;C:\Windows\system32\Drivers\KORGUMDS.SYS [2005-12-19 22:37]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 22:42:00 C:\Windows\Tasks\Norton Security Online - Run Full System Scan - Darrell.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeB/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 12:46:34
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 13

**************************************************************************
.
Completion time: 2008-04-29 12:47:52
ComboFix-quarantined-files.txt 2008-04-29 15:17:38

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

222 --- E O F --- 2008-04-09 05:40:34

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:51 AM

Posted 29 April 2008 - 11:04 AM

Hello,

Could I see a new HijackThis log please? How is it running now? :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 dkelloway

dkelloway
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 30 April 2008 - 08:27 AM

My system has actually been running a lot better lately, but just in case

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:23 AM, on 30/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.futureproducers.com/forums/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [HWSetup] \HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [ICSDCLT] C:\Windows\rundll32.exe C:\Windows\system32\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [f44f3b13] rundll32.exe "C:\Windows\system32\gilbkeke.dll",b
O4 - HKLM\..\RunServices: [SSDPSRV] C:\Windows\system32\ssdpsrv.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Rogers Update Manager (RogersUpdateManager) - Rogers Cable Communications - C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9915 bytes

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:51 AM

Posted 30 April 2008 - 09:35 AM

Hello,

Glad to know it, and it looks good. :thumbsup: Just a couple of lines to fix with HijackThis:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O4 - HKLM\..\Run: [f44f3b13] rundll32.exe "C:\Windows\system32\gilbkeke.dll",b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
<-----This is a resource hog.

Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are Kerio, or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:51 AM

Posted 03 May 2008 - 11:16 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users