
Vundo Trojan Removal Help


This topic is locked. 29 replies to this topic.

#1 Rick Shanti (Members, 16 posts)

Posted 23 December 2008 - 02:51 PM

Hello...

I have gotten a Vundo Trojan on my computer and need help removing it. I was unable to run HiJackThis (it wouldn't install) but was able to run ComboFix (installed from a USB drive). I'm now able to get to the internet (wasn't able to before) but am still getting popups. I'll paste the log from ComboFix below. Please let me know what else I need to do.

Thanks in advance

ComboFix 08-12-23.01 - Mark Mulka 2008-12-23 11:02:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.161 [GMT -8:00]
Running from: c:\documents and settings\Mark Mulka\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Desktop\Online Security Guide.url
c:\documents and settings\All Users\Desktop\Security Troubleshooting.url
c:\documents and settings\All Users\Start Menu\Online Security Guide.url
c:\documents and settings\All Users\Start Menu\Security Troubleshooting.url
c:\documents and settings\Gregg Wright\svchost.exe
c:\documents and settings\Lisa Wright.DAPUTER\Favorites\Online Security Test.url
c:\documents and settings\Lisa Wright.DAPUTER\My Documents\My Documents.url
c:\documents and settings\Lisa Wright.DAPUTER\My Documents\My Music\My Music.url
c:\documents and settings\Lisa Wright.DAPUTER\My Documents\My Pictures\My Pictures.url
c:\documents and settings\Lisa Wright.DAPUTER\My Documents\My Videos\My Video.url
c:\documents and settings\Lisa Wright.DAPUTER\svchost.exe
c:\program files\NetProject
c:\program files\NetProject\myd.ico
c:\program files\NetProject\mym.ico
c:\program files\NetProject\myp.ico
c:\program files\NetProject\myv.ico
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\tn3
c:\windows\BM031e4ca0.txt
c:\windows\BM031e4ca0.xml
c:\windows\cookies.ini
c:\windows\Downloaded Program Files\setup.inf
c:\windows\pskt.ini
c:\windows\system32\834668
c:\windows\system32\acwpjsak.dll
c:\windows\system32\aKUCJRqr.ini
c:\windows\system32\aKUCJRqr.ini2
c:\windows\system32\anjhadsw.dll
c:\windows\system32\bbifmmev.ini
c:\windows\system32\bqfmwptn.dll
c:\windows\system32\cmzfqv.dll
c:\windows\system32\cryonscj.dll
c:\windows\system32\dcdlgefd.dll
c:\windows\system32\ddeljmqu.dll
c:\windows\system32\dgganjas.dll
c:\windows\system32\dmujtjjh.dll
c:\windows\system32\drivers\core.cache(2).dsk
c:\windows\system32\drivers\core.cache(3).dsk
c:\windows\system32\efmmmisi.dll
c:\windows\system32\ekclsjut.dll
c:\windows\system32\ekuujhgb.ini
c:\windows\system32\evcgsbkp.ini
c:\windows\system32\evolpsjw.ini
c:\windows\system32\eyoaorjh.ini
c:\windows\system32\fbjmbjgr.ini
c:\windows\system32\fblbgffi.ini
c:\windows\system32\fhtitpul.dll
c:\windows\system32\gkxajsvo.dll
c:\windows\system32\gqxvkqie.dll
c:\windows\system32\gwjtagfh.dll
c:\windows\system32\gyoawbvr.dll
c:\windows\system32\hcxusmdg.dll
c:\windows\system32\hrqabtyt.ini
c:\windows\system32\huhoeygp.dll
c:\windows\system32\igybtbkt.dll
c:\windows\system32\ikyhbetp.ini
c:\windows\system32\ikyhbetp.ini2
c:\windows\system32\imikrpgg.dll
c:\windows\system32\iodsygvb.ini
c:\windows\system32\iousjelk.dll
c:\windows\system32\iqfoewim.dll
c:\windows\system32\ixtlerpc.dll
c:\windows\system32\jalyoykf.ini
c:\windows\system32\jcbrmhhs.dll
c:\windows\system32\jckthorj.dll
c:\windows\system32\jpiswxwl.dll
c:\windows\system32\jwvucaid.dll
c:\windows\system32\kafqytqd.dll
c:\windows\system32\kdapc.exe
c:\windows\system32\kdmctevm.dll
c:\windows\system32\kesaneue.dll
c:\windows\system32\kniymadg.dll
c:\windows\system32\lqhvwpwg.ini
c:\windows\system32\lsejixlv.dll
c:\windows\system32\mcenwlfh.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\mdydtpvj.dll
c:\windows\system32\mxhdqceh.dll
c:\windows\system32\nkwjonqf.dll
c:\windows\system32\nnvbxwwr.ini
c:\windows\system32\odlxasve.ini
c:\windows\system32\oqxrirhy.dll
c:\windows\system32\orvtkcqe.dll
c:\windows\system32\OWGNonpo.ini
c:\windows\system32\OWGNonpo.ini2
c:\windows\system32\owwkvmph.ini
c:\windows\system32\owwkvmph.ini2
c:\windows\system32\owwkvmph.tmp
c:\windows\system32\oxphwohq.dll
c:\windows\system32\pcnohgqe.ini
c:\windows\system32\pqmguygm.dll
c:\windows\system32\puvjfweo.ini2
c:\windows\system32\puvjfweo.tmp
c:\windows\system32\qbotiqef.dll
c:\windows\system32\qgkxpipa.ini
c:\windows\system32\qntxmvjr.ini
c:\windows\system32\qqluvjip.dll
c:\windows\system32\rhfkoqew.dll
c:\windows\system32\rknbjuyo.dll
c:\windows\system32\rpdcabqj.dll
c:\windows\system32\rrxxihec.dll
c:\windows\system32\ruvhveug.dll
c:\windows\system32\rxlcuqay.dll
c:\windows\system32\rxxbpeet.ini
c:\windows\system32\sfyuleoj.ini
c:\windows\system32\siwbusxu.dll
c:\windows\system32\svoiqfwv.dll
c:\windows\system32\tbfybyrp.ini
c:\windows\system32\tguxlcmh.dll
c:\windows\system32\tlakyiid.dll
c:\windows\system32\txjdqkka.dll
c:\windows\system32\unkbibqu.dll
c:\windows\system32\vefntcsl.dll
c:\windows\system32\wautkbqc.dll
c:\windows\system32\wnpvudns.dll
c:\windows\system32\wntfvftq.dll
c:\windows\system32\xkqremng.dll
c:\windows\system32\xlaunk.dll
c:\windows\system32\xljubkgv.dll
c:\windows\system32\xpefgllu.dll
c:\windows\system32\yfkxlwcg.dll
c:\windows\system32\yhelvtbk.ini
c:\windows\system32\ykfaoqvj.dll
c:\windows\system32\ylufuqnr.dll
c:\windows\system32\ympytnix.dll
c:\windows\system32\yxwemnvr.ini
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))
.

2008-12-23 11:22 . 2008-12-23 11:22 <DIR> d-------- c:\temp\tn3
2008-12-22 20:59 . 2008-12-22 20:59 <DIR> d-------- c:\program files\Avira
2008-12-22 20:59 . 2008-12-22 20:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-12 16:45 . 2008-12-12 16:45 <DIR> d-------- c:\documents and settings\Gregg Wright\Application Data\Apple Computer
2008-12-03 08:32 . 2008-12-03 08:32 <DIR> d-------- c:\documents and settings\Lisa Wright.DAPUTER\Application Data\Apple Computer
2008-11-24 19:40 . 2008-05-01 06:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2008-11-24 19:39 . 2008-06-13 05:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-11-24 19:39 . 2008-06-13 05:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-24 19:39 . 2008-07-07 12:06 253,952 -----c--- c:\windows\system32\dllcache\es.dll
2008-11-24 19:39 . 2008-06-24 08:23 74,240 -----c--- c:\windows\system32\dllcache\mscms.dll
2008-11-23 20:06 . 2008-11-28 07:31 <DIR> d-------- c:\windows\system32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 19:19 932 ------w c:\windows\system32\drivers\core.cache.dsk
2008-12-23 18:53 --------- d-----w c:\program files\Trend Micro
2008-12-23 18:26 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-22 02:00 --------- d-----w c:\program files\Norton Security Scan
2008-12-07 04:48 --------- d-----w c:\program files\Apple Software Update
2008-12-07 04:42 --------- d-----w c:\program files\Safari
2008-11-28 01:17 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-28 00:15 --------- d-----w c:\program files\Microsoft Works
2008-11-05 06:41 --------- d-----w c:\documents and settings\Mark Mulka\Application Data\U3
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2007-05-25 03:20 1,334,134 ----a-w c:\program files\PaintDotNet_3_07_BetaNews.zip
2007-02-12 02:21 6,432 -c--a-w c:\documents and settings\Mark Mulka\Application Data\wklnhst.dat
2006-10-16 02:40 0 -c--a-w c:\documents and settings\Gregg Wright\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-09 68856]
"TrendSecure Remote File Lock"="c:\program files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe" [2008-02-15 423248]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-02-16 492808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-27 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-27 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-27 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"HostManager"="c:\program files\Common Files\AOL\1140083713\ee\AOLSoftware.exe" [2006-05-09 50760]
"IVPServiceMgr"="c:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 475136]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"TDispVol"="TDispVol.exe" [2005-03-11 c:\windows\system32\TDispVol.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]

c:\documents and settings\Mark Mulka\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-02-15 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xlaunk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\aim6.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Safari\\Safari.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 tdtcpp;tdtcpp;c:\windows\system32\drivers\tdtcpp.sys [2008-04-24 86144]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-02-16 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2008-02-16 333328]
S2 tmevtmgr;tmevtmgr;\??\c:\windows\system32\drivers\tmevtmgr.sys [2008-04-30 52240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b6f2c53-9e4d-11dd-b4b3-001302a7b350}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c051e3f7-570e-11db-b383-00038a000015}]
\Shell\AutoRun\command - E:\Installer.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-12-22 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2008-01-09 04:08]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1a146ea5-a855-49a8-9397-4cc16d7a28b0} - c:\windows\system32\xlaunk.dll
BHO-{4fcb79a6-d3c7-4f68-8a9b-8404bdc309a0} - c:\windows\system32\cmzfqv.dll
BHO-{95D42333-B767-4CFD-BA16-D49A225D332A} - (no file)
BHO-{CD4413FF-BB8E-4F14-A3BC-1739350F38A2} - c:\windows\system32\opnoNGWO.dll
Notify-byXQGwTn - byXQGwTn.dll
Notify-opnonkJc - (no file)
Notify-vtUlMeba - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://internetsearchservice.com/ie6.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchURL = hxxp://internetsearchservice.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-23 11:23:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSBattM.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre1.5.0_09\bin\jucheck.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-12-23 11:39:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-23 19:39:11

Pre-Run: 43,329,032,192 bytes free
Post-Run: 43,335,114,752 bytes free

323 --- E O F --- 2008-11-28 15:12:12
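As an added example (not posted by anyone in this thread and not part of ComboFix), the following Python triages the persistence indicators that the log above exposes: the AppInit_DLLs entry, BHOs loading from system32 or with no file, Winlogon Notify orphans, hijacked search settings, and Security Center monitoring flags. The excerpt it runs on is constructed from lines in the log above; the heuristics, regexes and names are the example's own.

```python
"""Triage a ComboFix log for Vundo-style persistence indicators.
Added example for this thread; not part of ComboFix. Heuristics are the example's own.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = act on it, "review" = confirm before acting
    kind: str
    detail: str


# Search hosts the posted log itself shows as the user's own defaults; any
# other host in a Search setting line is reported as a possible hijack.
KNOWN_SEARCH_HOSTS = ("www.google.com",)

RE_APPINIT = re.compile(r'^"AppInit_DLLs"=(.+)$', re.I)
RE_BHO = re.compile(r'^BHO-\{[0-9a-f-]+\} - (.+)$', re.I)
RE_NOTIFY = re.compile(r'^Notify-(\S+) - (.+)$', re.I)
RE_SEARCH = re.compile(r'^[um]Search[^=]*=\s*(?:hxxp|http)://([^/\s]+)', re.I)
RE_DISABLE = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line and collect indicators worth a responder's eye."""
    findings: List[Finding] = []
    appinit_dlls, bho_dlls = set(), set()
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()  # REGEDIT4-style key header
            continue
        m = RE_APPINIT.match(line)
        if m:
            # Vundo's classic loader: a DLL named here is mapped into every
            # process that links user32.dll, so a single entry is a high finding.
            for dll in re.split(r"[,\s]+", m.group(1).strip()):
                if dll:
                    appinit_dlls.add(dll.lower())
                    findings.append(Finding("high", "appinit_dlls", f"AppInit_DLLs loads {dll}"))
            continue
        m = RE_BHO.match(line)
        if m:
            target = m.group(1).strip()
            if target.lower() == "(no file)":
                findings.append(Finding("review", "bho_orphan", f"BHO registered but file missing: {line}"))
            elif target.lower().startswith("c:\\windows\\system32\\"):
                # Legitimate BHOs almost always live under Program Files;
                # a randomly named DLL dropped in system32 is the Vundo pattern.
                bho_dlls.add(target.rsplit("\\", 1)[-1].lower())
                findings.append(Finding("high", "bho_system32", f"BHO loads from system32: {target}"))
            continue
        m = RE_NOTIFY.match(line)
        if m:
            name, target = m.group(1), m.group(2).strip()
            findings.append(Finding("review", "winlogon_notify", f"Winlogon Notify package {name} -> {target}"))
            continue
        m = RE_SEARCH.match(line)
        if m:
            host = m.group(1).lower()
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(Finding("high", "search_hijack", f"search setting points at {host}"))
            continue
        if RE_DISABLE.match(line) and "security center" in current_key:
            # A third-party suite registering itself sets this legitimately,
            # so it is only a review item, not proof of tampering.
            product = current_key.rsplit("\\", 1)[-1]
            findings.append(Finding("review", "security_center", f"monitoring disabled for {product}"))
    # Strongest signal in the posted log: the same DLL sits in AppInit_DLLs
    # and in a BHO entry, giving it two independent ways back into memory.
    for dll in sorted(appinit_dlls & bho_dlls):
        findings.append(Finding("high", "correlated", f"{dll} is both an AppInit_DLLs entry and a BHO"))
    return findings


# Constructed excerpt: lines taken from the Reg Loading Points, ORPHANS REMOVED
# and Supplementary Scan sections of the first log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-27 98304]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xlaunk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
- - - - ORPHANS REMOVED - - - -
BHO-{1a146ea5-a855-49a8-9397-4cc16d7a28b0} - c:\windows\system32\xlaunk.dll
BHO-{95D42333-B767-4CFD-BA16-D49A225D332A} - (no file)
Notify-byXQGwTn - byXQGwTn.dll
mSearch Bar = hxxp://internetsearchservice.com/ie6.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:16} {f.detail}")
```

The benign Run entry and the Google search URL produce no findings, which is the point: the script flags loading points and hijacks, not every line in the log.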


#2 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 23 December 2008 - 10:56 PM

Hello Rick Shanti,


* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
c:\windows\system32\drivers\tdtcpp.sys
c:\windows\system32\drivers\core.cache.dsk

Driver::
tdtcpp

Folder::
c:\temp\tn3


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log, if you can download it now. :thumbsup:

Thanks,
tea

#3 Rick Shanti (Topic Starter, Members, 16 posts)

Posted 24 December 2008 - 12:09 AM

Thanks for getting back to me, Tea. Here are the ComboFix and HijackThis logs. It appears I can run HijackThis now. Please let me know if there is anything else I need to do to finish this Trojan removal.

Rick

ComboFix 08-12-23.01 - Mark Mulka 2008-12-23 20:45:09.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.152 [GMT -8:00]
Running from: c:\documents and settings\Mark Mulka\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark Mulka\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\tdtcpp.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\tn3
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\tdtcpp.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDTCPP
-------\Service_tdtcpp


((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))
.

2008-12-12 16:45 . 2008-12-12 16:45 <DIR> d-------- c:\documents and settings\Gregg Wright\Application Data\Apple Computer
2008-12-03 08:32 . 2008-12-03 08:32 <DIR> d-------- c:\documents and settings\Lisa Wright.DAPUTER\Application Data\Apple Computer
2008-11-24 19:40 . 2008-05-01 06:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2008-11-24 19:39 . 2008-06-13 05:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-11-24 19:39 . 2008-06-13 05:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-24 19:39 . 2008-07-07 12:06 253,952 -----c--- c:\windows\system32\dllcache\es.dll
2008-11-24 19:39 . 2008-06-24 08:23 74,240 -----c--- c:\windows\system32\dllcache\mscms.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 23:00 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-23 18:53 --------- d-----w c:\program files\Trend Micro
2008-12-23 18:26 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-07 04:48 --------- d-----w c:\program files\Apple Software Update
2008-12-07 04:42 --------- d-----w c:\program files\Safari
2008-11-28 00:15 --------- d-----w c:\program files\Microsoft Works
2008-11-05 06:41 --------- d-----w c:\documents and settings\Mark Mulka\Application Data\U3
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2007-05-25 03:20 1,334,134 ----a-w c:\program files\PaintDotNet_3_07_BetaNews.zip
2007-02-12 02:21 6,432 -c--a-w c:\documents and settings\Mark Mulka\Application Data\wklnhst.dat
2006-10-16 02:40 0 -c--a-w c:\documents and settings\Gregg Wright\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-23_11.37.04.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-27 03:49:48 1,011,488 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109010090400000000000F01FEC\12.0.4518\MSDAIPP.DLL
+ 2006-10-27 03:49:46 970,528 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109010090400000000000F01FEC\12.0.4518\MSONSEXT.DLL
+ 2006-10-27 23:00:12 1,751,904 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACECORE.DLL
+ 2006-10-27 23:00:10 576,376 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACEDAO.DLL
+ 2006-10-27 23:00:06 47,976 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACEERR.DLL
+ 2006-10-27 23:00:08 191,360 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACEES.DLL
+ 2006-10-27 04:13:34 338,800 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACEEXCH.DLL
+ 2006-10-27 04:13:44 629,616 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACEEXCL.DLL
+ 2006-10-27 04:13:28 207,736 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACELTS.DLL
+ 2006-10-27 04:13:32 279,352 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACEODBC.DLL
+ 2006-10-27 04:13:08 15,160 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACEODDBS.DLL
+ 2006-10-27 04:13:08 15,160 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACEODEXL.DLL
+ 2006-10-27 04:13:08 15,160 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACEODPDX.DLL
+ 2006-10-27 04:13:12 15,160 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACEODTXT.DLL
+ 2006-10-27 23:00:06 387,960 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACEOLEDB.DLL
+ 2006-10-27 04:13:38 392,048 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACEPDE.DLL
+ 2006-10-27 04:13:30 260,976 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACER2X.DLL
+ 2006-10-27 04:13:32 289,648 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACER3X.DLL
+ 2006-10-27 04:13:20 56,120 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACERCLR.DLL
+ 2006-10-27 04:13:38 551,800 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACEREP.DLL
+ 2006-10-27 04:13:30 224,104 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACETXT.DLL
+ 2006-10-27 04:13:34 371,568 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ACEXBE.DLL
+ 2006-10-27 23:41:04 399,640 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\CDLMSO.DLL
+ 2006-10-27 03:59:24 205,616 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\CLVIEW.EXE
+ 2006-10-27 03:48:14 439,568 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\DWDCW20.DLL
+ 2006-10-27 03:21:24 1,682,232 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\FPSRVUTL.DLL
+ 2006-10-27 23:09:36 983,376 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\FPWEC.DLL
+ 2006-10-27 04:12:52 173,328 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\IEAWSDC.DLL
+ 2006-10-27 03:55:10 828,704 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\MEDCAT.DLL
+ 2006-10-26 21:58:14 117,552 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\MSCONV97.DLL
+ 2006-10-27 22:59:06 161,080 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\MSOCF.DLL
+ 2006-10-27 03:48:12 14,664 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\MSOCFU.DLL
+ 2006-10-27 04:12:58 428,816 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\MSODCW.DLL
+ 2006-10-27 05:13:36 26,936 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\MSOEURO.DLL
+ 2006-10-27 04:00:08 6,635,320 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\MSORES.DLL
+ 2006-10-26 21:56:36 436,520 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\MSORUN.DLL
+ 2006-10-26 21:56:40 505,136 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\MSSOAP30.DLL
+ 2006-10-27 03:55:12 832,800 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\MSTORDB.EXE
+ 2006-10-27 03:55:06 538,904 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\MSTORES.DLL
+ 2006-10-27 04:12:30 65,824 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\NAME.DLL
+ 2006-10-27 23:14:34 14,151,456 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\OART.DLL
+ 2006-10-27 04:06:54 232,816 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\ODEPLOY.EXE
+ 2006-10-27 04:14:06 7,033,152 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\OFFOWC.DLL
+ 2006-10-27 04:00:08 274,744 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\OIS.EXE
+ 2006-10-27 04:00:12 998,208 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\OISAPP.DLL
+ 2006-10-27 04:00:10 285,008 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\OISGRAPH.DLL
+ 2006-10-27 04:07:04 6,536,992 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\OSETUP.DLL
+ 2006-07-27 02:53:56 459,080 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\OUTLFLTR.DLL
+ 2006-10-27 05:30:44 482,088 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\PORTCONN.DLL
+ 2006-10-27 05:13:38 38,168 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\REFEDIT.DLL
+ 2006-10-27 04:13:00 503,624 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\SELFCERT.EXE
+ 2006-10-27 04:06:58 439,600 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.4518\SETUP.EXE
+ 2007-05-10 00:19:48 2,585,936 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002119910000000000000000F01FEC\12.0.6215\VBE6.DLL
- 2007-01-31 06:10:22 217,864 ----a-r c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2008-12-23 23:00:19 217,864 ----a-r c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
- 2008-11-28 01:17:05 20,240 ----a-r c:\windows\Installer\{91120000-0019-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-12-23 22:58:38 20,240 ----a-r c:\windows\Installer\{91120000-0019-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-11-28 01:17:06 217,864 ----a-r c:\windows\Installer\{91120000-0019-0000-0000-0000000FF1CE}\misc.exe
+ 2008-12-23 22:58:38 217,864 ----a-r c:\windows\Installer\{91120000-0019-0000-0000-0000000FF1CE}\misc.exe
- 2008-11-28 01:17:06 18,704 ----a-r c:\windows\Installer\{91120000-0019-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-12-23 22:58:38 18,704 ----a-r c:\windows\Installer\{91120000-0019-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-11-28 01:17:06 35,088 ----a-r c:\windows\Installer\{91120000-0019-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-12-23 22:58:38 35,088 ----a-r c:\windows\Installer\{91120000-0019-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-11-28 01:17:05 272,648 ----a-r c:\windows\Installer\{91120000-0019-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-12-23 22:58:38 272,648 ----a-r c:\windows\Installer\{91120000-0019-0000-0000-0000000FF1CE}\pubs.exe
- 2007-06-06 18:53:34 1,195,888 ----a-w c:\windows\system32\FM20.DLL
+ 2007-08-23 09:03:38 1,195,888 ----a-w c:\windows\system32\FM20.DLL
- 2007-09-06 02:50:42 17,474,680 ----a-w c:\windows\system32\MRT.exe
+ 2008-11-04 00:10:26 17,318,336 ----a-w c:\windows\system32\MRT.exe
+ 2007-08-23 08:18:08 96,256 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2007-08-23 08:18:08 1,101,824 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2007-08-23 08:18:08 1,093,120 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2007-08-23 08:18:08 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2007-08-23 08:18:08 57,856 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2007-08-23 08:18:08 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2007-08-23 08:18:08 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2007-08-23 08:18:08 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2007-08-23 08:18:08 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2007-08-23 08:18:08 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2007-08-23 08:18:08 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2007-08-23 08:18:08 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2007-08-23 08:18:08 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2007-08-23 08:18:08 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-09 68856]
"TrendSecure Remote File Lock"="c:\program files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe" [2008-02-15 423248]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-02-16 492808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-27 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-27 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-27 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"HostManager"="c:\program files\Common Files\AOL\1140083713\ee\AOLSoftware.exe" [2006-05-09 50760]
"IVPServiceMgr"="c:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 475136]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"TDispVol"="TDispVol.exe" [2005-03-11 c:\windows\system32\TDispVol.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]

c:\documents and settings\Mark Mulka\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-02-15 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xlaunk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\aim6.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Safari\\Safari.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 tmevtmgr;tmevtmgr;\??\c:\windows\system32\drivers\tmevtmgr.sys [2008-04-30 52240]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-02-16 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-30 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2008-02-16 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2008-04-30 488768]
R3 tmproxy;Trend Micro Proxy Service;"c:\program files\Trend Micro\Internet Security\TmProxy.exe" [2008-04-30 648456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b6f2c53-9e4d-11dd-b4b3-001302a7b350}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c051e3f7-570e-11db-b383-00038a000015}]
\Shell\AutoRun\command - E:\Installer.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://internetsearchservice.com/ie6.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchURL = hxxp://internetsearchservice.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-23 20:53:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSBattM.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Trend Micro\TrendSecure\TSCFCommander.exe
.
**************************************************************************
.
Completion time: 2008-12-23 21:00:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-24 04:59:58
ComboFix2.txt 2008-12-23 22:32:16
ComboFix3.txt 2008-12-23 19:39:18

Pre-Run: 42,806,779,904 bytes free
Post-Run: 42,792,628,224 bytes free

279 --- E O F --- 2008-12-23 23:02:10


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:26 PM, on 12/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\AOL\1140083713\ee\AOLSoftware.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140083713\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [TrendSecure Remote File Lock] C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O20 - AppInit_DLLs: xlaunk.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9968 bytes

#4 Rick Shanti
  • Topic Starter
  • Members
  • 16 posts

Posted 24 December 2008 - 12:17 AM

Tea...

I guess I spoke too soon. After getting the logs off to you I attempted to start my TrendMicro Security Pro and now I'm locked out of the internet from the infected computer again. It looks like some part of the trojan is still active. I'm sending this post from another computer. Please check the logs as soon as you get a chance and let me know what was missed.

Thanks in advance...

Rick

#5 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 24 December 2008 - 12:24 AM

Hi Rick,

Thanks for getting the HijackThis log. That means progress, even if just a little. :thumbsup:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
O20 - AppInit_DLLs: xlaunk.dll


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

* Using Windows Explorer, locate the following file and delete it if still present:

xlaunk.dll


It *should* be in system32.

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Thanks,
tea
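The entries teacup61 singles out in the post above (the two R1 lines pointing at internetsearchservice.com and the O20 AppInit_DLLs line) are exactly what a small triage pass can pull out of a HijackThis log automatically. The Python below is an added example for this thread, not a BleepingComputer, HijackThis or Malwarebytes tool: it parses R0/R1 and O20 lines, flags Internet Explorer search and start-page URLs whose host is outside an assumed allow-list of Microsoft and Google defaults, and reports any DLL registered through AppInit_DLLs. The allow-list, the `Finding` type and the function names are assumptions of the example; the sample lines are copied from the HijackThis log posted earlier in the thread.

```python
import re
from typing import List, NamedTuple
from urllib.parse import urlparse

# Added example (not part of the forum thread): triage a HijackThis log for
# Internet Explorer search/start-page hijacks (R0/R1 lines) and DLLs loaded
# via AppInit_DLLs (O20 lines).  The allow-list is an assumption for this
# example, not a HijackThis feature; extend it with defaults you know are fine.
DEFAULT_IE_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.google.com"}

R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<url>\S+)$")
O20_LINE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")


class Finding(NamedTuple):
    category: str   # "search-hijack" or "appinit-dll"
    item: str       # registry value name, e.g. "SearchURL"
    value: str      # the URL or DLL name found
    line: str       # the original log line, for pasting into a reply


def review_hijackthis(lines) -> List[Finding]:
    """Scan HijackThis log lines and return the entries worth a closer look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            url = m.group("url")
            # ProxyOverride and other non-URL R1 values are not hijack candidates.
            if not url.lower().startswith(("http://", "https://")):
                continue
            host = urlparse(url).hostname or ""
            if host not in DEFAULT_IE_HOSTS:
                findings.append(Finding("search-hijack", m.group("name").strip(), url, line))
            continue
        m = O20_LINE.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that maps user32.dll,
            # so any non-empty value deserves investigation regardless of name.
            for dll in re.split(r"[ ,]+", m.group("dlls").strip()):
                if dll:
                    findings.append(Finding("appinit-dll", "AppInit_DLLs", dll, line))
    return findings


def suggested_fix_lines(log_text: str) -> List[str]:
    """Return the raw log lines a helper would ask the user to tick in HijackThis."""
    seen: List[str] = []
    for f in review_hijackthis(log_text.splitlines()):
        if f.line not in seen:
            seen.append(f.line)
    return seen


# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O20 - AppInit_DLLs: xlaunk.dll
"""

if __name__ == "__main__":
    for f in review_hijackthis(SAMPLE_LOG.splitlines()):
        print(f"{f.category:14} {f.item}: {f.value}")
```

Run against the sample it reports the two search-URL entries and the xlaunk.dll AppInit entry and nothing else; `suggested_fix_lines` hands back the three raw lines in the form a helper would paste into a reply. The default Microsoft start and search pages pass because their host is on the allow-list, and the ProxyOverride line is skipped because its value is not a URL.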

#6 Rick Shanti
  • Topic Starter
  • Members
  • 16 posts

Posted 24 December 2008 - 12:11 PM

I think we're looking pretty good now. Here are the logs you requested. Let me know if there is anything else I need to do.

Thanks...

Rick

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:35 AM, on 12/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\AOL\1140083713\ee\AOLSoftware.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140083713\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [TrendSecure Remote File Lock] C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9874 bytes


Malwarebytes' Anti-Malware 1.31
Database version: 1540
Windows 5.1.2600 Service Pack 2

12/24/2008 8:38:03 AM
mbam-log-2008-12-24 (08-38-02).txt

Scan type: Quick Scan
Objects scanned: 65376
Time elapsed: 5 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 4
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7d5dd829-6c90-42c5-b54c-2afa82f988ba} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\bx4 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hn3 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pb1 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\566828 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

#7 Rick Shanti (Topic Starter)

Posted 24 December 2008 - 12:24 PM

Tea...

I guess I spoke too soon once again. After getting the logs off to you I attempted to start my TrendMicro Security Pro and now I'm once again locked out of the internet from the infected computer. It looks like some part of the trojan is still active. I'm sending this post from another computer

Please check the logs as soon as you get a chance and let me know what was missed. This is getting old :-(, but thanks for all the help. I really appreciate the efforts you're making.

Rick

#8 teacup61 (Malware Response Team)

Posted 24 December 2008 - 12:39 PM

Hi Rick,

Please go offline and disable all your protection programs, including TrendMicro, and run ComboFix. Post the report in your reply. :thumbsup: I'm doing my best, and I understand your frustration.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 Rick Shanti (Topic Starter)

Posted 24 December 2008 - 01:24 PM

Oh, I hope you didn't take my last message wrong. I think you're doing a GREAT job. I'm just frustrated with these guys that expend all of their creative energy making something so malicious and anti-productive. Imagine what we could do with our computers if all of these malware-makers used their energy to make computing easier and more fun?

Being Xmas Eve, I may not do too much more after this post. Will you be checking posts again on Friday (the 26th)?

Have a great holiday.

Rick

PS - I will post the ComboFix log as soon as it finishes.

#10 Rick Shanti (Topic Starter)

Posted 24 December 2008 - 01:40 PM

Here's the combofix log.

Thanks again and Merry Christmas :-)

ComboFix 08-12-23.01 - Mark Mulka 2008-12-24 10:21:07.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.209 [GMT -8:00]
Running from: c:\documents and settings\Mark Mulka\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))
.

2008-12-24 09:14 . 2008-12-24 09:14 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-24 09:14 . 2008-12-24 09:14 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-24 08:44 . 2008-12-24 08:44 <DIR> d--hs---- C:\found.000
2008-12-24 08:27 . 2008-12-24 08:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-24 08:27 . 2008-12-24 08:27 <DIR> d-------- c:\documents and settings\Mark Mulka\Application Data\Malwarebytes
2008-12-24 08:27 . 2008-12-24 08:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-24 08:27 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-24 08:27 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-12 16:45 . 2008-12-12 16:45 <DIR> d-------- c:\documents and settings\Gregg Wright\Application Data\Apple Computer
2008-12-03 08:32 . 2008-12-03 08:32 <DIR> d-------- c:\documents and settings\Lisa Wright.DAPUTER\Application Data\Apple Computer
2008-11-24 19:40 . 2008-05-01 06:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2008-11-24 19:39 . 2008-06-13 05:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-11-24 19:39 . 2008-06-13 05:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-24 19:39 . 2008-07-07 12:06 253,952 -----c--- c:\windows\system32\dllcache\es.dll
2008-11-24 19:39 . 2008-06-24 08:23 74,240 -----c--- c:\windows\system32\dllcache\mscms.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-24 17:14 --------- d-----w c:\program files\Java
2008-12-23 23:00 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-23 18:53 --------- d-----w c:\program files\Trend Micro
2008-12-23 18:26 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-07 04:48 --------- d-----w c:\program files\Apple Software Update
2008-12-07 04:42 --------- d-----w c:\program files\Safari
2008-11-28 00:15 --------- d-----w c:\program files\Microsoft Works
2008-11-13 04:01 5,843 ----a-w c:\windows\system32\owjcxtdp.dll
2008-11-12 04:04 5,843 ----a-w c:\windows\system32\laginqso.dll
2008-11-12 03:58 5,845 ----a-w c:\windows\system32\xmhrxryx.dll
2008-11-10 23:04 5,843 ----a-w c:\windows\system32\urbknsyb.dll
2008-11-09 07:17 5,845 ----a-w c:\windows\system32\aqvrfawv.dll
2008-11-09 07:14 5,843 ----a-w c:\windows\system32\ufxfspyy.dll
2008-11-09 06:14 5,845 ----a-w c:\windows\system32\mpxveqqm.dll
2008-11-07 01:19 5,845 ----a-w c:\windows\system32\egffqnxv.dll
2008-11-07 01:16 5,843 ----a-w c:\windows\system32\gpaenocf.dll
2008-11-06 01:17 5,843 ----a-w c:\windows\system32\yukasoyc.dll
2008-11-06 01:15 5,845 ----a-w c:\windows\system32\igwjioar.dll
2008-11-05 06:41 --------- d-----w c:\documents and settings\Mark Mulka\Application Data\U3
2008-11-04 03:34 5,843 ----a-w c:\windows\system32\cuuwipqk.dll
2008-11-04 03:31 5,845 ----a-w c:\windows\system32\aajnaydr.dll
2008-11-03 03:31 5,845 ----a-w c:\windows\system32\ymbyyvum.dll
2008-11-03 03:29 5,843 ----a-w c:\windows\system32\hskouhtk.dll
2008-11-02 03:32 5,843 ----a-w c:\windows\system32\ocdmqduh.dll
2008-11-02 03:29 5,845 ----a-w c:\windows\system32\cbtgadbw.dll
2008-11-01 03:28 5,843 ----a-w c:\windows\system32\ycsvbrac.dll
2008-11-01 03:27 5,845 ----a-w c:\windows\system32\vkxgnxxe.dll
2008-10-30 22:48 5,843 ----a-w c:\windows\system32\kfmdwfkl.dll
2008-10-30 22:45 5,845 ----a-w c:\windows\system32\gnnlmrrj.dll
2008-10-30 22:42 5,845 ----a-w c:\windows\system32\cmuxvpqb.dll
2008-10-25 13:18 5,811 ----a-w c:\windows\system32\awjvymst.exe
2008-10-25 13:15 5,845 ----a-w c:\windows\system32\ccyrpusg.dll
2008-10-25 13:13 5,843 ----a-w c:\windows\system32\nynjotkh.dll
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 05:57 5,845 ----a-w c:\windows\system32\fpvfaeas.dll
2008-10-24 05:54 5,811 ----a-w c:\windows\system32\mnpdqtgp.exe
2008-10-24 05:48 5,843 ----a-w c:\windows\system32\lrcuuntf.dll
2008-10-23 05:55 5,843 ----a-w c:\windows\system32\owounltn.dll
2008-10-23 05:52 5,811 ----a-w c:\windows\system32\grbhalxd.exe
2008-10-23 05:46 5,845 ----a-w c:\windows\system32\dqljghjo.dll
2008-10-22 05:52 5,845 ----a-w c:\windows\system32\hjblaonp.dll
2008-10-22 05:49 5,843 ----a-w c:\windows\system32\gykrpryu.dll
2008-10-22 05:46 5,811 ----a-w c:\windows\system32\xeneaxaq.exe
2008-10-21 02:50 5,843 ----a-w c:\windows\system32\uuanxwrh.dll
2008-10-21 02:47 5,845 ----a-w c:\windows\system32\lnbfhrpj.dll
2008-10-21 02:47 5,811 ----a-w c:\windows\system32\mkuvtyib.exe
2008-10-20 02:44 5,811 ----a-w c:\windows\system32\ladgfche.exe
2008-10-20 02:41 5,843 ----a-w c:\windows\system32\xounbfcs.dll
2008-10-20 02:38 5,845 ----a-w c:\windows\system32\kjadgbce.dll
2008-10-20 01:44 5,845 ----a-w c:\windows\system32\qwhsiwoc.dll
2008-10-18 14:19 5,843 ----a-w c:\windows\system32\cgmxaepk.dll
2008-10-18 14:16 5,845 ----a-w c:\windows\system32\mbygevjf.dll
2008-10-18 14:14 5,811 ----a-w c:\windows\system32\ncwbkaaf.exe
2008-10-17 05:41 5,843 ----a-w c:\windows\system32\nihtyrxd.dll
2008-10-17 05:38 5,811 ----a-w c:\windows\system32\ujnmcboi.exe
2008-10-17 05:35 5,845 ----a-w c:\windows\system32\lksjathe.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 05:35 5,811 ----a-w c:\windows\system32\xoiryxme.exe
2008-10-16 05:33 5,845 ----a-w c:\windows\system32\hkemfoki.dll
2008-10-16 05:33 5,843 ----a-w c:\windows\system32\vgdijwlb.dll
2008-10-15 05:39 5,843 ----a-w c:\windows\system32\wlpslhmb.dll
2008-10-15 05:36 5,811 ----a-w c:\windows\system32\kjmkybkx.exe
2008-10-15 05:33 5,845 ----a-w c:\windows\system32\xwknpieu.dll
2008-10-15 04:30 5,845 ----a-w c:\windows\system32\xbefkjnp.dll
2008-10-14 03:37 5,843 ----a-w c:\windows\system32\oitnrqwi.dll
2008-10-14 03:35 5,845 ----a-w c:\windows\system32\mrdskkmi.dll
2008-10-14 02:34 5,845 ----a-w c:\windows\system32\gmfxdcon.dll
2008-10-13 01:11 5,845 ----a-w c:\windows\system32\yyrbxubj.dll
2008-10-13 01:09 5,843 ----a-w c:\windows\system32\brnhnoxp.dll
2008-10-13 01:08 5,845 ----a-w c:\windows\system32\jrsjywyx.dll
2008-10-11 15:34 5,845 ----a-w c:\windows\system32\efdobfcj.dll
2008-10-11 15:32 5,843 ----a-w c:\windows\system32\abbkimrq.dll
2008-10-11 14:33 5,845 ----a-w c:\windows\system32\kfipytos.dll
2008-10-10 05:36 5,845 ----a-w c:\windows\system32\btxbqxko.dll
2008-10-10 05:33 5,843 ----a-w c:\windows\system32\gtlqitpb.dll
2008-10-10 04:37 5,843 ----a-w c:\windows\system32\woannhuw.dll
2008-10-10 04:34 5,845 ----a-w c:\windows\system32\xieyqfwm.dll
2008-10-08 03:54 5,845 ----a-w c:\windows\system32\tqtdquha.dll
2008-10-08 03:51 5,843 ----a-w c:\windows\system32\pololpob.dll
2008-10-07 03:51 5,843 ----a-w c:\windows\system32\mssgqlee.dll
2008-10-07 03:50 5,845 ----a-w c:\windows\system32\gfwtbwmr.dll
2008-10-06 04:29 5,845 ----a-w c:\windows\system32\hxajelue.dll
2008-10-05 03:51 5,843 ----a-w c:\windows\system32\cabsjrxs.dll
2008-10-05 03:48 5,845 ----a-w c:\windows\system32\pypckbbr.dll
2008-10-05 03:48 5,845 ----a-w c:\windows\system32\mqhirncq.dll
2008-10-04 03:53 5,843 ----a-w c:\windows\system32\okjelphn.dll
2008-10-04 03:50 5,845 ----a-w c:\windows\system32\omsfyuml.dll
2008-10-04 03:47 5,845 ----a-w c:\windows\system32\cytyrdqv.dll
2008-10-03 05:42 5,845 ----a-w c:\windows\system32\gjtqatbs.dll
2008-10-02 02:13 5,843 ----a-w c:\windows\system32\lyrclbys.dll
2008-10-02 02:12 5,845 ----a-w c:\windows\system32\ptrdjeqv.dll
.

((((((((((((((((((((((((((((( snapshot_2008-12-23_20.59.13.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-10-12 09:35:14 49,248 -c--a-w c:\windows\system32\java.exe
+ 2008-12-24 17:14:36 144,792 ----a-w c:\windows\system32\java.exe
- 2006-10-12 09:35:24 53,346 -c--a-w c:\windows\system32\javaw.exe
+ 2008-12-24 17:14:36 144,792 ----a-w c:\windows\system32\javaw.exe
- 2006-10-12 11:10:56 127,078 -c--a-w c:\windows\system32\javaws.exe
+ 2008-12-24 17:14:37 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-24 17:49:07 16,384 ----atw c:\windows\temp\Perflib_Perfdata_2d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-09 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-27 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-27 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-27 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"HostManager"="c:\program files\Common Files\AOL\1140083713\ee\AOLSoftware.exe" [2006-05-09 50760]
"IVPServiceMgr"="c:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 475136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-24 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"MSConfig"="c:\windows\system32\dllcache\msconfig.exe" [2004-08-10 158208]
"TDispVol"="TDispVol.exe" [2005-03-11 c:\windows\system32\TDispVol.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]

c:\documents and settings\Mark Mulka\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-02-15 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE]
--a------ 2008-02-16 01:01 492808 c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrendSecure Remote File Lock]
--a------ 2008-02-15 03:53 423248 c:\program files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
--a------ 2008-07-29 14:52 1398024 c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tmproxy"=3 (0x3)
"TmPfw"=3 (0x3)
"TMBMServer"=2 (0x2)
"SfCtlCom"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\aim6.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Safari\\Safari.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 tmevtmgr;tmevtmgr;\??\c:\windows\system32\drivers\tmevtmgr.sys [2008-04-30 52240]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-02-16 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-30 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2008-02-16 333328]
S0 txdisgt;txdisgt;c:\windows\system32\drivers\fisndzq.sys []
S4 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2008-04-30 488768]
S4 tmproxy;Trend Micro Proxy Service;"c:\program files\Trend Micro\Internet Security\TmProxy.exe" [2008-04-30 648456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b6f2c53-9e4d-11dd-b4b3-001302a7b350}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c051e3f7-570e-11db-b383-00038a000015}]
\Shell\AutoRun\command - E:\Installer.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-24 10:25:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-24 10:33:23
ComboFix-quarantined-files.txt 2008-12-24 18:32:40
ComboFix2.txt 2008-12-24 05:00:09
ComboFix3.txt 2008-12-23 22:32:16
ComboFix4.txt 2008-12-23 19:39:18

Pre-Run: 42,664,480,768 bytes free
Post-Run: 42,658,234,368 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

265 --- E O F --- 2008-12-23 23:02:10

#11 teacup61 (Malware Response Team)

Posted 26 December 2008 - 03:49 PM

Hello,

* Open Notepad - don't use any other text editor than Notepad, or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\xoiryxme.exe
c:\windows\system32\hkemfoki.dll
c:\windows\system32\vgdijwlb.dll
c:\windows\system32\wlpslhmb.dll
c:\windows\system32\kjmkybkx.exe
c:\windows\system32\xwknpieu.dll
c:\windows\system32\xbefkjnp.dll
c:\windows\system32\oitnrqwi.dll
c:\windows\system32\mrdskkmi.dll
c:\windows\system32\gmfxdcon.dll
c:\windows\system32\yyrbxubj.dll
c:\windows\system32\brnhnoxp.dll
c:\windows\system32\jrsjywyx.dll
c:\windows\system32\efdobfcj.dll
c:\windows\system32\abbkimrq.dll
c:\windows\system32\kfipytos.dll
c:\windows\system32\btxbqxko.dll
c:\windows\system32\gtlqitpb.dll
c:\windows\system32\woannhuw.dll
c:\windows\system32\xieyqfwm.dll
c:\windows\system32\tqtdquha.dll
c:\windows\system32\pololpob.dll
c:\windows\system32\mssgqlee.dll
c:\windows\system32\gfwtbwmr.dll
c:\windows\system32\hxajelue.dll
c:\windows\system32\cabsjrxs.dll
c:\windows\system32\pypckbbr.dll
c:\windows\system32\mqhirncq.dll
c:\windows\system32\okjelphn.dll
c:\windows\system32\omsfyuml.dll
c:\windows\system32\cytyrdqv.dll
c:\windows\system32\gjtqatbs.dll
c:\windows\system32\lyrclbys.dll
c:\windows\system32\ptrdjeqv.dll
c:\windows\system32\fpvfaeas.dll
c:\windows\system32\mnpdqtgp.exe
c:\windows\system32\lrcuuntf.dll
c:\windows\system32\owounltn.dll
c:\windows\system32\grbhalxd.exe
c:\windows\system32\dqljghjo.dll
c:\windows\system32\hjblaonp.dll
c:\windows\system32\gykrpryu.dll
c:\windows\system32\xeneaxaq.exe
c:\windows\system32\uuanxwrh.dll
c:\windows\system32\lnbfhrpj.dll
c:\windows\system32\mkuvtyib.exe
c:\windows\system32\ladgfche.exe
c:\windows\system32\xounbfcs.dll
c:\windows\system32\kjadgbce.dll
c:\windows\system32\qwhsiwoc.dll
c:\windows\system32\cgmxaepk.dll
c:\windows\system32\mbygevjf.dll
c:\windows\system32\ncwbkaaf.exe
c:\windows\system32\nihtyrxd.dll
c:\windows\system32\ujnmcboi.exe
c:\windows\system32\lksjathe.dll
c:\windows\system32\cuuwipqk.dll
c:\windows\system32\aajnaydr.dll
c:\windows\system32\ymbyyvum.dll
c:\windows\system32\hskouhtk.dll
c:\windows\system32\ocdmqduh.dll
c:\windows\system32\cbtgadbw.dll
c:\windows\system32\ycsvbrac.dll
c:\windows\system32\vkxgnxxe.dll
c:\windows\system32\kfmdwfkl.dll
c:\windows\system32\gnnlmrrj.dll
c:\windows\system32\cmuxvpqb.dll
c:\windows\system32\awjvymst.exe
c:\windows\system32\ccyrpusg.dll
c:\windows\system32\nynjotkh.dll
c:\windows\system32\owjcxtdp.dll
c:\windows\system32\laginqso.dll
c:\windows\system32\xmhrxryx.dll
c:\windows\system32\urbknsyb.dll
c:\windows\system32\aqvrfawv.dll
c:\windows\system32\ufxfspyy.dll
c:\windows\system32\mpxveqqm.dll
c:\windows\system32\egffqnxv.dll
c:\windows\system32\gpaenocf.dll
c:\windows\system32\yukasoyc.dll
c:\windows\system32\igwjioar.dll


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript dragged onto ComboFix.exe]

This will start ComboFix again.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
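The ComboFix log in post #10 and the CFScript in post #11 together show the pattern a helper is looking for: dozens of 8-letter random-named .dll/.exe files of almost identical size (5,811 / 5,843 / 5,845 bytes) dropped directly into system32 over several weeks, plus an S0 driver entry (txdisgt -> fisndzq.sys) whose file has no size or date recorded. The Python below is an added example, not code from ComboFix, BleepingComputer or anyone in this thread. It parses Find3M report lines and R/S service lines, clusters the small random-named system32 files by size, flags service entries with a missing image, and renders the same "File::" section format used in the reply above. The selection rules (8 lowercase letters, .dll or .exe, at most 16 KB, no subdirectory) and the sample log are this example's own assumptions; the sample is constructed from a few lines shaped like the log above plus one made-up large legitimate file (ntoskrnl.exe) to show the size cut-off. The heuristic only shortlists files; verify each one (hash lookup, signature check) before putting it in a script that deletes it.

```python
"""Triage helper for a ComboFix log (added example; not ComboFix's own code).

Parses the Find3M report lines and the driver/service loading-point lines,
clusters the small, randomly named files sitting directly in system32 by
size, flags service entries whose image file is missing, and renders a
CFScript 'File::' section.  The selection rules are assumptions of this
example, not a definition of Vundo; the shortlist still needs verifying.
"""
import re
from collections import defaultdict

# Constructed sample: lines shaped like the log above, plus one made-up
# large legitimate 8-letter file (ntoskrnl.exe) to show the size cut-off.
SAMPLE_LOG = r"""
2008-11-13 04:01 5,843 ----a-w c:\windows\system32\owjcxtdp.dll
2008-11-12 04:04 5,843 ----a-w c:\windows\system32\laginqso.dll
2008-11-12 03:58 5,845 ----a-w c:\windows\system32\xmhrxryx.dll
2008-10-25 13:18 5,811 ----a-w c:\windows\system32\awjvymst.exe
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:09 2,180,992 ----a-w c:\windows\system32\ntoskrnl.exe
2008-12-24 17:14 --------- d-----w c:\program files\Java
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-02-16 36368]
S0 txdisgt;txdisgt;c:\windows\system32\drivers\fisndzq.sys []
"""

# Find3M line: "<date> <time> <size> <attrs> <path>"; directory lines carry
# dashes instead of a size and therefore do not match.
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) ([\d,]+) (\S+) (.+)$")
# Service line: "<start> <name>;<display>;<path> [<date> <size>]"; an empty
# bracket means ComboFix could not stat the image file.
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]+);(.+?) \[(.*)\]$")
# Heuristic (assumption): eight lowercase letters, .dll or .exe.
RANDOM_NAME = re.compile(r"[a-z]{8}\.(?:dll|exe)")
SYSTEM32 = "c:\\windows\\system32\\"


def parse_find3m(log):
    """Return one dict per Find3M file line (directories are skipped)."""
    entries = []
    for line in log.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        when, size, attrs, path = m.groups()
        entries.append({"when": when, "size": int(size.replace(",", "")),
                        "attrs": attrs, "path": path})
    return entries


def suspect_droppers(entries, max_size=16384, min_cluster=3):
    """Small, random-named files directly in system32, grouped by size.

    Returns {} unless at least `min_cluster` such files exist, so a single
    odd file name is not reported as a dropper campaign.
    """
    by_size = defaultdict(list)
    for e in entries:
        lowered = e["path"].lower()
        if not lowered.startswith(SYSTEM32):
            continue
        name = lowered[len(SYSTEM32):]
        if "\\" in name or not RANDOM_NAME.fullmatch(name) or e["size"] > max_size:
            continue
        by_size[e["size"]].append(e["path"])
    if sum(len(v) for v in by_size.values()) < min_cluster:
        return {}
    return {size: sorted(paths) for size, paths in by_size.items()}


def missing_driver_services(log):
    """Service/driver loading points whose image has no size/date ('[]')."""
    found = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m and m.group(5).strip() == "":
            found.append({"start": m.group(1), "name": m.group(2), "path": m.group(4)})
    return found


def build_cfscript(paths):
    """Render a CFScript 'File::' section for the given paths."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    clusters = suspect_droppers(parse_find3m(SAMPLE_LOG))
    for size, paths in sorted(clusters.items()):
        print(f"{len(paths)} file(s) of {size} bytes: {', '.join(paths)}")
    for svc in missing_driver_services(SAMPLE_LOG):
        print(f"{svc['start']} service {svc['name']} -> {svc['path']} (image missing)")
    print(build_cfscript(sorted(p for ps in clusters.values() for p in ps)))
```

Run against the real log, the size clustering is what makes the 80-odd files in post #10 stand out as one campaign rather than 80 unrelated entries, and the empty-bracket check catches the driver loading point that survived the earlier runs even though its file is gone.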

#12 Rick Shanti (Topic Starter)

Posted 27 December 2008 - 11:47 AM

Hey Tea...

Here's the ComboFix log and HJT log after our last ComboFix run:

ComboFix 08-12-23.01 - Mark Mulka 2008-12-27 8:31:52.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.215 [GMT -8:00]
Running from: c:\documents and settings\Mark Mulka\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark Mulka\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\aajnaydr.dll
c:\windows\system32\abbkimrq.dll
c:\windows\system32\aqvrfawv.dll
c:\windows\system32\awjvymst.exe
c:\windows\system32\brnhnoxp.dll
c:\windows\system32\btxbqxko.dll
c:\windows\system32\cabsjrxs.dll
c:\windows\system32\cbtgadbw.dll
c:\windows\system32\ccyrpusg.dll
c:\windows\system32\cgmxaepk.dll
c:\windows\system32\cmuxvpqb.dll
c:\windows\system32\cuuwipqk.dll
c:\windows\system32\cytyrdqv.dll
c:\windows\system32\dqljghjo.dll
c:\windows\system32\efdobfcj.dll
c:\windows\system32\egffqnxv.dll
c:\windows\system32\fpvfaeas.dll
c:\windows\system32\gfwtbwmr.dll
c:\windows\system32\gjtqatbs.dll
c:\windows\system32\gmfxdcon.dll
c:\windows\system32\gnnlmrrj.dll
c:\windows\system32\gpaenocf.dll
c:\windows\system32\grbhalxd.exe
c:\windows\system32\gtlqitpb.dll
c:\windows\system32\gykrpryu.dll
c:\windows\system32\hjblaonp.dll
c:\windows\system32\hkemfoki.dll
c:\windows\system32\hskouhtk.dll
c:\windows\system32\hxajelue.dll
c:\windows\system32\igwjioar.dll
c:\windows\system32\jrsjywyx.dll
c:\windows\system32\kfipytos.dll
c:\windows\system32\kfmdwfkl.dll
c:\windows\system32\kjadgbce.dll
c:\windows\system32\kjmkybkx.exe
c:\windows\system32\ladgfche.exe
c:\windows\system32\laginqso.dll
c:\windows\system32\lksjathe.dll
c:\windows\system32\lnbfhrpj.dll
c:\windows\system32\lrcuuntf.dll
c:\windows\system32\lyrclbys.dll
c:\windows\system32\mbygevjf.dll
c:\windows\system32\mkuvtyib.exe
c:\windows\system32\mnpdqtgp.exe
c:\windows\system32\mpxveqqm.dll
c:\windows\system32\mqhirncq.dll
c:\windows\system32\mrdskkmi.dll
c:\windows\system32\mssgqlee.dll
c:\windows\system32\ncwbkaaf.exe
c:\windows\system32\nihtyrxd.dll
c:\windows\system32\nynjotkh.dll
c:\windows\system32\ocdmqduh.dll
c:\windows\system32\oitnrqwi.dll
c:\windows\system32\okjelphn.dll
c:\windows\system32\omsfyuml.dll
c:\windows\system32\owjcxtdp.dll
c:\windows\system32\owounltn.dll
c:\windows\system32\pololpob.dll
c:\windows\system32\ptrdjeqv.dll
c:\windows\system32\pypckbbr.dll
c:\windows\system32\qwhsiwoc.dll
c:\windows\system32\tqtdquha.dll
c:\windows\system32\ufxfspyy.dll
c:\windows\system32\ujnmcboi.exe
c:\windows\system32\urbknsyb.dll
c:\windows\system32\uuanxwrh.dll
c:\windows\system32\vgdijwlb.dll
c:\windows\system32\vkxgnxxe.dll
c:\windows\system32\wlpslhmb.dll
c:\windows\system32\woannhuw.dll
c:\windows\system32\xbefkjnp.dll
c:\windows\system32\xeneaxaq.exe
c:\windows\system32\xieyqfwm.dll
c:\windows\system32\xmhrxryx.dll
c:\windows\system32\xoiryxme.exe
c:\windows\system32\xounbfcs.dll
c:\windows\system32\xwknpieu.dll
c:\windows\system32\ycsvbrac.dll
c:\windows\system32\ymbyyvum.dll
c:\windows\system32\yukasoyc.dll
c:\windows\system32\yyrbxubj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\aajnaydr.dll
c:\windows\system32\abbkimrq.dll
c:\windows\system32\aqvrfawv.dll
c:\windows\system32\awjvymst.exe
c:\windows\system32\brnhnoxp.dll
c:\windows\system32\btxbqxko.dll
c:\windows\system32\cabsjrxs.dll
c:\windows\system32\cbtgadbw.dll
c:\windows\system32\ccyrpusg.dll
c:\windows\system32\cgmxaepk.dll
c:\windows\system32\cmuxvpqb.dll
c:\windows\system32\cuuwipqk.dll
c:\windows\system32\cytyrdqv.dll
c:\windows\system32\dqljghjo.dll
c:\windows\system32\efdobfcj.dll
c:\windows\system32\egffqnxv.dll
c:\windows\system32\fpvfaeas.dll
c:\windows\system32\gfwtbwmr.dll
c:\windows\system32\gjtqatbs.dll
c:\windows\system32\gmfxdcon.dll
c:\windows\system32\gnnlmrrj.dll
c:\windows\system32\gpaenocf.dll
c:\windows\system32\grbhalxd.exe
c:\windows\system32\gtlqitpb.dll
c:\windows\system32\gykrpryu.dll
c:\windows\system32\hjblaonp.dll
c:\windows\system32\hkemfoki.dll
c:\windows\system32\hskouhtk.dll
c:\windows\system32\hxajelue.dll
c:\windows\system32\igwjioar.dll
c:\windows\system32\jrsjywyx.dll
c:\windows\system32\kfipytos.dll
c:\windows\system32\kfmdwfkl.dll
c:\windows\system32\kjadgbce.dll
c:\windows\system32\kjmkybkx.exe
c:\windows\system32\ladgfche.exe
c:\windows\system32\laginqso.dll
c:\windows\system32\lksjathe.dll
c:\windows\system32\lnbfhrpj.dll
c:\windows\system32\lrcuuntf.dll
c:\windows\system32\lyrclbys.dll
c:\windows\system32\mbygevjf.dll
c:\windows\system32\mkuvtyib.exe
c:\windows\system32\mnpdqtgp.exe
c:\windows\system32\mpxveqqm.dll
c:\windows\system32\mqhirncq.dll
c:\windows\system32\mrdskkmi.dll
c:\windows\system32\mssgqlee.dll
c:\windows\system32\ncwbkaaf.exe
c:\windows\system32\nihtyrxd.dll
c:\windows\system32\nynjotkh.dll
c:\windows\system32\ocdmqduh.dll
c:\windows\system32\oitnrqwi.dll
c:\windows\system32\okjelphn.dll
c:\windows\system32\omsfyuml.dll
c:\windows\system32\owjcxtdp.dll
c:\windows\system32\owounltn.dll
c:\windows\system32\pololpob.dll
c:\windows\system32\ptrdjeqv.dll
c:\windows\system32\pypckbbr.dll
c:\windows\system32\qwhsiwoc.dll
c:\windows\system32\tqtdquha.dll
c:\windows\system32\ufxfspyy.dll
c:\windows\system32\ujnmcboi.exe
c:\windows\system32\urbknsyb.dll
c:\windows\system32\uuanxwrh.dll
c:\windows\system32\vgdijwlb.dll
c:\windows\system32\vkxgnxxe.dll
c:\windows\system32\wlpslhmb.dll
c:\windows\system32\woannhuw.dll
c:\windows\system32\xbefkjnp.dll
c:\windows\system32\xeneaxaq.exe
c:\windows\system32\xieyqfwm.dll
c:\windows\system32\xmhrxryx.dll
c:\windows\system32\xoiryxme.exe
c:\windows\system32\xounbfcs.dll
c:\windows\system32\xwknpieu.dll
c:\windows\system32\ycsvbrac.dll
c:\windows\system32\ymbyyvum.dll
c:\windows\system32\yukasoyc.dll
c:\windows\system32\yyrbxubj.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))
.

2008-12-27 08:32 . 2008-12-27 08:32 <DIR> d-------- c:\windows\LastGood
2008-12-24 09:14 . 2008-12-24 09:14 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-24 09:14 . 2008-12-24 09:14 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-24 08:44 . 2008-12-24 08:44 <DIR> d--hs---- C:\found.000
2008-12-24 08:27 . 2008-12-24 08:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-24 08:27 . 2008-12-24 08:27 <DIR> d-------- c:\documents and settings\Mark Mulka\Application Data\Malwarebytes
2008-12-24 08:27 . 2008-12-24 08:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-24 08:27 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-24 08:27 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-12 16:45 . 2008-12-12 16:45 <DIR> d-------- c:\documents and settings\Gregg Wright\Application Data\Apple Computer
2008-12-03 08:32 . 2008-12-03 08:32 <DIR> d-------- c:\documents and settings\Lisa Wright.DAPUTER\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-24 17:14 --------- d-----w c:\program files\Java
2008-12-23 23:00 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-23 18:53 --------- d-----w c:\program files\Trend Micro
2008-12-23 18:26 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-07 04:48 --------- d-----w c:\program files\Apple Software Update
2008-12-07 04:42 --------- d-----w c:\program files\Safari
2008-11-28 00:15 --------- d-----w c:\program files\Microsoft Works
2008-11-05 06:41 --------- d-----w c:\documents and settings\Mark Mulka\Application Data\U3
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-10-01 00:02 5,845 ----a-w c:\windows\system32\nlcdqahi.dll
2008-10-01 00:00 5,845 ----a-w c:\windows\system32\pipkccnm.dll
2008-09-29 22:08 5,845 ----a-w c:\windows\system32\llggodhw.dll
2008-09-29 04:43 5,845 ----a-w c:\windows\system32\jrmhsjor.dll
2008-09-29 04:39 5,845 ----a-w c:\windows\system32\deowjjbb.dll
2008-09-27 04:38 5,845 ----a-w c:\windows\system32\todwwdhl.dll
2008-09-27 04:35 5,845 ----a-w c:\windows\system32\btlqmncj.dll
2007-05-25 03:20 1,334,134 ----a-w c:\program files\PaintDotNet_3_07_BetaNews.zip
2007-02-12 02:21 6,432 -c--a-w c:\documents and settings\Mark Mulka\Application Data\wklnhst.dat
2006-10-16 02:40 0 -c--a-w c:\documents and settings\Gregg Wright\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot_2008-12-23_20.59.13.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-10-12 09:35:14 49,248 -c--a-w c:\windows\system32\java.exe
+ 2008-12-24 17:14:36 144,792 ----a-w c:\windows\system32\java.exe
- 2006-10-12 09:35:24 53,346 -c--a-w c:\windows\system32\javaw.exe
+ 2008-12-24 17:14:36 144,792 ----a-w c:\windows\system32\javaw.exe
- 2006-10-12 11:10:56 127,078 -c--a-w c:\windows\system32\javaws.exe
+ 2008-12-24 17:14:37 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-27 16:23:48 16,384 ----atw c:\windows\temp\Perflib_Perfdata_7e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-09 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-27 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-27 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-27 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"HostManager"="c:\program files\Common Files\AOL\1140083713\ee\AOLSoftware.exe" [2006-05-09 50760]
"IVPServiceMgr"="c:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 475136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-24 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"MSConfig"="c:\windows\system32\dllcache\msconfig.exe" [2004-08-10 158208]
"TDispVol"="TDispVol.exe" [2005-03-11 c:\windows\system32\TDispVol.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]

c:\documents and settings\Mark Mulka\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-02-15 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE]
--a------ 2008-02-16 01:01 492808 c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrendSecure Remote File Lock]
--a------ 2008-02-15 03:53 423248 c:\program files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
--a------ 2008-07-29 14:52 1398024 c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tmproxy"=3 (0x3)
"TmPfw"=3 (0x3)
"TMBMServer"=2 (0x2)
"SfCtlCom"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\aim6.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Safari\\Safari.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b6f2c53-9e4d-11dd-b4b3-001302a7b350}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c051e3f7-570e-11db-b383-00038a000015}]
\Shell\AutoRun\command - E:\Installer.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-27 08:37:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-27 8:41:07
ComboFix-quarantined-files.txt 2008-12-27 16:39:59
ComboFix2.txt 2008-12-24 18:33:25
ComboFix3.txt 2008-12-24 05:00:09
ComboFix4.txt 2008-12-23 22:32:16
ComboFix5.txt 2008-12-27 16:30:38

Pre-Run: 42,648,514,560 bytes free
Post-Run: 42,631,487,488 bytes free

347 --- E O F --- 2008-12-23 23:02:10


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:14 AM, on 12/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\AOL\1140083713\ee\AOLSoftware.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\CF7125.exe
C:\ComboFix\hidec.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\Catchme.tmp
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140083713\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\dllcache\msconfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9030 bytes

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 27 December 2008 - 02:06 PM

Hi Rick,

One more time...looks like we had some sticky files. :thumbsup:

* Open Notepad - don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\nlcdqahi.dll
c:\windows\system32\pipkccnm.dll
c:\windows\system32\llggodhw.dll
c:\windows\system32\jrmhsjor.dll
c:\windows\system32\deowjjbb.dll
c:\windows\system32\todwwdhl.dll
c:\windows\system32\btlqmncj.dll


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again.

After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply.

How is it running now please? :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
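The ComboFix log above shows the pattern that led to the CFScript in teacup61's post: seven DLLs in system32 with random eight-letter names, all exactly 5,845 bytes, created within days of each other. The script below is an added example, not code from the thread or from ComboFix, and it turns that manual read of the Find3M report into a repeatable check. It parses Find3M-style lines, groups randomly named system32 binaries by file size, flags clusters of three or more identical-size files, and renders the "File::" block in the format the post asks the user to create. The sample log lines are constructed to mirror the thread, the eight-lowercase-letter name heuristic and the cluster threshold of three are my assumptions (a triage heuristic, not a Vundo signature), and anything it flags should be reviewed by a responder before it goes into a CFScript.

```python
"""
Added example (not from the original thread): triage a ComboFix Find3M report for
clusters of randomly named, identically sized binaries in system32, and emit the
CFScript "File::" block used in the thread for the suspects.
"""
import re
from collections import defaultdict

# Constructed sample in ComboFix "Find3M Report" layout: date time size attrs path.
# The five 5,845-byte DLLs mirror the names seen in the thread's log.
SAMPLE_LOG = """\
2008-10-16 22:13 202,776 ----a-w c:\\windows\\system32\\wuweb.dll
2008-10-16 22:09 51,224 ----a-w c:\\windows\\system32\\wuauclt.exe
2008-10-01 00:43 1,286,152 ----a-w c:\\windows\\system32\\msxml4.dll
2008-10-01 00:02 5,845 ----a-w c:\\windows\\system32\\nlcdqahi.dll
2008-10-01 00:00 5,845 ----a-w c:\\windows\\system32\\pipkccnm.dll
2008-09-29 22:08 5,845 ----a-w c:\\windows\\system32\\llggodhw.dll
2008-09-29 04:43 5,845 ----a-w c:\\windows\\system32\\jrmhsjor.dll
2008-09-27 04:35 5,845 ----a-w c:\\windows\\system32\\btlqmncj.dll
2007-02-12 02:21 6,432 -c--a-w c:\\documents and settings\\user\\Application Data\\wklnhst.dat
"""

# One Find3M file line: "YYYY-MM-DD HH:MM size attrs path" (directory lines have "---------" as size)
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Assumed heuristic: exactly eight lowercase letters, .dll or .exe, directly in system32
RANDOM_NAME_RE = re.compile(r"\\system32\\[a-z]{8}\.(dll|exe)$", re.IGNORECASE)


def parse_find3m(text):
    """Return a list of (size_in_bytes, path) for every file line in a Find3M report."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group("size").replace(",", "")), m.group("path")))
    return entries


def find_suspect_clusters(entries, min_cluster=3):
    """Group random-named system32 binaries by size; keep clusters of >= min_cluster files."""
    by_size = defaultdict(list)
    for size, path in entries:
        if RANDOM_NAME_RE.search(path):
            by_size[size].append(path)
    return {size: sorted(paths) for size, paths in by_size.items() if len(paths) >= min_cluster}


def build_cfscript(clusters):
    """Render a CFScript 'File::' block (the format shown in the thread) for the suspects."""
    paths = sorted(p for ps in clusters.values() for p in ps)
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    clusters = find_suspect_clusters(parse_find3m(SAMPLE_LOG))
    for size, paths in clusters.items():
        print(f"{len(paths)} random-named files of {size} bytes in system32:")
        for p in paths:
            print("  ", p)
    print(build_cfscript(clusters))
```

Run it against a real ComboFix.txt by reading the file instead of SAMPLE_LOG; legitimate Windows binaries (wuweb.dll, wuauclt.exe, msxml4.dll in the sample) fall through because their names are not eight random letters, and a lone random-named file is not flagged on its own, which is why the size-cluster threshold matters more than the name pattern alone.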

#14 Rick Shanti

Rick Shanti
  • Topic Starter

  • Members
  • 16 posts

Posted 27 December 2008 - 02:33 PM

Tea...

The ComboFix appeared to finish properly, but the log file failed to get written (it errored out). I'm sending you a HJT log from after the ComboFix to see if that is of any use. Is there a way to rerun the log from ComboFix? If so, let me know and I'll re-run it.

I'm keeping the "bad" computer disconnected from the net to try to keep the fix process as clean as possible. The computer seems to be running better, but I didn't want to put it back on the net until it checked out clean. Does that sound right to you?

Let me know where we should go next...

Rick

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:50 AM, on 12/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\AOL\1140083713\ee\AOLSoftware.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\CF7045.exe
C:\ComboFix\hidec.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\explorer.exe
C:\ComboFix\Catchme.tmp
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140083713\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\dllcache\msconfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9031 bytes

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 27 December 2008 - 02:45 PM

Hi,

Yes, that's a good thing to do until we know this one is clean again. :thumbsup: Look in the ComboFix folder and see if there isn't a .txt file in it. It should be the report.

tea



