Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Hijack/Virus


  • This topic is locked This topic is locked
13 replies to this topic

#1 innocntbystndr22

innocntbystndr22

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 23 December 2008 - 09:10 PM

Hello,

Recently my computer has been running excessively slow and randomly when I click on a link while web browsing my window closes out and a message from windows explorer prompts me that I may have an infected computer and that I should immediately download and install Antivirus 2009. I haven't as it appears to be a hoax. Upon closing out the message I am brought to a webpage to download the program anyways. I cannot use the back button to get to my previous web address without getting the message prompt again.

Here is my Hijack This logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:53 PM, on 12/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\nav\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\nav\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\nav\Rtvscan.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\nav\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uwlax.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\nav\VPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160728476593
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - https://antivirus.uwlax.edu/WebInst/WebInst.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\nav\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\nav\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\nav\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10615 bytes

BC AdBot (Login to Remove)

 


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:57 AM

Posted 31 December 2008 - 02:59 PM

Hello.

Sorry for the wait.

Download and run MalwareBytes Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

You can refer to this page which has a visual of the instructions above.


Also include a new HijackThis log.

With Regards,
The Panda

#3 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:57 AM

Posted 06 January 2009 - 03:37 PM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:57 AM

Posted 15 January 2009 - 03:13 PM

I've been away from my computer for a couple of weeks because of my job so I haven't been diligent in checking my topic...however I have followed your instructions and ran MBAM.

my MBAM log is as follows:

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

1/15/2009 11:50:42 AM
mbam-log-2009-01-15 (11-50-42).txt

Scan type: Quick Scan
Objects scanned: 57050
Time elapsed: 11 minute(s), 23 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 5
Registry Keys Infected: 42
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
C:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\onxtxewr.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yayxyabA.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gvchncux.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ipifye.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\geBqRigd.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68c7e999-e88b-4e7c-b2eb-c9c31060be83} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{68c7e999-e88b-4e7c-b2eb-c9c31060be83} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8fe40d03-4ca8-4d8f-8143-16ce078e2570} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8fe40d03-4ca8-4d8f-8143-16ce078e2570} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{68c7e999-e88b-4e7c-b2eb-c9c31060be83} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8fe40d03-4ca8-4d8f-8143-16ce078e2570} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{518fcfca-2ff9-4837-ad4f-e4e054285b31} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5e684cfe-e366-4172-accd-5ee49a5bd8e6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebqrigd (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6ca49fdd-4aeb-4f08-a394-c0a1f82caa16} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{fcaba9a1-64f7-4aeb-860e-bc48003884e3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b69570bc-5929-4f0d-8e7e-384daa87ed73} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{01a33d85-4706-452a-b71a-99510ada8c0c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6ca49fdd-4aeb-4f08-a394-c0a1f82caa16} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{566c6071-fbb6-490c-a333-e489dde9424d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\hnddjpls (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hnddjpls (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Online Add-on (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Custom Tools (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Safety Features (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\58878f6e (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{6ca49fdd-4aeb-4f08-a394-c0a1f82caa16} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yayxyabA.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yayxyabA.dllbox (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\c:\windows\system32\yayxyaba.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\Abayxyay.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Abayxyay.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ipifye.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\onxtxewr.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rwextxno.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gvchncux.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\geBqRigd.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rttennlv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\xzyiqvep.sys (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\Josh UWL\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Josh UWL\Local Settings\Temporary Internet Files\Content.IE5\OGVGDZFC\dd_1[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Josh UWL\Local Settings\Temporary Internet Files\Content.IE5\XOJ2RCT5\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Josh UWL\Local Settings\Temporary Internet Files\Content.IE5\Y17CTERC\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUnnlIX.dll (Trojan.vundo) -> Quarantined and deleted successfully.


and my new hijack log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:26 PM, on 1/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\nav\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\nav\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\nav\VPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\nav\vpc32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uwlax.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6BEE68F7-D30B-4702-9F06-519E161ADABC} - C:\WINDOWS\system32\yayxyabA.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\nav\VPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160728476593
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - https://antivirus.uwlax.edu/WebInst/WebInst.cab
O20 - AppInit_DLLs: ipifye.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\nav\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\nav\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\nav\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11020 bytes


Thank you Panda!



Innocntbystndr22


Hello.

Let's get up to date on the situation.

Download and Run DDS
If you already have a copy of DDS, there is not need to download a new one.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. If you are using Windows Vista, right click the icon and select "Run as Administrator". Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
Please tell me what changes have been made to the computer since your topic was started. Also give me an update on any symptoms.

With Regards,
The Panda

#5 innocntbystndr22

innocntbystndr22
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 17 January 2009 - 01:09 PM

Hello Panda,

I've run both the programs you suggested and the logs are posted below. As far as any updates on the current situation go, my firewall was turned off without my doing but I was able to turn it back on. My antivirus program was turned off, and I was able to get part of that back on again, I am unable to update virus definitions now. Lastly, my Windows Security Alerts are turned off and I cannot get that back on. Other than that the situation has not changed.

Here is my DSS log:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Josh UWL at 7:05:18.15 on Fri 01/16/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.153 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\ACS.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\nav\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\nav\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\nav\VPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Josh UWL\Local Settings\Temporary Internet Files\Content.IE5\3P0XL2O9\dds[1].com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.uwlax.edu/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {6bee68f7-d30b-4702-9f06-519e161adabc} - c:\windows\system32\yayxyabA.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [EzButton] c:\program files\ezbutton\EzButton.EXE
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [CeEPOWER] c:\program files\toshiba\power management\CePMTray.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\nav\VPTray.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgentLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: ipifye.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\yayxyabA

============= SERVICES / DRIVERS ===============

R1 ECioctl;ECioctl;c:\windows\system32\drivers\ECioctl.sys [2004-5-6 4816]
R1 SAVRT;SAVRT;c:\nav\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\nav\Savrtpel.sys [2005-12-19 54968]
R3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-10 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090114.017\naveng.sys [2009-1-14 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090114.017\navex15.sys [2009-1-14 876112]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R4 SavRoam;SAVRoam;c:\nav\SavRoam.exe [2006-3-17 115952]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-15 24652]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\nav\Rtvscan.exe [2006-3-17 1799408]
S4 mrtRate;mrtRate; [x]

=============== Created Last 30 ================

2009-01-15 11:36 <DIR> --d----- c:\docume~1\joshuw~1\applic~1\Malwarebytes
2009-01-15 11:36 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-15 11:35 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 11:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-15 11:35 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-15 11:27 2,204 a------- c:\windows\hnddjpls
2009-01-14 18:04 44,544 a------- c:\windows\system32\geBuUnnn.dll

==================== Find3M ====================

2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-10 12:23 243,840 a------- c:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 12:23 60,032 a------- c:\windows\system32\ZuneBusEnum.exe
2008-11-10 12:09 73,728 a------- c:\windows\system32\ZuneUsbTransport.dll
2008-11-10 12:09 18,944 a------- c:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 12:09 57,344 a------- c:\windows\system32\ZuneRegUtil.dll
2008-11-10 12:09 12,800 a------- c:\windows\system32\ZunePTDNS.dll
2008-11-10 12:09 310,272 a------- c:\windows\system32\ZuneNetProxy.dll
2008-11-10 12:09 145,920 a------- c:\windows\system32\ZuneMTPZ.dll
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2003-08-27 16:19 36,963 ac---r-- c:\program files\common files\SM1updtr.dll
2008-09-25 17:41 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092520080926\index.dat

============= FINISH: 7:06:10.71 ===============


and now my GMER log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-17 12:02:09
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT 84A4A508 ZwAlertResumeThread
SSDT 84A4A5C8 ZwAlertThread
SSDT 84A4AE28 ZwAllocateVirtualMemory
SSDT 84A626F0 ZwConnectPort
SSDT 84A4A2C8 ZwCreateMutant
SSDT 84A4B3F8 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF05F5CB0]
SSDT 84A4AC98 ZwFreeVirtualMemory
SSDT 84A4A388 ZwImpersonateAnonymousToken
SSDT 84A4A448 ZwImpersonateThread
SSDT 84A55958 ZwMapViewOfSection
SSDT 84A4A208 ZwOpenEvent
SSDT 84A4AEF8 ZwOpenProcessToken
SSDT 84A4A9D0 ZwOpenThreadToken
SSDT 84A4A138 ZwQueryValueKey
SSDT 84A59498 ZwResumeThread
SSDT 84A4A910 ZwSetContextThread
SSDT 84A4AA90 ZwSetInformationProcess
SSDT 84A4A850 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF05F5F10]
SSDT 84A4A078 ZwSuspendProcess
SSDT 84A4A6D0 ZwSuspendThread
SSDT 84A4B4C8 ZwTerminateProcess
SSDT 84A4A790 ZwTerminateThread
SSDT 84A4AB50 ZwUnmapViewOfSection
SSDT 84A4AD58 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

? ortu.sys The system cannot find the file specified. !
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\internet explorer\iexplore.exe[2916] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2916] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A179F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2916] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1720 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2916] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1764 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2916] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A16AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2916] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A16E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2916] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A17DA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2916] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.14 ----


I've also attatched the attatch.txt file

Thanks for your time!

Innocntbystndr22

Attached Files



#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:57 AM

Posted 17 January 2009 - 01:20 PM

Hello innocntbystndr22.

Let's see what we can do.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable Norton Antivirus.
  • Right click on thr Norton icon (Posted Image) beside your click and select Disable Auto-Protect.
  • Select a disabled duration of 5 hours to ensure that it will not interfere with this fix.
  • Click OK to apply the settings.
When done properly, you should recieve a pop-up warning saying that protection was disabled. The Norton icon should now look like Posted Image.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not recieve the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted ImagePosted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.
With Regards,
The Panda

#7 innocntbystndr22

innocntbystndr22
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 18 January 2009 - 03:43 AM

Hello Panda,

The post is too big to attatch or post, what would you like me to do?

Innocntbystndr22

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:57 AM

Posted 18 January 2009 - 11:01 AM

Hello Innocntbystndr22 .

Please upload the log to me.

Submit File Sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/188911/possible-hijackvirus/
  • Under Browse to the file you want to submit, input:
    C:\ComboFix.txt
  • Under the comments section, say that the file was too large.
Post back here when it is uploaded please.

With Regards,
The Panda

#9 innocntbystndr22

innocntbystndr22
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 18 January 2009 - 01:17 PM

Hello Panda,

The file should be there now.

Innocntbystndr22

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:57 AM

Posted 18 January 2009 - 04:02 PM

ComboFix 09-01-17.03 - Josh UWL 2009-01-17 16:59:16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.159 [GMT -6:00]
Running from: c:\documents and settings\Josh UWL\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\geBuUnnn.dll
c:\windows\Tasks\pyffikvl.job

.
((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
.

2009-01-17 11:49 . 2009-01-17 11:49 250 --a------ c:\windows\gmer.ini
2009-01-15 11:36 . 2009-01-15 11:36 <DIR> d-------- c:\documents and settings\Josh UWL\Application Data\Malwarebytes
2009-01-15 11:36 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-15 11:35 . 2009-01-15 11:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-15 11:35 . 2009-01-15 11:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-15 11:35 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 11:27 . 2009-01-15 11:52 2,204 --a------ c:\windows\hnddjpls

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-08 23:36 --------- d-----w c:\program files\Zune
2008-11-19 18:45 --------- d-----w c:\program files\AIM6
2008-11-19 18:44 --------- d-----w c:\program files\Common Files\Software Update Utility
2008-11-19 18:44 --------- d-----w c:\program files\AIM Toolbar
2008-11-19 18:44 --------- d-----w c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-11-19 18:44 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-19 18:43 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2003-08-27 22:19 36,963 -c--a-r c:\program files\Common Files\SM1updtr.dll
2008-09-25 23:41 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092520080926\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 335872]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-09-26 184320]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-30 192512]
"EzButton"="c:\program files\EzButton\EzButton.EXE" [2004-05-14 712704]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2004-05-06 638976]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2004-03-15 53248]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 1089589]
"CeEPOWER"="c:\program files\TOSHIBA\Power Management\CePMTray.exe" [2004-05-20 135168]
"Pinger"="c:\toshiba\IVP\ISM\pinger.exe" [2005-03-17 151552]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\nav\VPTray.exe" [2006-03-17 124656]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-01-14 122939]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-08 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-15 271672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 c:\windows\agrsmmsg.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-07 28672]
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 51776]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-12-02 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ipifye.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\myTunes Redux\\mDNSResponder.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\myTunesRedux\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

R1 ECioctl;ECioctl;c:\windows\system32\drivers\ECioctl.sys [2004-05-06 4816]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-10 99376]
R4 SavRoam;SAVRoam;c:\nav\SavRoam.exe [2006-03-17 115952]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-15 24652]
S4 mrtRate;mrtRate; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b55e5342-a562-11dd-a7fe-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 17:13]
.
- - - - ORPHANS REMOVED - - - -

BHO-{6BEE68F7-D30B-4702-9F06-519E161ADABC} - c:\windows\system32\yayxyabA.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.uwlax.edu/
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\WebInst.Dll - O16 -: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC}
hxxps://antivirus.uwlax.edu/WebInst/WebInst.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 17:05:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Toshiba\Power Management\CeEPwrSvc.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\nav\DefWatch.exe
c:\windows\system32\DVDRAMSV.exe
c:\toshiba\Ivp\Swupdate\swupdtmr.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\nav\DoScan.exe
c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-17 17:14:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-17 23:14:03
ComboFix2.txt 2008-04-15 22:10:09

Pre-Run: 4,192,608,256 bytes free
Post-Run: 4,162,351,104 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

9790 --- E O F --- 2009-01-14 13:10:43

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:57 AM

Posted 18 January 2009 - 04:08 PM

Hello.

Do you still have Symantec installed?

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    c:\windows\hnddjpls
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Refering to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall

Update Java to Version 6 Update 11
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer for Windows.32, here. Follow the prompts to install and delete the install after use.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are recieving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Post back with:
-the ComboFix log
-the F-Secure log
-a new DDS.txt log (do this last)

How is it running now?

With Regards,
The Panda

#12 innocntbystndr22

innocntbystndr22
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 19 January 2009 - 05:37 PM

Hello Panda,

I do still have Symantec Antivirus, however I cannot seem to turn it off for any of this. So I ran them all with Symantec still running however everytime I start my computer up a warning pops up saying that Auto-Protect is disabled. I have opened Symantec up and looked to see if it shows itself being disabled but it is not. Other than that I have been seeing my computer performing at faster speeds and I haven't been redirected to an antivirus pop up while browsing the internet. Okay onto the logs:

Combofix

ComboFix 09-01-17.03 - Josh UWL 2009-01-19 14:18:57.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.83 [GMT -6:00]
Running from: c:\documents and settings\Josh UWL\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Josh UWL\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\hnddjpls
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\hnddjpls

.
((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-17 11:49 . 2009-01-17 11:49 250 --a------ c:\windows\gmer.ini
2009-01-15 11:36 . 2009-01-15 11:36 <DIR> d-------- c:\documents and settings\Josh UWL\Application Data\Malwarebytes
2009-01-15 11:36 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-15 11:35 . 2009-01-15 11:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-15 11:35 . 2009-01-15 11:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-15 11:35 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-08 23:36 --------- d-----w c:\program files\Zune
2008-11-19 18:45 --------- d-----w c:\program files\AIM6
2008-11-19 18:44 --------- d-----w c:\program files\Common Files\Software Update Utility
2008-11-19 18:44 --------- d-----w c:\program files\AIM Toolbar
2008-11-19 18:44 --------- d-----w c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-11-19 18:44 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-19 18:43 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-10 18:23 60,032 ----a-w c:\windows\system32\ZuneBusEnum.exe
2008-11-10 18:23 243,840 ----a-w c:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 18:09 73,728 ----a-w c:\windows\system32\ZuneUsbTransport.dll
2008-11-10 18:09 57,344 ----a-w c:\windows\system32\ZuneRegUtil.dll
2008-11-10 18:09 310,272 ----a-w c:\windows\system32\ZuneNetProxy.dll
2008-11-10 18:09 18,944 ----a-w c:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 18:09 145,920 ----a-w c:\windows\system32\ZuneMTPZ.dll
2008-11-10 18:09 12,800 ----a-w c:\windows\system32\ZunePTDNS.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2003-08-27 22:19 36,963 -c--a-r c:\program files\Common Files\SM1updtr.dll
2008-09-25 23:41 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092520080926\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 335872]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-09-26 184320]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-30 192512]
"EzButton"="c:\program files\EzButton\EzButton.EXE" [2004-05-14 712704]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2004-05-06 638976]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2004-03-15 53248]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 1089589]
"CeEPOWER"="c:\program files\TOSHIBA\Power Management\CePMTray.exe" [2004-05-20 135168]
"Pinger"="c:\toshiba\IVP\ISM\pinger.exe" [2005-03-17 151552]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\nav\VPTray.exe" [2006-03-17 124656]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-01-14 122939]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-08 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-15 271672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 c:\windows\agrsmmsg.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-07 28672]
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 51776]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-12-02 155648]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\myTunes Redux\\mDNSResponder.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\myTunesRedux\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

R1 ECioctl;ECioctl;c:\windows\system32\drivers\ECioctl.sys [2004-05-06 4816]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-10 99376]
R4 SavRoam;SAVRoam;c:\nav\SavRoam.exe [2006-03-17 115952]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-15 24652]
S4 mrtRate;mrtRate; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b55e5342-a562-11dd-a7fe-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 17:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.uwlax.edu/
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\WebInst.Dll - O16 -: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC}
hxxps://antivirus.uwlax.edu/WebInst/WebInst.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 14:22:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-19 14:25:03
ComboFix-quarantined-files.txt 2009-01-19 20:24:58
ComboFix2.txt 2009-01-17 23:14:15
ComboFix3.txt 2008-04-15 22:10:09

Pre-Run: 4,162,424,832 bytes free
Post-Run: 4,146,720,768 bytes free

139 --- E O F --- 2009-01-14 13:10:43

Now the F-Secure Log

Scanning Report
Monday, January 19, 2009 14:55:28 - 16:10:41
Computer name: JOSH
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 0 malware found

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 45143
System: 3337
Not scanned: 63
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\GDI32.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\H323.TSP
C:\WINDOWS\$NTUNINSTALLKB835732$\H323MSP.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\HELPCTR.EXE
C:\WINDOWS\$NTUNINSTALLKB835732$\IPNATHLP.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\LSASRV.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\MF3216.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\MSASN1.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\MSGINA.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\MST120.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\NETAPI32.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\NMCOM.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\SCHANNEL.DLL
C:\WINDOWS\$NTUNINSTALLKB830680$\KEYMGR.DLL
C:\WINDOWS\$NTUNINSTALLKB828035$\MSGSVC.DLL
C:\WINDOWS\$NTUNINSTALLKB828035$\WKSSVC.DLL
C:\WINDOWS\$NTUNINSTALLKB828028$\MSASN1.DLL
C:\WINDOWS\$NTUNINSTALLKB828012$\NTKRNLMP.EXE
C:\WINDOWS\$NTUNINSTALLKB828012$\NTKRNLPA.EXE
C:\WINDOWS\$NTUNINSTALLKB828012$\NTKRPAMP.EXE
C:\WINDOWS\$NTUNINSTALLKB828012$\NTOSKRNL.EXE
C:\WINDOWS\$NTUNINSTALLKB826939$\ACCWIZ.EXE
C:\WINDOWS\$NTUNINSTALLKB826939$\CRYPT32.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\CRYPTSVC.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\HH.EXE
C:\WINDOWS\$NTUNINSTALLKB826939$\HHCTRL.OCX
C:\WINDOWS\$NTUNINSTALLKB826939$\HHSETUP.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\HTML32.CNV
C:\WINDOWS\$NTUNINSTALLKB826939$\ITSS.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\LOCATOR.EXE
C:\WINDOWS\$NTUNINSTALLKB826939$\MAGNIFY.EXE
C:\WINDOWS\$NTUNINSTALLKB826939$\MIGWIZ.EXE
C:\WINDOWS\$NTUNINSTALLKB826939$\MRXSMB.SYS
C:\WINDOWS\$NTUNINSTALLKB826939$\NARRATOR.EXE
C:\WINDOWS\$NTUNINSTALLKB826939$\NEWDEV.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\NTDLL.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\NTKRNLPA.EXE
C:\WINDOWS\$NTUNINSTALLKB826939$\NTOSKRNL.EXE
C:\WINDOWS\$NTUNINSTALLKB826939$\OLE32.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\OSK.EXE
C:\WINDOWS\$NTUNINSTALLKB826939$\PCHSHELL.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\RASPPTP.SYS
C:\WINDOWS\$NTUNINSTALLKB826939$\RPCRT4.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\RPCSS.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\SHDOCVW.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\SHELL32.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\SHMEDIA.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\SRRSTR.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\SRV.SYS
C:\WINDOWS\$NTUNINSTALLKB826939$\URLMON.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\WINSRV.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\ZIPFLDR.DLL
C:\WINDOWS\$NTUNINSTALLKB824141$\USER32.DLL
C:\WINDOWS\$NTUNINSTALLKB824141$\WIN32K.SYS

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Hydra: 2.8.8110, 2009-01-19
F-Secure AVP: 7.0.171, 2009-01-19
F-Secure Pegasus: 1.20.0, 1969-11-31
F-Secure Blacklight: 0.0.0
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

and lastly the DSS logfile:

Deckard's System Scanner v20071014.68
Run by Josh UWL on 2009-01-19 16:25:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 88% (more than 75%).
Total Physical Memory: 447 MiB (512 MiB recommended).
System Drive C: has 3.65 GiB (less than 15%) free.


-- HijackThis (run as Josh UWL.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:26:01 PM, on 1/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\nav\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\nav\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\nav\VPTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\DOCUME~1\JOSHUW~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\JOSHUW~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Documents and Settings\Josh UWL\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JOSHUW~1.EXE
C:\WINDOWS\system32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uwlax.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\nav\VPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160728476593
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - https://antivirus.uwlax.edu/WebInst/WebInst.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\nav\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\nav\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\nav\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11175 bytes

-- Files created between 2008-12-19 and 2009-01-19 -----------------------------

2009-01-19 14:48:34 0 d-------- C:\fsaua.data
2009-01-19 13:22:09 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2009-01-17 16:57:04 0 drahs---- C:\cmdcons
2009-01-17 16:50:10 68096 --a------ C:\WINDOWS\zip.exe
2009-01-17 16:50:10 161792 --a------ C:\WINDOWS\SWREG.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2009-01-17 16:50:10 98816 --a------ C:\WINDOWS\sed.exe
2009-01-17 16:50:10 80412 --a------ C:\WINDOWS\grep.exe
2009-01-17 16:50:09 49152 --a------ C:\WINDOWS\VFIND.exe
2009-01-17 16:50:09 212480 --a------ C:\WINDOWS\SWXCACLS.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2009-01-17 16:50:09 136704 --a------ C:\WINDOWS\SWSC.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2009-01-17 16:50:09 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2009-01-15 11:36:45 0 d-------- C:\Documents and Settings\Josh UWL\Application Data\Malwarebytes
2009-01-15 11:35:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-15 11:35:54 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware


-- Find3M Report ---------------------------------------------------------------

2009-01-19 14:40:21 0 d-------- C:\Program Files\Java
2009-01-19 14:29:32 0 d-------- C:\Program Files\Common Files
2008-12-20 11:06:23 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-12-08 17:36:10 0 d-------- C:\Program Files\Zune
2008-11-19 12:45:10 0 d-------- C:\Program Files\AIM6
2008-11-19 12:44:54 0 d-------- C:\Program Files\Common Files\Software Update Utility
2008-11-19 12:44:45 0 d-------- C:\Program Files\AIM Toolbar


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
10/07/2008 01:09 PM 1275176 --a------ C:\Program Files\AIM Toolbar\aimtb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
01/19/2009 02:40 PM 34816 --a------ C:\Program Files\Java\jre6\bin\jp2ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
01/19/2009 02:40 PM 73728 --a------ C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{61539ECD-CC67-4437-A03C-9AACCBD14326}"= C:\Program Files\AIM Toolbar\aimtb.dll [10/07/2008 01:09 PM 1275176]

[-HKEY_CLASSES_ROOT\CLSID\{61539ECD-CC67-4437-A03C-9AACCBD14326}]
[HKEY_CLASSES_ROOT\AIMTb.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{f8ec99b3-c2ca-4a5f-9505-c049766dc883}]
[HKEY_CLASSES_ROOT\AIMTb.AOLToolBand]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04/21/2004 11:10 PM]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [09/26/2003 05:43 PM]
"AGRSMMSG"="AGRSMMSG.exe" [02/20/2004 05:00 PM C:\WINDOWS\agrsmmsg.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [10/30/2003 06:46 PM]
"EzButton"="C:\Program Files\EzButton\EzButton.EXE" [05/14/2004 12:29 PM]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [05/06/2004 03:12 PM]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [03/15/2004 01:17 PM]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [02/03/2004 04:47 PM]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [05/20/2004 11:21 AM]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [03/17/2005 03:37 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [03/07/2006 02:02 PM]
"vptray"="C:\nav\VPTray.exe" [03/17/2006 07:34 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [01/14/2005 12:05 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11/08/2006 06:37 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [08/15/2007 07:15 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 09:16 PM]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [11/10/2008 12:23 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [01/19/2009 02:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [09/05/2003 05:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 06:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [12/7/2007 5:12:50 PM]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [8/6/2003 3:23:32 PM]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [12/2/2003 4:45:18 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b55e5342-a562-11dd-a7fe-00038a000015}]
AutoRun\command- E:\LaunchU3.exe -a

*Newly Created Service* - F-SECURE_STANDALONE_MINIFILTER
*Newly Created Service* - JAVAQUICKSTARTERSERVICE



-- End of Deckard's System Scanner: finished at 2009-01-19 16:26:42 ------------

Thanks for all the help!

Innocntbystndr22

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:57 AM

Posted 19 January 2009 - 06:35 PM

Ah.. a DSS log. Haven't seen one of those in awhile.

I meant to ask for a DDS log, but it works too.

DSS has been pulled because a certain infection causes it to damage machines. Please delete your copy of it.
---
Logs look good.

Unless there are any issues at the moment, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.

If this tool has helped you, please consider making a donation to its author. Posted Image
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
    Posted Image
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Reset clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear the System Restore cache and create new a restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable uneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:57 AM

Posted 25 January 2009 - 10:40 AM

Hello.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users