Infected with Trojan.Vundo (MS JUAN)


This topic is locked
12 replies to this topic

#1 xkellenx (Members, 6 posts)

Posted 27 December 2008 - 07:54 AM

I can't seem to delete Trojan.Vundo (MS Juan) from my computer. I've tried running Ad-Aware, SUPERAntiSpyware, and Malwarebytes Anti-Malware. Every time after I am finished running these programs, a detection occurs and I am asked to remove the trojan. However, every time I check my registry keys again both "MS Juan" and "MS Track System" reappear. I've continuously run these programs to try and remove the trojan, yet it won't delete from my registry keys. It seems that the only time pop-ups appear is when doing a Google search.



DDS (Version 1.1.0) - NTFSx86
Run by ngo at 7:35:37.50 on Sat 12/27/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.496 [GMT -5:00]

AV: Norton AntiVirus 2005 *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Toshiba\TOSHIBA RAID\Service\kraidsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Toshiba\TOSHIBA RAID\Console\Kraidman.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ngo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {036f0ec3-cd72-49eb-9bd0-fa51b4a9eb6d} - c:\windows\system32\ddcBSLBr.dll
BHO: {8ddfb807-76b6-2179-cee4-e4e1c5205711}: {1175025c-1e4e-4eec-9712-6b67708bfdd8} - c:\windows\system32\dvpayb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [TFNF5] TFNF5.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TOSHIBA Picture Enhancement Utility] c:\program files\toshiba\toshiba picture enhancement utility\TosPEHK.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [TPSMain] TPSMain.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [TFncKy] TFncKy.exe
mRun: [Kraidman] c:\program files\toshiba\toshiba raid\console\Kraidman.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [DIGStream] c:\program files\digstream\digstream.exe
mRun: [Notebook Maximizer] c:\program files\notebook maximizer\maximizer_startup.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
AppInit_DLLs: ncdadd.dll dvpayb.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ngo\applic~1\mozilla\firefox\profiles\1919fvnx.default\
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2008-12-25 18:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-25 18:37 <DIR> --d----- C:\VundoFix Backups
2008-12-25 16:19 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-25 16:19 <DIR> --d----- c:\docume~1\ngo\applic~1\SUPERAntiSpyware.com
2008-12-25 03:23 7,518,240 a------- c:\program files\Firefox Setup 3.0.5.exe
2008-12-23 17:09 130,048 a------- c:\windows\system32\dvpayb.dll
2008-12-23 17:09 130,048 a------- c:\windows\system32\ltkxlltk.dll
2008-11-27 15:11 23,510,720 a------- c:\program files\dotnetfx.exe

==================== Find3M ====================

2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-20 03:12 2,372,472 a------- c:\program files\mbam-setup.exe
2008-11-19 21:57 88,372 a------- c:\windows\system32\mwvvsgaawwduexq.dll-uninst.exe
2008-11-19 16:27 23,804,784 a------- c:\program files\aaw2008.exe
2008-11-19 04:32 153,484 a------- c:\windows\system32\g12.exe
2008-11-07 14:23 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 16:20 7,508,608 a------- c:\program files\Firefox Setup 3.0.3.exe
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-03 05:15 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-05-25 00:50 318,904 ac------ c:\program files\wmpfirefoxplugin.exe
2008-01-30 21:07 15,786 ac------ c:\docume~1\ngo\applic~1\wklnhst.dat
2008-01-12 17:51 21,321,008 ac------ c:\program files\QuickTimeInstaller.exe
2007-10-16 21:26 23,402,288 ac------ c:\program files\AdbeRdr810_en_US.exe
2007-10-02 22:40 51,422,520 ac------ c:\program files\iTunes743Setup.exe
2007-07-17 00:24 2,139,213 ac------ c:\program files\ac3filter_1_30b.exe
2007-06-23 22:45 2,380,016 ac------ c:\program files\DivXWebPlayerInstaller.exe
2007-06-09 01:41 304,957 ac------ c:\program files\hjsplit.zip
2007-06-09 00:25 1,207,026 ac------ c:\program files\wrar370.exe
2007-04-18 22:17 1,163,592 ac------ c:\program files\install_flash_player.exe
2005-09-24 21:32 4,878,136 ac------ c:\program files\Firefox Setup 1.0.7.exe
2005-09-24 15:02 8,715,352 ac------ c:\program files\Install_AIM.exe
2003-08-27 17:19 36,963 ac---r-- c:\program files\common files\SM1updtr.dll

============= FINISH: 7:38:15.71 ===============


#2 lusitano (Portuguese Malware Fighter; Members, 1,443 posts; Portugal)

Posted 07 January 2009 - 10:30 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

This may seem repetitive, but we need to see the current status of your system, please.
Please Hold on it may take us a day or so to get back with you.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 xkellenx (Topic Starter; Members, 6 posts)

Posted 08 January 2009 - 03:12 AM

lusitano, thank you for the reply, and no complaints on my part for the delay. Since my last post the issue still has not been resolved. Here is the log after running DDS.



DDS (Ver_09-01-07.01) - NTFSx86
Run by ngo at 3:03:40.27 on Thu 01/08/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.468 [GMT -5:00]

AV: Norton AntiVirus 2005 *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Toshiba\TOSHIBA RAID\Service\kraidsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Toshiba\TOSHIBA RAID\Console\Kraidman.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ngo\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {036f0ec3-cd72-49eb-9bd0-fa51b4a9eb6d} - c:\windows\system32\ddcBSLBr.dll
BHO: {8ddfb807-76b6-2179-cee4-e4e1c5205711}: {1175025c-1e4e-4eec-9712-6b67708bfdd8} - c:\windows\system32\dvpayb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: Search panel: {11a2dfce-6531-0b22-04a0-7b1e037d7c20} - c:\windows\system32\mwvvsgaawwduexq.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [TFNF5] TFNF5.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TOSHIBA Picture Enhancement Utility] c:\program files\toshiba\toshiba picture enhancement utility\TosPEHK.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [TPSMain] TPSMain.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [TFncKy] TFncKy.exe
mRun: [Kraidman] c:\program files\toshiba\toshiba raid\console\Kraidman.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [DIGStream] c:\program files\digstream\digstream.exe
mRun: [Notebook Maximizer] c:\program files\notebook maximizer\maximizer_startup.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
AppInit_DLLs: ncdadd.dll dvpayb.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ngo\applic~1\mozilla\firefox\profiles\1919fvnx.default\
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [2004-10-6 18432]
R1 $sys$crater;$sys$crater;c:\windows\system32\$sys$filesystem\crater.sys [2004-10-7 11904]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\Savrtpel.sys [2004-7-23 49808]
R3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-8-13 197752]
R3 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton antivirus\navapsvc.exe [2004-8-18 176768]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060201.021\NAVENG.Sys [2006-2-1 77864]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060201.021\NavEx15.Sys [2006-2-1 750952]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
R3 SAVRT;SAVRT;c:\program files\norton antivirus\savrt.sys [2004-7-23 335504]
R3 ttv200x;TOSHIBA PCI TV Tuner type W;c:\windows\system32\drivers\ttv200x.sys [2005-1-6 828672]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-8-13 164984]
R4 CD_Proxy;XCP CD Proxy;c:\windows\CDProxyServ.exe [2004-6-22 167936]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-21 24652]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-8-13 78968]
S3 oflpydin;oflpydin;\??\c:\docume~1\ngo\locals~1\temp\oflpydin.sys --> c:\docume~1\ngo\locals~1\temp\oflpydin.sys [?]
S3 SAVScan;SAVScan;c:\program files\norton antivirus\SAVScan.exe [2004-7-23 197864]
S4 $sys$DRMServer;Plug and Play Device Manager;c:\windows\system32\$sys$filesystem\$sys$drmserver.exe --> c:\windows\system32\$sys$filesystem\$sys$DRMServer.exe [?]
S4 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2004-8-18 66688]

=============== Created Last 30 ================

2008-12-25 18:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-25 18:37 <DIR> --d----- C:\VundoFix Backups
2008-12-25 16:19 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-25 16:19 <DIR> --d----- c:\docume~1\ngo\applic~1\SUPERAntiSpyware.com
2008-12-25 03:23 7,518,240 a------- c:\program files\Firefox Setup 3.0.5.exe
2008-12-23 17:09 130,048 a------- c:\windows\system32\dvpayb.dll
2008-12-23 17:09 130,048 a------- c:\windows\system32\ltkxlltk.dll

==================== Find3M ====================

2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-27 15:13 23,510,720 a------- c:\program files\dotnetfx.exe
2008-11-20 03:12 2,372,472 a------- c:\program files\mbam-setup.exe
2008-11-19 21:57 88,372 a------- c:\windows\system32\mwvvsgaawwduexq.dll-uninst.exe
2008-11-19 16:27 23,804,784 a------- c:\program files\aaw2008.exe
2008-11-19 04:32 153,484 a------- c:\windows\system32\g12.exe
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 16:20 7,508,608 a------- c:\program files\Firefox Setup 3.0.3.exe
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-05-25 00:50 318,904 ac------ c:\program files\wmpfirefoxplugin.exe
2008-01-30 21:07 15,786 ac------ c:\docume~1\ngo\applic~1\wklnhst.dat
2008-01-12 17:51 21,321,008 ac------ c:\program files\QuickTimeInstaller.exe
2007-10-16 21:26 23,402,288 ac------ c:\program files\AdbeRdr810_en_US.exe
2007-10-02 22:40 51,422,520 ac------ c:\program files\iTunes743Setup.exe
2007-07-17 00:24 2,139,213 ac------ c:\program files\ac3filter_1_30b.exe
2007-06-23 22:45 2,380,016 ac------ c:\program files\DivXWebPlayerInstaller.exe
2007-06-09 01:41 304,957 ac------ c:\program files\hjsplit.zip
2007-06-09 00:25 1,207,026 ac------ c:\program files\wrar370.exe
2007-04-18 22:17 1,163,592 ac------ c:\program files\install_flash_player.exe
2005-09-24 21:32 4,878,136 ac------ c:\program files\Firefox Setup 1.0.7.exe
2005-09-24 15:02 8,715,352 ac------ c:\program files\Install_AIM.exe
2003-08-27 17:19 36,963 ac---r-- c:\program files\common files\SM1updtr.dll

============= FINISH: 3:04:22.90 ===============
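As an added example (not a tool anyone in this thread ran, and not part of DDS), the script below triages DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" lines for the persistence patterns visible in the log above: BHOs registered without a friendly name (or with a GUID where the name should be), a populated AppInit_DLLs value (every process that loads user32.dll then loads the listed DLLs), a DLL that is both a BHO and an AppInit DLL, drivers loading from a temp directory, and services whose names carry the `$sys$` prefix, which is the file-hiding convention of the XCP DRM rootkit (the log above itself labels CD_Proxy as "XCP CD Proxy"). The sample lines are copied from the posted log; the rule names and severities are my own heuristics.

```python
"""Triage of DDS-style log lines for persistence indicators.

Added example for this thread, not a tool from it. SAMPLE holds lines copied
from the DDS log posted above; the rules below are generic heuristics.
"""
import re

# Lines copied from the posted DDS log (constructed sample input).
SAMPLE = r"""
BHO: {036f0ec3-cd72-49eb-9bd0-fa51b4a9eb6d} - c:\windows\system32\ddcBSLBr.dll
BHO: {8ddfb807-76b6-2179-cee4-e4e1c5205711}: {1175025c-1e4e-4eec-9712-6b67708bfdd8} - c:\windows\system32\dvpayb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
AppInit_DLLs: ncdadd.dll dvpayb.dll
R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [2004-10-6 18432]
R3 ttv200x;TOSHIBA PCI TV Tuner type W;c:\windows\system32\drivers\ttv200x.sys [2005-1-6 828672]
S3 oflpydin;oflpydin;\??\c:\docume~1\ngo\locals~1\temp\oflpydin.sys --> c:\docume~1\ngo\locals~1\temp\oflpydin.sys [?]
S4 $sys$DRMServer;Plug and Play Device Manager;c:\windows\system32\$sys$filesystem\$sys$drmserver.exe --> c:\windows\system32\$sys$filesystem\$sys$DRMServer.exe [?]
"""

GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
# "BHO: <name>: {CLSID} - <path>"; DDS omits <name> when the BHO has none.
BHO_RE = re.compile(
    r"^(?P<kind>BHO|EB):\s*(?:(?P<name>.*?):\s*)?(?P<clsid>\{[0-9a-f-]{36}\})\s*-\s*(?P<path>\S.*)$",
    re.I,
)
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<dlls>.*)$", re.I)
# "R0 svc;display name;path [date size]"  or  "S3 svc;name;path --> path [?]"
SVC_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<disp>[^;]*);(?P<rest>.+)$")
TEMP_RE = re.compile(r"\\temp\\", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(text):
    """Return findings as dicts with keys severity, rule, detail, line."""
    findings = []
    bho_dlls = {}      # basename -> line, for cross-referencing with AppInit_DLLs
    appinit_dlls = {}

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = BHO_RE.match(line)
        if m:
            name = (m.group("name") or "").strip()
            path = m.group("path").strip()
            bho_dlls[basename(path)] = line
            if not name or GUID_RE.match(name):
                findings.append(dict(
                    severity="medium", rule="bho-no-name",
                    detail=f"{m.group('kind')} {m.group('clsid')} has no friendly name -> {path}",
                    line=line))
            continue

        m = APPINIT_RE.match(line)
        if m:
            for dll in re.split(r"[\s,;]+", m.group("dlls").strip()):
                if dll:
                    appinit_dlls[dll.lower()] = line
                    findings.append(dict(
                        severity="high", rule="appinit-dll",
                        detail=f"AppInit_DLLs loads {dll} into every process that loads user32.dll",
                        line=line))
            continue

        m = SVC_RE.match(line)
        if m:
            svc = m.group("svc")
            # Image path is everything before " --> " or the trailing "[date size]".
            path = re.split(r"\s+-->\s+|\s+\[", m.group("rest"))[0].strip()
            if TEMP_RE.search(path):
                findings.append(dict(
                    severity="high", rule="driver-in-temp",
                    detail=f"{m.group('start')} {svc} loads from a temp directory: {path}",
                    line=line))
            if svc.lower().startswith("$sys$"):
                findings.append(dict(
                    severity="high", rule="sys-prefix-cloak",
                    detail=f"{svc}: the $sys$ prefix is the XCP DRM rootkit's hiding convention",
                    line=line))

    # One DLL registered as a BHO *and* listed in AppInit_DLLs is two hooks for
    # the same payload; report the overlap explicitly.
    for dll in sorted(set(bho_dlls) & set(appinit_dlls)):
        findings.append(dict(
            severity="high", rule="bho-and-appinit",
            detail=f"{dll} is both a BHO and an AppInit DLL",
            line=bho_dlls[dll]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f['severity']:6}] {f['rule']:18} {f['detail']}")
```

Run against the sample, the Google Toolbar BHO and the Toshiba TV tuner driver produce nothing, while dvpayb.dll is reported three times (nameless BHO, AppInit entry, and the overlap), which is the kind of corroboration that separates a persistence mechanism from a stray registry key.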

#4 lusitano (Portuguese Malware Fighter; Members, 1,443 posts; Portugal)

Posted 08 January 2009 - 05:14 AM

Hello,

I see you have the Viewpoint products. Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This has changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest that you remove the Viewpoint products; however, decide for yourself and let me know about your decision in your next reply.


We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author.

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click the ComboFix icon on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here.
Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#5 xkellenx (Topic Starter)

Posted 08 January 2009 - 06:49 PM

Hello,

I went ahead with your suggestion and removed all of the Viewpoint products. Next, I ran ComboFix and here is my log. Thanks in advance.
ComboFix 09-01-08.01 - ngo 2009-01-08 6:33:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.624 [GMT -5:00]
Running from: c:\documents and settings\ngo\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ngo\Application Data\IUpd721
c:\documents and settings\ngo\Application Data\IUpd721\Logs\scns.log
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\FT62
c:\temp\FT62\teTU.log
c:\windows\system32\dvpayb.dll
c:\windows\system32\ltkxlltk.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_$SYS$ARIES
-------\Legacy_$SYS$DRMSERVER
-------\Legacy_CD_PROXY
-------\Service_$sys$DRMServer
-------\Service_CD_Proxy


((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

2008-12-25 18:37 . 2008-12-25 18:37 <DIR> d-------- C:\VundoFix Backups
2008-12-25 18:37 . 2008-12-25 18:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-25 16:19 . 2009-01-02 03:00 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-25 16:19 . 2008-12-25 16:19 <DIR> d-------- c:\documents and settings\ngo\Application Data\SUPERAntiSpyware.com
2008-12-25 03:23 . 2008-12-25 03:23 7,518,240 --a------ c:\program files\Firefox Setup 3.0.5.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 17:27 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-08 11:38 --------- d-----w c:\documents and settings\All Users\Application Data\DIGStream
2008-12-25 23:37 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-25 21:19 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-24 07:13 --------- d-----w c:\documents and settings\ngo\Application Data\U3
2008-12-13 13:21 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-11 10:21 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-27 20:13 23,510,720 ----a-w c:\program files\dotnetfx.exe
2008-11-22 00:22 --------- d-----w c:\program files\Apple Software Update
2008-11-22 00:18 --------- d-----w c:\program files\iTunes
2008-11-22 00:18 --------- d-----w c:\program files\iPod
2008-11-22 00:18 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 00:16 --------- d-----w c:\program files\QuickTime
2008-11-21 23:53 --------- d-----w c:\program files\Bonjour
2008-11-20 08:13 --------- d-----w c:\documents and settings\ngo\Application Data\Malwarebytes
2008-11-20 08:13 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-20 08:12 2,372,472 ----a-w c:\program files\mbam-setup.exe
2008-11-19 21:41 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-19 21:34 --------- d-----w c:\program files\Lavasoft
2008-11-19 21:27 23,804,784 ----a-w c:\program files\aaw2008.exe
2008-10-16 21:20 7,508,608 ----a-w c:\program files\Firefox Setup 3.0.3.exe
2008-05-25 05:50 318,904 -c--a-w c:\program files\wmpfirefoxplugin.exe
2008-01-31 02:07 15,786 -c--a-w c:\documents and settings\ngo\Application Data\wklnhst.dat
2008-01-12 22:51 21,321,008 -c--a-w c:\program files\QuickTimeInstaller.exe
2007-10-17 02:26 23,402,288 -c--a-w c:\program files\AdbeRdr810_en_US.exe
2007-10-03 03:40 51,422,520 -c--a-w c:\program files\iTunes743Setup.exe
2007-07-17 05:24 2,139,213 -c--a-w c:\program files\ac3filter_1_30b.exe
2007-06-24 03:45 2,380,016 -c--a-w c:\program files\DivXWebPlayerInstaller.exe
2007-06-09 06:41 304,957 -c--a-w c:\program files\hjsplit.zip
2007-06-09 05:25 1,207,026 -c--a-w c:\program files\wrar370.exe
2007-04-19 03:17 1,163,592 -c--a-w c:\program files\install_flash_player.exe
2005-09-25 02:32 4,878,136 -c--a-w c:\program files\Firefox Setup 1.0.7.exe
2005-09-24 20:02 8,715,352 -c--a-w c:\program files\Install_AIM.exe
2003-08-27 22:19 36,963 -c--a-r c:\program files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-12 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-01-13 5509120]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2005-01-28 18:06 245760]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-15 135168]
"TOSHIBA Picture Enhancement Utility"="c:\program files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe" [2004-08-17 638976]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2004-11-12 73728]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 126976]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-09-05 184320]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 49152]
"Kraidman"="c:\program files\Toshiba\TOSHIBA RAID\Console\Kraidman.exe" [2005-01-27 1126483]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2004-11-03 147456]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-01-14 122939]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]
"Notebook Maximizer"="c:\program files\Notebook Maximizer\maximizer_startup.exe" [2004-05-25 28672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-08 185784]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" [2005-01-13 c:\windows\system32\nwiz.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 23:28 24576 c:\windows\system32\000StTHK.exe]
"TFNF5"="TFNF5.exe" [2004-06-28 c:\windows\system32\TFNF5.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-21 c:\windows\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" [2004-12-27 c:\windows\system32\TPSMain.exe]
"TPSODDCtl"="TPSODDCtl.exe" [2004-12-27 c:\windows\system32\TPSODDCtl.exe]
"TFncKy"="TFncKy.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-03-10 483328]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-03-08 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 14:27 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ncdadd.dll dvpayb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2004-08-13 16:17 58488 c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"SharedAccess"=2 (0x2)
"SBService"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\ngo\\My Documents\\filelib\\ohsnizzapkev\\mbaltloan_files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [2004-10-06 18432]
R1 $sys$crater;$sys$crater;c:\windows\system32\$sys$filesystem\crater.sys [2004-10-07 11904]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]
R3 ttv200x;TOSHIBA PCI TV Tuner type W;c:\windows\system32\drivers\ttv200x.sys [2005-01-06 828672]
S3 oflpydin;oflpydin;\??\c:\docume~1\ngo\LOCALS~1\Temp\oflpydin.sys --> c:\docume~1\ngo\LOCALS~1\Temp\oflpydin.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1a1fd6f-4eef-11dd-90e3-00038a000015}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-03 c:\windows\Tasks\Norton AntiVirus - Scan my computer - ngo.job
- c:\progra~1\NORTON~1\Navw32.exe [2004-08-18 03:44]

2009-01-08 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 20:26]
.
- - - - ORPHANS REMOVED - - - -

BHO-{036F0EC3-CD72-49EB-9BD0-FA51B4A9EB6D} - c:\windows\system32\ddcBSLBr.dll
BHO-{1175025c-1e4e-4eec-9712-6b67708bfdd8} - c:\windows\system32\dvpayb.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\ngo\Application Data\Mozilla\Firefox\Profiles\1919fvnx.default\
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 06:37:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\DJZERO]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\JKWL]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\metajuan]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000
"LBL"=hex:00,00,00,00,00,00,00,00
"MN"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\meta_mg]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\profiling4]
@DACL=(02 0000)
"LTM"=hex:7e,0b,8c,6e,0a,6a,c9,01
"CDY"=hex:4a,39,05,05,06,6a,c9,01
"CNT"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\superjuan]
@DACL=(02 0000)
"LTM"=hex:4a,39,05,05,06,6a,c9,01
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000014

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\TrackDJuan]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\program files\Apoint2K\ApntEx.exe
c:\windows\system32\TPSBattM.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Toshiba\TOSHIBA RAID\Service\kraidsvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\dllhost.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-08 6:42:04 - machine was rebooted [ngo]
ComboFix-quarantined-files.txt 2009-01-08 11:40:47

Pre-Run: 494,182,400 bytes free
Post-Run: 1,564,467,200 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

286 --- E O F --- 2008-12-19 08:01:34

#6 lusitano (Portuguese Malware Fighter)

Posted 09 January 2009 - 05:22 AM

Hello,

One or more of the identified infections is an XCP DRM rootkit, but ComboFix removed the infection.


Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


Now, close any open browsers.
  • Open Notepad and copy/paste the text below into it:

    Folder::
    c:\documents and settings\All Users\Application Data\Viewpoint
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""

    IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post it along with a new HijackThis log.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Let me know in your next reply how things are now.
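The CFScript above blanks AppInit_DLLs, which the first ComboFix log (post #5) showed loading ncdadd.dll and dvpayb.dll; every DLL named there is mapped into each process that loads user32.dll, which is why it is a favoured persistence point. The same log also recorded Security Center monitoring switched off, the firewall's standard profile disabled, and the locked "MS Juan" keys. The Python script below is an added example, not part of this thread and not ComboFix's own code: it walks a ComboFix-style log excerpt, tracks the current registry key, and reports those indicators. The sample log is constructed from lines quoted in post #5, and the category names ("persistence", "defense-evasion", "locked-key") are chosen here, not ComboFix terminology.

```python
"""Added example: triage of a ComboFix-style log excerpt.

Not part of this thread and not ComboFix's own code. It reads the REGEDIT4-style
'Reg Loading Points' dump and the 'LOCKED REGISTRY KEYS' section and reports the
indicators that the CFScript above was written to neutralise.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, assembled from lines quoted in post #5's first ComboFix log.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ncdadd.dll dvpayb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\superjuan]
@DACL=(02 0000)
"CNT"=dword:00000014
"""


@dataclass(frozen=True)
class Finding:
    category: str  # "persistence", "defense-evasion" or "locked-key" (names chosen here)
    key: str       # registry key the indicator lives under
    detail: str    # what was observed


KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)$')
LOCKED_HEADER = "LOCKED REGISTRY KEYS"


def reg_int(value: str) -> int | None:
    """Decode the two integer spellings ComboFix uses: 'dword:00000001' and '0 (0x0)'."""
    v = value.strip().lower()
    if v.startswith("dword:"):
        return int(v[len("dword:"):], 16)
    m = re.match(r"^(\d+)\b", v)
    return int(m.group(1)) if m else None


def triage_combofix_log(text: str) -> list[Finding]:
    """Walk the log line by line, remembering the current [key], and collect findings."""
    findings: list[Finding] = []
    current_key = ""
    in_locked = False
    for raw in text.splitlines():
        line = raw.strip()
        if LOCKED_HEADER in line:
            in_locked = True          # every [key] from here to the next header is locked
            continue
        if line.startswith("-----"):
            in_locked = False         # the next dashed section header ends the locked listing
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            if in_locked:
                findings.append(Finding("locked-key", current_key,
                                        "key carries a restrictive DACL that hides it from normal tools"))
            continue
        m = VALUE_RE.match(line)
        if not m or not current_key:
            continue
        name, value = m.group(1).lower(), m.group(2)
        lkey = current_key.lower()
        if name == "appinit_dlls" and lkey.endswith(r"windows nt\currentversion\windows"):
            # Every DLL listed here is loaded into each process that maps user32.dll.
            dlls = value.strip('"').split()
            if dlls:
                findings.append(Finding("persistence", current_key,
                                        "AppInit_DLLs loads " + ", ".join(dlls)))
        elif name == "disablemonitoring" and r"security center\monitoring" in lkey:
            if reg_int(value) == 1:
                findings.append(Finding("defense-evasion", current_key,
                                        "Security Center monitoring of this product is disabled"))
        elif name == "enablefirewall" and lkey.endswith(r"firewallpolicy\standardprofile"):
            if reg_int(value) == 0:
                findings.append(Finding("defense-evasion", current_key,
                                        "Windows Firewall standard profile is off"))
    return findings


if __name__ == "__main__":
    for f in triage_combofix_log(SAMPLE_LOG):
        print(f"[{f.category}] {f.key}\n    {f.detail}")
```

Run against the second log in post #9 (where the value reads `"AppInit_DLLs"=""`) the AppInit finding disappears, which is the quickest way to confirm the script did what it was meant to; the locked "MS Juan" keys are reported separately because blanking AppInit_DLLs does not touch them.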

#7 xkellenx (Topic Starter)

Posted 09 January 2009 - 03:47 PM

Thanks once again.


    Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.



Before I continue with running another ComboFix, I was wondering if the statement I quoted was directed at me or as a general warning towards anybody viewing the thread? Was there something in my log that showed I was still running any of those types of programs? I thought I had disabled all of those programs before I advanced with running ComboFix. In my system tray, the only icon showing is Norton Antivirus and I had disabled the auto-protect. Next, I went and ran "services.msc" to manually disable any type of programs associated with Norton or Symantec. Should I repeat the process of manually disabling the programs like I had done before or just disable the auto-protect of Norton Antivirus in my system tray and continue with ComboFix?

#8 lusitano (Portuguese Malware Fighter)

Posted 10 January 2009 - 04:56 AM

Hi Kellen

That's my canned fix for all the posts I make for ComboFix. Just disable the auto-protect of Norton Antivirus in your system and that's fine to run the ComboFix tool.

Regards

#9 xkellenx (Topic Starter)

Posted 11 January 2009 - 06:12 AM

Hello lusitano,

I updated my Java and once again ran ComboFix. Here is the new log that was produced. I think the problem has been resolved. I no longer have any issues with pop-ups; however, when I checked my Registry Editor I noticed that the MS Juan folder is still there. I'm just wondering if the folder should be deleted, or will it continue to show in my Registry Editor? Thanks.
ComboFix 09-01-10.03 - ngo 2009-01-11 5:53:33.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.616 [GMT -5:00]
Running from: c:\documents and settings\ngo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ngo\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mfcans32.DLL
c:\windows\system32\mfcuia32.dll
c:\windows\system32\msrdo20.dll
c:\windows\system32\rdocurs.dll
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Viewpoint

.
((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-08 19:49 . 2009-01-08 19:49 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-08 19:49 . 2009-01-08 19:49 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-08 19:19 . 2009-01-08 19:22 16,168,344 --a------ c:\program files\jre-6u11-windows-i586-p.exe
2008-12-25 18:37 . 2008-12-25 18:37 <DIR> d-------- C:\VundoFix Backups
2008-12-25 18:37 . 2008-12-25 18:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-25 16:19 . 2009-01-02 03:00 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-25 16:19 . 2008-12-25 16:19 <DIR> d-------- c:\documents and settings\ngo\Application Data\SUPERAntiSpyware.com
2008-12-25 03:23 . 2008-12-25 03:23 7,518,240 --a------ c:\program files\Firefox Setup 3.0.5.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 10:25 --------- d-----w c:\documents and settings\All Users\Application Data\DIGStream
2009-01-10 04:08 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-09 00:49 --------- d-----w c:\program files\Java
2008-12-25 23:37 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-25 21:19 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-24 07:13 --------- d-----w c:\documents and settings\ngo\Application Data\U3
2008-12-13 13:21 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-27 20:13 23,510,720 ----a-w c:\program files\dotnetfx.exe
2008-11-22 00:22 --------- d-----w c:\program files\Apple Software Update
2008-11-22 00:18 --------- d-----w c:\program files\iTunes
2008-11-22 00:18 --------- d-----w c:\program files\iPod
2008-11-22 00:18 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 00:16 --------- d-----w c:\program files\QuickTime
2008-11-21 23:53 --------- d-----w c:\program files\Bonjour
2008-11-20 08:13 --------- d-----w c:\documents and settings\ngo\Application Data\Malwarebytes
2008-11-20 08:13 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-20 08:12 2,372,472 ----a-w c:\program files\mbam-setup.exe
2008-11-20 02:57 88,372 ----a-w c:\windows\system32\mwvvsgaawwduexq.dll-uninst.exe
2008-11-19 21:41 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-19 21:34 --------- d-----w c:\program files\Lavasoft
2008-11-19 21:27 23,804,784 ----a-w c:\program files\aaw2008.exe
2008-11-19 09:32 153,484 ----a-w c:\windows\system32\g12.exe
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 21:20 7,508,608 ----a-w c:\program files\Firefox Setup 3.0.3.exe
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-05-25 05:50 318,904 -c--a-w c:\program files\wmpfirefoxplugin.exe
2008-01-31 02:07 15,786 -c--a-w c:\documents and settings\ngo\Application Data\wklnhst.dat
2008-01-12 22:51 21,321,008 -c--a-w c:\program files\QuickTimeInstaller.exe
2007-10-17 02:26 23,402,288 -c--a-w c:\program files\AdbeRdr810_en_US.exe
2007-10-03 03:40 51,422,520 -c--a-w c:\program files\iTunes743Setup.exe
2007-07-17 05:24 2,139,213 -c--a-w c:\program files\ac3filter_1_30b.exe
2007-06-24 03:45 2,380,016 -c--a-w c:\program files\DivXWebPlayerInstaller.exe
2007-06-09 06:41 304,957 -c--a-w c:\program files\hjsplit.zip
2007-06-09 05:25 1,207,026 -c--a-w c:\program files\wrar370.exe
2007-04-19 03:17 1,163,592 -c--a-w c:\program files\install_flash_player.exe
2005-09-25 02:32 4,878,136 -c--a-w c:\program files\Firefox Setup 1.0.7.exe
2005-09-24 20:02 8,715,352 -c--a-w c:\program files\Install_AIM.exe
2003-08-27 22:19 36,963 -c--a-r c:\program files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-08_ 6.39.54.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-03-08 20:30:22 49,245 -c--a-w c:\windows\system32\java.exe
+ 2009-01-09 00:49:25 144,792 ----a-w c:\windows\system32\java.exe
- 2005-03-08 20:30:22 49,247 -c--a-w c:\windows\system32\javaw.exe
+ 2009-01-09 00:49:25 144,792 ----a-w c:\windows\system32\javaw.exe
- 2005-03-08 20:30:22 127,075 -c--a-w c:\windows\system32\javaws.exe
+ 2009-01-09 00:49:26 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-01-11 09:32:50 16,384 ----atw c:\windows\temp\Perflib_Perfdata_524.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-12 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-01-13 5509120]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2005-01-28 18:06 245760]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-15 135168]
"TOSHIBA Picture Enhancement Utility"="c:\program files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe" [2004-08-17 638976]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2004-11-12 73728]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 126976]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-09-05 184320]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 49152]
"Kraidman"="c:\program files\Toshiba\TOSHIBA RAID\Console\Kraidman.exe" [2005-01-27 1126483]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2004-11-03 147456]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-01-14 122939]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]
"Notebook Maximizer"="c:\program files\Notebook Maximizer\maximizer_startup.exe" [2004-05-25 28672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-08 185784]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-08 136600]
"nwiz"="nwiz.exe" [2005-01-13 c:\windows\system32\nwiz.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 23:28 24576 c:\windows\system32\000StTHK.exe]
"TFNF5"="TFNF5.exe" [2004-06-28 c:\windows\system32\TFNF5.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-21 c:\windows\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" [2004-12-27 c:\windows\system32\TPSMain.exe]
"TPSODDCtl"="TPSODDCtl.exe" [2004-12-27 c:\windows\system32\TPSODDCtl.exe]
"TFncKy"="TFncKy.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-03-10 483328]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-03-08 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 14:27 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2004-08-13 16:17 58488 c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\ngo\\My Documents\\filelib\\ohsnizzapkev\\mbaltloan_files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [2004-10-06 18432]
R1 $sys$crater;$sys$crater;c:\windows\system32\$sys$filesystem\crater.sys [2004-10-07 11904]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]
R3 ttv200x;TOSHIBA PCI TV Tuner type W;c:\windows\system32\drivers\ttv200x.sys [2005-01-06 828672]
S3 oflpydin;oflpydin;\??\c:\docume~1\ngo\LOCALS~1\Temp\oflpydin.sys --> c:\docume~1\ngo\LOCALS~1\Temp\oflpydin.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1a1fd6f-4eef-11dd-90e3-00038a000015}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-10 c:\windows\Tasks\Norton AntiVirus - Scan my computer - ngo.job
- c:\progra~1\NORTON~1\Navw32.exe [2004-08-18 03:44]

2009-01-11 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 20:26]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\ngo\Application Data\Mozilla\Firefox\Profiles\1919fvnx.default\
FF - prefs.js: network.proxy.type - 1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 05:56:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\DJZERO]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\JKWL]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\metajuan]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000
"LBL"=hex:00,00,00,00,00,00,00,00
"MN"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\meta_mg]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\profiling4]
@DACL=(02 0000)
"LTM"=hex:7e,0b,8c,6e,0a,6a,c9,01
"CDY"=hex:4a,39,05,05,06,6a,c9,01
"CNT"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\superjuan]
@DACL=(02 0000)
"LTM"=hex:4a,39,05,05,06,6a,c9,01
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000014

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\TrackDJuan]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2009-01-11 5:59:10
ComboFix-quarantined-files.txt 2009-01-11 10:57:53
ComboFix2.txt 2009-01-08 11:42:06

Pre-Run: 1,102,835,712 bytes free
Post-Run: 1,346,342,912 bytes free

252 --- E O F --- 2008-12-19 08:01:34

#10 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:08:11 PM

Posted 12 January 2009 - 06:05 AM

Hi,

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:
REGLOCK::
[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan]
Registry::
[-HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan]
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post them along with a new HijackThis log.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Please let me know how your computer is running now.

Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
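The ComboFix log posted earlier in this thread lists the infection's registry keys under a "LOCKED REGISTRY KEYS" heading, each with an @DACL marker and LTM/CDY/CNT values, and lusitano's CFScript above unlocks and deletes their common parent key. The following script is an added example for reading that section of such a log offline; it is not code from the thread, from ComboFix or from its authors. It assumes the section layout seen in the posted log (a dashed heading, one `[KEY]` line per key, `@DACL=(...)`, `"NAME"=hex:...` and `"NAME"=dword:...` lines, and a `.` or the next dashed heading as terminator). Treating the 8-byte LTM and CDY values as Windows FILETIMEs is an assumption made here, not something the log states; decoded that way, the non-zero LTM under profiling4 falls on 29 December 2008, between the DDS run of 27 December and the ComboFix run of 11 January. The @DACL marker is kept as an opaque string because the page does not document its encoding. The sample text in the script is a constructed excerpt of three of the seven keys from the posted log.

```python
"""Parse the 'LOCKED REGISTRY KEYS' section of a ComboFix log (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample: a cut-down copy of the locked-keys section from the
# log posted in this thread (three of the seven keys), with the section
# headings ComboFix prints before and after it.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\DJZERO]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\JKWL]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\profiling4]
@DACL=(02 0000)
"LTM"=hex:7e,0b,8c,6e,0a,6a,c9,01
"CDY"=hex:4a,39,05,05,06,6a,c9,01
"CNT"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DACL_RE = re.compile(r"^@DACL=\((?P<dacl>[^)]*)\)$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<type>hex|dword):(?P<data>[0-9A-Fa-f,]+)$')

# FILETIME counts 100-nanosecond ticks from this epoch (UTC).
FILETIME_EPOCH = datetime(1601, 1, 1)


def is_section_heading(line):
    """ComboFix section headings are a dashed line with the title in the middle."""
    return line.startswith("---") and line.endswith("---")


def decode_value(vtype, data):
    """hex:aa,bb,... -> bytes; dword:xxxxxxxx -> int."""
    if vtype == "hex":
        return bytes(int(octet, 16) for octet in data.split(","))
    return int(data, 16)


def filetime_to_datetime(raw):
    """Read 8 little-endian bytes as a Windows FILETIME (assumption: that is
    what these 8-byte values are). An all-zero value means 'never set' -> None."""
    ticks = int.from_bytes(raw, "little")
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_locked_keys(log_text):
    """Map each key path in the LOCKED REGISTRY KEYS section to its DACL marker
    and decoded values. Parsing stops at the '.' or next heading that ends it."""
    keys = {}
    current = None
    in_section = False
    for raw_line in log_text.splitlines():
        line = raw_line.strip()
        if not in_section:
            in_section = is_section_heading(line) and "LOCKED REGISTRY KEYS" in line
            continue
        if line == "." or is_section_heading(line):
            break
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = {"dacl": None, "values": {}}
            keys[m.group("key")] = current
            continue
        if current is None:
            continue  # stray line before the first key; ignore it
        m = DACL_RE.match(line)
        if m:
            current["dacl"] = m.group("dacl")
            continue
        m = VALUE_RE.match(line)
        if m:
            current["values"][m.group("name")] = decode_value(m.group("type"), m.group("data"))
    return keys


def common_parent(keys):
    """Longest common key prefix, component-wise and case-insensitive; None if empty."""
    paths = [k.split("\\") for k in keys]
    if not paths:
        return None
    prefix = paths[0]
    for p in paths[1:]:
        n = 0
        while n < min(len(prefix), len(p)) and prefix[n].lower() == p[n].lower():
            n += 1
        prefix = prefix[:n]
    return "\\".join(prefix) if prefix else None


def report(log_text):
    """One summary line per locked key: path, DACL marker, CNT and decoded LTM."""
    lines = []
    for key, info in parse_locked_keys(log_text).items():
        ltm = info["values"].get("LTM")
        when = filetime_to_datetime(ltm) if isinstance(ltm, bytes) else None
        lines.append(f"{key} | DACL=({info['dacl']}) | CNT={info['values'].get('CNT')} | LTM={when}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
    print("common parent:", common_parent(parse_locked_keys(SAMPLE_LOG)))
```

Run against the full log from the thread, common_parent() returns HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan, which is the key lusitano's REGLOCK:: and Registry:: lines name; the point of computing it from the log rather than typing it is that a helper can confirm a script targets only the keys the scan actually flagged on that machine.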

#11 xkellenx

xkellenx
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:11 PM

Posted 13 January 2009 - 09:09 AM

Hello lusitano,

I've run into a new problem. For some reason every time I try to now run ComboFix the program detects Norton Antivirus running even after I have disabled the auto-protect. I tried to do what I had done before by running "services.msc" and disabling anything associated with Norton or Symantec and ComboFix still says it detects Norton running. Any suggestions on what I should do? Thanks.

Edited by xkellenx, 13 January 2009 - 09:10 AM.


#12 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:08:11 PM

Posted 13 January 2009 - 10:16 AM

Hi,

Please click on this link and try to disable Norton, then run ComboFix.

Regards

#13 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:08:11 PM

Posted 21 January 2009 - 04:54 AM

Due to inactivity this thread has been closed to prevent others with similar problems posting to it.
If you need it re-opened please PM a member of the moderating team with a link to your thread.

Thanks
