IE hijacked, strange new files in WINDOWS\system32


This topic is locked
28 replies to this topic

#1 car377


Posted 07 February 2009 - 01:19 AM

My teenager says he unintentionally hit the wrong button on a pop-up, and now his IE keeps redirecting to sites he doesn't want to visit. ZoneAlarm says it has cleaned up a trojan, but after reboot, it finds the trojan again. The DDS log is below, and the attach.txt is attached. Thanks for any help!

Chuck


DDS (Ver_09-02-01.01) - NTFSx86
Run by Cajhne at 21:56:43.08 on Thu 02/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.527 [GMT -7:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated)
AV: avast! antivirus 4.8.1296 [VPS 090131-0] *On-access scanning enabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\EZSP_PX.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\allSnap\allSnap.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\installs\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://www.toshiba.com
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\xxyvvTlJ.dll
BHO: {99e7791a-03b9-427d-bb96-8f756de5fe34} - c:\windows\system32\hgGxULfg.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [nwiz] nwiz.exe /installquiet /nodetect /keeploaded
mRun: [TFNF5] TFNF5.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"
mRun: [MaxtorOneTouch] c:\program files\maxtor\managerapp\Onetouch.exe
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\EZSP_PX.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\cajhne\startm~1\programs\startup\allsnap.lnk - c:\program files\allsnap\allSnap.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Save Flash by &GetFlash - c:\progra~1\getflash\getflash.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
Notify: xxyvvTlJ - xxyvvTlJ.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\xxyvvTlJ.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cajhne\applic~1\mozilla\firefox\profiles\0mf02mmg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\cajhne\application data\mozilla\firefox\profiles\0mf02mmg.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-7-11 111184]
R1 cinemst22;cinemst22;c:\windows\system32\drivers\cinemst22.sys [2009-2-4 86144]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-1-29 148496]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2004-2-4 5760]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\virtual_cd\VCdRom.sys [2001-12-19 8576]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-8-12 353680]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-7-11 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2006-1-25 155160]
R2 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\alias\maya 7.0 personal learning edition\docs\wrapper.exe [2004-7-16 126976]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-4-14 1373480]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2004-2-4 126976]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2006-1-25 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2006-1-25 352920]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [2004-2-4 8832]
R3 WISDPen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2008-4-14 30248]
S0 ysrhsrdw;ysrhsrdw;c:\windows\system32\drivers\fbdxusfm.sys []
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2008-3-10 58240]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [2008-6-10 29952]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [2008-6-10 41856]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [2008-6-10 39936]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [2008-6-10 59520]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2004-2-4 13568]

=============== Created Last 30 ================

2009-02-05 21:50 <DIR> --d----- c:\windows\system32\NtmsData
2009-02-04 18:35 932 a------- c:\windows\system32\drivers\core.cache.dsk
2009-02-04 18:35 86,144 a------- c:\windows\system32\drivers\cinemst22.sys
2009-02-04 18:35 <DIR> --d----- c:\temp\sTMP3
2009-02-04 18:35 <DIR> --d----- c:\windows\system32\Z55
2009-02-04 18:35 <DIR> --d----- c:\windows\system32\x13
2009-02-04 18:35 <DIR> --d----- c:\temp\1cb
2009-02-04 18:35 <DIR> --d----- C:\Temp
2009-02-04 18:25 3,876 a--sh--- c:\windows\system32\gfLUxGgh.ini2
2009-02-04 18:25 1,104 a------- c:\windows\ysrhsrdw
2009-02-04 18:25 3,876 a--sh--- c:\windows\system32\gfLUxGgh.ini
2009-02-04 18:20 48,640 -------- c:\windows\system32\xxyvvTlJ.dll
2009-02-04 18:20 44,824 a------- c:\windows\system32\prunnet.exe
2009-02-02 20:36 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-02-02 20:36 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-02 20:35 <DIR> --d----- c:\program files\iPod
2009-02-02 20:35 <DIR> --d----- c:\program files\iTunes
2009-02-02 20:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-02 20:35 <DIR> --d----- c:\program files\Bonjour
2009-02-02 20:31 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2009-01-29 19:30 1,439 a------- C:\rollback.ini
2009-01-29 16:14 <DIR> --d----- c:\docume~1\cajhne\applic~1\MailFrontier
2009-01-29 16:03 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-01-28 22:30 <DIR> --d----- c:\program files\GameSpy Arcade
2009-01-28 22:17 <DIR> --d----- c:\program files\Microsoft Games
2009-01-28 22:11 <DIR> --d----- C:\NetFramework.temp
2009-01-28 18:20 <DIR> --d----- C:\Converted
2009-01-26 21:33 5,632 a------- c:\windows\system32\ptpusb.dll
2009-01-26 21:33 159,232 a------- c:\windows\system32\ptpusd.dll
2009-01-25 14:29 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-01-24 14:58 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-01-19 15:03 <DIR> --d----- c:\program files\cwRsync

==================== Find3M ====================

2009-02-05 21:43 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-02-04 18:20 26,353,184 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-02-02 22:18 312,596 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-11 04:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-11-13 15:18 73,104 a------- c:\windows\zllsputility.exe
2007-11-28 11:27 71 a------- c:\documents and settings\cajhne\mysql.bat
2006-10-07 12:15 24,192 a------- c:\documents and settings\cajhne\usbsermptxp.sys
2006-10-07 12:15 22,768 a------- c:\documents and settings\cajhne\usbsermpt.sys
2006-05-16 15:43 141,608 a------- c:\docume~1\cajhne\applic~1\GDIPFONTCACHEV1.DAT
2006-03-27 18:20 151 a------- c:\program files\WS_FTP.LOG
2008-07-22 22:52 88 ---shr-- c:\windows\system32\4158409AD8.sys
2006-05-03 02:06 163,328 a--shr-- c:\windows\system32\flvDX.dll
2008-07-22 22:55 11,863 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-02-21 03:47 31,232 a--shr-- c:\windows\system32\msfDX.dll

============= FINISH: 21:59:00.74 ===============


#2 KoanYorel


Posted 19 February 2009 - 09:52 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 car377


Posted 19 February 2009 - 04:47 PM

Quoting KoanYorel (Feb 19 2009, 07:52 AM):
Hello and welcome to Bleeping Computer

OK, I will run it again tonight and post the results. No resolution yet.

Chuck

#4 car377


Posted 19 February 2009 - 10:51 PM

OK, I ran DDS again. In addition to the browser redirection in IE and the unsolicited toolbar in IE, I'm now getting a toast popup with a red-circle-with-white-X icon that says, "Warning! Security report" and "Your computer is infected! It is recommended to start spyware cleaner tool". With that mangled presentation and English usage, there's no way that's legit. The DDS.txt output is below and the attach.txt is attached. Thanks for any help!

Chuck


DDS (Ver_09-02-01.01) - NTFSx86
Run by Cajhne at 20:43:06.45 on Thu 02/19/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.622 [GMT -7:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated)
AV: avast! antivirus 4.8.1296 [VPS 090131-0] *On-access scanning enabled* (Outdated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\EZSP_PX.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\allSnap\allSnap.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\installs\dds(4).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://www.toshiba.com
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\wvUoMffG.dll
BHO: {b5fdc02a-5d7b-e468-8444-060ceef65c77}: {77c56fee-c060-4448-864e-b7d5a20cdf5b} - c:\windows\system32\oynoyd.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: {be8d62df-bb9e-48ae-9844-1d17c2096242} - c:\windows\system32\hgGxULfg.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [nwiz] nwiz.exe /installquiet /nodetect /keeploaded
mRun: [TFNF5] TFNF5.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"
mRun: [MaxtorOneTouch] c:\program files\maxtor\managerapp\Onetouch.exe
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\EZSP_PX.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Framework Windows] frmwrk32.exe
StartupFolder: c:\docume~1\cajhne\startm~1\programs\startup\allsnap.lnk - c:\program files\allsnap\allSnap.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Save Flash by &GetFlash - c:\progra~1\getflash\getflash.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
Notify: wvUoMffG - wvUoMffG.dll
Notify: xxyvvTlJ - xxyvvTlJ.dll
AppInit_DLLs: oynoyd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\wvUoMffG.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cajhne\applic~1\mozilla\firefox\profiles\0mf02mmg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\cajhne\application data\mozilla\firefox\profiles\0mf02mmg.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-7-11 111184]
R1 cinemst22;cinemst22;c:\windows\system32\drivers\cinemst22.sys [2009-2-4 86144]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-1-29 148496]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2004-2-4 5760]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\virtual_cd\VCdRom.sys [2001-12-19 8576]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-8-12 353680]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-7-11 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2006-1-25 155160]
R2 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\alias\maya 7.0 personal learning edition\docs\wrapper.exe [2004-7-16 126976]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-4-14 1373480]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2004-2-4 126976]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2006-1-25 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2006-1-25 352920]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [2004-2-4 8832]
R3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 WISDPen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2008-4-14 30248]
S0 ysrhsrdw;ysrhsrdw;c:\windows\system32\drivers\fbdxusfm.sys []
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2008-3-10 58240]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [2008-6-10 29952]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [2008-6-10 41856]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [2008-6-10 39936]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [2008-6-10 59520]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2004-2-4 13568]

=============== Created Last 30 ================

2009-02-19 20:37 1,586,779 ---sh--- c:\windows\system32\umspehrv.ini
2009-02-19 20:37 81,408 a------- c:\windows\system32\vrhepsmu.dll
2009-02-11 15:26 35,328 a------- c:\windows\system32\wvUoMffG.dll
2009-02-11 15:26 46,080 -------- c:\windows\system32\clickfile.exe
2009-02-11 15:11 1 a------- c:\windows\system32\uniq.tll
2009-02-11 15:11 24,064 a------- c:\windows\system32\frmwrk32.exe
2009-02-11 15:11 24,064 a------- c:\windows\system32\998.exe
2009-02-10 21:49 1,530,380 ---sh--- c:\windows\system32\xwkrsgsb.ini
2009-02-10 21:49 86,016 -------- c:\windows\system32\bsgsrkwx.dll
2009-02-10 21:47 126,464 a------- c:\windows\system32\oynoyd.dll
2009-02-10 21:47 126,464 a------- c:\windows\system32\ehivrycy.dll
2009-02-05 21:50 <DIR> --d----- c:\windows\system32\NtmsData
2009-02-04 18:35 932 a------- c:\windows\system32\drivers\core.cache.dsk
2009-02-04 18:35 86,144 a------- c:\windows\system32\drivers\cinemst22.sys
2009-02-04 18:35 <DIR> --d----- c:\temp\sTMP3
2009-02-04 18:35 <DIR> --d----- c:\windows\system32\Z55
2009-02-04 18:35 <DIR> --d----- c:\windows\system32\x13
2009-02-04 18:35 <DIR> --d----- c:\temp\1cb
2009-02-04 18:35 <DIR> --d----- C:\Temp
2009-02-04 18:25 34,298 a--sh--- c:\windows\system32\gfLUxGgh.ini2
2009-02-04 18:25 1,104 a------- c:\windows\ysrhsrdw
2009-02-04 18:25 34,620 a--sh--- c:\windows\system32\gfLUxGgh.ini
2009-02-04 18:20 44,824 a------- c:\windows\system32\prunnet.exe
2009-02-02 20:36 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-02-02 20:36 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-02 20:35 <DIR> --d----- c:\program files\iPod
2009-02-02 20:35 <DIR> --d----- c:\program files\iTunes
2009-02-02 20:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-02 20:35 <DIR> --d----- c:\program files\Bonjour
2009-02-02 20:31 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2009-01-29 19:30 3,498 a------- C:\rollback.ini
2009-01-29 16:14 <DIR> --d----- c:\docume~1\cajhne\applic~1\MailFrontier
2009-01-29 16:03 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-01-28 22:30 <DIR> --d----- c:\program files\GameSpy Arcade
2009-01-28 22:17 <DIR> --d----- c:\program files\Microsoft Games
2009-01-28 22:11 <DIR> --d----- C:\NetFramework.temp
2009-01-28 18:20 <DIR> --d----- C:\Converted
2009-01-26 21:33 5,632 a------- c:\windows\system32\ptpusb.dll
2009-01-26 21:33 159,232 a------- c:\windows\system32\ptpusd.dll
2009-01-25 14:29 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-01-24 14:58 <DIR> --d----- c:\windows\system32\CatRoot_bak

==================== Find3M ====================

2009-02-19 20:31 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-02-04 18:20 26,353,184 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-02-02 22:18 312,596 a--sh--- c:\windows\system32\drivers\fidbox.idx
2007-11-28 11:27 71 a------- c:\documents and settings\cajhne\mysql.bat
2006-10-07 12:15 24,192 a------- c:\documents and settings\cajhne\usbsermptxp.sys
2006-10-07 12:15 22,768 a------- c:\documents and settings\cajhne\usbsermpt.sys
2006-05-16 15:43 141,608 a------- c:\docume~1\cajhne\applic~1\GDIPFONTCACHEV1.DAT
2006-03-27 18:20 151 a------- c:\program files\WS_FTP.LOG
2008-07-22 22:52 88 ---shr-- c:\windows\system32\4158409AD8.sys
2006-05-03 02:06 163,328 a--shr-- c:\windows\system32\flvDX.dll
2008-07-22 22:55 11,863 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-02-21 03:47 31,232 a--shr-- c:\windows\system32\msfDX.dll

============= FINISH: 20:46:02.94 ===============


#5 extremeboy (Malware Response Team)

Posted 20 February 2009 - 04:15 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can use the Track this Topic button at the top bar of this topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right-hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Post back with:
-Combofix log
-New Hijackthis log
-Description of any problem you still have


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to make a donation.

#6 car377 (Topic Starter)

Posted 21 February 2009 - 08:41 AM

I tried to follow the instructions, but now combofix has rebooted the laptop and is stuck at the little blue window that says, "Please wait. Combofix is preparing to run." It's been stuck there for better than an hour. When I first started combofix, a dialog popped up instructing me to shut down Avast before proceeding, then press "OK". I did that, but I didn't think about the fact that combofix would reboot the PC, and didn't make the disabling of Avast persistent, so during the reboot, Avast started up again.

Combofix was able to install the management console prior to the reboot. It also indicated that it detected rootkit activity, and had me write down these filenames for later reference:

C:\WINDOWS\system32\drivers\senekamqnwsibu.sys
C:\WINDOWS\system32\senekalxttyevq.dll
C:\WINDOWS\system32\senekablmomyrj.dat
C:\WINDOWS\system32\senekaklytaeid.dll
C:\WINDOWS\system32\senekakvmpyejk.dll
C:\WINDOWS\system32\senekabtuhddcj.dat

What should I do now?

Thanks,
Chuck

#7 extremeboy (Malware Response Team)

Posted 21 February 2009 - 09:11 AM

Hello.

I need to leave soon, so let me get this clear first.

Can you not boot up anymore? If you cannot boot into normal mode please tell me.

If you can boot, the Combofix log should have been created at C:\Combofix.txt <- See if it's there and post the results back.

Also rootkits are very nasty. The one you currently have is the Seneka Trojan. Also known as a backdoor.

Rootkit Threat

Unfortunately, one or more of the identified infections is a Rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do. If you want to continue, answer my questions/post the Combofix log.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to make a donation.
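A responder reads the DDS and ComboFix output in this thread for exactly the markers EB describes above: files carrying the system+hidden attributes in system32, a boot-start driver (ysrhsrdw / fbdxusfm.sys) that appears in the service list with no size or date because the rootkit hides it on disk, random-looking 8-letter file names, and loading points that turn protection off (AppInit_DLLs, the Security Center notification switches, the firewall policy). The following Python script, added here as an example and not code from this thread or from the DDS/ComboFix authors, encodes those checks as log-line heuristics and runs them over a constructed sample copied in shape from the logs posted here. The regular expressions and the "at most two vowels in eight letters" rule are my assumptions about the log format and about naming, not anything the tools define, and the name rule in particular will hit some legitimate OEM DLLs, so treat it as corroboration rather than a verdict.

```python
"""Added triage helper for DDS / ComboFix log lines (example code, not the
forum's or the tool authors' own).  Heuristics are assumptions, see below."""
import re
from dataclasses import dataclass, field

# DDS "Created Last 30" and ComboFix "Files Created" / "Find3M" lines.
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?:\. \d{4}-\d{2}-\d{2} \d{2}:\d{2} )?"          # ComboFix second timestamp
    r"(?P<size>[\d,]+|<DIR>|-+) (?P<attrs>[a-z-]{7,9}) (?P<path>.+)$"
)
# Service lines: "S0 name;display;path [date size]" (empty [] = file not seen).
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
# Registry value lines under "Reg Loading Points".
REG_RE = re.compile(r'^"(?P<key>[^"]+)"\s*=\s*(?P<val>.*)$')

# Constructed sample (not a live capture), copied in shape from the DDS and
# ComboFix sections posted in this thread.
SAMPLE_LOG = r"""
2009-02-19 20:37 1,586,779 ---sh--- c:\windows\system32\umspehrv.ini
2009-02-19 20:37 81,408 a------- c:\windows\system32\vrhepsmu.dll
2009-02-02 20:36 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-02-04 18:25 34,298 a--sh--- c:\windows\system32\gfLUxGgh.ini2
2009-02-11 15:26 . 2009-02-11 15:26 46,080 --------- c:\windows\system32\clickfile.exe
S0 ysrhsrdw;ysrhsrdw;c:\windows\system32\drivers\fbdxusfm.sys []
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-11 111184]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2004-02-04 13568]
"AppInit_DLLs"=zbcbel.dll
"AntiVirusDisableNotify"=dword:00000001
"EnableFirewall"= 0 (0x0)
"""


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def random_looking(stem):
    """Weak indicator (assumption): an 8-letter, all-alphabetic stem with at
    most two vowels.  ysrhsrdw, fbdxusfm, umspehrv and gfLUxGgh all match;
    expect some false positives on legitimate OEM DLLs."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    return sum(ch in "aeiou" for ch in stem.lower()) <= 2


def stem_of(path):
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.split(".", 1)[0]


def triage(log_text):
    """Return one Finding per suspicious line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line, reasons = raw.strip(), []
        if m := FILE_RE.match(line):
            path, attrs = m.group("path"), m.group("attrs")
            if "\\system32\\" in path.lower():
                if "s" in attrs and "h" in attrs:      # system+hidden attributes
                    reasons.append("hidden+system file in system32")
                if random_looking(stem_of(path)):
                    reasons.append("random-looking 8-letter name")
        elif m := SERVICE_RE.match(line):
            path = m.group("path")
            if m.group("start") in ("S0", "R0") and not m.group("meta").strip():
                reasons.append("boot-start driver with no size/date (file hidden on disk)")
            if random_looking(m.group("name")) or random_looking(stem_of(path)):
                reasons.append("random-looking 8-letter name")
        elif m := REG_RE.match(line):
            path, val = m.group("key"), m.group("val").strip()
            if path == "AppInit_DLLs" and val not in ("", '""'):
                reasons.append("AppInit_DLLs loads %s into every user32 process" % val)
            elif path.endswith("DisableNotify") and val.endswith("00000001"):
                reasons.append("Security Center warning suppressed")
            elif path == "EnableFirewall" and val.startswith("0"):
                reasons.append("Windows Firewall policy disabled")
        if reasons:
            findings.append(Finding(path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.path}: {'; '.join(f.reasons)}")
```

Run against the sample it reports the four malware files and the three registry switches and stays quiet on GEARAspi.dll, aswSP.sys, wacompen.sys and clickfile.exe; the strongest single signal is the S0 service whose image has no metadata, which is what ComboFix's catchme scan later confirmed as a hidden file.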

#8 car377 (Topic Starter)

Posted 21 February 2009 - 10:14 AM

My mistake - ran combofix from C:\installs rather than from desktop. Re-ran it from desktop, and it completed, with the complaint about the rootkit:

C:\WINDOWS\system32\drivers\fbdxusfm.sys

It asked me to delete the file, and I said OK.

We are changing passwords, security questions, etc., and putting a fraud alert on at the credit bureau.

This computer is old, and we may not be able to rebuild it. In that case, it goes in the trash anyway. I'll post the ComboFix log in a minute.

Thanks
Chuck

#9 car377 (Topic Starter)

Posted 21 February 2009 - 10:21 AM

Here's the Combofix.txt log:

ComboFix 09-02-19.01 - Cajhne 2009-02-21 7:44:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.589 [GMT -7:00]
Running from: c:\documents and settings\Cajhne\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090131-0] *On-access scanning disabled* (Outdated)
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Cajhne\LOCALS~1\Temp\mousehook.dll
c:\docume~1\Cajhne\LOCALS~1\Temp\ntdll64.dll
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\windows\IE4 Error Log.txt
c:\windows\system32\998.exe
c:\windows\system32\ahtn.htm
c:\windows\system32\Cache
c:\windows\system32\d3d8caps.dat
c:\windows\system32\drivers\cinemst22.sys
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekamqnwsibu.sys
c:\windows\system32\ehivrycy.dll
c:\windows\system32\frmwrk32.exe
c:\windows\system32\gfLUxGgh.ini
c:\windows\system32\gfLUxGgh.ini2
c:\windows\system32\hfcxhnsg.dll
c:\windows\system32\hsfkifmp.ini
c:\windows\system32\init32.exe
c:\windows\system32\ntdll64.exe
c:\windows\system32\oynoyd.dll
c:\windows\system32\pmfikfsh.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\senekablmomyrj.dat
c:\windows\system32\senekabtuhddcj.dat
c:\windows\system32\senekaklytaeid.dll
c:\windows\system32\senekakvmpyejk.dll
c:\windows\system32\senekalxttyevq.dll
c:\windows\system32\umspehrv.ini
c:\windows\system32\uniq.tll
c:\windows\system32\vrhepsmu.dll
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
c:\windows\system32\x13
c:\windows\system32\x13\VE2PIX5.exe
c:\windows\system32\xwkrsgsb.ini
c:\windows\system32\Z55
c:\windows\system32\zbcbel.dll
c:\windows\Tasks\ycdgwyzc.job

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CINEMST22
-------\Legacy_TNIDRIVER
-------\Service_cinemst22
-------\Service_seneka
-------\Service_TnIDriver


((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

2009-02-11 15:26 . 2009-02-11 15:26 46,080 --------- c:\windows\system32\clickfile.exe
2009-02-11 15:26 . 2009-02-11 15:26 35,328 --a------ c:\windows\system32\wvUoMffG.dll
2009-02-05 21:50 . 2009-02-05 21:54 <DIR> d-------- c:\windows\system32\NtmsData
2009-02-04 18:35 . 2009-02-04 18:35 <DIR> d-------- c:\temp\sTMP3
2009-02-04 18:35 . 2009-02-21 07:46 <DIR> d-------- C:\Temp
2009-02-04 18:25 . 2009-02-21 07:57 1,104 --a------ c:\windows\ysrhsrdw
2009-02-02 20:36 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-02-02 20:36 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-02 20:35 . 2009-02-02 20:36 <DIR> d-------- c:\program files\iTunes
2009-02-02 20:35 . 2009-02-02 20:35 <DIR> d-------- c:\program files\iPod
2009-02-02 20:35 . 2009-02-02 20:35 <DIR> d-------- c:\program files\Bonjour
2009-02-02 20:35 . 2009-02-02 20:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-02 20:32 . 2009-02-02 20:32 <DIR> d-------- c:\program files\Apple Software Update
2009-02-02 20:31 . 2009-02-02 20:35 <DIR> d-------- c:\program files\Common Files\Apple
2009-02-02 20:31 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2009-01-29 19:30 . 2009-02-11 15:06 3,498 --a------ C:\rollback.ini
2009-01-29 16:14 . 2009-01-29 16:14 <DIR> d-------- c:\documents and settings\Cajhne\Application Data\MailFrontier
2009-01-29 16:03 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2009-01-28 22:30 . 2009-02-04 20:33 <DIR> d-------- c:\program files\GameSpy Arcade
2009-01-28 22:17 . 2009-01-28 22:17 <DIR> d-------- c:\program files\Microsoft Games
2009-01-28 22:11 . 2009-01-28 22:11 <DIR> d-------- C:\NetFramework.temp
2009-01-28 18:20 . 2009-01-28 18:22 <DIR> d-------- C:\Converted
2009-01-27 15:08 . 2009-01-27 15:08 <DIR> d-------- c:\documents and settings\Cajhne\Application Data\Viewpoint
2009-01-26 21:33 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-26 21:33 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-01-25 14:29 . 2008-05-01 07:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-01-24 14:58 . 2009-01-25 14:57 <DIR> d-------- c:\windows\system32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 15:01 --------- d-----w c:\program files\Microsoft AntiSpyware
2009-02-21 14:59 --------- d-----w c:\documents and settings\Cajhne\Application Data\WTablet
2009-02-21 14:57 332,324 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-02-21 14:57 26,353,184 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-02-21 14:50 --------- d-----w c:\documents and settings\Cajhne\Application Data\Skype
2009-02-21 14:40 --------- d-----w c:\documents and settings\Cajhne\Application Data\OpenOffice.org2
2009-02-05 01:35 4,153,344 ----a-w c:\windows\Internet Logs\xDB17.tmp
2009-02-05 01:35 1,535,488 ----a-w c:\windows\Internet Logs\xDB16.tmp
2009-02-03 04:03 --------- d-----w c:\program files\Napster
2009-02-03 03:36 --------- d-----w c:\documents and settings\Cajhne\Application Data\Apple Computer
2009-02-03 03:35 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-03 03:34 --------- d-----w c:\program files\QuickTime
2009-01-30 02:21 --------- d-----w c:\documents and settings\All Users\Application Data\MailFrontier
2009-01-29 05:21 3,955,712 ----a-w c:\windows\Internet Logs\xDB15.tmp
2009-01-29 05:21 2,074,624 ----a-w c:\windows\Internet Logs\xDB14.tmp
2009-01-28 03:07 --------- d-----w c:\program files\Microsoft Works
2009-01-26 00:56 3,920,384 ----a-w c:\windows\Internet Logs\xDB13.tmp
2009-01-19 22:03 --------- d-----w c:\program files\cwRsync
2007-11-28 18:27 71 ----a-w c:\documents and settings\Cajhne\mysql.bat
2006-10-07 19:15 24,192 ----a-w c:\documents and settings\Cajhne\usbsermptxp.sys
2006-10-07 19:15 22,768 ----a-w c:\documents and settings\Cajhne\usbsermpt.sys
2006-05-16 22:43 141,608 ----a-w c:\documents and settings\Cajhne\Application Data\GDIPFONTCACHEV1.DAT
2006-03-28 01:20 151 ----a-w c:\program files\WS_FTP.LOG
2008-07-23 05:52 88 --sh--r c:\windows\system32\4158409AD8.sys
2006-05-03 09:06 163,328 --sha-r c:\windows\system32\flvDX.dll
2008-07-23 05:55 11,863 --sha-w c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47 31,232 --sha-r c:\windows\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2009-02-11 15:26 35328 --a------ c:\windows\system32\wvUoMffG.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-05-30 21718824]
"NVIEW"="nview.dll" [2003-10-17 c:\windows\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-10-16 23:30 258048]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2003-12-03 131072]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"MaxtorOneTouch"="c:\program files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 81920]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-07-17 159744]
"ezShieldProtector for Px"="c:\windows\system32\EZSP_PX.EXE" [2002-08-20 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-10-09 36352]
"TSkrMain"="c:\program files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe" [2003-10-20 45056]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 126976]
"TosRotation"="c:\program files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe" [2004-01-29 266240]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 49152]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2003-12-09 126976]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2003-10-06 77824]
"TapButt"="c:\program files\Toshiba\TapButton\TapButt.exe" [2003-10-24 163840]
"TAcelMgr"="c:\program files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe" [2003-10-14 86016]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2004-08-04 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2005-04-25 271872]
"Sensiva"="c:\symbol commander\Sensiva.exe" [2002-10-01 2052096]
"RegistrySmart"="c:\program files\RegistrySmart\RegistrySmart.exe" [2007-10-16 4044016]
"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 86016]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 159744]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-17 4866048]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NapsterShell"="c:\program files\Napster\napster.exe" [2008-05-29 323216]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"IVPServiceMgr"="c:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 475136]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"EasyPHP"="c:\program files\EasyPHP1-7\easyphp.exe" [2003-10-07 151552]
"CrossMenu"="c:\program files\Toshiba\CrossMenu\CrossMenu.exe" [2003-10-18 798720]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"000StTHK"="000StTHK.exe" [2001-06-23 21:28 24576 c:\windows\system32\000StTHK.exe]
"nwiz"="nwiz.exe" [2003-10-17 c:\windows\system32\nwiz.exe]
"TFNF5"="TFNF5.exe" [2003-10-15 c:\windows\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2003-10-23 c:\windows\system32\TPSMain.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 c:\windows\agrsmmsg.exe]

c:\documents and settings\Cajhne\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
allSnap.lnk - c:\program files\allSnap\allSnap.exe [2004-03-19 81920]
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-07-18 25214]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-06-09 471040]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\wvUoMffG.dll" [2009-02-11 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2004-08-04 00:56 47104 c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 17:49 110592 c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 04:41 11776 c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2004-08-04 00:56 30208 c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUoMffG]
2009-02-11 15:26 35328 c:\windows\system32\wvUoMffG.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=zbcbel.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Crimson Editor\\cedt.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-11 111184]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2004-02-04 5760]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\virtual_cd\VCdRom.sys [2001-12-19 8576]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-07-11 20560]
R2 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [2004-07-16 126976]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-04-14 1373480]
R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [2004-02-04 126976]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [2004-02-04 8832]
R3 WISDPen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2008-04-14 30248]
S0 ysrhsrdw;ysrhsrdw;c:\windows\system32\drivers\fbdxusfm.sys []
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2008-03-10 58240]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [2008-06-10 29952]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [2008-06-10 41856]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [2008-06-10 39936]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [2008-06-10 59520]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2004-02-04 13568]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Y]
\Shell\AutoRun\command - Y:\INSTALL.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - Z:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34f1c7f3-041a-11dc-afa4-00080de65dda}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-21 c:\windows\Tasks\RegistrySmart Scheduled Scan.job
- c:\program files\RegistrySmart\RegistrySmart.exe [2007-10-16 13:45]

2009-02-21 c:\windows\Tasks\RegistrySmart Scheduled Scan.job
- c:\program files\RegistrySmart [2008-07-24 10:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5994AF6E-F5AD-4CDE-801A-B72A82A7FC15} - c:\windows\system32\hgGxULfg.dll
BHO-{afbf4e34-46d5-41ef-b532-803405d98d88} - c:\windows\system32\zbcbel.dll
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
HKLM-Run-e4d0b5b2 - c:\windows\system32\pmfikfsh.dll
HKLM-Run-Zune Launcher - c:\program files\Zune\ZuneLauncher.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_07\bin\jusched.exe
HKLM-Run-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
HKLM-Run-eMusicClient - c:\program files\Winamp\eMusic\eMusicClient.exe
HKLM-Run-NWEReboot - (no file)
Notify-xxyvvTlJ - xxyvvTlJ.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Save Flash by &GetFlash - c:\progra~1\GetFlash\getflash.htm
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Cajhne\Application Data\Mozilla\Firefox\Profiles\0mf02mmg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Cajhne\Application Data\Mozilla\Firefox\Profiles\0mf02mmg.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-21 08:00:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\fbdxusfm.sys 25088 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\System32\LgNotify.dll
c:\windows\system32\wvUoMffG.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\Ink\keyboardsurrogate.exe
c:\windows\system32\ZCfgSvc.exe
c:\windows\system32\wisptis.exe
c:\windows\system32\tabbtnu.exe
c:\windows\system32\S24EvMon.exe
c:\windows\system32\1XConfig.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Microsoft Shared\Ink\tcserver.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\progra~1\EASYPH~1\apache\apache.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\progra~1\EASYPH~1\apache\apache.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
c:\progra~1\EASYPH~1\mysql\bin\mysqld.exe
c:\program files\Maxtor\Utils\SyncServices.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\program files\Toshiba\TME3\TMETEMnu.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\TPSBattM.exe
c:\windows\system32\rundll32.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Microsoft AntiSpyware\gcasDtServ.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\msiexec.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\program files\Infinite Mind LC\eyeQ\ARLaunch.exe
c:\windows\system32\RAMASST.exe
c:\program files\OpenOffice.org 2.1\program\soffice.exe
c:\program files\OpenOffice.org 2.1\program\soffice.bin
.
**************************************************************************
.
Completion time: 2009-02-21 8:09:56 - machine was rebooted [Cajhne]
ComboFix-quarantined-files.txt 2009-02-21 15:09:46

Pre-Run: 65,141,514,240 bytes free
Post-Run: 68,641,136,640 bytes free

359 --- E O F --- 2009-01-31 04:48:23

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:37 PM

Posted 21 February 2009 - 11:02 AM

Hello.

Nasty infections you have here. Combofix took out a few rootkits. There are still some more we need to deal with, and some leftover files that were from another software. Even a Windows file was infected, but it got repaired.

A few programs that you need to be warned about and some need to be removed.

View Point Programs Warning
Viewpoint Manager and Viewpoint Media Player are considered foistware rather than malware, since they are installed without the user's approval but don't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Additional instructions on removing programs can be found here.

Registry Cleaner(s) Warning
The following is referring to RegistrySmart

Please be aware that Bleeping Computer staff do not recommend the usage of registry cleaners/tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System. This could include making your computer inoperable.
  • These programs generally only delete "orphaned" or "dead" entries. This merely removes entries that point to files that no longer exist on your computer. Registry entries do not take up a significant amount of hard drive space. The program itself (and its own registry entries) likely occupy relatively more space.
  • The amount of improvement in performance you gain is minimal.
This is done assuming that the major audience here at this board may be inexperienced users, and is thus a suggested safeguard from our side.
If you feel that you have sufficient knowledge to use such tools safely, then you are welcome to keep them.

2 Anti-virus Programs Running Simultaneously Warning

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. In addition to wasting resources, if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either Avast or ZoneAlarm Security Suite Antivirus.

Please uninstall them until you are only running one antivirus using Add/Remove Programs.



Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    Drivers::
    ysrhsrdw
    Rootkit::
    c:\windows\system32\drivers\fbdxusfm.sys
    File::
    c:\windows\system32\clickfile.exe
    c:\windows\system32\wvUoMffG.dll
    c:\windows\system32\drivers\fidbox.idx
    c:\windows\system32\drivers\fidbox.dat
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUoMffG]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Y]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important!: Please do not select the Show all checkbox during the scan.

Post back with:
-Combofix log
-GMER log
-New DDS log
<- Only DDS.txt
-How's your computer running now?

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
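The CFScript above removes exactly what the two scanner outputs pointed at: the file catchme reported as hidden, the R0 service whose driver ComboFix marked `[?]`, and the randomly named DLL sitting inside winlogon.exe. As an added triage example (not ComboFix's code and not the Malware Response Team's script), this Python pulls those same indicators out of ComboFix log text; the sample lines are copied from the log posted above, and the name heuristic is my own assumption, which also fires on some vendor CamelCase names (avast's aswFsBlk, for one), so its hits are review candidates, not verdicts.

```python
"""Triage helper for ComboFix / catchme log text (added example for this
thread; not ComboFix's code and not the Malware Response Team's script).
It extracts what the CFScript above acted on: catchme hidden files, service
entries whose driver ComboFix could not open ('--> path [?]'), and
eight-letter generated module names around winlogon.exe."""
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the ComboFix log posted above, plus
# a few benign neighbours so the checks have something to pass over.
SAMPLE_LOG = """\
Notify-xxyvvTlJ - xxyvvTlJ.dll
scanning hidden files ...

c:\\windows\\system32\\drivers\\fbdxusfm.sys 25088 bytes executable

scan completed successfully
hidden files: 1
- - - - - - - > 'winlogon.exe'(708)
c:\\windows\\System32\\LgNotify.dll
c:\\windows\\system32\\wvUoMffG.dll
.
R0 ysrhsrdw;ysrhsrdw;c:\\windows\\system32\\drivers\\fbdxusfm.sys --> c:\\windows\\system32\\drivers\\fbdxusfm.sys [?]
R1 aswSP;avast! Self Protection;c:\\windows\\system32\\drivers\\aswSP.sys [2008-07-11 111184]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\\windows\\system32\\drivers\\TBtnKey.sys [2004-02-04 8832]
"""

# catchme prints "<path> <size> bytes executable" for each hidden file.
HIDDEN_RE = re.compile(r"^(?P<path>[a-z]:\\\S.*?) (?P<size>\d+) bytes", re.I)
# ComboFix service line whose binary it could not read: "... --> <path> [?]".
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>.+?) --> .+ \[\?\]$")
# Winlogon Notify entries listed in the removed/legacy section of the log.
NOTIFY_RE = re.compile(r"^Notify-(?P<key>\S+) - (?P<dll>\S+)$")
WINLOGON_HEADER = "'winlogon.exe'"
VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """My heuristic for the generated names in this log: eight letters with
    two or more lower-to-upper case flips (wvUoMffG, xxyvvTlJ) or no vowel at
    all (ysrhsrdw). LgNotify passes; avast's aswFsBlk is a false positive,
    so treat hits as review candidates rather than verdicts."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.islower() and b.isupper())
    return flips >= 2 or not any(c in VOWELS for c in stem.lower())


def hidden_files(lines):
    """[(path, size)] listed by catchme between 'scanning hidden files' and
    'scan completed'; paths are lower-cased for matching against services."""
    found, inside = [], False
    for line in lines:
        if line.startswith("scanning hidden files"):
            inside = True
        elif line.startswith("scan completed"):
            inside = False
        elif inside and (m := HIDDEN_RE.match(line)):
            found.append((m["path"].lower(), int(m["size"])))
    return found


def missing_driver_services(lines):
    """[(service_name, path)] for R*/S* entries that ComboFix marked '[?]'."""
    return [(m["name"], m["path"].lower()) for m in map(SERVICE_RE.match, lines) if m]


def suspicious_modules(lines):
    """[(where, module)] for random-looking names in Winlogon Notify entries
    and in the DLL list printed under 'winlogon.exe'."""
    hits, in_winlogon = [], False
    for line in lines:
        if m := NOTIFY_RE.match(line):
            if looks_random(PureWindowsPath(m["dll"]).stem):
                hits.append(("Winlogon Notify entry", m["dll"]))
        elif WINLOGON_HEADER in line:
            in_winlogon = True  # the c:\ lines that follow are its modules
        elif in_winlogon:
            if not line.lower().startswith("c:\\"):
                in_winlogon = False  # '.' or the next section ends the list
            elif looks_random(PureWindowsPath(line).stem):
                hits.append(("loaded in winlogon.exe", line))
    return hits


def triage(log_text: str) -> dict:
    """Run every check; a '[?]' service whose driver is also a catchme hidden
    file is reported separately as a correlated rootkit driver."""
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    hidden = hidden_files(lines)
    missing = missing_driver_services(lines)
    hidden_paths = {path for path, _ in hidden}
    return {
        "hidden_files": hidden,
        "missing_driver_services": missing,
        "rootkit_drivers": [(n, p) for n, p in missing if p in hidden_paths],
        "suspicious_modules": suspicious_modules(lines),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section, *[f"  {item}" for item in items], sep="\n")
```

On the sample it reports fbdxusfm.sys as both hidden and the binary of service ysrhsrdw, which is the pairing the Drivers:: and Rootkit:: lines of the CFScript target.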

#11 car377

car377
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:10:37 AM

Posted 21 February 2009 - 12:03 PM

OK, here's the next Combofix.txt - will start running FlashDisinfector next. Also, removed RegistrySmart and ZoneAlarm, and will remove the Viewpoint stuff.

ComboFix 09-02-19.01 - Cajhne 2009-02-21 9:23:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.597 [GMT -7:00]
Running from: c:\documents and settings\Cajhne\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cajhne\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090131-0] *On-access scanning disabled* (Outdated)
* Created a new restore point

FILE ::
c:\windows\system32\clickfile.exe
c:\windows\system32\drivers\fidbox.dat
c:\windows\system32\drivers\fidbox.idx
c:\windows\system32\wvUoMffG.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\clickfile.exe
c:\windows\system32\drivers\fbdxusfm.sys
c:\windows\system32\drivers\fidbox.dat
c:\windows\system32\drivers\fidbox.idx
c:\windows\system32\wvUoMffG.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

2009-02-05 21:50 . 2009-02-05 21:54 <DIR> d-------- c:\windows\system32\NtmsData
2009-02-04 18:35 . 2009-02-04 18:35 <DIR> d-------- c:\temp\sTMP3
2009-02-04 18:35 . 2009-02-21 07:46 <DIR> d-------- C:\Temp
2009-02-04 18:25 . 2009-02-04 18:25 304,128 --a------ c:\windows\system32\hgGxULfg.dll
2009-02-04 18:25 . 2009-02-21 09:35 1,104 --a------ c:\windows\ysrhsrdw
2009-02-02 20:36 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-02-02 20:36 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-02 20:35 . 2009-02-02 20:36 <DIR> d-------- c:\program files\iTunes
2009-02-02 20:35 . 2009-02-02 20:35 <DIR> d-------- c:\program files\iPod
2009-02-02 20:35 . 2009-02-02 20:35 <DIR> d-------- c:\program files\Bonjour
2009-02-02 20:35 . 2009-02-02 20:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-02 20:32 . 2009-02-02 20:32 <DIR> d-------- c:\program files\Apple Software Update
2009-02-02 20:31 . 2009-02-02 20:35 <DIR> d-------- c:\program files\Common Files\Apple
2009-02-02 20:31 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2009-01-29 19:30 . 2009-02-11 15:06 3,498 --a------ C:\rollback.ini
2009-01-28 22:30 . 2009-02-04 20:33 <DIR> d-------- c:\program files\GameSpy Arcade
2009-01-28 22:17 . 2009-01-28 22:17 <DIR> d-------- c:\program files\Microsoft Games
2009-01-28 22:11 . 2009-01-28 22:11 <DIR> d-------- C:\NetFramework.temp
2009-01-28 18:20 . 2009-01-28 18:22 <DIR> d-------- C:\Converted
2009-01-27 15:08 . 2009-01-27 15:08 <DIR> d-------- c:\documents and settings\Cajhne\Application Data\Viewpoint
2009-01-26 21:33 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-26 21:33 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-01-25 14:29 . 2008-05-01 07:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-01-24 14:58 . 2009-01-25 14:57 <DIR> d-------- c:\windows\system32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 16:38 --------- d-----w c:\program files\Microsoft AntiSpyware
2009-02-21 16:37 --------- d-----w c:\documents and settings\Cajhne\Application Data\WTablet
2009-02-21 16:02 --------- d-----w c:\documents and settings\Cajhne\Application Data\Skype
2009-02-21 15:48 --------- d-----w c:\program files\RegistrySmart
2009-02-21 15:06 --------- d-----w c:\documents and settings\Cajhne\Application Data\OpenOffice.org2
2009-02-03 04:03 --------- d-----w c:\program files\Napster
2009-02-03 03:36 --------- d-----w c:\documents and settings\Cajhne\Application Data\Apple Computer
2009-02-03 03:35 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-03 03:34 --------- d-----w c:\program files\QuickTime
2009-01-30 02:21 --------- d-----w c:\documents and settings\All Users\Application Data\MailFrontier
2009-01-28 03:07 --------- d-----w c:\program files\Microsoft Works
2009-01-19 22:03 --------- d-----w c:\program files\cwRsync
2007-11-28 18:27 71 ----a-w c:\documents and settings\Cajhne\mysql.bat
2006-10-07 19:15 24,192 ----a-w c:\documents and settings\Cajhne\usbsermptxp.sys
2006-10-07 19:15 22,768 ----a-w c:\documents and settings\Cajhne\usbsermpt.sys
2006-05-16 22:43 141,608 ----a-w c:\documents and settings\Cajhne\Application Data\GDIPFONTCACHEV1.DAT
2006-03-28 01:20 151 ----a-w c:\program files\WS_FTP.LOG
2008-07-23 05:52 88 --sha-r c:\windows\system32\4158409AD8.sys
2006-05-03 09:06 163,328 --sha-r c:\windows\system32\flvDX.dll
2008-07-23 05:55 11,863 --sha-w c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47 31,232 --sha-r c:\windows\system32\msfDX.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-02-21_ 8.08.12.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-10-08 23:31:04 65,536 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\PM_Designer.exe
+ 2009-02-21 15:05:09 65,536 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\PM_Designer.exe
- 2006-10-08 23:31:04 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
+ 2009-02-21 15:05:07 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
- 2006-10-08 23:31:04 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat_Standard.exe
+ 2009-02-21 15:05:09 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat_Standard.exe
- 2006-10-08 23:31:04 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Distiller.exe
+ 2009-02-21 15:05:10 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Distiller.exe
- 2006-10-08 23:31:04 7,278 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_ELEMENTS_DT.exe
+ 2009-02-21 15:05:09 7,278 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_ELEMENTS_DT.exe
- 2009-02-21 15:03:25 388,674 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-02-21 16:37:24 388,682 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-05-30 21718824]
"NVIEW"="nview.dll" [2003-10-17 c:\windows\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-10-16 23:30 258048]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2003-12-03 131072]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"MaxtorOneTouch"="c:\program files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 81920]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-07-17 159744]
"ezShieldProtector for Px"="c:\windows\system32\EZSP_PX.EXE" [2002-08-20 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-10-09 36352]
"TSkrMain"="c:\program files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe" [2003-10-20 45056]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 126976]
"TosRotation"="c:\program files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe" [2004-01-29 266240]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 49152]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2003-12-09 126976]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2003-10-06 77824]
"TapButt"="c:\program files\Toshiba\TapButton\TapButt.exe" [2003-10-24 163840]
"TAcelMgr"="c:\program files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe" [2003-10-14 86016]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2004-08-04 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2005-04-25 271872]
"Sensiva"="c:\symbol commander\Sensiva.exe" [2002-10-01 2052096]
"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 86016]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 159744]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-17 4866048]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NapsterShell"="c:\program files\Napster\napster.exe" [2008-05-29 323216]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"IVPServiceMgr"="c:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 475136]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"EasyPHP"="c:\program files\EasyPHP1-7\easyphp.exe" [2003-10-07 151552]
"CrossMenu"="c:\program files\Toshiba\CrossMenu\CrossMenu.exe" [2003-10-18 798720]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"000StTHK"="000StTHK.exe" [2001-06-23 21:28 24576 c:\windows\system32\000StTHK.exe]
"nwiz"="nwiz.exe" [2003-10-17 c:\windows\system32\nwiz.exe]
"TFNF5"="TFNF5.exe" [2003-10-15 c:\windows\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2003-10-23 c:\windows\system32\TPSMain.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 c:\windows\agrsmmsg.exe]

c:\documents and settings\Cajhne\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
allSnap.lnk - c:\program files\allSnap\allSnap.exe [2004-03-19 81920]
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-07-18 25214]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-06-09 471040]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2004-08-04 00:56 47104 c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 17:49 110592 c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 04:41 11776 c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2004-08-04 00:56 30208 c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Crimson Editor\\cedt.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 ysrhsrdw;ysrhsrdw;c:\windows\system32\drivers\fbdxusfm.sys --> c:\windows\system32\drivers\fbdxusfm.sys [?]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-11 111184]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2004-02-04 5760]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\virtual_cd\VCdRom.sys [2001-12-19 8576]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-07-11 20560]
R2 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [2004-07-16 126976]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-04-14 1373480]
R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [2004-02-04 126976]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [2004-02-04 8832]
R3 WISDPen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2008-04-14 30248]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2008-03-10 58240]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [2008-06-10 29952]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [2008-06-10 41856]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [2008-06-10 39936]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [2008-06-10 59520]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2004-02-04 13568]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34f1c7f3-041a-11dc-afa4-00080de65dda}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-21 c:\windows\Tasks\RegistrySmart Scheduled Scan.job
- c:\program files\RegistrySmart\RegistrySmart.exe []

2009-02-21 c:\windows\Tasks\RegistrySmart Scheduled Scan.job
- c:\program files\RegistrySmart [2009-02-21 08:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Save Flash by &GetFlash - c:\progra~1\GetFlash\getflash.htm
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Cajhne\Application Data\Mozilla\Firefox\Profiles\0mf02mmg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Cajhne\Application Data\Mozilla\Firefox\Profiles\0mf02mmg.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-21 09:37:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\System32\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\Ink\keyboardsurrogate.exe
c:\windows\system32\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\ZCfgSvc.exe
c:\windows\system32\wisptis.exe
c:\windows\system32\tabbtnu.exe
c:\windows\system32\1XConfig.exe
c:\program files\Common Files\Microsoft Shared\Ink\tcserver.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\progra~1\EASYPH~1\apache\apache.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\progra~1\EASYPH~1\apache\apache.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\progra~1\EASYPH~1\mysql\bin\mysqld.exe
c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
c:\program files\Maxtor\Utils\SyncServices.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\program files\Toshiba\TME3\TMETEMnu.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\program files\Infinite Mind LC\eyeQ\ARLaunch.exe
c:\windows\system32\RAMASST.exe
c:\program files\Microsoft AntiSpyware\gcasDtServ.exe
c:\program files\OpenOffice.org 2.1\program\soffice.exe
c:\program files\OpenOffice.org 2.1\program\soffice.bin
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2009-02-21 9:44:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-21 16:44:03
ComboFix2.txt 2009-02-21 15:10:00

Pre-Run: 68,765,458,432 bytes free
Post-Run: 68,756,738,048 bytes free

293 --- E O F --- 2009-01-31 04:48:23

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:37 PM

Posted 21 February 2009 - 12:26 PM

Hello again.

OK, here's the next Combofix.txt - will start running FlashDisinfector next. Also, removed RegistrySmart and ZoneAlarm, and will remove the Viewpoint stuff.

:thumbup2: :)

Some files just came back when they were orphaned and got removed by Combofix. Let's take care of them again next post, once I see the DDS log and GMER log...

Also, did you copy and paste everything in that codebox in my previous post when running Combofix with CFScript? Some things did not get removed; we will remove them in this post. Do not run Combofix again unless I instruct you to. Thanks.

Post back with the other logs once they are complete. Let me know if there were any problems and how your computer is running at the moment.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 car377

car377
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:10:37 AM

Posted 21 February 2009 - 01:06 PM

Computer seems to be running fine - popup virus warnings have disappeared, task manager works again, desktop icons are back (they had all become generic icons), execution speed is way up, double-clicking desktop icons actually launches them, looking a lot better. I double-checked the CFScript.txt, and it contains an exact replica of the text you posted above.

The Flash_disinfector.exe ran pretty quickly, was done in less than a minute with no complaints.

GMER and DDS output follows, attach.txt is attached:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-21 10:55:09
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB8778576]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB8778432]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB8778910]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB877800A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB877850C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB8777F4A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB8777FAE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB877862C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB87785EC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB877876C]

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[728] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[728] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1168] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01952F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1168] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01952CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1168] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01952D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1168] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01952CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1532] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00F52F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1532] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00F52CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1532] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00F52D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1532] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00F52CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Skype\Phone\Skype.exe[2632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [02C02F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Skype\Phone\Skype.exe[2632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [02C02CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Skype\Phone\Skype.exe[2632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [02C02D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Skype\Phone\Skype.exe[2632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [02C02CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2888] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009D2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2888] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009D2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2888] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009D2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2888] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009D2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[3376] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [008E2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[3376] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [008E2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[3376] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [008E2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[3376] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [008E2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[4192] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00BB2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[4192] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00BB2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[4192] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00BB2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[4192] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00BB2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Cajhne\Desktop\gmer.d\gmer.exe[4676] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Cajhne\Desktop\gmer.d\gmer.exe[4676] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Cajhne\Desktop\gmer.d\gmer.exe[4676] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Cajhne\Desktop\gmer.d\gmer.exe[4676] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Threads - GMER 1.0.14 ----

Thread 4:328 89D46298

---- EOF - GMER 1.0.14 ----



DDS (Ver_09-02-01.01) - NTFSx86
Run by Cajhne at 10:59:45.06 on Sat 02/21/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.637 [GMT -7:00]

AV: avast! antivirus 4.8.1296 [VPS 090131-0] *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\EZSP_PX.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\Toshiba\TapButton\TapButt.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Symbol Commander\Sensiva.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\EasyPHP1-7\easyphp.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe
C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\allSnap\allSnap.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Documents and Settings\Cajhne\Desktop\dds(4).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [nwiz] nwiz.exe /installquiet /nodetect /keeploaded
mRun: [TFNF5] TFNF5.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"
mRun: [MaxtorOneTouch] c:\program files\maxtor\managerapp\Onetouch.exe
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\EZSP_PX.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [TSkrMain] c:\program files\toshiba\acceleration utilities\shaker\TSkrMain.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [TosRotation] "c:\program files\toshiba\toshiba rotation utility\TRot.exe"
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [TapButt] c:\program files\toshiba\tapbutton\TapButt.exe
mRun: [TAcelMgr] c:\program files\toshiba\acceleration utilities\tacelmgr\TAcelMgr.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [Sensiva] "c:\symbol commander\Sensiva.exe"
mRun: [PRONoMgr.exe] c:\program files\intel\prosetwireless\ncs\proset\PRONoMgr.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [IVPServiceMgr] c:\toshiba\ivp\ism\ivpsvmgr.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [EasyPHP] "c:\program files\easyphp1-7\easyphp.exe"
mRun: [CrossMenu] c:\program files\toshiba\crossmenu\CrossMenu.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
StartupFolder: c:\docume~1\cajhne\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\cajhne\startm~1\programs\startup\allsnap.lnk - c:\program files\allsnap\allSnap.exe
StartupFolder: c:\docume~1\cajhne\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.1\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\miniey~1.lnk - c:\program files\infinite mind lc\eyeq\ARLaunch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\p5cpl.lnk - c:\windows\system32\glovecpl.cpl
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Save Flash by &GetFlash - c:\progra~1\getflash\getflash.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cajhne\applic~1\mozilla\firefox\profiles\0mf02mmg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\cajhne\application data\mozilla\firefox\profiles\0mf02mmg.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-7-11 111184]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2004-2-4 5760]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\virtual_cd\VCdRom.sys [2001-12-19 8576]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-7-11 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2006-1-25 155160]
R2 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\alias\maya 7.0 personal learning edition\docs\wrapper.exe [2004-7-16 126976]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-4-14 1373480]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2004-2-4 126976]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [2004-2-4 8832]
R3 WISDPen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2008-4-14 30248]
S0 ysrhsrdw;ysrhsrdw;c:\windows\system32\drivers\fbdxusfm.sys --> c:\windows\system32\drivers\fbdxusfm.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2006-1-25 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2006-1-25 352920]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2008-3-10 58240]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [2008-6-10 29952]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [2008-6-10 41856]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [2008-6-10 39936]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [2008-6-10 59520]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2004-2-4 13568]

=============== Created Last 30 ================

2009-02-21 10:20 <DIR> --d----- C:\WTablet
2009-02-21 10:13 345 a------- c:\windows\gmer.ini
2009-02-21 10:06 <DIR> a-dshr-- C:\autorun.inf
2009-02-21 06:02 <DIR> a-dshr-- C:\cmdcons
2009-02-21 05:59 161,792 a------- c:\windows\SWREG.exe
2009-02-21 05:59 98,816 a------- c:\windows\sed.exe
2009-02-05 21:50 <DIR> --d----- c:\windows\system32\NtmsData
2009-02-04 18:35 <DIR> --d----- c:\temp\sTMP3
2009-02-04 18:35 <DIR> --d----- C:\Temp
2009-02-04 18:25 1,104 a------- c:\windows\ysrhsrdw
2009-02-04 18:25 304,128 a------- c:\windows\system32\hgGxULfg.dll
2009-02-02 20:36 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-02-02 20:36 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-02 20:35 <DIR> --d----- c:\program files\iPod
2009-02-02 20:35 <DIR> --d----- c:\program files\iTunes
2009-02-02 20:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-02 20:35 <DIR> --d----- c:\program files\Bonjour
2009-02-02 20:31 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2009-01-29 19:30 3,498 a------- C:\rollback.ini
2009-01-28 22:30 <DIR> --d----- c:\program files\GameSpy Arcade
2009-01-28 22:17 <DIR> --d----- c:\program files\Microsoft Games
2009-01-28 22:11 <DIR> --d----- C:\NetFramework.temp
2009-01-28 18:20 <DIR> --d----- C:\Converted
2009-01-26 21:33 5,632 a------- c:\windows\system32\ptpusb.dll
2009-01-26 21:33 159,232 a------- c:\windows\system32\ptpusd.dll
2009-01-25 14:29 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-01-24 14:58 <DIR> --d----- c:\windows\system32\CatRoot_bak

==================== Find3M ====================

2009-02-19 20:31 4,212 a---h--- c:\windows\system32\zllictbl.dat
2007-11-28 11:27 71 a------- c:\documents and settings\cajhne\mysql.bat
2006-10-07 12:15 24,192 a------- c:\documents and settings\cajhne\usbsermptxp.sys
2006-10-07 12:15 22,768 a------- c:\documents and settings\cajhne\usbsermpt.sys
2006-05-16 15:43 141,608 a------- c:\docume~1\cajhne\applic~1\GDIPFONTCACHEV1.DAT
2006-03-27 18:20 151 a------- c:\program files\WS_FTP.LOG
2008-07-22 22:52 88 a--shr-- c:\windows\system32\4158409AD8.sys
2006-05-03 02:06 163,328 a--shr-- c:\windows\system32\flvDX.dll
2008-07-22 22:55 11,863 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-02-21 03:47 31,232 a--shr-- c:\windows\system32\msfDX.dll

============= FINISH: 11:00:02.35 ===============


#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:37 PM

Posted 21 February 2009 - 01:23 PM

Hello again.

I double-checked the CFScript.txt, and it contains an exact replica of the text you posted above. The Flash_disinfector.exe ran pretty quickly, was done in less than a minute with no complaints. GMER and DDS output follows, attach.txt is attached:

:thumbup2: Flash-Drive disinfector doesn't take very long :)

Let's remove the leftovers.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    KillAll::
    
    Driver::
    ysrhsrdw
    Rootkit::
    c:\windows\system32\drivers\fbdxusfm.sys 
    File::
    c:\windows\Tasks\RegistrySmart Scheduled Scan.job
    c:\windows\system32\hgGxULfg.dll
    Folder::
    c:\program files\RegistrySmart
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    (screenshot of the drag-and-drop step omitted)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

O15 Entries Warning (Sites in your Trusted Zones)

I see you have some sites in your Trusted Zone. The security settings for the internet are not extremely high, and once you put a site in your trusted zone basically almost anyone, including hackers or other malicious software, has full access to that site, which can lead to hijacking that site and may even have access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone. They can be accessed in the Internet via Tools>Internet Options>Security>Trusted Zone>Sites. Remove if there are any there.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with:
-Combofix log
-Kaspersky log
-New DDS logs


We're almost done :step4:

With Regards,
Extremeboy
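
A triage pass over the DDS log format shown in this thread, written as an added example for this page (it is not DDS, ComboFix or Malware Response Team tooling). It pulls out the three things the post above acts on: the Trusted Zone entry, the boot-start service whose driver file DDS could not find (the `-->` / `[?]` marker on the S0 line), and recently created or hidden files with random-looking names such as hgGxULfg.dll. The sample input is a constructed excerpt of lines copied from the DDS log posted earlier in this thread; the section names and line formats are those of DDS Ver_09-02-01.01, while the vowel-ratio heuristic, its 0.2 threshold and the finding categories are my own assumptions, not a DDS feature.

```python
"""Triage helper for the DDS log format posted in this thread.

Added example; not part of DDS, ComboFix or the forum's procedure.
Section headers and line formats come from the DDS log above
(DDS Ver_09-02-01.01); the heuristics and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed excerpt: a few lines copied from the DDS log posted above, not a complete log.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
Trusted Zone: turbotax.com
Notify: Sebring - c:\windows\system32\LgNotify.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-7-11 111184]
S0 ysrhsrdw;ysrhsrdw;c:\windows\system32\drivers\fbdxusfm.sys --> c:\windows\system32\drivers\fbdxusfm.sys [?]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2004-2-4 13568]

=============== Created Last 30 ================

2009-02-21 10:13 345 a------- c:\windows\gmer.ini
2009-02-04 18:25 1,104 a------- c:\windows\ysrhsrdw
2009-02-04 18:25 304,128 a------- c:\windows\system32\hgGxULfg.dll
2009-02-02 20:36 107,368 a------- c:\windows\system32\GEARAspi.dll

==================== Find3M ====================

2006-05-03 02:06 163,328 a--shr-- c:\windows\system32\flvDX.dll
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "S0 ysrhsrdw;ysrhsrdw;c:\windows\system32\drivers\fbdxusfm.sys --> ... [?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# "2009-02-04 18:25 304,128 a------- c:\windows\system32\hgGxULfg.dll"
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$"
)


def split_sections(text):
    """Group log lines under the '===== NAME =====' header that precedes them."""
    sections = defaultdict(list)
    current = "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            continue
        if line.strip():
            sections[current].append(line.rstrip())
    return sections


def looks_random(stem):
    """Heuristic (assumption): names with almost no vowels, such as ysrhsrdw,
    fbdxusfm or hgGxULfg, are typical of generated malware names.  Short
    acronyms will produce false positives; treat a hit as a prompt to look
    the file up, not as a verdict."""
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 5:
        return False
    vowels = sum(1 for c in letters if c.lower() in "aeiou")
    return vowels / len(letters) < 0.2


def triage(text):
    """Return (category, detail) findings for the parts of a DDS log the thread
    acts on: Trusted Zone sites, boot-start drivers whose file is gone, and
    recently created or hidden files with random-looking names."""
    sections = split_sections(text)
    findings = []

    for line in sections.get("Pseudo HJT Report", []):
        if line.startswith("Trusted Zone:"):
            findings.append(("trusted-zone", line.split(":", 1)[1].strip()))

    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        start, name, _display, path = m.groups()
        # DDS prints "... --> <path> [?]" when a service points at a file it cannot find.
        if "[?]" in path or "-->" in path:
            findings.append(("missing-driver-file", f"{start} {name}: {path.strip()}"))
        elif start in ("S0", "R0") and looks_random(name):
            findings.append(("random-name", f"{start} {name}: {path.strip()}"))

    for section in ("Created Last 30", "Find3M"):
        for line in sections.get(section, []):
            m = FILE_RE.match(line)
            if not m:
                continue
            _when, size, attrs, path = m.groups()
            if size == "<DIR>":
                continue
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            in_windows = path.lower().startswith("c:\\windows\\")
            # In the DDS attribute string 's' = system and 'h' = hidden.
            if "\\system32\\" in path.lower() and "s" in attrs and "h" in attrs:
                findings.append(("hidden-system-file", path))
            if in_windows and looks_random(stem):
                findings.append(("random-name", path))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_DDS):
        print(f"{category:20} {detail}")
```

Run it against a saved log with `triage(open("DDS.txt").read())`. The random-name test is only a hint, so look each hit up rather than deleting on its say-so; on the machine itself the Trusted Zone list lives under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains (a value of 2 marks the Trusted sites zone), which is the same list the Tools > Internet Options > Security dialog described above edits.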

#15 car377

car377
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:10:37 AM

Posted 21 February 2009 - 01:44 PM

Here's the Combofix.txt. I'll clean out the trusted sites and do the Kaspersky scan next.

Thanks!
Chuck

ComboFix 09-02-19.01 - Cajhne 2009-02-21 11:31:36.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.637 [GMT -7:00]
Running from: c:\documents and settings\Cajhne\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cajhne\Desktop\CFScript2.txt
AV: avast! antivirus 4.8.1296 [VPS 090131-0] *On-access scanning disabled* (Outdated)
* Created a new restore point

FILE ::
c:\windows\system32\hgGxULfg.dll
c:\windows\Tasks\RegistrySmart Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\RegistrySmart
c:\windows\system32\drivers\fbdxusfm.sys
c:\windows\system32\hgGxULfg.dll
c:\windows\Tasks\RegistrySmart Scheduled Scan.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_YSRHSRDW
-------\Service_ysrhsrdw


((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

2009-02-21 10:20 . 2009-02-21 10:20 <DIR> d-------- C:\WTablet
2009-02-21 10:13 . 2009-02-21 10:25 345 --a------ c:\windows\gmer.ini
2009-02-05 21:50 . 2009-02-05 21:54 <DIR> d-------- c:\windows\system32\NtmsData
2009-02-04 18:35 . 2009-02-04 18:35 <DIR> d-------- c:\temp\sTMP3
2009-02-04 18:35 . 2009-02-21 07:46 <DIR> d-------- C:\Temp
2009-02-04 18:25 . 2009-02-21 09:35 1,104 --a------ c:\windows\ysrhsrdw
2009-02-02 20:36 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-02-02 20:36 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-02 20:35 . 2009-02-02 20:36 <DIR> d-------- c:\program files\iTunes
2009-02-02 20:35 . 2009-02-02 20:35 <DIR> d-------- c:\program files\iPod
2009-02-02 20:35 . 2009-02-02 20:35 <DIR> d-------- c:\program files\Bonjour
2009-02-02 20:35 . 2009-02-02 20:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-02 20:32 . 2009-02-02 20:32 <DIR> d-------- c:\program files\Apple Software Update
2009-02-02 20:31 . 2009-02-02 20:35 <DIR> d-------- c:\program files\Common Files\Apple
2009-02-02 20:31 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2009-01-29 19:30 . 2009-02-11 15:06 3,498 --a------ C:\rollback.ini
2009-01-28 22:30 . 2009-02-04 20:33 <DIR> d-------- c:\program files\GameSpy Arcade
2009-01-28 22:17 . 2009-01-28 22:17 <DIR> d-------- c:\program files\Microsoft Games
2009-01-28 22:11 . 2009-01-28 22:11 <DIR> d-------- C:\NetFramework.temp
2009-01-28 18:20 . 2009-01-28 18:22 <DIR> d-------- C:\Converted
2009-01-27 15:08 . 2009-01-27 15:08 <DIR> d-------- c:\documents and settings\Cajhne\Application Data\Viewpoint
2009-01-26 21:33 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-26 21:33 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-01-25 14:29 . 2008-05-01 07:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-01-24 14:58 . 2009-01-25 14:57 <DIR> d-------- c:\windows\system32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 18:36 --------- d-----w c:\program files\Microsoft AntiSpyware
2009-02-21 18:35 --------- d-----w c:\documents and settings\Cajhne\Application Data\WTablet
2009-02-21 18:20 --------- d-----w c:\documents and settings\Cajhne\Application Data\Skype
2009-02-21 17:20 --------- d-----w c:\documents and settings\Cajhne\Application Data\OpenOffice.org2
2009-02-03 04:03 --------- d-----w c:\program files\Napster
2009-02-03 03:36 --------- d-----w c:\documents and settings\Cajhne\Application Data\Apple Computer
2009-02-03 03:35 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-03 03:34 --------- d-----w c:\program files\QuickTime
2009-01-30 02:21 --------- d-----w c:\documents and settings\All Users\Application Data\MailFrontier
2009-01-28 03:07 --------- d-----w c:\program files\Microsoft Works
2009-01-19 22:03 --------- d-----w c:\program files\cwRsync
2007-11-28 18:27 71 ----a-w c:\documents and settings\Cajhne\mysql.bat
2006-10-07 19:15 24,192 ----a-w c:\documents and settings\Cajhne\usbsermptxp.sys
2006-10-07 19:15 22,768 ----a-w c:\documents and settings\Cajhne\usbsermpt.sys
2006-05-16 22:43 141,608 ----a-w c:\documents and settings\Cajhne\Application Data\GDIPFONTCACHEV1.DAT
2006-03-28 01:20 151 ----a-w c:\program files\WS_FTP.LOG
2008-07-23 05:52 88 --sha-r c:\windows\system32\4158409AD8.sys
2006-05-03 09:06 163,328 --sha-r c:\windows\system32\flvDX.dll
2008-07-23 05:55 11,863 --sha-w c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47 31,232 --sha-r c:\windows\system32\msfDX.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-02-21_ 8.08.12.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-21 17:13:22 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 04:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2006-10-08 23:31:04 65,536 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\PM_Designer.exe
+ 2009-02-21 15:05:09 65,536 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\PM_Designer.exe
- 2006-10-08 23:31:04 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
+ 2009-02-21 15:05:07 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
- 2006-10-08 23:31:04 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat_Standard.exe
+ 2009-02-21 15:05:09 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat_Standard.exe
- 2006-10-08 23:31:04 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Distiller.exe
+ 2009-02-21 15:05:10 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Distiller.exe
- 2006-10-08 23:31:04 7,278 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_ELEMENTS_DT.exe
+ 2009-02-21 15:05:09 7,278 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_ELEMENTS_DT.exe
+ 2009-02-21 17:13:22 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2009-02-21 15:03:25 388,674 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-02-21 18:35:39 388,672 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-02-21 18:35:17 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-05-30 21718824]
"NVIEW"="nview.dll" [2003-10-17 c:\windows\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-10-16 23:30 258048]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2003-12-03 131072]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"MaxtorOneTouch"="c:\program files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 81920]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-07-17 159744]
"ezShieldProtector for Px"="c:\windows\system32\EZSP_PX.EXE" [2002-08-20 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-10-09 36352]
"TSkrMain"="c:\program files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe" [2003-10-20 45056]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 126976]
"TosRotation"="c:\program files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe" [2004-01-29 266240]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 49152]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2003-12-09 126976]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2003-10-06 77824]
"TapButt"="c:\program files\Toshiba\TapButton\TapButt.exe" [2003-10-24 163840]
"TAcelMgr"="c:\program files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe" [2003-10-14 86016]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2004-08-04 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2005-04-25 271872]
"Sensiva"="c:\symbol commander\Sensiva.exe" [2002-10-01 2052096]
"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 86016]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 159744]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-17 4866048]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NapsterShell"="c:\program files\Napster\napster.exe" [2008-05-29 323216]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"IVPServiceMgr"="c:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 475136]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"EasyPHP"="c:\program files\EasyPHP1-7\easyphp.exe" [2003-10-07 151552]
"CrossMenu"="c:\program files\Toshiba\CrossMenu\CrossMenu.exe" [2003-10-18 798720]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"000StTHK"="000StTHK.exe" [2001-06-23 21:28 24576 c:\windows\system32\000StTHK.exe]
"nwiz"="nwiz.exe" [2003-10-17 c:\windows\system32\nwiz.exe]
"TFNF5"="TFNF5.exe" [2003-10-15 c:\windows\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2003-10-23 c:\windows\system32\TPSMain.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 c:\windows\agrsmmsg.exe]

c:\documents and settings\Cajhne\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
allSnap.lnk - c:\program files\allSnap\allSnap.exe [2004-03-19 81920]
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-07-18 25214]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-06-09 471040]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2004-08-04 00:56 47104 c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 17:49 110592 c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 04:41 11776 c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2004-08-04 00:56 30208 c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Crimson Editor\\cedt.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-11 111184]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2004-02-04 5760]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\virtual_cd\VCdRom.sys [2001-12-19 8576]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-07-11 20560]
R2 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [2004-07-16 126976]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-04-14 1373480]
R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [2004-02-04 126976]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [2004-02-04 8832]
R3 WISDPen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2008-04-14 30248]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2008-03-10 58240]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [2008-06-10 29952]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [2008-06-10 41856]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [2008-06-10 39936]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [2008-06-10 59520]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2004-02-04 13568]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34f1c7f3-041a-11dc-afa4-00080de65dda}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Save Flash by &GetFlash - c:\progra~1\GetFlash\getflash.htm
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Cajhne\Application Data\Mozilla\Firefox\Profiles\0mf02mmg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Cajhne\Application Data\Mozilla\Firefox\Profiles\0mf02mmg.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-21 11:36:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\System32\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\Ink\keyboardsurrogate.exe
c:\windows\system32\S24EvMon.exe
c:\windows\system32\ZCfgSvc.exe
c:\windows\system32\wisptis.exe
c:\windows\system32\tabbtnu.exe
c:\windows\system32\1XConfig.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Microsoft Shared\Ink\tcserver.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\progra~1\EASYPH~1\apache\apache.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\EASYPH~1\apache\apache.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\progra~1\EASYPH~1\mysql\bin\mysqld.exe
c:\program files\Maxtor\Utils\SyncServices.exe
c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\program files\Toshiba\TME3\TMETEMnu.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Apoint2K\ApntEx.exe
c:\windows\system32\rundll32.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Infinite Mind LC\eyeQ\ARLaunch.exe
c:\windows\system32\RAMASST.exe
c:\program files\Microsoft AntiSpyware\gcasDtServ.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\OpenOffice.org 2.1\program\soffice.exe
c:\program files\OpenOffice.org 2.1\program\soffice.bin
.
**************************************************************************
.
Completion time: 2009-02-21 11:41:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-21 18:41:55
ComboFix2.txt 2009-02-21 16:44:10
ComboFix3.txt 2009-02-21 15:10:00

Pre-Run: 68,758,196,224 bytes free
Post-Run: 68,745,420,800 bytes free

293 --- E O F --- 2009-01-31 04:48:23
