XP Security 2010 persistent infection


  • This topic is locked
10 replies to this topic

#1 charlie222

  • Members
  • 18 posts

Posted 12 April 2010 - 03:30 PM

Unable to run GMER, I get a system shut-down when I try.

Here is the DDS file, I also have the zipped Attach file ready to attach.

Referred here by boopme. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/308507/xp-security-trojan-and-something-lingers/ ~ OB Will re-attempt F-Secure Online scan shortly. Thanks in advance.


DDS (Ver_10-03-17.01) - NTFSx86
Run by charles at 0:14:31.29 on Mon 04/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.159 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Spyware Doctor\pctsTray.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\charles\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
uWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.comcast.net/
mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
uInternet Connection Wizard,ShellNext = hxxp://toshibadirect.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {41f2373f-de91-4989-95a3-b2ca5610cf05} - fapumoke.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: {c4e061f8-cb80-4fe0-a1cb-a00a93e6556a} - c:\windows\system32\rqRKEusp.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [CeEPOWER] c:\program files\toshiba\power management\CePMTray.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [EzButton] c:\program files\ezbutton\EzButton.EXE
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [IVPServiceMgr] c:\toshiba\ivp\ism\ivpsvmgr.exe
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [PDUiP6600DMon] c:\program files\canon\memory card utility\ip6600d\PDUiP6600DMon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [NDSTray.exe] NDSTray.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [UDC Integration]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=67633
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39617.8445601852
DPF: {A171B122-677E-D68D-EF29-6D8BA9FD9E76} - hxxp://performanceoptimizer.com/files/PerformanceOptimizerPre_Installer.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://service.futuremark.com/virtualmark/tc/MSC3.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://dentaltown.webex.com/client/T26L/event/ieatgpc.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: awtsTkhf - awtsTkhf.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: vorosuka.dll c:\windows\system32\difodime.dll c:\windows\system32\wumoyuvo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: kujasaset - {cc3b2f34-a6a3-4394-a093-7f8846232c4c} - No File
SSODL: mutunatap - {3a7beef1-041a-447d-915f-2c3b1a8d24cf} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRKEusp
LSA: Notification Packages = scecli vorosuka.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-10 217032]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-28 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-2-26 29512]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-1 308064]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-4-10 112592]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-4-10 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-4-10 1142224]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 102400]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S0 mmydrsvw;mmydrsvw;c:\windows\system32\drivers\fdwll.sys --> c:\windows\system32\drivers\fdwll.sys [?]
S2 mrtRate;mrtRate; [x]

=============== Created Last 30 ================

2010-04-11 21:49:55 0 d-----w- c:\program files\ESET
2010-04-11 20:12:18 0 d-----w- c:\docume~1\charles\applic~1\AVG8
2010-04-11 14:42:32 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-11 14:39:42 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-11 14:39:42 0 d-----w- c:\docume~1\charles\applic~1\SUPERAntiSpyware.com
2010-04-10 22:56:43 0 d-----w- c:\docume~1\charles\applic~1\PC Tools
2010-04-10 22:56:43 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-04-10 19:30:22 882 ----a-w- c:\windows\RegSDImport.xml
2010-04-10 19:30:22 879 ----a-w- c:\windows\RegISSImport.xml
2010-04-10 19:30:22 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-10 19:30:22 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-10 19:30:22 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-10 19:30:22 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-10 19:30:22 131 ----a-w- c:\windows\IDB.zip
2010-04-10 19:30:22 1152444 ----a-w- c:\windows\UDB.zip
2010-04-10 19:27:46 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-04-10 19:27:46 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-10 19:27:36 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-10 19:27:36 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-04-10 19:27:36 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-04-10 19:27:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-10 19:27:21 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-04-10 19:27:21 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-10 19:27:10 0 d-----w- c:\program files\Spyware Doctor
2010-04-10 19:27:10 0 d-----w- c:\program files\common files\PC Tools
2010-04-07 01:10:01 17216 ----a-r- c:\windows\system32\drivers\ax88772.sys
2010-04-07 01:10:01 0 d-----w- c:\program files\AX88772
2010-04-06 13:39:28 1168 ----a-w- c:\docume~1\alluse~1\applic~1\_VOIDmfeklnmal.dll
2010-04-06 13:38:30 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
2010-04-06 12:24:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-06 12:24:12 552 ----a-w- c:\windows\system32\d3d8caps.dat

==================== Find3M ====================

2010-04-11 18:31:23 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-30 07:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-15 17:13:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-15 17:12:54 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-02 01:53:01 36864 ----a-w- c:\windows\system32\acs.exe
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2007-11-25 17:57:06 3928264 -c--a-w- c:\program files\FLV PlayerRCATSetup.exe
2007-11-25 17:54:15 411248 -c--a-w- c:\program files\FLV PlayerRCSetup.exe
2007-11-25 16:06:52 2293848 -c--a-w- c:\program files\FLV PlayerFCSetup.exe
2003-08-27 21:19:18 36963 -c----r- c:\program files\common files\SM1updtr.dll

============= FINISH: 0:16:39.12 ===============

Edited by Orange Blossom, 12 April 2010 - 07:18 PM.
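The DDS report above shows the three load points that make this infection survive repeated scans: AppInit_DLLs (loaded into every process that maps user32.dll), the LSA Authentication/Notification Packages lists (loaded into lsass.exe at boot), and Winlogon Notify entries, each pointing at a bare DLL name or a file that no longer exists. The script below is an added example for this thread, not part of DDS or of any post here. It walks the "Pseudo HJT Report" lines, flags entries under those keys using simple, stated heuristics (AppInit_DLLs is empty on a clean XP install; stock LSA packages are a known set; "No File" means a dangling CLSID), and summarises by severity. The sample lines are constructed from the report quoted in post #1; the DEFAULT_LSA set and the severity labels are assumptions of this example.

```python
"""Flag suspicious persistence entries in a DDS "Pseudo HJT Report" (added example)."""
import re

# Stock LSA package names on Windows XP (assumption of this example; extend per OS).
DEFAULT_LSA = {"msv1_0", "scecli", "kerberos", "schannel", "wdigest", "tspkg"}

# Constructed from the DDS output quoted in post #1.
SAMPLE_REPORT = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: {41f2373f-de91-4989-95a3-b2ca5610cf05} - fapumoke.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: awtsTkhf - awtsTkhf.dll
AppInit_DLLs: vorosuka.dll c:\windows\system32\difodime.dll c:\windows\system32\wumoyuvo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: kujasaset - {cc3b2f34-a6a3-4394-a093-7f8846232c4c} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRKEusp
LSA: Notification Packages = scecli vorosuka.dll
"""

LSA_LINE = re.compile(r"LSA: (Authentication|Notification) Packages = (.*)")


def scan_report(text):
    """Return a list of (severity, load_point, item) for entries worth a look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("AppInit_DLLs:"):
            # Any value here is abnormal on XP: each DLL is injected into every GUI process.
            for dll in line.split(":", 1)[1].split():
                findings.append(("high", "AppInit_DLLs", dll))
        elif line.startswith("LSA:"):
            m = LSA_LINE.match(line)
            if m:
                for pkg in m.group(2).split():
                    name = pkg.rsplit("\\", 1)[-1].lower()
                    name = name[:-4] if name.endswith(".dll") else name
                    if name not in DEFAULT_LSA:
                        # Non-stock package loaded into lsass.exe at boot.
                        findings.append(("high", f"LSA {m.group(1)} Packages", pkg))
        elif line.startswith(("BHO:", "SSODL:", "TB:", "uURLSearchHooks:")):
            key, rest = line.split(":", 1)
            rest = rest.strip()
            target = rest.rsplit(" - ", 1)[-1]
            if target == "No File":
                # Dangling CLSID: leftover of a removed or renamed payload.
                findings.append(("medium", key, rest))
            elif "\\" not in target and key in ("BHO", "SSODL"):
                # Shell/browser extension given by bare DLL name, resolved via search path.
                findings.append(("high", key, target))
        elif line.startswith("Notify:"):
            target = line.rsplit(" - ", 1)[-1]
            if "\\" not in target:
                # Winlogon Notify DLL without a full path; legit AV uses this too, so review only.
                findings.append(("review", "Winlogon Notify", target))
    return findings


def summarize(findings):
    """Count findings per severity label."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_report(SAMPLE_REPORT)
    for severity, where, item in results:
        print(f"[{severity:6}] {where}: {item}")
    print(summarize(results))
```

Run against the constructed sample it reports six high findings (three AppInit_DLLs entries, the bare-name BHO, and the two non-stock LSA packages), two dangling CLSIDs and one Notify entry for review, while the AV and Google toolbar entries with full paths pass. The LSA package rqRKEusp is the entry that explains the "system shut-down" when GMER runs: a package loaded into lsass.exe can take the whole session down when it is touched.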


#2 charlie222
  • Topic Starter

  • Members
  • 18 posts

Posted 12 April 2010 - 09:09 PM

F-Secure online scan report:



Online Scanner - Scanning Report - Monday, April 12, 2010 18:59:54
Scanning Report
Monday, April 12, 2010 15:00:06 - 18:59:54
Computer name: TOSHIBA-USER
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\



1 malware found
TrackingCookie.Yieldmanager (spyware)
System (Disinfected)



Statistics
Scanned:
Files: 76308
System: 5343
Not scanned: 8
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
Not cleaned: 0
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\DOCUMENTS AND SETTINGS\CHARLES\LOCAL SETTINGS\TEMP\HSPERFDATA_CHARLES\2108
C:\DOCUMENTS AND SETTINGS\CHARLES\LOCAL SETTINGS\TEMP\HSPERFDATA_CHARLES\3620



Options
Scanning engines:
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF
VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI
MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0
TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT
CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics




#3 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 April 2010 - 10:40 AM

Hello charlie222,



Sorry about the delay.

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that!

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#4 charlie222
  • Topic Starter

  • Members
  • 18 posts

Posted 20 April 2010 - 06:18 PM

ComboFix 10-04-19.08 - charles 04/20/2010 15:07:09.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.469 [GMT -7:00]
Running from: c:\documents and settings\charles\Desktop\malware defense\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\_VOIDmfeklnmal.dll
c:\documents and settings\charles\Favorites\.url
c:\documents and settings\charles\Local Settings\Temporary Internet Files\4cPF5a76.jpg
c:\documents and settings\charles\Local Settings\Temporary Internet Files\bdJd5T1Y.jpg
c:\documents and settings\charles\Local Settings\Temporary Internet Files\BITr63g.jpg
c:\documents and settings\charles\Local Settings\Temporary Internet Files\gRuMG2U.jpg
c:\documents and settings\charles\Recent\Thumbs.db
c:\program files\Common
c:\recycler\S-1-5-21-861241397-2520754843-2310609565-500
c:\windows\CeEKey .INI
c:\windows\CePMTray .INI
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
c:\windows\jestertb.dll
c:\windows\Temp\tmp3.tmp
c:\windows\TPTray .INI

.
((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))
.

2010-04-19 00:37 . 2010-04-19 00:37 96512 ----a-w- c:\windows\system32\drivers\ATAPI.SYS
2010-04-18 20:53 . 2010-04-19 01:02 -------- d-----w- c:\windows\system32\MpEngineStore
2010-04-12 21:59 . 2010-04-12 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-04-12 21:26 . 2010-04-12 21:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-11 21:49 . 2010-04-11 21:49 -------- d-----w- c:\program files\ESET
2010-04-11 20:12 . 2010-04-11 20:12 -------- d-----w- c:\documents and settings\charles\Application Data\AVG8
2010-04-11 17:04 . 2010-04-11 17:04 -------- d-----w- c:\documents and settings\charles\Local Settings\Application Data\Threat Expert
2010-04-11 14:42 . 2010-04-11 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-11 14:39 . 2010-04-14 07:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-11 14:39 . 2010-04-11 14:39 -------- d-----w- c:\documents and settings\charles\Application Data\SUPERAntiSpyware.com
2010-04-11 02:03 . 2010-04-11 02:03 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-04-11 02:03 . 2010-04-11 02:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2010-04-10 22:56 . 2010-04-20 22:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-10 22:56 . 2010-04-10 22:56 -------- d-----w- c:\documents and settings\charles\Application Data\PC Tools
2010-04-10 22:56 . 2010-04-10 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-10 19:30 . 2010-01-22 16:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-10 19:30 . 2010-01-22 16:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-10 19:30 . 2010-01-22 16:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-10 19:30 . 2010-01-22 16:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-10 19:30 . 2009-10-28 08:36 1152444 ----a-w- c:\windows\UDB.zip
2010-04-10 19:30 . 2008-11-26 19:08 131 ----a-w- c:\windows\IDB.zip
2010-04-10 19:27 . 2010-02-05 16:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-10 19:27 . 2010-03-10 18:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-10 19:27 . 2009-11-23 20:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-10 19:27 . 2010-02-05 16:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-10 19:27 . 2010-04-20 22:33 -------- d-----w- c:\program files\Spyware Doctor
2010-04-10 19:27 . 2010-04-10 22:57 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-07 01:10 . 2010-04-07 01:10 -------- d-----w- c:\program files\AX88772
2010-04-07 01:10 . 2004-08-05 16:17 17216 ----a-r- c:\windows\system32\drivers\ax88772.sys
2010-04-06 13:38 . 2010-04-06 22:21 -------- d-----w- c:\documents and settings\charles\Local Settings\Application Data\avG
2010-04-06 13:38 . 2010-04-06 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-06 12:24 . 2010-04-18 23:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-06 12:24 . 2010-04-06 12:24 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-05 18:03 . 2010-04-05 18:03 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-04 02:50 . 2010-04-04 02:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 22:22 . 2006-05-16 22:17 335 ----a-w- c:\windows\system32\tablet.dat
2010-04-14 08:01 . 2009-12-07 23:54 -------- d-----w- c:\program files\QuickTime
2010-04-14 08:00 . 2009-11-11 15:20 -------- d-----w- c:\program files\Picasa2
2010-04-14 07:01 . 2004-08-10 20:57 -------- d-----w- c:\program files\ltmoh
2010-04-14 07:01 . 2010-02-08 23:22 -------- d-----w- c:\program files\iTunes
2010-04-14 07:01 . 2004-08-10 20:59 -------- d-----w- c:\program files\Apoint2K
2010-04-14 07:01 . 2006-03-23 23:19 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-04-14 07:01 . 2004-08-10 20:52 -------- d-----w- c:\program files\Atheros
2010-04-14 07:01 . 2004-08-10 21:03 -------- d-----w- c:\program files\EzButton
2010-04-13 15:01 . 2010-04-12 21:21 112 ----a-w- c:\documents and settings\All Users\Application Data\ErxxGM.dat
2010-04-12 21:26 . 2004-08-12 22:19 -------- d-----w- c:\program files\Common Files\Java
2010-04-12 21:26 . 2004-08-12 22:19 -------- d-----w- c:\program files\Java
2010-04-12 01:52 . 2007-03-09 17:11 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-11 14:06 . 2008-06-25 21:31 -------- d-----w- c:\program files\SpyNoMore
2010-04-10 22:57 . 2009-10-15 22:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-07 01:10 . 2004-08-10 20:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-06 20:12 . 2010-03-01 18:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-03 18:38 . 2009-11-11 15:41 -------- d-----w- c:\program files\World of Warcraft
2010-03-30 07:46 . 2010-03-01 18:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2010-03-01 18:20 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-15 22:12 . 2008-04-03 02:00 -------- d-----w- c:\program files\Safari
2010-03-15 17:13 . 2009-07-28 13:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-15 17:13 . 2007-02-26 18:57 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-15 17:12 . 2009-07-28 13:45 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-10 06:15 . 2004-08-09 23:27 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-02 01:53 . 2010-03-02 01:53 36864 ----a-w- c:\windows\system32\acs.exe
2010-03-01 18:31 . 2010-03-01 18:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-03-01 18:21 . 2010-03-01 18:21 -------- d-----w- c:\documents and settings\charles\Application Data\Malwarebytes
2010-03-01 18:20 . 2010-03-01 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-01 18:06 . 2009-07-28 13:45 -------- d-----w- c:\program files\AVG
2010-02-25 06:24 . 2004-08-09 23:27 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-09 23:26 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2004-08-09 23:26 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-09 23:26 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-09 23:27 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2007-11-25 17:57 . 2007-11-25 15:02 3928264 -c--a-w- c:\program files\FLV PlayerRCATSetup.exe
2007-11-25 17:54 . 2007-11-25 14:54 411248 -c--a-w- c:\program files\FLV PlayerRCSetup.exe
2007-11-25 16:06 . 2007-11-25 16:06 2293848 -c--a-w- c:\program files\FLV PlayerFCSetup.exe
2003-08-27 21:19 . 2004-08-10 21:09 36963 -c----r- c:\program files\Common Files\SM1updtr.dll
.
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Apoint2K\Apoint .exe
c:\program files\Atheros\ACU .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\EzButton\EzButton .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2 .exe
c:\program files\HP\hpcoretech\hpcmpmgr .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\ltmoh\Ltmoh .exe
c:\program files\Microsoft IntelliPoint\point32 .exe
c:\program files\Picasa2\PicasaMediaDetector .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\Spyware Doctor\pctsTray .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
c:\program files\Toshiba\E-KEY\CeEKey .exe
c:\program files\Toshiba\Power Management\CePMTray .exe
c:\program files\Toshiba\TOSCDSPD\toscdspd .exe
c:\program files\Toshiba\Touch and Launch\PadExe .exe
c:\program files\Toshiba\TouchPad\TPTray .exe
c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [N/A]
"MsgCenterExe"="c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [N/A]
"Pinger"="c:\toshiba\IVP\ISM\pinger.exe" [2005-03-18 151552]
"NDSTray.exe"="NDSTray.exe" [N/A]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-14 172032]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 88363]
"UDC Integration"="" [N/A]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [N/A]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-04-12 1286608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2004-8-10 155648]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-5-16 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-15 17:13 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/10/2010 12:27 PM 217032]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/28/2009 6:45 AM 216200]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/1/2010 11:06 AM 308064]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/10/2010 12:30 PM 112592]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/10/2010 12:27 PM 366840]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [7/24/2008 3:22 PM 102400]
S0 mmydrsvw;mmydrsvw;c:\windows\system32\drivers\fdwll.sys --> c:\windows\system32\drivers\fdwll.sys [?]
S1 dtxcgyvo;dtxcgyvo;\??\c:\windows\system32\drivers\dtxcgyvo.sys --> c:\windows\system32\drivers\dtxcgyvo.sys [?]
S1 MpKsl6e1dd657;MpKsl6e1dd657;\??\c:\windows\system32\MpEngineStore\MpKsl6e1dd657.sys --> c:\windows\system32\MpEngineStore\MpKsl6e1dd657.sys [?]
S2 mrtRate;mrtRate; [x]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\charles\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\charles\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder

2010-04-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2004-08-10 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-08-10 01:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
uInternet Connection Wizard,ShellNext = hxxp://toshibadirect.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
DPF: {A171B122-677E-D68D-EF29-6D8BA9FD9E76} - hxxp://performanceoptimizer.com/files/PerformanceOptimizerPre_Installer.cab
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
BHO-{41f2373f-de91-4989-95a3-b2ca5610cf05} - fapumoke.dll
BHO-{C4E061F8-CB80-4FE0-A1CB-A00A93E6556A} - c:\windows\system32\rqRKEusp.dll
Toolbar-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
SSODL-kujasaset-{cc3b2f34-a6a3-4394-a093-7f8846232c4c} - (no file)
SSODL-mutunatap-{3a7beef1-041a-447d-915f-2c3b1a8d24cf} - (no file)
Notify-awtsTkhf - awtsTkhf.dll
AddRemove-SpyNoMore - c:\program files\SpyNoMore\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-20 15:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\athgina.dll
c:\windows\system32\athcfg11.dll
c:\windows\system32\athcfg11Res.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1312)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\windows\system32\ACS.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\Power Management\CeEPwrSvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\toshiba\Ivp\Swupdate\swupdtmr.exe
c:\windows\system32\Tablet.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\wscntfy.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\AGRSMMSG.exe
.
**************************************************************************
.
Completion time: 2010-04-20 15:45:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-20 22:45

Pre-Run: 47,858,016,256 bytes free
Post-Run: 48,395,780,096 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 164A76F7504292CE5E2DF4320227B4A0


#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 20 April 2010 - 06:32 PM

Hello again

See if you can run GMER now, and also have a run with MBAM and post the reports. How is it running now please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#6 charlie222


Posted 21 April 2010 - 03:05 PM

Run GMER: Unable. First two tries it just froze after running a few pages worth. Next three tries, got black screen "{Fatal System Error} .... System shutdown" after running a short time, about half an hour.

How running: Better. No longer getting hijacked when changing webpages.

Seems to run pretty slowly now though. Maybe half or one-third normal speed. Or maybe not, I have Comcast cable and it flickers on and off all the time.

Is there anything more I can do to fix this? Thanks again.

#7 teacup61


Posted 22 April 2010 - 03:20 PM

Hello,

My apologies for the late reply. Something went horribly wrong with my own system and I've had to hurry with the basics of a whole new one just to get back here.

Could you not run MBAM either? If not, please try uninstalling it and reinstalling. Sometimes this malware corrupts programs and they need to be replaced. Have a run with it and post the report in your reply and we'll go from there.

Thanks,
tea

#8 charlie222


Posted 25 April 2010 - 04:33 PM

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3961

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/25/2010 1:52:22 PM
mbam-log-2010-04-25 (13-52-22).txt

Scan type: Full scan (C:\|)
Objects scanned: 253704
Time elapsed: 1 hour(s), 46 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#9 teacup61


Posted 26 April 2010 - 04:30 PM

Hello again

So you could run it.....excellent! Now that some time has passed, has the speed gotten better? You said:

QUOTE
Seems to run pretty slowly now though. Maybe half or one-third normal speed. Or maybe not, I have Comcast cable and it flickers on and off all the time.

I just want to be sure beforehand so I know what to do next.

Thanks,
tea

#10 charlie222


Posted 04 May 2010 - 11:50 AM

Thank you very much for the help. You guys are the greatest.

The computer is still balky, but it now runs well enough that I can get my information off of it. I think the stalling and slowness it has now might be from the Toshiba software trying to save power by hibernating while in use. Or maybe from one of the several automatic scans (SD, MBAM, AVG, etc.) starting up in the background. Perhaps I should run all scans manually?


I will look around the forum for appropriate places to post questions about that and other issues not related to malware removal. Thanks in advance if you can suggest where to post such questions.

I tried the forums on the Toshiba site. There I found many people asking very similar questions but did not see any answers except from other users who did not appear to have any special expertise or even the ability to read.

Calling or emailing Toshiba results in a request to send the computer in. I am not eager to ship my computers that I actually use across the country to a service center for an unknown time span, and my interactions with Toshiba so far do not suggest that doing that would result in a solution to the problems anyway.

#11 teacup61


Posted 16 May 2010 - 02:23 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.