
DesktopTrojan.Win32.BlackBird AND Trojan-Downloader.Win32.Agent.v [RES


  • This topic is locked

#1
vegas23

    New Member

  • Member
  • 4 posts
Here are the two logs: the first is the HijackThis log, the second is the uninstall list. I have a Toshiba Portege M300 computer, I have an updated Norton Internet Security suite, I tried the Microsoft malware remover and AVG Free, and have installed SpywareBlaster and ATF Cleaner.

Thanks in advance for the help. I'm gonna need it!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:33 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: GNX Bingo - {619FD815-8D43-414D-8638-22CC868AF066} - C:\WINDOWS\svpekgonlmf.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {826A5ED9-1316-4EFD-87F8-AA400C5D551A} - C:\WINDOWS\system32\pmnkKbxV.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ThpSrv] c:\WINDOWS\system32\thpsrv /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [57CiMdwXd6] C:\Documents and Settings\All Users\Application Data\futixibo\nsfixyde.exe
O4 - HKCU\..\Policies\Explorer\Run: [57CiMdwXd6] C:\Documents and Settings\All Users\Application Data\futixibo\nsfixyde.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...wlscbase370.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203993635223
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

--
End of file - 10729 bytes



Adobe Acrobat 5.0
Adobe Acrobat 7.0.9 Standard
Adobe Flash Player ActiveX
Adobe Shockwave Player
AppCore
Apple Mobile Device Support
Apple Software Update
Bluetooth Stack for Windows by Toshiba
Bonjour
ccCommon
CD/DVD Drive Acoustic Silencer
C-Major Audio
Component Framework
DVD-RAM Driver
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB915865)
hp officejet 6100 series
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp officejet 6100 series
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
InterVideo WinDVD for TOSHIBA
iTunes
Java 2 Runtime Environment, SE v1.4.2_05
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Expression Web
Microsoft Expression Web
Microsoft Expression Web MUI (English)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office OneNote 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Norton AntiVirus
Norton AntiVirus Help
Norton Confidential Core
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
PC Backup Free Trial
Quicken 2007
QuickTime
SD Secure Module
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Sonic DLA
Sonic RecordNow!
SPBBC 32bit
SpywareBlaster 4.0
Symantec Real Time Storage Protection Component
SymNet
Synaptics Pointing Device Driver
The Rosetta Stone
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Display Devices Change Utility
TOSHIBA HDD Protection
TOSHIBA Hotkey Utility for Display Devices
TOSHIBA Mobile Extension3 for Windows XP V3.67.00.XP
TOSHIBA Password Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA SD Memory Boot Utility
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
Toshiba Tbiosdrv Driver
TOSHIBA TouchPad On/Off Utility V2.05.00
TOSHIBA Utilities
TOSHIBA Zooming Utility
Update for Office 2007 (KB946691)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
VideoShow Expressions
WD Backup
WD Firewire HID Driver
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884018
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Wireless Hotkey


#2
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

O2 - BHO: GNX Bingo - {619FD815-8D43-414D-8638-22CC868AF066} - C:\WINDOWS\svpekgonlmf.dll (file missing)
O2 - BHO: (no name) - {826A5ED9-1316-4EFD-87F8-AA400C5D551A} - C:\WINDOWS\system32\pmnkKbxV.dll (file missing)
O4 - HKLM\..\Policies\Explorer\Run: [57CiMdwXd6] C:\Documents and Settings\All Users\Application Data\futixibo\nsfixyde.exe
O4 - HKCU\..\Policies\Explorer\Run: [57CiMdwXd6] C:\Documents and Settings\All Users\Application Data\futixibo\nsfixyde.exe


Locate the following files/folders and delete them if they exist (if no location is given, just do a search for them):

C:\Documents and Settings\All Users\Application Data\futixibo\

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the ComboFix log here.
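A small triage script for HijackThis log lines, added here as an example (it is neither HijackThis's own code nor part of the reply above). It parses the O2 (BHO) and O4 (registry autostart) lines, embedded as constructed sample input copied from the log posted in this thread, and applies the same heuristics the reply relied on: a BHO whose DLL is "(file missing)", an unnamed BHO, an autostart under Policies\Explorer\Run, an executable launched from an Application Data folder, and a value name that looks machine-generated. The four lines it flags are exactly the four the reply asks the poster to fix.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: eight lines copied from the HijackThis log posted
# in this thread (raw string, so the backslashes are taken literally).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GNX Bingo - {619FD815-8D43-414D-8638-22CC868AF066} - C:\WINDOWS\svpekgonlmf.dll (file missing)
O2 - BHO: (no name) - {826A5ED9-1316-4EFD-87F8-AA400C5D551A} - C:\WINDOWS\system32\pmnkKbxV.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Policies\Explorer\Run: [57CiMdwXd6] C:\Documents and Settings\All Users\Application Data\futixibo\nsfixyde.exe
O4 - HKCU\..\Policies\Explorer\Run: [57CiMdwXd6] C:\Documents and Settings\All Users\Application Data\futixibo\nsfixyde.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path>[ (file missing)]"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O4 registry autostarts: "O4 - HKLM\..\<key>: [<value name>] <command>"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>.*?): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$"
)
# Executables living under a profile's Application Data folder.
DATA_DIR_RE = re.compile(r"\\Application Data\\", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def looks_machine_generated(name: str) -> bool:
    """True for value names like 57CiMdwXd6: 8+ alphanumerics that switch
    between digits, lower case and upper case at least five times. Vendor
    names such as 00THotkey or SynTPEnh switch only a few times."""
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", name):
        return False
    classes = ["d" if c.isdigit() else "u" if c.isupper() else "l" for c in name]
    return sum(a != b for a, b in zip(classes, classes[1:])) >= 5


def check_bho(m: re.Match) -> list:
    reasons = []
    if m.group("missing"):
        reasons.append("BHO registered but its DLL is missing (orphaned hook)")
    if m.group("name") == "(no name)":
        reasons.append("BHO has no display name")
    return reasons


def check_run(m: re.Match) -> list:
    reasons = []
    if "Policies\\Explorer\\Run" in m.group("key"):
        reasons.append("autostart via Policies\\Explorer\\Run, rarely used by legitimate software")
    if DATA_DIR_RE.search(m.group("cmd")):
        reasons.append("executable launched from an Application Data folder")
    if looks_machine_generated(m.group("value")):
        reasons.append(f"value name {m.group('value')!r} looks machine-generated")
    return reasons


def analyze(log_text: str) -> list:
    """Return one Finding per O2/O4 line that trips at least one heuristic,
    in log order. Other sections (R0/R1, O3, O9, O16, O23) are not examined."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := BHO_RE.match(line):
            reasons = check_bho(m)
        elif m := RUN_RE.match(line):
            reasons = check_run(m)
        else:
            continue
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def fix_list(findings: list) -> list:
    """The lines to tick before 'Fix Checked', exactly as they appear in the log."""
    return [f.line for f in findings]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Feed it a complete log instead of SAMPLE_LOG to get the same kind of shortlist for another machine; the heuristics are a first pass for a human reviewer, not a verdict.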

#3
vegas23

    New Member

  • Topic Starter
  • Member
  • 4 posts
Thanks for getting back to me, greyknight17. Here is the requested ComboFix log.

ComboFix 08-04-18.3 - Victor 2008-04-19 22:46:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.149 [GMT -4:00]
Running from: C:\Documents and Settings\Victor\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Victor\Desktop\blackbird.jpg
C:\Documents and Settings\Victor\Desktop\EditorFKWP1.5.exe
C:\Documents and Settings\Victor\Desktop\EditorFKWP2.0.exe
C:\Documents and Settings\Victor\Desktop\filemanagerclient.exe
C:\Documents and Settings\Victor\Desktop\fkwp1.5.exe
C:\Documents and Settings\Victor\Desktop\fkwp2.0.exe
C:\Documents and Settings\Victor\Desktop\fwebd.exe
C:\Documents and Settings\Victor\Desktop\FWebdEditor.exe
C:\Documents and Settings\Victor\Desktop\Trojan.Win32.BlackBird.exe
C:\Documents and Settings\Victor\Desktop\virii
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.exe
C:\Program Files\PC-Cleaner
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\fkdnrwsv.dll
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mslagent
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\sxfnewqb.dll
C:\WINDOWS\system32\PXIOnUvw.ini
C:\WINDOWS\system32\PXIOnUvw.ini2
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\[email protected]@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-19 20:52 . 2008-04-19 20:52 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-18 01:10 . 2008-04-18 01:10 <DIR> d-------- C:\dc76b951c57cb243232243699d
2008-04-12 19:25 . 2008-04-19 20:55 <DIR> d-------- C:\Program Files\Safari
2008-04-12 19:23 . 2008-04-12 19:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-12 19:23 . 2008-04-12 19:23 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-12 19:22 . 2008-04-12 19:22 <DIR> d-------- C:\Program Files\iPod
2008-04-12 19:21 . 2008-04-12 19:22 <DIR> d-------- C:\Program Files\iTunes
2008-04-12 19:18 . 2008-04-12 19:19 <DIR> d-------- C:\Program Files\QuickTime
2008-04-09 22:57 . 2008-04-09 22:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 18:49 . 2008-04-09 18:51 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-09 18:41 . 2008-04-09 18:43 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-09 18:41 . 2008-04-09 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-09 18:41 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-04-09 01:22 . 2008-04-09 01:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-09 01:22 . 2008-04-09 09:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-09 00:45 . 2008-04-09 01:16 <DIR> d-------- C:\Program Files\XoftSpySE
2008-04-08 23:43 . 2008-04-08 23:43 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-08 23:41 . 2008-04-08 23:41 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-07 12:45 . 2008-04-08 00:32 1,274 ---hs---- C:\WINDOWS\system32\pfxraqsb.ini
2008-04-06 12:45 . 2008-04-06 12:45 354 ---hs---- C:\WINDOWS\system32\pwwtdrko.ini
2008-04-05 12:45 . 2008-04-05 12:45 294 ---hs---- C:\WINDOWS\system32\vpickddh.ini
2008-04-04 12:44 . 2008-04-04 12:44 294 ---hs---- C:\WINDOWS\system32\lchotnth.ini
2008-04-03 00:48 . 2008-04-04 00:48 294 --ahs---- C:\WINDOWS\system32\xvkahpus.ini
2008-04-02 11:15 . 2008-04-02 11:15 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-02 11:15 . 2008-04-02 11:15 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-02 11:11 . 2008-04-02 11:15 <DIR> d-------- C:\Program Files\Microsoft Expression
2008-04-02 11:11 . 2008-04-09 03:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-01 22:14 . 2008-04-01 22:14 <DIR> d-------- C:\Documents and Settings\Victor\Application Data\Sonic
2008-04-01 22:00 . 2008-04-01 22:03 <DIR> d-------- C:\Program Files\VideoShow Expressions
2008-04-01 22:00 . 2004-12-07 10:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-21 12:19 . 2008-03-21 12:19 <DIR> d-------- C:\Documents and Settings\Victor\Application Data\InterVideo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 02:41 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-14 12:17 --------- d-----w C:\Documents and Settings\Victor\Application Data\Apple Computer
2008-04-11 14:13 --------- d-----w C:\Program Files\Google
2008-04-03 13:43 --------- d-----w C:\Documents and Settings\Victor\Application Data\Move Networks
2008-04-02 02:05 --------- d-----w C:\Documents and Settings\Victor\Application Data\ArcSoft
2008-04-02 02:02 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-04-02 02:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 15:53 --------- d-----w C:\Program Files\Quicken
2008-03-25 02:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 17:19 --------- d-----w C:\Program Files\My Book
2008-03-18 17:18 339,968 ----a-w C:\WINDOWS\system32\WDBtnMgr.exe
2008-03-07 18:59 --------- d-----w C:\Documents and Settings\Victor\Application Data\Hewlett-Packard
2008-03-07 18:44 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-03-07 18:42 --------- d-----w C:\Program Files\Hewlett-Packard
2008-03-07 01:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 01:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 01:32 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-03-03 21:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-27 16:06 --------- d-----w C:\Documents and Settings\Victor\Application Data\AdobeUM
2008-02-26 16:39 --------- d-----w C:\Program Files\The Rosetta Stone
2008-02-26 05:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-26 05:47 --------- d-----w C:\Program Files\Bonjour
2008-02-26 05:45 --------- d-----w C:\Program Files\Common Files\Apple
2008-02-26 05:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-02-26 03:54 0 --sha-r C:\WINDOWS\system32\drivers\TOSHIBA_PORTEGE M300_S3A1980D001_PPM30C-NC201E.MRK
2008-02-26 03:54 --------- d-----w C:\Program Files\Toshiba
2008-02-26 03:52 --------- d-----w C:\Program Files\Install AOL 9.0
2008-02-26 03:51 --------- d-----w C:\Program Files\OnX Enterprise Solutions
2008-02-26 03:51 --------- d-----w C:\Program Files\Laptop Retriever
2008-02-26 03:42 --------- d-----w C:\Program Files\Datalode
2008-02-26 03:16 --------- d-----w C:\Documents and Settings\Victor\Application Data\Intuit
2008-02-26 03:15 --------- d-----w C:\Program Files\Common Files\Palo Alto Software
2008-02-26 03:15 --------- d-----w C:\Program Files\Common Files\Intuit
2008-02-26 03:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-02-26 03:08 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-02-26 03:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-02-26 02:52 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-26 02:20 --------- d-----w C:\Documents and Settings\Victor\Application Data\Symantec
2008-02-26 02:19 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-26 02:19 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-26 02:19 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-26 02:19 10,563 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-26 02:19 --------- d-----w C:\Program Files\Symantec
2008-02-26 02:19 --------- d-----w C:\Program Files\Norton Internet Security
2008-02-26 02:18 --------- d-----w C:\Program Files\Windows Sidebar
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-06 21:43 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-02-06 21:43 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-01-29 16:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2008-02-07 00:05 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-25 22:18 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll" [2008-02-07 00:05 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll [2008-02-07 00:05 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-24 20:56 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-24 20:52 126976]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2004-06-28 21:24 258048]
"000StTHK"="000StTHK.exe" [2001-06-24 00:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"TFNF5"="TFNF5.exe" [2004-06-27 21:22 73728 C:\WINDOWS\system32\TFNF5.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-15 19:03 135168]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-22 04:09 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-22 04:08 495616]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 22:00 126976]
"NDSTray.exe"="NDSTray.exe" []
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 19:07 49152]
"TPSMain"="TPSMain.exe" [2004-11-09 00:30 270336 C:\WINDOWS\system32\TPSMain.exe]
"TPSODDCtl"="TPSODDCtl.exe" [2004-11-09 00:30 110592 C:\WINDOWS\system32\TPSODDCtl.exe]
"TFncKy"="TFncKy.exe" []
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [2004-11-11 14:43 126976]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [2004-07-10 02:49 81920]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-28 05:05 127035]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 00:38 88361 C:\WINDOWS\agrsmmsg.exe]
"ThpSrv"="c:\WINDOWS\system32\thpsrv /logon" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 21:47 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-07 02:49 718704]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52 483328]
"CFSServ.exe"="CFSServ.exe" []
"WD Button Manager"="WDBtnMgr.exe" [2008-03-18 13:18 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2008-02-25 23:07:47 25214]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2004-06-16 19:22:58 28672]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2004-06-16 18:50:58 147456]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-11-22 16:21:20 155648]
WD Backup Monitor.lnk - C:\Program Files\My Book\WD Backup\uBBMonitor.exe [2008-03-18 13:19:13 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\WINDOWS\system32\DRIVERS\thpdrv.sys [2004-12-01 01:49]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\WINDOWS\system32\DRIVERS\Thpevm.SYS [2004-11-13 16:24]
R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2004-06-16 15:08]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2004-05-17 02:18]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - IPOD_SERVICE
.
Contents of the 'Scheduled Tasks' folder
"2008-04-20 00:53:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-07 17:55:07 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1204916051.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe:-I
"2008-04-19 05:40:44 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-17 23:59:56 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Victor.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 22:48:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-19 22:49:55
ComboFix-quarantined-files.txt 2008-04-20 02:49:50

Pre-Run: 46,158,544,896 bytes free
Post-Run: 46,294,040,576 bytes free

283 --- E O F --- 2008-04-18 05:10:20
  • 0

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Go back to the page where you got Combofix and follow the instructions on how to install the XP Recovery Console. Skip the part for the Windows CD. Download the bootdisk instead and drag/drop it into Combofix.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\WINDOWS\system32\pfxraqsb.ini
C:\WINDOWS\system32\pwwtdrko.ini
C:\WINDOWS\system32\vpickddh.ini
C:\WINDOWS\system32\lchotnth.ini
C:\WINDOWS\system32\xvkahpus.ini

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is the computer running so far?
  • 0
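Added example (not part of the thread and not ComboFix's own code): a small Python script that automates the two checks greyknight17 made by eye on the log above. It flags .ini files under system32 whose names look machine-generated, which is the pattern of the five files his CFScript targets, and it surfaces the values in the "Reg Loading Points" section that turn off Security Center monitoring and the Windows Firewall standard profile. The sample log lines are constructed from entries that appear in this thread; the randomness test (vowel ratio and consonant runs) is my own heuristic and is a triage aid, not a verdict. One caveat a practitioner will want: a security suite such as the Norton install in this log registers its own DisableMonitoring values under Security Center so that Windows defers to it, so those values on their own are not evidence of tampering, and the same goes for the Windows Firewall being off when a third-party firewall is present. The output is a File:: section in the format the expert used, meant for a person to review before it goes anywhere near ComboFix.

```python
"""Triage helper for a ComboFix log.

Added example for this thread; it is not ComboFix's own code, and the
randomness test below is a heuristic, not a detection signature.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: lines of the kind seen in the ComboFix logs in this
# thread (the five .ini files the CFScript removed, one ordinary-looking
# .ini as a negative control, and the two registry entries of interest).
SAMPLE_LOG = r"""
2008-04-09 18:41 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
C:\WINDOWS\system32\pfxraqsb.ini
C:\WINDOWS\system32\pwwtdrko.ini
C:\WINDOWS\system32\vpickddh.ini
C:\WINDOWS\system32\lchotnth.ini
C:\WINDOWS\system32\xvkahpus.ini
C:\WINDOWS\system32\desktop.ini
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

VOWELS = set("aeiouy")
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"\[\]]+?\.ini\b', re.IGNORECASE)
KEY_RE = re.compile(r"^\[(.+)\]$")


def looks_random(stem: str) -> bool:
    """Heuristic: a short, all-lowercase stem with almost no vowels or a
    run of four or more consonants, as in pfxraqsb or lchotnth."""
    if not (7 <= len(stem) <= 9) or not stem.isalpha() or not stem.islower():
        return False
    vowel_frac = sum(c in VOWELS for c in stem) / len(stem)
    longest_consonant_run = max(
        (len(run) for run in re.findall(r"[^aeiouy]+", stem)), default=0
    )
    return vowel_frac <= 0.25 or longest_consonant_run >= 4


def find_suspect_ini(log: str) -> list:
    """Return .ini paths under system32 whose file name looks generated."""
    hits = []
    for line in log.splitlines():
        for path in PATH_RE.findall(line):
            p = PureWindowsPath(path)
            if p.parent.name.lower() == "system32" and looks_random(p.stem):
                hits.append(path)
    return hits


def find_disabled_protections(log: str) -> list:
    """Walk the REGEDIT4-style section and report values that switch off
    Security Center monitoring or the firewall's standard profile."""
    findings, key = [], ""
    for raw in log.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()  # the key the following values belong to
            continue
        if ("security center\\monitoring" in key
                and line.startswith('"DisableMonitoring"')
                and line.endswith("00000001")):
            findings.append(f"Security Center monitoring disabled: [{key}]")
        elif ("firewallpolicy" in key
                and line.startswith('"EnableFirewall"')
                and re.search(r"=\s*0\b", line)):
            findings.append(f"Windows Firewall off: [{key}]")
    return findings


def build_cfscript(paths) -> str:
    """Render a File:: section in the format used in the thread above."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    suspects = find_suspect_ini(SAMPLE_LOG)
    for finding in find_disabled_protections(SAMPLE_LOG):
        print("REVIEW:", finding)
    print(build_cfscript(suspects))
```

Run it as is to see the File:: block for the sample; on a real log, read the file in and go through the output by hand before acting on it, because the name heuristic will also catch some legitimate short names and the registry findings need the suite-registration caveat above applied to them.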

#5
vegas23

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Greyknight17,
The computer is running much better. Also, I now have access to my "Task Manager"! I tried running the XP recovery before but I must have done something wrong. I think I did it correctly this time. Here is the Log file from Combofix after running the script you sent me.





ComboFix 08-04-18.3 - Victor 2008-04-20 8:13:39.2 - NTFSx86
Running from: C:\Documents and Settings\Victor\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Victor\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\lchotnth.ini
C:\WINDOWS\system32\pfxraqsb.ini
C:\WINDOWS\system32\pwwtdrko.ini
C:\WINDOWS\system32\vpickddh.ini
C:\WINDOWS\system32\xvkahpus.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\lchotnth.ini
C:\WINDOWS\system32\pfxraqsb.ini
C:\WINDOWS\system32\pwwtdrko.ini
C:\WINDOWS\system32\vpickddh.ini
C:\WINDOWS\system32\xvkahpus.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-19 20:52 . 2008-04-19 20:52 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-18 01:10 . 2008-04-18 01:10 <DIR> d-------- C:\dc76b951c57cb243232243699d
2008-04-12 19:25 . 2008-04-19 20:55 <DIR> d-------- C:\Program Files\Safari
2008-04-12 19:23 . 2008-04-12 19:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-12 19:23 . 2008-04-12 19:23 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-12 19:22 . 2008-04-12 19:22 <DIR> d-------- C:\Program Files\iPod
2008-04-12 19:21 . 2008-04-12 19:22 <DIR> d-------- C:\Program Files\iTunes
2008-04-12 19:18 . 2008-04-12 19:19 <DIR> d-------- C:\Program Files\QuickTime
2008-04-09 22:57 . 2008-04-09 22:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 18:49 . 2008-04-09 18:51 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-09 18:41 . 2008-04-09 18:43 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-09 18:41 . 2008-04-09 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-09 18:41 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-04-09 01:22 . 2008-04-09 01:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-09 01:22 . 2008-04-09 09:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-09 00:45 . 2008-04-09 01:16 <DIR> d-------- C:\Program Files\XoftSpySE
2008-04-08 23:43 . 2008-04-08 23:43 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-08 23:41 . 2008-04-08 23:41 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-02 11:15 . 2008-04-02 11:15 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-02 11:15 . 2008-04-02 11:15 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-02 11:11 . 2008-04-02 11:15 <DIR> d-------- C:\Program Files\Microsoft Expression
2008-04-02 11:11 . 2008-04-09 03:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-01 22:14 . 2008-04-01 22:14 <DIR> d-------- C:\Documents and Settings\Victor\Application Data\Sonic
2008-04-01 22:00 . 2008-04-01 22:03 <DIR> d-------- C:\Program Files\VideoShow Expressions
2008-04-01 22:00 . 2004-12-07 10:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-21 12:19 . 2008-03-21 12:19 <DIR> d-------- C:\Documents and Settings\Victor\Application Data\InterVideo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 12:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-14 12:17 --------- d-----w C:\Documents and Settings\Victor\Application Data\Apple Computer
2008-04-11 14:13 --------- d-----w C:\Program Files\Google
2008-04-03 13:43 --------- d-----w C:\Documents and Settings\Victor\Application Data\Move Networks
2008-04-02 02:05 --------- d-----w C:\Documents and Settings\Victor\Application Data\ArcSoft
2008-04-02 02:02 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-04-02 02:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 15:53 --------- d-----w C:\Program Files\Quicken
2008-03-25 02:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 17:19 --------- d-----w C:\Program Files\My Book
2008-03-18 17:18 339,968 ----a-w C:\WINDOWS\system32\WDBtnMgr.exe
2008-03-07 18:59 --------- d-----w C:\Documents and Settings\Victor\Application Data\Hewlett-Packard
2008-03-07 18:44 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-03-07 18:42 --------- d-----w C:\Program Files\Hewlett-Packard
2008-03-07 01:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 01:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 01:32 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-03-03 21:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-27 16:06 --------- d-----w C:\Documents and Settings\Victor\Application Data\AdobeUM
2008-02-26 16:39 --------- d-----w C:\Program Files\The Rosetta Stone
2008-02-26 05:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-26 05:47 --------- d-----w C:\Program Files\Bonjour
2008-02-26 05:45 --------- d-----w C:\Program Files\Common Files\Apple
2008-02-26 05:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-02-26 03:54 0 --sha-r C:\WINDOWS\system32\drivers\TOSHIBA_PORTEGE M300_S3A1980D001_PPM30C-NC201E.MRK
2008-02-26 03:54 --------- d-----w C:\Program Files\Toshiba
2008-02-26 03:52 --------- d-----w C:\Program Files\Install AOL 9.0
2008-02-26 03:51 --------- d-----w C:\Program Files\OnX Enterprise Solutions
2008-02-26 03:51 --------- d-----w C:\Program Files\Laptop Retriever
2008-02-26 03:42 --------- d-----w C:\Program Files\Datalode
2008-02-26 03:16 --------- d-----w C:\Documents and Settings\Victor\Application Data\Intuit
2008-02-26 03:15 --------- d-----w C:\Program Files\Common Files\Palo Alto Software
2008-02-26 03:15 --------- d-----w C:\Program Files\Common Files\Intuit
2008-02-26 03:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-02-26 03:08 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-02-26 03:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-02-26 02:52 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-26 02:20 --------- d-----w C:\Documents and Settings\Victor\Application Data\Symantec
2008-02-26 02:19 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-26 02:19 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-26 02:19 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-26 02:19 10,563 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-26 02:19 --------- d-----w C:\Program Files\Symantec
2008-02-26 02:19 --------- d-----w C:\Program Files\Norton Internet Security
2008-02-26 02:18 --------- d-----w C:\Program Files\Windows Sidebar
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-06 21:43 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-02-06 21:43 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-01-29 16:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2008-02-07 00:05 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-25 22:18 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll" [2008-02-07 00:05 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll [2008-02-07 00:05 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-24 20:56 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-24 20:52 126976]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2004-06-28 21:24 258048]
"000StTHK"="000StTHK.exe" [2001-06-24 00:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"TFNF5"="TFNF5.exe" [2004-06-27 21:22 73728 C:\WINDOWS\system32\TFNF5.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-15 19:03 135168]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-22 04:09 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-22 04:08 495616]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 22:00 126976]
"NDSTray.exe"="NDSTray.exe" []
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 19:07 49152]
"TPSMain"="TPSMain.exe" [2004-11-09 00:30 270336 C:\WINDOWS\system32\TPSMain.exe]
"TPSODDCtl"="TPSODDCtl.exe" [2004-11-09 00:30 110592 C:\WINDOWS\system32\TPSODDCtl.exe]
"TFncKy"="TFncKy.exe" []
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [2004-11-11 14:43 126976]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [2004-07-10 02:49 81920]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-28 05:05 127035]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 00:38 88361 C:\WINDOWS\agrsmmsg.exe]
"ThpSrv"="c:\WINDOWS\system32\thpsrv /logon" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 21:47 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-07 02:49 718704]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52 483328]
"CFSServ.exe"="CFSServ.exe" []
"WD Button Manager"="WDBtnMgr.exe" [2008-03-18 13:18 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2008-02-25 23:07:47 25214]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2004-06-16 19:22:58 28672]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2004-06-16 18:50:58 147456]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-11-22 16:21:20 155648]
WD Backup Monitor.lnk - C:\Program Files\My Book\WD Backup\uBBMonitor.exe [2008-03-18 13:19:13 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\WINDOWS\system32\DRIVERS\thpdrv.sys [2004-12-01 01:49]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\WINDOWS\system32\DRIVERS\Thpevm.SYS [2004-11-13 16:24]
R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2004-06-16 15:08]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2004-05-17 02:18]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - IPOD_SERVICE
.
Contents of the 'Scheduled Tasks' folder
"2008-04-20 00:53:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-07 17:55:07 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1204916051.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe:-I
"2008-04-20 05:40:58 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-17 23:59:56 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Victor.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 08:15:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-20 8:16:47
ComboFix-quarantined-files.txt 2008-04-20 12:16:40
ComboFix2.txt 2008-04-20 02:49:56

Pre-Run: 46,370,025,472 bytes free
Post-Run: 46,413,328,384 bytes free

208 --- E O F --- 2008-04-18 05:10:20
  • 0

#6
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
It's installed successfully now. You will never need this unless something horrible has happened (like Windows having booting issues). We can assist you in recovering the system by booting into this console and either resetting or replacing certain files to make it bootable again.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run and type in Combofix /u (notice the space there) and hit OK to remove it. You should be set to go.
  • 0

#7
vegas23

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
greyknight17,
Everything is running great! I've uninstalled ComboFix, rebooted, and the system is running as fast as it did before! Thank you again for the help... GTG rocks!
  • 0

#8
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





