Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Monderb.gen [RESOLVED]


  • This topic is locked This topic is locked

#1
n2gc

n2gc

    Member

  • Member
  • PipPip
  • 30 posts
Hello..
I took in my relatives kids laptop as they claimed it was slow....I guess. :)
I installed Kaspersky to do a scan and it found trojan WIN32.Monderb.gen
in this file C/System32/yayAspml.dll. I have tried to clean it in safe mode,
regular boot, etc to no avail. Kaspersky will log it in up to 4 times and then
for disinfection, when all of sudden the laptop shuts down like one does
when shutting down properly. However when it does, this odd looking Windows
XP banner shows up telling me it's doing so and then reboots the laptop.
It does this over and over. I've tried to dump the dll file but am having zero
luck cleaning this laptop. I've run HJT and believe I have removed the
other nasty's, but this trojan is beating me.

Would someone be kind enough to enlighten me on how get rid of this ?
It would be most appreciated..

Thank you
n2gc

Edited by n2gc, 15 June 2008 - 05:25 PM.

  • 0

Advertisements


#2
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hello,

* Download Trend Micro Hijack This™
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.
  • 0

#3
n2gc

n2gc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Ran the scan a little bit ago >

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:03 PM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\AOL\1141089950\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141089950\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DelayLoad] C:\DOCUME~1\Caity\LOCALS~1\Temp\msprint.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B0F2E63-3FA9-41E2-8664-8FADC2DF0799}: NameServer = 85.255.115.85,85.255.112.183
O17 - HKLM\System\CCS\Services\Tcpip\..\{C051320C-733D-474C-A98B-CF845B074735}: NameServer = 85.255.115.85,85.255.112.183
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.85 85.255.112.183
O17 - HKLM\System\CS1\Services\Tcpip\..\{8B0F2E63-3FA9-41E2-8664-8FADC2DF0799}: NameServer = 85.255.115.85,85.255.112.183
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.85 85.255.112.183
O17 - HKLM\System\CS2\Services\Tcpip\..\{8B0F2E63-3FA9-41E2-8664-8FADC2DF0799}: NameServer = 85.255.115.85,85.255.112.183
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.85 85.255.112.183
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7901 bytes
  • 0

#4
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

You're dealing with several different infections... so we'll have to do this step by step...

I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.co...cle.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then, * Please download FixwareOut from the following site:
http://download.blee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
Keep in mind, this won't solve all your problems yet.. we'll deal with the rest afterwards.

Also, Can you tell me what Antivirus you are currently running, because this is confusing. I see parts of Kaspersky present and parts of Command Software Systems present. Please let me know which Antivirus still works, is up to date and is currently running. This is really important to know since you should have a decent, working and up to dated Antivirus present
  • 0

#5
n2gc

n2gc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
This was run just a few minutes ago after I ran Fixtit and a reboot.
The trouble is there are 3 different people using this laptop.
As far as an AV I had to remove Kas as best I could because
it would try and disinfect the trojan over and over. Kept shutting
the unit off then on. Couldn't get anything done. I don't believe
there is a valid up to date AV program on it right now, but soon
soon will be. Thank you so much for helping me with this.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:10 PM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Common Files\AOL\1141089950\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearsh...ar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141089950\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1213304684390
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 8259 bytes

Edited by n2gc, 12 June 2008 - 03:59 PM.

  • 0

#6
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Let's deal with the rest now..

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#7
n2gc

n2gc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Thank you so much. I'll post as soon as things quiet down a bit.
  • 0

#8
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Don't wait too long with this, because as long malware is present, it will download and install more malware all the time.
  • 0

#9
n2gc

n2gc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Here is the report from Combo scan

ComboFix 08-06-11.7 - bg 2008-06-13 6:41:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.143 [GMT -7:00]
Running from: C:\Documents and Settings\bg\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\bg\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\acrsec.fon
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\aksjadwn.ini
C:\WINDOWS\system32\LmpsAyay.ini
C:\WINDOWS\system32\LmpsAyay.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\xfjpgreh.ini
C:\WINDOWS\system32\yayAspmL.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-12 15:53 . 2008-06-12 15:53 <DIR> dr-h----- C:\Documents and Settings\Mikael\Application Data\yahoo!
2008-06-12 15:52 . 2008-06-12 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-12 15:29 . 2008-06-12 15:29 <DIR> d-------- C:\Program Files\Avira
2008-06-12 14:42 . 2008-06-13 06:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-12 14:42 . 2008-06-12 14:42 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-12 14:38 . 2008-06-12 15:46 <DIR> d-------- C:\fixwareout
2008-06-12 14:23 . 2008-06-12 14:23 <DIR> d-------- C:\Program Files\CCleaner
2008-06-12 14:02 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-12 13:14 . 2008-06-12 13:14 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-06-12 13:14 . 2003-11-14 09:50 155,648 --a------ C:\WINDOWS\system32\ifc21.dll
2008-06-12 13:14 . 2003-11-14 09:50 104,960 --a------ C:\WINDOWS\system32\COMNCTR.DLL
2008-06-12 13:14 . 2003-11-14 09:50 97,792 --a------ C:\WINDOWS\system32\LGUICOM.DLL
2008-06-12 13:14 . 2003-11-14 09:50 94,208 --a------ C:\WINDOWS\system32\FEELIT.DLL
2008-06-12 13:14 . 2003-11-14 09:50 16,896 --a------ C:\WINDOWS\system32\LMOUSE32.DLL
2008-06-12 13:14 . 2003-11-14 09:50 3,568 --a------ C:\WINDOWS\system32\LMOUSE16.DLL
2008-06-12 13:13 . 2008-06-12 13:13 <DIR> d-------- C:\Program Files\Logitech
2008-06-12 13:13 . 2003-11-07 02:50 152,064 --a------ C:\WINDOWS\system32\lmoufrc.dll
2008-06-12 13:13 . 2003-11-07 02:50 70,798 --a------ C:\WINDOWS\system32\drivers\LMouFlt2.Sys
2008-06-12 13:13 . 2003-11-07 02:50 51,486 --a------ C:\WINDOWS\system32\drivers\L8042PR2.SYS
2008-06-12 13:13 . 2003-11-07 02:50 37,884 --a------ C:\WINDOWS\system32\drivers\LHIDUSB.SYS
2008-06-12 13:13 . 2003-11-07 02:50 25,502 --a------ C:\WINDOWS\system32\drivers\LHidFlt2.Sys
2008-06-12 13:13 . 2003-11-07 02:50 23,372 --a------ C:\WINDOWS\system32\LCOINST.DLL
2008-06-12 13:13 . 2003-11-07 02:50 19,968 --------- C:\WINDOWS\LOGI_MWX.EXE
2008-06-12 13:13 . 2003-11-07 02:50 14,092 --a------ C:\WINDOWS\system32\drivers\LCCFLTR.SYS
2008-06-11 23:07 . 2008-06-11 23:07 <DIR> d-------- C:\Documents and Settings\Mikael\Application Data\MySpace
2008-06-11 18:29 . 2008-06-11 18:29 <DIR> d-------- C:\kav
2008-06-11 18:04 . 2008-06-11 18:04 <DIR> d---s---- C:\Documents and Settings\bg\UserData
2008-06-11 17:25 . 2008-06-11 17:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-11 16:30 . 2008-06-12 15:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-11 16:07 . 2008-06-11 16:07 <DIR> d-------- C:\Program Files\InterMute
2008-06-11 15:46 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-06-11 15:46 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-06-11 15:46 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-06-11 15:46 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-06-11 13:54 . 2008-06-11 13:54 <DIR> d-------- C:\Documents and Settings\bg\Application Data\Zero Knowledge
2008-06-11 13:52 . 2005-04-20 14:35 <DIR> d-------- C:\Documents and Settings\bg\WINDOWS
2008-06-11 13:52 . 2005-04-20 15:12 <DIR> d-------- C:\Documents and Settings\bg\Application Data\You've Got Pictures Screensaver
2008-06-11 13:52 . 2005-04-20 14:42 <DIR> d-------- C:\Documents and Settings\bg\Application Data\toshiba
2008-06-11 13:52 . 2005-04-20 14:54 <DIR> d-------- C:\Documents and Settings\bg\Application Data\Intuit
2008-06-11 13:52 . 2005-04-20 15:26 <DIR> d-------- C:\Documents and Settings\bg\Application Data\InterVideo
2008-06-11 13:52 . 2005-04-20 15:08 <DIR> d-------- C:\Documents and Settings\bg\Application Data\InterTrust
2008-06-11 13:52 . 2006-02-28 18:24 <DIR> d-------- C:\Documents and Settings\bg\Application Data\AOL
2008-06-11 13:52 . 2008-06-12 15:40 <DIR> d-------- C:\Documents and Settings\bg
2008-06-11 13:47 . 2005-04-20 14:35 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-11 13:47 . 2005-04-20 15:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-06-11 13:47 . 2005-04-20 14:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-06-11 13:47 . 2005-04-20 14:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-06-11 13:47 . 2005-04-20 15:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2008-06-11 13:47 . 2005-04-20 15:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-06-11 13:47 . 2006-02-28 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-06-11 13:47 . 2008-06-11 13:47 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-23 19:19 . 2008-05-24 13:25 <DIR> d-------- C:\Program Files\AXPFixer
2008-05-23 18:57 . 2008-05-24 13:15 <DIR> d-------- C:\$AVG8.VAULT$
2008-05-23 18:50 . 2008-05-23 18:50 10,520 --a------ C:\WINDOWS\system32\avgrsstx(2).dll
2008-05-23 18:49 . 2008-05-23 18:52 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg(2)
2008-05-23 18:49 . 2008-05-24 13:25 <DIR> d-------- C:\Program Files\AVG(2)
2008-05-23 18:49 . 2008-05-24 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8(2)
2008-05-23 18:36 . 2008-05-28 15:04 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
2008-05-23 18:36 . 2008-05-28 15:04 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-21 11:16 . 2008-05-21 11:16 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 22:38 --------- d-----w C:\Program Files\Yahoo!
2008-06-12 22:20 --------- d-----w C:\Program Files\Google
2008-06-12 22:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-12 21:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-12 21:02 --------- d-----w C:\Program Files\Java
2008-06-12 01:21 --------- d-----w C:\Program Files\America Online 9.0
2008-05-24 20:27 --------- d-----w C:\Program Files\Apple Software Update
2008-05-21 18:17 --------- d-----w C:\Program Files\iTunes
2008-05-21 18:14 --------- d-----w C:\Program Files\QuickTime
2008-04-24 18:30 --------- d-----w C:\Program Files\APAstyle.info
2008-04-21 20:32 --------- d-----w C:\Program Files\AIM
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 00:32 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2005-04-25 09:15 339968]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2005-04-12 16:18 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 16:17 88358 C:\WINDOWS\agrsmmsg.exe]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 16:25 73728]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 16:51 122880]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 10:00 339968]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 15:28 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 15:26 688218]
"TPSMain"="TPSMain.exe" [2004-12-28 16:02 270336 C:\WINDOWS\system32\TPSMain.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 16:37 151552]
"HostManager"="C:\Program Files\Common Files\AOL\1141089950\ee\AOLSoftware.exe" [2006-05-09 17:24 50760]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 09:59 124520]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 02:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 00:33 8720384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 15:04:48 176128]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-04-20 14:34:50 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnNGwvs]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\1141089950\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1141089950\\ee\\aim6.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Common Files\\AOL\\1141089950\\ee\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-05-21 18:03:54 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 06:47:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-13 6:50:37 - machine was rebooted [bg]
ComboFix-quarantined-files.txt 2008-06-13 13:50:28

Pre-Run: 66,180,259,840 bytes free
Post-Run: 66,115,293,184 bytes free

196 --- E O F --- 2007-12-12 11:03:23


I'll go ahead and install the recovery console.

The log from HJT.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:42 AM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\AOL\1141089950\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141089950\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1213304684390
O20 - Winlogon Notify: opnNGwvs - C:\WINDOWS\
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 8572 bytes

Thank you in helping me. Kaspersky has been removed. The only active up to date AV is
Avira Free.

PS recovery console installed.

Edited by n2gc, 13 June 2008 - 08:29 AM.

  • 0

#10
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Navigate to and delete the following files:

C:\WINDOWS\system32\ctfmonb.bmp
C:\WINDOWS\system32\blackster.scr

Then, check and fix next leftover in HijackThis:

O20 - Winlogon Notify: opnNGwvs - C:\WINDOWS\

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Install an Antivirus aftwards.

Let me know in your next reply how things are now.
  • 0

Advertisements


#11
n2gc

n2gc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
1. trojan was found at C:\WINDOWS\system32\yayAspmL.dll
It is TR/Vundo.Gen

It is listed a number of times from Avira as detected then error.
  • 0

#12
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Is it still detecting it?

In that case, then the infection became active again... and if so, please run Combofix again and post the log in your next reply.
  • 0

#13
n2gc

n2gc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Ran it again and here's the Combo log, as well as a fresh HJT log.

ComboFix 08-06-11.7 - bg 2008-06-13 9:22:25.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.145 [GMT -7:00]
Running from: C:\Documents and Settings\bg\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-13 08:39 . 2008-06-13 08:39 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-06-13 06:51 . 2008-06-13 06:51 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-13 06:51 . 2008-04-14 04:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 06:51 . 2008-04-14 04:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-12 15:53 . 2008-06-12 15:53 <DIR> dr-h----- C:\Documents and Settings\Mikael\Application Data\yahoo!
2008-06-12 15:52 . 2008-06-12 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-12 15:29 . 2008-06-12 15:29 <DIR> d-------- C:\Program Files\Avira
2008-06-12 14:42 . 2008-06-13 06:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-12 14:42 . 2008-06-12 14:42 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-12 14:38 . 2008-06-12 15:46 <DIR> d-------- C:\fixwareout
2008-06-12 14:23 . 2008-06-12 14:23 <DIR> d-------- C:\Program Files\CCleaner
2008-06-12 14:02 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-12 13:14 . 2008-06-12 13:14 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-06-12 13:14 . 2003-11-14 09:50 155,648 --a------ C:\WINDOWS\system32\ifc21.dll
2008-06-12 13:14 . 2003-11-14 09:50 104,960 --a------ C:\WINDOWS\system32\COMNCTR.DLL
2008-06-12 13:14 . 2003-11-14 09:50 97,792 --a------ C:\WINDOWS\system32\LGUICOM.DLL
2008-06-12 13:14 . 2003-11-14 09:50 94,208 --a------ C:\WINDOWS\system32\FEELIT.DLL
2008-06-12 13:14 . 2003-11-14 09:50 16,896 --a------ C:\WINDOWS\system32\LMOUSE32.DLL
2008-06-12 13:14 . 2003-11-14 09:50 3,568 --a------ C:\WINDOWS\system32\LMOUSE16.DLL
2008-06-12 13:13 . 2008-06-12 13:13 <DIR> d-------- C:\Program Files\Logitech
2008-06-12 13:13 . 2003-11-07 02:50 152,064 --a------ C:\WINDOWS\system32\lmoufrc.dll
2008-06-12 13:13 . 2003-11-07 02:50 70,798 --a------ C:\WINDOWS\system32\drivers\LMouFlt2.Sys
2008-06-12 13:13 . 2003-11-07 02:50 51,486 --a------ C:\WINDOWS\system32\drivers\L8042PR2.SYS
2008-06-12 13:13 . 2003-11-07 02:50 37,884 --a------ C:\WINDOWS\system32\drivers\LHIDUSB.SYS
2008-06-12 13:13 . 2003-11-07 02:50 25,502 --a------ C:\WINDOWS\system32\drivers\LHidFlt2.Sys
2008-06-12 13:13 . 2003-11-07 02:50 23,372 --a------ C:\WINDOWS\system32\LCOINST.DLL
2008-06-12 13:13 . 2003-11-07 02:50 19,968 --------- C:\WINDOWS\LOGI_MWX.EXE
2008-06-12 13:13 . 2003-11-07 02:50 14,092 --a------ C:\WINDOWS\system32\drivers\LCCFLTR.SYS
2008-06-11 23:07 . 2008-06-11 23:07 <DIR> d-------- C:\Documents and Settings\Mikael\Application Data\MySpace
2008-06-11 18:04 . 2008-06-11 18:04 <DIR> d---s---- C:\Documents and Settings\bg\UserData
2008-06-11 17:25 . 2008-06-11 17:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-11 16:30 . 2008-06-12 15:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-11 16:07 . 2008-06-11 16:07 <DIR> d-------- C:\Program Files\InterMute
2008-06-11 15:46 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-06-11 15:46 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-06-11 15:46 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-06-11 15:46 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-06-11 13:54 . 2008-06-11 13:54 <DIR> d-------- C:\Documents and Settings\bg\Application Data\Zero Knowledge
2008-06-11 13:52 . 2005-04-20 14:35 <DIR> d-------- C:\Documents and Settings\bg\WINDOWS
2008-06-11 13:52 . 2005-04-20 15:12 <DIR> d-------- C:\Documents and Settings\bg\Application Data\You've Got Pictures Screensaver
2008-06-11 13:52 . 2005-04-20 14:42 <DIR> d-------- C:\Documents and Settings\bg\Application Data\toshiba
2008-06-11 13:52 . 2005-04-20 14:54 <DIR> d-------- C:\Documents and Settings\bg\Application Data\Intuit
2008-06-11 13:52 . 2005-04-20 15:26 <DIR> d-------- C:\Documents and Settings\bg\Application Data\InterVideo
2008-06-11 13:52 . 2005-04-20 15:08 <DIR> d-------- C:\Documents and Settings\bg\Application Data\InterTrust
2008-06-11 13:52 . 2006-02-28 18:24 <DIR> d-------- C:\Documents and Settings\bg\Application Data\AOL
2008-06-11 13:52 . 2008-06-13 08:45 <DIR> d-------- C:\Documents and Settings\bg
2008-06-11 13:47 . 2005-04-20 14:35 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-11 13:47 . 2005-04-20 15:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-06-11 13:47 . 2005-04-20 14:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-06-11 13:47 . 2005-04-20 14:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-06-11 13:47 . 2005-04-20 15:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2008-06-11 13:47 . 2005-04-20 15:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-06-11 13:47 . 2006-02-28 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-06-11 13:47 . 2008-06-11 13:47 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-23 19:19 . 2008-05-24 13:25 <DIR> d-------- C:\Program Files\AXPFixer
2008-05-23 18:57 . 2008-05-24 13:15 <DIR> d-------- C:\$AVG8.VAULT$
2008-05-23 18:50 . 2008-05-23 18:50 10,520 --a------ C:\WINDOWS\system32\avgrsstx(2).dll
2008-05-23 18:49 . 2008-05-23 18:52 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg(2)
2008-05-23 18:49 . 2008-05-24 13:25 <DIR> d-------- C:\Program Files\AVG(2)
2008-05-23 18:49 . 2008-05-24 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8(2)
2008-05-21 11:16 . 2008-05-21 11:16 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 22:38 --------- d-----w C:\Program Files\Yahoo!
2008-06-12 22:20 --------- d-----w C:\Program Files\Google
2008-06-12 22:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-12 21:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-12 21:02 --------- d-----w C:\Program Files\Java
2008-06-12 01:21 --------- d-----w C:\Program Files\America Online 9.0
2008-05-24 20:27 --------- d-----w C:\Program Files\Apple Software Update
2008-05-21 18:17 --------- d-----w C:\Program Files\iTunes
2008-05-21 18:14 --------- d-----w C:\Program Files\QuickTime
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-24 18:30 --------- d-----w C:\Program Files\APAstyle.info
2008-04-21 20:32 --------- d-----w C:\Program Files\AIM
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\SET7E.tmp
2008-04-21 07:04 615,936 ----a-w C:\WINDOWS\system32\SET7F.tmp
2008-04-21 07:04 474,112 ----a-w C:\WINDOWS\system32\SET80.tmp
2008-04-21 07:04 1,494,528 ----a-w C:\WINDOWS\system32\SET81.tmp
2008-04-21 07:03 3,059,712 ----a-w C:\WINDOWS\system32\SET86.tmp
2008-04-21 07:03 1,023,488 ----a-w C:\WINDOWS\system32\SET8E.tmp
2008-04-17 10:37 351,744 ----a-w C:\WINDOWS\system32\SET90.tmp
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 00:32 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2005-04-25 09:15 339968]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2005-04-12 16:18 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 16:17 88358 C:\WINDOWS\agrsmmsg.exe]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 16:25 73728]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 16:51 122880]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 10:00 339968]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 15:28 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 15:26 688218]
"TPSMain"="TPSMain.exe" [2004-12-28 16:02 270336 C:\WINDOWS\system32\TPSMain.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 16:37 151552]
"HostManager"="C:\Program Files\Common Files\AOL\1141089950\ee\AOLSoftware.exe" [2006-05-09 17:24 50760]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 09:59 124520]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 02:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 00:33 8720384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 15:04:48 176128]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-04-20 14:34:50 155648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\1141089950\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1141089950\\ee\\aim6.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Common Files\\AOL\\1141089950\\ee\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-05-21 18:03:54 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 09:23:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-13 9:24:12
ComboFix-quarantined-files.txt 2008-06-13 16:24:02
ComboFix2.txt 2008-06-13 16:21:54
ComboFix3.txt 2008-06-13 13:50:39

Pre-Run: 66,664,259,584 bytes free
Post-Run: 66,649,526,272 bytes free

171 --- E O F --- 2008-06-13 15:21:26

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:44 AM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\AOL\1141089950\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141089950\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1213304684390
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 8231 bytes
  • 0

#14
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Strange.... I don't see the file present in the log, and I don't see any loading points pointing to it either.. So this is confusing now.

Anyway, since you say that Avira still finds it and can't remove it... perform next step..

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\yayAspmL.dll
C:\WINDOWS\system32\SET7E.tmp
C:\WINDOWS\system32\SET7F.tmp
C:\WINDOWS\system32\SET80.tmp
C:\WINDOWS\system32\SET81.tmp
C:\WINDOWS\system32\SET86.tmp
C:\WINDOWS\system32\SET8E.tmp
C:\WINDOWS\system32\SET90.tmp


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply

Edited by miekiemoes, 13 June 2008 - 11:02 AM.

  • 0

#15
n2gc

n2gc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Did as you advised and here is a new log. I believe Aliva has picked up something else now.
Will post that once the scan stops.

ComboFix 08-06-11.7 - bg 2008-06-13 10:26:29.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.162 [GMT -7:00]
Running from: C:\Documents and Settings\bg\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\bg\Desktop\CfScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\SET7E.tmp
C:\WINDOWS\system32\SET7F.tmp
C:\WINDOWS\system32\SET80.tmp
C:\WINDOWS\system32\SET81.tmp
C:\WINDOWS\system32\SET86.tmp
C:\WINDOWS\system32\SET8E.tmp
C:\WINDOWS\system32\SET90.tmp
C:\WINDOWS\system32\yayAspmL.dll
.

((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-13 09:41 . 2008-06-13 09:41 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-13 08:39 . 2008-06-13 08:39 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-06-13 06:51 . 2008-04-14 04:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 06:51 . 2008-04-14 04:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-12 15:53 . 2008-06-12 15:53 <DIR> dr-h----- C:\Documents and Settings\Mikael\Application Data\yahoo!
2008-06-12 15:52 . 2008-06-12 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-12 15:29 . 2008-06-12 15:29 <DIR> d-------- C:\Program Files\Avira
2008-06-12 14:42 . 2008-06-13 09:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-12 14:42 . 2008-06-12 14:42 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-12 14:38 . 2008-06-13 09:50 <DIR> d-------- C:\fixwareout
2008-06-12 14:23 . 2008-06-12 14:23 <DIR> d-------- C:\Program Files\CCleaner
2008-06-12 14:02 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-12 13:14 . 2008-06-12 13:14 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-06-12 13:14 . 2003-11-14 09:50 155,648 --a------ C:\WINDOWS\system32\ifc21.dll
2008-06-12 13:14 . 2003-11-14 09:50 104,960 --a------ C:\WINDOWS\system32\COMNCTR.DLL
2008-06-12 13:14 . 2003-11-14 09:50 97,792 --a------ C:\WINDOWS\system32\LGUICOM.DLL
2008-06-12 13:14 . 2003-11-14 09:50 94,208 --a------ C:\WINDOWS\system32\FEELIT.DLL
2008-06-12 13:14 . 2003-11-14 09:50 16,896 --a------ C:\WINDOWS\system32\LMOUSE32.DLL
2008-06-12 13:14 . 2003-11-14 09:50 3,568 --a------ C:\WINDOWS\system32\LMOUSE16.DLL
2008-06-12 13:13 . 2008-06-12 13:13 <DIR> d-------- C:\Program Files\Logitech
2008-06-12 13:13 . 2003-11-07 02:50 152,064 --a------ C:\WINDOWS\system32\lmoufrc.dll
2008-06-12 13:13 . 2003-11-07 02:50 70,798 --a------ C:\WINDOWS\system32\drivers\LMouFlt2.Sys
2008-06-12 13:13 . 2003-11-07 02:50 51,486 --a------ C:\WINDOWS\system32\drivers\L8042PR2.SYS
2008-06-12 13:13 . 2003-11-07 02:50 37,884 --a------ C:\WINDOWS\system32\drivers\LHIDUSB.SYS
2008-06-12 13:13 . 2003-11-07 02:50 25,502 --a------ C:\WINDOWS\system32\drivers\LHidFlt2.Sys
2008-06-12 13:13 . 2003-11-07 02:50 23,372 --a------ C:\WINDOWS\system32\LCOINST.DLL
2008-06-12 13:13 . 2003-11-07 02:50 19,968 --------- C:\WINDOWS\LOGI_MWX.EXE
2008-06-12 13:13 . 2003-11-07 02:50 14,092 --a------ C:\WINDOWS\system32\drivers\LCCFLTR.SYS
2008-06-11 23:07 . 2008-06-11 23:07 <DIR> d-------- C:\Documents and Settings\Mikael\Application Data\MySpace
2008-06-11 18:04 . 2008-06-11 18:04 <DIR> d---s---- C:\Documents and Settings\bg\UserData
2008-06-11 17:25 . 2008-06-11 17:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-11 16:30 . 2008-06-12 15:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-11 16:07 . 2008-06-11 16:07 <DIR> d-------- C:\Program Files\InterMute
2008-06-11 15:46 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-06-11 15:46 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-06-11 15:46 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-06-11 15:46 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-06-11 13:54 . 2008-06-11 13:54 <DIR> d-------- C:\Documents and Settings\bg\Application Data\Zero Knowledge
2008-06-11 13:52 . 2005-04-20 14:35 <DIR> d-------- C:\Documents and Settings\bg\WINDOWS
2008-06-11 13:52 . 2005-04-20 15:12 <DIR> d-------- C:\Documents and Settings\bg\Application Data\You've Got Pictures Screensaver
2008-06-11 13:52 . 2005-04-20 14:42 <DIR> d-------- C:\Documents and Settings\bg\Application Data\toshiba
2008-06-11 13:52 . 2005-04-20 14:54 <DIR> d-------- C:\Documents and Settings\bg\Application Data\Intuit
2008-06-11 13:52 . 2005-04-20 15:26 <DIR> d-------- C:\Documents and Settings\bg\Application Data\InterVideo
2008-06-11 13:52 . 2005-04-20 15:08 <DIR> d-------- C:\Documents and Settings\bg\Application Data\InterTrust
2008-06-11 13:52 . 2006-02-28 18:24 <DIR> d-------- C:\Documents and Settings\bg\Application Data\AOL
2008-06-11 13:52 . 2008-06-13 08:45 <DIR> d-------- C:\Documents and Settings\bg
2008-06-11 13:47 . 2005-04-20 14:35 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-11 13:47 . 2005-04-20 15:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-06-11 13:47 . 2005-04-20 14:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-06-11 13:47 . 2005-04-20 14:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-06-11 13:47 . 2005-04-20 15:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2008-06-11 13:47 . 2005-04-20 15:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-06-11 13:47 . 2006-02-28 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-06-11 13:47 . 2008-06-11 13:47 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-23 19:19 . 2008-05-24 13:25 <DIR> d-------- C:\Program Files\AXPFixer
2008-05-23 18:57 . 2008-05-24 13:15 <DIR> d-------- C:\$AVG8.VAULT$
2008-05-23 18:50 . 2008-05-23 18:50 10,520 --a------ C:\WINDOWS\system32\avgrsstx(2).dll
2008-05-23 18:49 . 2008-05-23 18:52 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg(2)
2008-05-23 18:49 . 2008-05-24 13:25 <DIR> d-------- C:\Program Files\AVG(2)
2008-05-23 18:49 . 2008-05-24 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8(2)
2008-05-21 11:16 . 2008-05-21 11:16 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 22:38 --------- d-----w C:\Program Files\Yahoo!
2008-06-12 22:20 --------- d-----w C:\Program Files\Google
2008-06-12 22:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-12 21:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-12 21:02 --------- d-----w C:\Program Files\Java
2008-06-12 01:21 --------- d-----w C:\Program Files\America Online 9.0
2008-05-24 20:27 --------- d-----w C:\Program Files\Apple Software Update
2008-05-21 18:17 --------- d-----w C:\Program Files\iTunes
2008-05-21 18:14 --------- d-----w C:\Program Files\QuickTime
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-24 18:30 --------- d-----w C:\Program Files\APAstyle.info
2008-04-21 20:32 --------- d-----w C:\Program Files\AIM
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( [email protected]_ 9.21.35.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-13 13:46:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-13 16:35:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-10-11 06:13:44 1,023,488 ------w C:\WINDOWS\system32\browseui.dll
+ 2008-04-21 07:03:56 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
- 2006-06-26 17:37:10 148,480 ------w C:\WINDOWS\system32\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2004-08-04 12:00:00 45,568 ------w C:\WINDOWS\system32\dnsrslvr.dll
+ 2008-02-20 05:32:43 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
- 2008-06-12 21:39:56 153,976 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-06-13 16:35:23 153,976 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2007-06-19 13:31:19 282,112 ------w C:\WINDOWS\system32\gdi32.dll
+ 2008-02-20 06:51:05 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
- 2007-10-30 10:16:33 3,058,688 ------w C:\WINDOWS\system32\mshtml.dll
+ 2008-04-21 07:03:59 3,059,712 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-10-11 06:13:45 1,494,528 ------w C:\WINDOWS\system32\shdocvw.dll
+ 2008-04-21 07:04:00 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2007-10-11 06:13:45 474,112 ------w C:\WINDOWS\system32\shlwapi.dll
+ 2008-04-21 07:04:00 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2007-10-11 06:13:45 615,424 ------w C:\WINDOWS\system32\urlmon.dll
+ 2008-04-21 07:04:00 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-10-29 10:26:53 115,712 ------w C:\WINDOWS\system32\xpsp3res.dll
+ 2008-04-17 10:37:04 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 00:32 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2005-04-25 09:15 339968]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2005-04-12 16:18 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 16:17 88358 C:\WINDOWS\agrsmmsg.exe]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 16:25 73728]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 16:51 122880]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 10:00 339968]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 15:28 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 15:26 688218]
"TPSMain"="TPSMain.exe" [2004-12-28 16:02 270336 C:\WINDOWS\system32\TPSMain.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 16:37 151552]
"HostManager"="C:\Program Files\Common Files\AOL\1141089950\ee\AOLSoftware.exe" [2006-05-09 17:24 50760]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 09:59 124520]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 02:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 00:33 8720384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 15:04:48 176128]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-04-20 14:34:50 155648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\1141089950\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1141089950\\ee\\aim6.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Common Files\\AOL\\1141089950\\ee\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-21 18:03:54 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 10:27:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-13 10:28:34
ComboFix-quarantined-files.txt 2008-06-13 17:28:22
ComboFix2.txt 2008-06-13 17:17:54
ComboFix3.txt 2008-06-13 16:54:37
ComboFix4.txt 2008-06-13 16:24:13
ComboFix5.txt 2008-06-13 16:21:54

Pre-Run: 66,597,720,064 bytes free
Post-Run: 66,584,780,800 bytes free

204 --- E O F --- 2008-06-13 15:21:26

This coming up on Alivra as well.

Here is an explanation on the above which states it's for testing.

Eicar-Test-Signature
It is not a virus, but a program designed to determine if antivirus products are installed properly. The name of this testing program is derived from an organization named EICAR, or European Institute for Computer Anti-Virus Research. You can find more information at their website www.eicar.com.

Please note that the EICAR test file may be larger than 68 bytes. However the correct size is 68 bytes and validity checks should only be performed with it.


Edited by n2gc, 13 June 2008 - 11:52 AM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP