Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help removing vundo [RESOLVED]


  • This topic is locked This topic is locked

#1
powello80

powello80

    New Member

  • Member
  • Pip
  • 4 posts
Hi, this is my first post so hope im in the right area?

I have been trying to remove vundo from my laptop for a week now and have finally given up after trying evrything i know and going through the steps in the 'you must read this before posting a hijackthis log, malware cleaning guide'

I have attached the log files that were requested in the article.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:20:32, on 06/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: {f976e8f9-fd06-43bb-9fb4-3bbbb09bf8e1} - {1e8fb90b-bbb3-4bf9-bb34-60df9f8e679f} - C:\WINDOWS\system32\esnvvp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {F19384DB-EBCE-4C8F-8C69-5D3263747C56} - C:\WINDOWS\system32\opnkjJyV.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Bluetooth Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1190299506093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1212735625906
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cryptainersrv.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 9881 bytes





Malwarebytes' Anti-Malware 1.19
Database version: 922
Windows 5.1.2600 Service Pack 3

17:08:11 06/07/2008
mbam-log-7-6-2008 (17-08-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 107015
Time elapsed: 20 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/06/2008 at 06:49 PM

Application Version : 4.15.1000

Core Rules Database Version : 3497
Trace Rules Database Version: 1488

Scan type : Complete Scan
Total Scan Time : 01:29:25

Memory items scanned : 475
Memory threats detected : 1
Registry items scanned : 5531
Registry threats detected : 0
File items scanned : 73564
File threats detected : 4

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\ESNVVP.DLL
C:\WINDOWS\SYSTEM32\ESNVVP.DLL

Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\[email protected][2].txt
C:\Documents and Settings\User\Cookies\[email protected][1].txt

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP





;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-07-06 19:45:09
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 3
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
Sophos Antivirus 7.0.5 No Yes
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\User\Desktop\VirtumundoBeGone.exe[]
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\User\Local Settings\Temp\nsb30.tmp
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\User\Local Settings\Temp\nsp15B4.tmp
00519333 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\User\Desktop\VirtumundoBeGone.exe
;===============================================================================
=================================================================================
===================
SUSPECTS
Sent Location
;===============================================================================
=================================================================================
===================
No C:\Documents and Settings\User\Local Settings\Temp\hviuwpsh.dll
No C:\WINDOWS\system32\ghqadcme.dll
No C:\WINDOWS\system32\hvzexi.dll
;===============================================================================
=================================================================================
===================
VULNERABILITIES
Id Severity Description
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================




Ad-Aware
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player 11
ALPS Touch Pad Driver
Apple Mobile Device Support
Apple Software Update
Atheros Driver Installation Program
Audacity 1.2.6
Bluetooth Monitor 3
Canon MP150
CD/DVD Drive Acoustic Silencer
Compatibility Pack for the 2007 Office system
ConnectGoV5Update
Cryptainer LE
GTK+ 2.10.13 runtime environment
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Intel® Graphics Media Accelerator Driver
InterVideo WinDVD for TOSHIBA
iTunes
Java™ 6 Update 6
LADSPA_plugins-win-0.4.15
LimeWire 4.16.6
Macromedia Flash Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office XP Media Content
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Panda ActiveScan 2.0
Photo Story 3 for Windows
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Sophos Anti-Virus
Sophos AutoUpdate
SUPERAntiSpyware Free Edition
TalkTalk Assist & Go
Texas Instruments PCIxx21/x515/xx12 drivers.
The GIMP 2.2.17
TOSHIBA Accessibility
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Direct Disc Writer
TOSHIBA Disc Creator
TOSHIBA Hardware Setup
TOSHIBA Hotkey Utility
TOSHIBA Manuals
Toshiba Online Product Information
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA Supervisor Password
TOSHIBA Zooming Utility
TouchPad On/Off Utility
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
  • 0

#3
powello80

powello80

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hello, thanks for your help with this.

Below is the log that combofix produced:



ComboFix 08-07-05.1 - User 2008-07-07 8:43:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.493 [GMT 1:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\User\Application Data\macromedia\Flash Player\#SharedObjects\NLKZEPWJ\iforex.com
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\#SharedObjects\NLKZEPWJ\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\WINDOWS\BM131cea23.txt
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\fsfjdtck.ini
C:\WINDOWS\system32\GfhhRXyb.ini2
C:\WINDOWS\system32\haitmjre.dll
C:\WINDOWS\system32\jfgbipar.dll
C:\WINDOWS\system32\VyJjknpo.ini
C:\WINDOWS\system32\VyJjknpo.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-07 to 2008-07-07 )))))))))))))))))))))))))))))))
.

2008-07-06 20:13 . 2008-07-06 20:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-06 18:58 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-06 17:13 . 2008-07-06 17:13 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-06 17:13 . 2008-07-06 17:13 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-07-06 17:13 . 2008-07-06 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-05 18:04 . 2008-07-05 18:04 <DIR> d-------- C:\VundoFix Backups
2008-07-05 11:09 . 2008-07-05 11:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-05 11:09 . 2008-07-05 11:09 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-07-05 11:09 . 2008-07-05 11:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-05 11:09 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-05 11:09 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-05 09:35 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-03 09:11 . 2008-07-03 09:12 <DIR> d-------- C:\Program Files\Panda Security
2008-07-03 08:39 . 2008-07-03 08:39 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-29 17:34 . 2008-06-29 22:58 442 --a------ C:\WINDOWS\wininit.ini
2008-06-29 14:23 . 2008-06-30 15:28 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-29 14:17 . 2008-07-05 09:53 <DIR> d-------- C:\Documents and Settings\User\Application Data\AVGTOOLBAR
2008-06-29 14:16 . 2008-07-05 11:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-29 14:12 . 2008-06-29 14:12 105,856 --a------ C:\WINDOWS\system32\hvzexi.dll
2008-06-29 14:12 . 2008-06-29 14:12 105,856 --a------ C:\WINDOWS\system32\ghqadcme.dll
2008-06-28 14:56 . 2008-07-05 09:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-28 14:56 . 2008-07-03 08:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-28 14:34 . 2008-06-28 14:50 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-27 21:05 . 2008-06-27 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-26 19:35 . 2008-07-03 08:19 110,390 --a------ C:\WINDOWS\BM131cea23.xml
2008-06-24 08:49 . 2008-06-24 08:49 0 --a------ C:\WINDOWS\TPTray.INI
2008-06-22 22:21 . 2008-06-22 22:21 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-22 22:21 . 2008-06-22 22:21 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-22 22:21 . 2008-06-22 22:21 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-22 22:21 . 2008-06-22 22:21 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-22 22:18 . 2008-06-22 22:18 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-11 18:50 . 2008-06-13 12:05 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 18:50 . 2008-06-13 12:05 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 18:50 . 2008-05-08 15:02 203,136 --a--c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-10 12:27 . 2008-04-14 01:12 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-06-10 12:26 . 2004-08-03 22:41 1,041,536 --a------ C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-06-10 12:25 . 2008-04-14 01:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-06 21:04 --------- d-----w C:\Documents and Settings\User\Application Data\LimeWire
2008-07-06 16:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-05 08:35 --------- d-----w C:\Program Files\Java
2008-06-06 12:16 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-08 18:48 --------- d-----w C:\Program Files\QuickTime
2008-05-08 18:48 --------- d-----w C:\Program Files\iTunes
2008-05-08 18:48 --------- d-----w C:\Program Files\iPod
2008-05-08 18:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-08 18:46 --------- d-----w C:\Program Files\Common Files\Apple
2008-05-08 18:46 --------- d-----w C:\Program Files\Apple Software Update
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2006-12-12 10:13 32,768 ----a-w C:\Documents and Settings\All Users\Application Data\EBLib.dll
2006-07-28 15:25 19,456 ----a-w C:\Documents and Settings\All Users\Application Data\LPCFilter.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 11:26 65536]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-07 16:39 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-07 16:36 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 16:40 118784]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2006-04-12 16:31 638976]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 13:45 28672]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2006-05-25 11:17 65536]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2007-06-01 05:40 53248]
"DDWMon"="C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 11:49 495616]
"topi"="C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 09:24 581632]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-05-11 10:06 143360]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-24 14:40 196608]
"TalkTalk"="C:\Program Files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 08:33 202016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 22:49 16377344 C:\WINDOWS\RTHDCPL.exe]
"TPSMain"="TPSMain.exe" [2005-08-11 14:33 266240 C:\WINDOWS\system32\TPSMain.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2007-06-30 08:18 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
"TDispVol"="TDispVol.exe" [2005-12-27 13:22 73728 C:\WINDOWS\system32\TDispVol.exe]
"Zooming"="ZoomingHook.exe" [2005-06-06 09:58 24576 C:\WINDOWS\system32\ZoomingHook.exe]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2/8/2008 10:32:57 PM 147456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [6/21/2007 11:18:00 AM 245760]
Bluetooth Monitor.lnk - C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe [4/14/2008 4:00:57 PM 69632]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
"C:\\Program Files\\Common Files\\SupportSoft\\bin\\tgsrvc.exe"=
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
"C:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys [2007-09-10 12:09]
R1 SAVOnAccessFilter;SAVOnAccessFilter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys [2007-09-10 12:08]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);C:\Program Files\TalkTalk\bin\sprtsvc.exe [2007-10-12 08:33]
R2 ssoftnt4;ssoftnt4;C:\WINDOWS\system32\Drivers\ssoftnt4.sys [2007-01-24 12:16]
R2 tdudf;TOSHIBA UDF File System Driver;C:\WINDOWS\system32\DRIVERS\tdudf.sys [2007-03-26 12:22]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe [2007-08-02 13:42]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;C:\WINDOWS\system32\DRIVERS\trudf.sys [2007-02-19 12:15]
S3 TpChoice;Touch Pad Detection Filter driver;C:\WINDOWS\system32\DRIVERS\TpChoice.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-06-23 09:12:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-20 13:28:37 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-09-20 13:28:38 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-09-20 13:28:38 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{1e8fb90b-bbb3-4bf9-bb34-60df9f8e679f} - C:\WINDOWS\system32\esnvvp.dll
BHO-{F19384DB-EBCE-4C8F-8C69-5D3263747C56} - C:\WINDOWS\system32\opnkjJyV.dll
HKLM-Run-ISTray - C:\Program Files\Spyware Doctor\pctsTray.exe
HKLM-Run-NDSTray.exe - NDSTray.exe
HKLM-Run-TFncKy - TFncKy.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 08:47:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\TDispVol.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\TOSHIBA Direct Disc Writer\DDWMon.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-07 8:51:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-07 07:50:52

Pre-Run: 65,932,247,040 bytes free
Post-Run: 66,163,015,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

225 --- E O F --- 2008-06-21 09:30:07
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
You have Sophos Antivirus and AVG8 installed there. It's recommended to have only one antivirus program installed. Decide which one you want to keep and uninstall the other one now.

Double click on C:\WINDOWS\wininit.ini to open it up in Notepad. Copy & paste the entire contents of that file here. Then delete all the contents in that file. Copy & paste the following two lines back and save the file:

[rename]
nul=

Double click on TPTray.INI and post the contents of that file here as well. I want to see what's inside this one.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Collect::
C:\WINDOWS\system32\hvzexi.dll
C:\WINDOWS\system32\ghqadcme.dll
C:\WINDOWS\BM131cea23.xml

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

#5
powello80

powello80

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hello

the wininit.ini file looked like this

[rename]
c:\tempjunk7045.tmp=C:\WINDOWS\system32\opnkjJyV.dll_old
nul=c:\tempjunk5887.tmp
c:\tempjunk3004.tmp=C:\WINDOWS\system32\urqPhfec.dll_old
c:\tempjunk9867.tmp=C:\WINDOWS\system32\xxyxYpnn.dll_old
c:\tempjunk608.tmp=C:\WINDOWS\system32\urqPhfec.dll_old
c:\tempjunk5257.tmp=C:\WINDOWS\system32\xxyxYpnn.dll_old
c:\tempjunk2960.tmp=C:\WINDOWS\system32\urqPhfec.dll_old
c:\tempjunk5887.tmp=C:\WINDOWS\system32\xxyxYpnn.dll_old

TPtray.ini was empty

here is the log file:

ComboFix 08-07-05.1 - User 2008-07-08 15:30:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.491 [GMT 1:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM131cea23.xml
C:\WINDOWS\system32\ghqadcme.dll
C:\WINDOWS\system32\hvzexi.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-08 to 2008-07-08 )))))))))))))))))))))))))))))))
.

2008-07-07 14:12 . 2008-07-07 14:12 18,842 --a------ C:\idsuite_run.bat
2008-07-07 14:09 . 2008-07-07 14:12 <DIR> d-------- C:\Program Files\Index.dat Suite
2008-07-06 20:13 . 2008-07-06 20:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-06 18:58 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-06 17:13 . 2008-07-06 17:13 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-06 17:13 . 2008-07-06 17:13 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-07-06 17:13 . 2008-07-06 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-05 18:04 . 2008-07-05 18:04 <DIR> d-------- C:\VundoFix Backups
2008-07-05 11:09 . 2008-07-05 11:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-05 11:09 . 2008-07-05 11:09 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-07-05 11:09 . 2008-07-05 11:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-05 11:09 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-05 11:09 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-05 09:35 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-03 09:11 . 2008-07-03 09:12 <DIR> d-------- C:\Program Files\Panda Security
2008-07-03 08:39 . 2008-07-03 08:39 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-29 17:34 . 2008-07-08 15:26 20 --a------ C:\WINDOWS\wininit.ini
2008-06-29 14:23 . 2008-06-30 15:28 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-29 14:17 . 2008-07-05 09:53 <DIR> d-------- C:\Documents and Settings\User\Application Data\AVGTOOLBAR
2008-06-29 14:16 . 2008-07-05 11:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-28 14:56 . 2008-07-05 09:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-28 14:56 . 2008-07-03 08:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-28 14:34 . 2008-06-28 14:50 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-27 21:05 . 2008-06-27 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-24 08:49 . 2008-06-24 08:49 0 --a------ C:\WINDOWS\TPTray.INI
2008-06-22 22:21 . 2008-06-22 22:21 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-22 22:21 . 2008-06-22 22:21 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-22 22:21 . 2008-06-22 22:21 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-22 22:21 . 2008-06-22 22:21 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-22 22:18 . 2008-06-22 22:18 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-11 18:50 . 2008-06-13 12:05 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 18:50 . 2008-06-13 12:05 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 18:50 . 2008-05-08 15:02 203,136 --a--c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-10 12:27 . 2008-04-14 01:12 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-06-10 12:26 . 2004-08-03 22:41 1,041,536 --a------ C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-06-10 12:25 . 2008-04-14 01:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-07 13:16 --------- d-----w C:\Documents and Settings\User\Application Data\LimeWire
2008-07-06 16:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-05 08:35 --------- d-----w C:\Program Files\Java
2008-06-06 12:16 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-16 10:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 18:48 --------- d-----w C:\Program Files\QuickTime
2008-05-08 18:48 --------- d-----w C:\Program Files\iTunes
2008-05-08 18:48 --------- d-----w C:\Program Files\iPod
2008-05-08 18:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-08 18:46 --------- d-----w C:\Program Files\Common Files\Apple
2008-05-08 18:46 --------- d-----w C:\Program Files\Apple Software Update
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 04:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 04:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 04:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:43 9,728 ----a-w C:\WINDOWS\system32\comsdupd.exe
2008-04-13 18:43 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
2006-12-12 10:13 32,768 ----a-w C:\Documents and Settings\All Users\Application Data\EBLib.dll
2006-07-28 15:25 19,456 ----a-w C:\Documents and Settings\All Users\Application Data\LPCFilter.sys
.

((((((((((((((((((((((((((((( [email protected]_ 8.50.37.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-07 07:46:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-07 13:14:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 11:26 65536]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-07 16:39 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-07 16:36 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 16:40 118784]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2006-04-12 16:31 638976]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 13:45 28672]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2006-05-25 11:17 65536]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2007-06-01 05:40 53248]
"DDWMon"="C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 11:49 495616]
"topi"="C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 09:24 581632]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-05-11 10:06 143360]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-24 14:40 196608]
"TalkTalk"="C:\Program Files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 08:33 202016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 22:49 16377344 C:\WINDOWS\RTHDCPL.exe]
"TPSMain"="TPSMain.exe" [2005-08-11 14:33 266240 C:\WINDOWS\system32\TPSMain.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2007-06-30 08:18 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
"TDispVol"="TDispVol.exe" [2005-12-27 13:22 73728 C:\WINDOWS\system32\TDispVol.exe]
"Zooming"="ZoomingHook.exe" [2005-06-06 09:58 24576 C:\WINDOWS\system32\ZoomingHook.exe]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2/8/2008 10:32:57 PM 147456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [6/21/2007 11:18:00 AM 245760]
Bluetooth Monitor.lnk - C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe [4/14/2008 4:00:57 PM 69632]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
"C:\\Program Files\\Common Files\\SupportSoft\\bin\\tgsrvc.exe"=
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
"C:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys [2007-09-10 12:09]
R1 SAVOnAccessFilter;SAVOnAccessFilter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys [2007-09-10 12:08]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);C:\Program Files\TalkTalk\bin\sprtsvc.exe [2007-10-12 08:33]
R2 ssoftnt4;ssoftnt4;C:\WINDOWS\system32\Drivers\ssoftnt4.sys [2007-01-24 12:16]
R2 tdudf;TOSHIBA UDF File System Driver;C:\WINDOWS\system32\DRIVERS\tdudf.sys [2007-03-26 12:22]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe [2007-08-02 13:42]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;C:\WINDOWS\system32\DRIVERS\trudf.sys [2007-02-19 12:15]
S3 TpChoice;Touch Pad Detection Filter driver;C:\WINDOWS\system32\DRIVERS\TpChoice.sys []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-23 09:12:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-20 13:28:37 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-09-20 13:28:38 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-09-20 13:28:38 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-08 15:32:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-08 15:33:32
ComboFix-quarantined-files.txt 2008-07-08 14:33:29
ComboFix2.txt 2008-07-07 07:51:07

Pre-Run: 66,082,947,072 bytes free
Post-Run: 66,082,902,016 bytes free

219 --- E O F --- 2008-06-21 09:30:07
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#7
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP