psywzrd

  1. I definitely did not delete that Vundobackups folder so I'm not quite sure what happened there. I did look for those files you listed and only found these two:

     C:\WINDOWS\system32\dla\tfswctrl.exe
     C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

     Also, here are the results of my Kaspersky scan:

     -------------------------------------------------------------------------------
     KASPERSKY ONLINE SCANNER REPORT
     Thursday, December 27, 2007 10:37:44 PM
     Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
     Kaspersky Online Scanner version: 5.0.98.0
     Kaspersky Anti-Virus database last update: 27/12/2007
     Kaspersky Anti-Virus database records: 498126
     -------------------------------------------------------------------------------

     Scan Settings:
     Scan using the following antivirus database: extended
     Scan Archives: true
     Scan Mail Bases: true

     Scan Target - My Computer:
     C:\
     D:\
     Z:\

     Scan Statistics:
     Total number of scanned objects: 71967
     Number of viruses found: 7
     Number of infected objects: 403
     Number of suspicious objects: 0
     Duration of the scan process: 02:19:23

     Infected Object Name / Virus Name / Last Action
     C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\image5[1].gif.bac_a01008 Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
     C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\TMP129.tmp.bac_a01008 Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
     C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\TMP200B.tmp.bac_a01008 Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
     C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\TMP206F.tmp.bac_a01008 Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
     C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\TMP20D2.tmp.bac_a01008 Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
     C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win1F8E.tmp .exe.bac_a01008 Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win1F8E.tmp .exe.bac_a01008 Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win1F8E.tmp.exe.bac_a01008 Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win206F.tmp.exe.bac_a01008 Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Documents and Settings\{owner}\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2df40f00-36d53853.zip/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped
     C:\Documents and Settings\{owner}\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2df40f00-36d53853.zip/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped
     C:\Documents and Settings\{owner}\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2df40f00-36d53853.zip/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped
     C:\Documents and Settings\{owner}\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2df40f00-36d53853.zip ZIP: infected - 3 skipped
     {snipped locked objects}
     C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\BitTorrent_DNA\dna.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\ltmoh\Ltmoh.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Messenger\msmsgs.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Microsoft ActiveSync\wcescomm .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\QuickTime\qttask.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Synaptics\SynTP\SynTPEnh.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\Synaptics\SynTP\SynTPLpr.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\TOSHIBA\TOSHIBA Applet\thotkey.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\Program Files\TOSHIBA\Tvs\TvsTray.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\qoobox\Quarantine\C\WINDOWS\system32\drvweg.dll.vir Infected: Trojan.Win32.Dialer.yz skipped
     C:\qoobox\Quarantine\C\WINDOWS\system32\ljjkjgf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cln skipped
     C:\qoobox\Quarantine\C\WINDOWS\system32\OLD54.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\qoobox\Quarantine\C\WINDOWS\system32\RCX8C.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\qoobox\Quarantine\C\WINDOWS\system32\rqrpp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\qoobox\Quarantine\catchme2007-12-24_203800.27.zip/rqrpp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
     C:\qoobox\Quarantine\catchme2007-12-24_203800.27.zip/xxyyvuv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cln skipped
     C:\qoobox\Quarantine\catchme2007-12-24_203800.27.zip ZIP: infected - 2 skipped
     C:\qoobox\Quarantine\catchme2007-12-27_154140.12.zip/rqrpp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
     C:\qoobox\Quarantine\catchme2007-12-27_154140.12.zip ZIP: infected - 1 skipped
     C:\SDFix\backups_old1\backups.zip/backups/ctfmon.exe.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\SDFix\backups_old1\backups.zip/backups/spoolsv.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
     C:\SDFix\backups_old1\backups.zip ZIP: infected - 2 skipped
     {snipped system volume information folder objects}
     C:\TOSHIBA\IVP\ISM\pinger.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\VundoFix Backups\rqrpp.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
     C:\VundoFix Backups\rqrpp.exe.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
     C:\WINDOWS\MXOALDR.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\WINDOWS\SchedLgU.Txt Object is locked skipped
     C:\WINDOWS\SM1BG.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
     C:\WINDOWS\Sti_Trace.log Object is locked skipped
     C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
     C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
     C:\WINDOWS\system32\cmd.exe.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
     C:\WINDOWS\system32\config\default Object is locked skipped
     C:\WINDOWS\system32\config\default.LOG Object is locked skipped
     C:\WINDOWS\system32\config\SAM Object is locked skipped
     C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
     C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
     C:\WINDOWS\system32\config\SECURITY Object is locked skipped
     C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
     C:\WINDOWS\system32\config\software Object is locked skipped
     C:\WINDOWS\system32\config\software.LOG Object is locked skipped
     C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
     C:\WINDOWS\system32\config\system Object is locked skipped
     C:\WINDOWS\system32\config\system.LOG Object is locked skipped
     C:\WINDOWS\system32\ctfmon.exe.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
     C:\WINDOWS\system32\ebgkpsie.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
     C:\WINDOWS\system32\h323log.txt Object is locked skipped
     C:\WINDOWS\system32\rqrpp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
     C:\WINDOWS\system32\rqrpp.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
     C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
     C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
     C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
     C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
     C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
     C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
     C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
     C:\WINDOWS\wiadebug.log Object is locked skipped
     C:\WINDOWS\wiaservc.log Object is locked skipped
     C:\WINDOWS\WindowsUpdate.log Object is locked skipped

     Scan process completed.
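The report in the post above is mostly repeats and quarantine hits: the scanner emits one line per detection on the same path, and a large share of the 403 "infected objects" sit in folders that HouseCall, ComboFix (qoobox), VundoFix and SDFix had already isolated. The script below is an added example, not the poster's or Kaspersky's code. It parses lines in the report's format, splits hits on live files from hits on those contained copies, collapses the repeated paths, counts verdicts, and flags file names with whitespace before the extension (the "Smax4 .exe" / "qttask .exe" shape seen in the log). SAMPLE_REPORT is constructed in the report's format; the list of quarantine folders and the whitespace rule are assumptions of this example, not something the scanner outputs.

```python
"""Triage a Kaspersky Online Scanner report (added example, not code from
the original post or from Kaspersky).  The sample below is constructed in
the report's line format; it is not the poster's data."""
import re
from collections import Counter

# Constructed sample, same line shapes as the scanner report.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\TMP129.tmp.bac_a01008 Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win1F8E.tmp .exe.bac_a01008 Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rqrpp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\catchme2007-12-24_203800.27.zip ZIP: infected - 2 skipped
C:\VundoFix Backups\rqrpp.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\rqrpp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\WINDOWS\system32\ebgkpsie.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
Scan process completed.
"""

# Assumption: hits under these folders are copies already isolated by the
# cleanup tools used in the thread, not active files.
CONTAINED_MARKERS = ("\\quarantine\\", "\\vundofix backups\\", "\\sdfix\\", "\\qoobox\\")

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<verdict>\S+)"
    r"|ZIP: infected - (?P<members>\d+)"
    r"|(?P<locked>Object is locked)) skipped$"
)
# Whitespace immediately before an extension, e.g. "qttask .exe".
SPACED_EXT_RE = re.compile(r"\S\s+\.[A-Za-z0-9]+")


def parse_report(text):
    """One record per report line that names an object; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m.group("locked"):
            status, verdict = "locked", None
        elif m.group("members"):
            status, verdict = "archive", f"archive with {m.group('members')} infected member(s)"
        else:
            status, verdict = "infected", m.group("verdict")
        records.append({"path": m.group("path"), "status": status, "verdict": verdict})
    return records


def is_contained(path):
    low = path.lower()
    return any(marker in low for marker in CONTAINED_MARKERS)


def triage(records):
    """Split hits into live vs contained, count verdicts, and flag spaced names."""
    live, contained = {}, {}
    for r in records:
        if r["status"] == "locked":
            continue
        bucket = contained if is_contained(r["path"]) else live
        bucket.setdefault(r["path"], r["verdict"])  # the scanner repeats a path per detection
    verdicts = Counter(r["verdict"] for r in records if r["status"] == "infected")
    spaced = sorted(p for p in live if SPACED_EXT_RE.search(p.rsplit("\\", 1)[-1]))
    return {
        "live": live,
        "contained": contained,
        "locked": sum(r["status"] == "locked" for r in records),
        "verdicts": verdicts,
        "spaced_names": spaced,
    }


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print(f"live: {len(result['live'])}  contained: {len(result['contained'])}  locked: {result['locked']}")
    for verdict, n in result["verdicts"].most_common():
        print(f"{n:3d}  {verdict}")
    for path in result["spaced_names"]:
        print("review (space before extension):", path)
```

On the constructed sample this leaves three live paths to act on out of ten report lines; run against a full report, the "live" dictionary is the list worth pasting back to the helper, and "contained" can be cleared by emptying the tools' quarantine folders once the machine is clean.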
  2. Regarding the last step in your post, did you mean rqrpp.exe and rqrpp.dll?
  3. I posted my latest logs before I saw Jane's message above. While I was waiting for HJThis to get back to me about this, I uninstalled several programs that appeared to be infected. They are as follows:

     Intel® PROSet/Wireless Software
     Maxtor OneTouch
     Microsoft ActiveSync
     Notebook Maximizer
     QuickTime
     Retrospect Express HD 1.1
     ScanSoft OmniPage Pro 14.0
     ScanSoft PaperPort 11
     SoundMAX
     Trend Micro PC-cillin Internet Security 2007
     Viewpoint Media Player

     I am running a Kaspersky scan as I type this (I'm posting from a different computer). It's just 6% done and it has already found 3 viruses and 13 infected objects. As far as having backups of my data, I had been running nightly backups up until the time my computer started showing signs of infection; therefore, I'm a little worried that my backups may be infected as well. I do have my recovery discs etc. but I obviously prefer to try to fix this without resorting to that because I don't have much confidence in my backups at this point. I'll let this Kaspersky scan run its course and wait to hear back from you guys on how to proceed.
  4. Ok - things seem to have improved significantly (although I'm sure you'll be able to tell me just how close we are to fixing my problems); however, I'm still getting an error message every time my computer reboots (Error loading c:\windows\system32\ndaTqsVqrX.dll. The specified module could not be found). That dll file is definitely not in the specified directory (which makes sense based on the error message). Here are the requested logs:

     VundoFix V6.7.7

     Checking Java version...

     Scan started at 9:01:08 PM 12/22/2007

     Listing files found while scanning....

     C:\WINDOWS\system32\dla\tfswctrl.exe
     C:\WINDOWS\system32\hkcmd.exe
     C:\WINDOWS\system32\hphmon04.exe
     C:\WINDOWS\system32\igfxtray.exe
     C:\WINDOWS\system32\pprqr.ini
     C:\WINDOWS\system32\pprqr.ini2
     C:\WINDOWS\system32\rqrpp.dll
     C:\WINDOWS\system32\rqrpp.exe
     C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
     C:\WINDOWS\system32\winsfg32.dll

     Beginning removal...

     Attempting to delete C:\WINDOWS\system32\dla\tfswctrl.exe
     C:\WINDOWS\system32\dla\tfswctrl.exe Has been deleted!

     Attempting to delete C:\WINDOWS\system32\hkcmd.exe
     C:\WINDOWS\system32\hkcmd.exe Has been deleted!

     Attempting to delete C:\WINDOWS\system32\hphmon04.exe
     C:\WINDOWS\system32\hphmon04.exe Has been deleted!

     Attempting to delete C:\WINDOWS\system32\igfxtray.exe
     C:\WINDOWS\system32\igfxtray.exe Has been deleted!

     Attempting to delete C:\WINDOWS\system32\pprqr.ini
     C:\WINDOWS\system32\pprqr.ini Has been deleted!

     Attempting to delete C:\WINDOWS\system32\pprqr.ini2
     C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

     Attempting to delete C:\WINDOWS\system32\rqrpp.dll
     C:\WINDOWS\system32\rqrpp.dll Could not be deleted.

     Attempting to delete C:\WINDOWS\system32\rqrpp.exe
     C:\WINDOWS\system32\rqrpp.exe Has been deleted!

     Attempting to delete C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
     C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe Has been deleted!

     Attempting to delete C:\WINDOWS\system32\winsfg32.dll
     C:\WINDOWS\system32\winsfg32.dll Has been deleted!

     Performing Repairs to the registry.
     Done!

     Beginning removal...

     Attempting to delete C:\WINDOWS\system32\pprqr.ini
     C:\WINDOWS\system32\pprqr.ini Has been deleted!

     Attempting to delete C:\WINDOWS\system32\pprqr.ini2
     C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

     Attempting to delete C:\WINDOWS\system32\rqrpp.dll
     C:\WINDOWS\system32\rqrpp.dll Has been deleted!

     Performing Repairs to the registry.
     Done!

     VundoFix V6.7.7

     Checking Java version...

     Scan started at 10:24:56 PM 12/23/2007

     Listing files found while scanning....

     C:\WINDOWS\system32\pprqr.ini
     C:\WINDOWS\system32\pprqr.ini2
     C:\WINDOWS\system32\rqrpp.dll
     C:\WINDOWS\system32\rqrpp.exe

     Beginning removal...

     Attempting to delete C:\WINDOWS\system32\pprqr.ini
     C:\WINDOWS\system32\pprqr.ini Has been deleted!

     Attempting to delete C:\WINDOWS\system32\pprqr.ini2
     C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

     Attempting to delete C:\WINDOWS\system32\rqrpp.dll
     C:\WINDOWS\system32\rqrpp.dll Could not be deleted.

     Attempting to delete C:\WINDOWS\system32\rqrpp.exe
     C:\WINDOWS\system32\rqrpp.exe Has been deleted!

     Performing Repairs to the registry.
     Done!

     Beginning removal...

     Attempting to delete C:\WINDOWS\system32\pprqr.ini
     C:\WINDOWS\system32\pprqr.ini Has been deleted!

     Attempting to delete C:\WINDOWS\system32\pprqr.ini2
     C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

     Attempting to delete C:\WINDOWS\system32\rqrpp.dll
     C:\WINDOWS\system32\rqrpp.dll Has been deleted!

     Performing Repairs to the registry.
     Done!

     VundoFix V6.7.7

     Checking Java version...

     Scan started at 11:35:18 AM 12/26/2007

     Listing files found while scanning....

     C:\WINDOWS\system32\pprqr.ini
     C:\WINDOWS\system32\pprqr.ini2
     C:\WINDOWS\system32\rqrpp.dll
     C:\WINDOWS\system32\rqrpp.exe

     Beginning removal...

     Attempting to delete C:\WINDOWS\system32\pprqr.ini
     C:\WINDOWS\system32\pprqr.ini Has been deleted!

     Attempting to delete C:\WINDOWS\system32\pprqr.ini2
     C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

     Attempting to delete C:\WINDOWS\system32\rqrpp.dll
     C:\WINDOWS\system32\rqrpp.dll Could not be deleted.

     Attempting to delete C:\WINDOWS\system32\rqrpp.exe
     C:\WINDOWS\system32\rqrpp.exe Has been deleted!

     Performing Repairs to the registry.
     Done!

     Beginning removal...

     Attempting to delete C:\WINDOWS\system32\pprqr.ini
     C:\WINDOWS\system32\pprqr.ini Has been deleted!

     Attempting to delete C:\WINDOWS\system32\pprqr.ini2
     C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

     Attempting to delete C:\WINDOWS\system32\rqrpp.dll
     C:\WINDOWS\system32\rqrpp.dll Has been deleted!

     Performing Repairs to the registry.
     Done!

     Beginning removal...

     Attempting to delete C:\WINDOWS\system32\mcrh.tmp
     C:\WINDOWS\system32\mcrh.tmp Has been deleted!

     Attempting to delete C:\WINDOWS\system32\pprqr.ini2
     C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

     Attempting to delete C:\WINDOWS\system32\rqrpp.dll
     C:\WINDOWS\system32\rqrpp.dll Could not be deleted.

     Attempting to delete C:\WINDOWS\system32\rqrpp.exe
     C:\WINDOWS\system32\rqrpp.exe Has been deleted!

     Performing Repairs to the registry.
     Done!

     VundoFix V6.7.7

     Checking Java version...

     Scan started at 4:11:40 PM 12/27/2007

     Listing files found while scanning....

     C:\WINDOWS\system32\pprqr.ini
     C:\WINDOWS\system32\pprqr.ini2
     C:\WINDOWS\system32\rqrpp.dll
     C:\WINDOWS\system32\rqrpp.exe

     Beginning removal...

     Attempting to delete C:\WINDOWS\system32\pprqr.ini
     C:\WINDOWS\system32\pprqr.ini Has been deleted!

     Attempting to delete C:\WINDOWS\system32\pprqr.ini2
     C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

     Attempting to delete C:\WINDOWS\system32\rqrpp.dll
     C:\WINDOWS\system32\rqrpp.dll Has been deleted!

     Attempting to delete C:\WINDOWS\system32\rqrpp.exe
     C:\WINDOWS\system32\rqrpp.exe Has been deleted!

     Performing Repairs to the registry.
     Done!
     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 5:16:44 PM, on 12/27/2007
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
     C:\WINDOWS\system32\DVDRAMSV.exe
     C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
     C:\WINDOWS\system32\svchost.exe
     c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
     C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
     C:\WINDOWS\AGRSMMSG.exe
     C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
     C:\WINDOWS\system32\TPSMain.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\WINDOWS\system32\RunDLL32.exe
     C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
     C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
     C:\TOSHIBA\IVP\ISM\pinger .exe
     C:\WINDOWS\SM1BG .EXE
     C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
     C:\WINDOWS\system32\RAMASST.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\WINDOWS\system32\rundll32.exe
     C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
     C:\WINDOWS\system32\TPSBattM.exe
     C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\Program Files\Trend Micro\HijackThis\psywzrd.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
     F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe
     O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
     O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
     O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
     O2 - BHO: (no name) - {B93D6D28-77CF-4293-B9FD-919F1183C211} - C:\WINDOWS\system32\rqrpp.dll
     O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
     O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
     O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
     O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
     O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
     O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
     O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
     O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
     O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
     O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
     O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
     O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
     O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
     O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
     O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
     O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
     O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
     O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
     O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     O9 - Extra button: (no name) - AutorunsDisabled - (no file)
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
     O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
     O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
     O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
     O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
     O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
     O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
     O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
     O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
     O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
     O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
     O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
     O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
     O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
     O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
     O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
     O23 - Service: TOSHIBA Application Service (TAPPSRV) -  TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

     --
     End of file - 6849 bytes
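The HijackThis log in the post above carries four patterns that a helper reads off by eye: a populated win.ini load= line (F3), a BHO with no registered name pointing at a DLL in system32 (O2), an autostart under Policies\Explorer\Run that uses rundll32 to load a random-looking DLL (O4), and running processes named "SynTPLpr .exe" or "SM1BG .EXE" whose Run-key entries point at "SynTPLpr.exe" and "SM1BG.EXE". The script below is an added example, not from the original post and not HijackThis code; it parses lines in HijackThis's format and reports those four patterns, pairing each spaced-name process with its autostart twin. SAMPLE_LOG is constructed in that format, and the rule names and the "rarely legitimate" heuristic for Policies\Explorer\Run are this example's assumptions.

```python
r"""Triage a HijackThis log for a populated win.ini load=, unnamed BHOs,
Policies\Explorer\Run autostarts and "name .exe" processes (added example,
not the original post's data and not HijackThis code).  SAMPLE_LOG is
constructed in HijackThis's line format."""
import re

SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\WINDOWS\SM1BG .EXE

F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B93D6D28-77CF-4293-B9FD-919F1183C211} - C:\WINDOWS\system32\rqrpp.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")
F3_RE = re.compile(r"^F3 - REG:win\.ini: load=(?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Any drive-letter path ending in an executable extension, quoted or not.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^",]*?\.(?:exe|dll|scr|com))"?', re.I)
# "name .exe": whitespace between the stem and the final extension.
SPACED_EXT_RE = re.compile(r"^(?P<stem>.*\S)\s+(?P<ext>\.[A-Za-z0-9]+)$")


def split_sections(text):
    """Return (running process paths, Oxx/Fx entry lines)."""
    procs, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # the process list ends at the first blank line
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            procs.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return procs, entries


def paths_in(cmd):
    return [m.group("path") for m in PATH_RE.finditer(cmd)]


def triage(text):
    """Return a list of findings, each {'rule', 'line', 'reason'}."""
    procs, entries = split_sections(text)
    findings = []
    o4_by_target = {}                 # lower-cased launched path -> O4 line

    for line in entries:
        if m := F3_RE.match(line):
            if m.group("value").strip():
                findings.append({"rule": "f3-load", "line": line,
                                 "reason": "win.ini load= is normally empty; this value runs at logon"})
        elif m := O2_RE.match(line):
            if m.group("name") == "(no name)":
                findings.append({"rule": "unnamed-bho", "line": line,
                                 "reason": f"BHO with no registered name loads {m.group('path')} into IE"})
        elif m := O4_RE.match(line):
            for p in paths_in(m.group("cmd")):
                o4_by_target[p.lower()] = line
            if "policies\\explorer\\run" in m.group("key").lower():
                dlls = [p for p in paths_in(m.group("cmd")) if p.lower().endswith(".dll")]
                reason = "Policies\\Explorer\\Run autostart (heuristic: rarely used by legitimate installers)"
                if dlls:
                    reason += "; loads " + ", ".join(dlls)
                findings.append({"rule": "policies-run", "line": line, "reason": reason})

    for proc in procs:
        m = SPACED_EXT_RE.match(proc)
        if not m:
            continue
        twin = (m.group("stem") + m.group("ext")).lower()
        reason = "running image has whitespace before its extension"
        if twin in o4_by_target:
            reason += f"; autostart twin: {o4_by_target[twin]}"
        findings.append({"rule": "spaced-extension", "line": proc, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['line']}\n    {f['reason']}")
```

The twin pairing is the useful part: a Run key that names "X.exe" while the process list shows "X .exe" means the file at the Run-key path is no longer the vendor's binary but something that launches the renamed original, which is why a scanner reports the same product under both spellings.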
  5. ComboFix 07-12-21.4 - {owner} 2007-12-27 12:38:19.4 - NTFSx86
     Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.244 [GMT -5:00]
     Running from: C:\Documents and Settings\{owner}\Desktop\ComboFix.exe
     Command switches used :: C:\Documents and Settings\{owner}\Desktop\CFScript.txt
     * Created a new restore point

     FILE
     C:\WINDOWS\system32\njprckha
     C:\WINDOWS\system32\pprqr.ini
     C:\WINDOWS\system32\rqrpp.dll
     .

     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     C:\WINDOWS\ppqvmpqr
     C:\WINDOWS\ppqvmpqr\1.png
     C:\WINDOWS\ppqvmpqr\2.png
     C:\WINDOWS\ppqvmpqr\3.png
     C:\WINDOWS\ppqvmpqr\4.png
     C:\WINDOWS\ppqvmpqr\5.png
     C:\WINDOWS\ppqvmpqr\6.png
     C:\WINDOWS\ppqvmpqr\bottom-rc.gif
     C:\WINDOWS\ppqvmpqr\content.png
     C:\WINDOWS\ppqvmpqr\download.gif
     C:\WINDOWS\ppqvmpqr\frame-bottom-left.gif
     C:\WINDOWS\ppqvmpqr\frame-h1bg.gif
     C:\WINDOWS\ppqvmpqr\head.png
     C:\WINDOWS\ppqvmpqr\indexuc.html
     C:\WINDOWS\ppqvmpqr\indexud.html
     C:\WINDOWS\ppqvmpqr\main.css
     C:\WINDOWS\ppqvmpqr\net.png
     C:\WINDOWS\ppqvmpqr\pc-mag.gif
     C:\WINDOWS\ppqvmpqr\pc.gif
     C:\WINDOWS\ppqvmpqr\poloska1.png
     C:\WINDOWS\ppqvmpqr\poloska2.png
     C:\WINDOWS\ppqvmpqr\poloska3.png
     C:\WINDOWS\ppqvmpqr\promouc1.html
     C:\WINDOWS\ppqvmpqr\promouc2.html
     C:\WINDOWS\ppqvmpqr\promouc3.html
     C:\WINDOWS\ppqvmpqr\promouc4.html
     C:\WINDOWS\ppqvmpqr\promouc5.html
     C:\WINDOWS\ppqvmpqr\promoud1.html
     C:\WINDOWS\ppqvmpqr\promoud2.html
     C:\WINDOWS\ppqvmpqr\promoud3.html
     C:\WINDOWS\ppqvmpqr\promoud4.html
     C:\WINDOWS\ppqvmpqr\promoud5.html
     C:\WINDOWS\ppqvmpqr\reg.png
     C:\WINDOWS\ppqvmpqr\repair.png
     C:\WINDOWS\ppqvmpqr\scr-1.png
     C:\WINDOWS\ppqvmpqr\scr-2.png
     C:\WINDOWS\ppqvmpqr\styles.css
     C:\WINDOWS\ppqvmpqr\top-rc.gif
     C:\WINDOWS\ppqvmpqr\vline.gif
     C:\WINDOWS\system32\pprqr.ini
     C:\WINDOWS\system32\rqrpp.dll
     .

     ((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
     .

     2007-12-27 12:49 . 2007-12-27 12:49 331,776 --------- C:\WINDOWS\system32\rqrpp.dll
     2007-12-27 12:49 . 2007-12-27 12:53 493 --ahs---- C:\WINDOWS\system32\pprqr.ini2
     2007-12-27 12:29 . 2007-12-27 12:34 143 --a------ C:\WINDOWS\system32\mcrh.tmp
     2007-12-26 13:38 . 2007-12-27 12:50 335,360 --a------ C:\WINDOWS\system32\rqrpp.exe
     2007-12-26 11:35 . 2007-12-26 13:37 <DIR> d-------- C:\VundoFix Backups
     2007-12-26 11:14 . 2007-12-27 12:50 388,608 --a------ C:\WINDOWS\system32\cmd .exe
     2007-12-22 23:11 . 2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
     2007-12-21 23:45 . 2007-12-21 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
     2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
     2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT
     2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
     2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
     2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
     2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
     2007-12-20 18:14 . 2007-12-20 18:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
     2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
     2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
     2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
     2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
     2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
     2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
     2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
     2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
     2007-12-19 20:48 . 2007-12-19 20:48 <DIR> d-------- C:\WINDOWS\system32\njprckha
     2007-12-19 19:45 . 2007-12-22 23:04 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
     2007-12-19 19:43 . 2007-12-27 11:18 94,208 --a------ C:\WINDOWS\MXOALDR .EXE
     2007-12-19 19:42 . 2007-12-27 11:17 94,208 --a------ C:\WINDOWS\SM1BG .EXE
     2007-12-19 19:41 . 2007-12-22 14:00 339,968 --a------ C:\WINDOWS\system32\hphmon04 .exe
     2007-12-19 19:39 . 2007-12-22 13:58 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe
     2007-12-19 19:39 . 2007-12-22 13:57 126,976 --a------ C:\WINDOWS\system32\hkcmd .exe
     2007-12-17 20:10 . 2007-12-17 21:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
     2007-12-17 20:10 . 2007-12-17 20:10 1,409 --a------ C:\WINDOWS\QTFont.for
     2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect
     2007-12-06 17:28 . 2007-12-27 11:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
     2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor
     2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks
     2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums
     .

     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .

     2007-12-27 17:50 --------- d-----w C:\Program Files\QuickTime
     2007-12-27 17:49 430,592 ----a-w C:\WINDOWS\SM1BG.EXE
     2007-12-27 17:49 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE
     2007-12-27 17:49 --------- d-----w C:\Program Files\Notebook Maximizer
     2007-12-27 17:49 --------- d-----w C:\Program Files\Microsoft ActiveSync
     2007-12-27 17:49 --------- d-----w C:\Program Files\ltmoh
     2007-12-27 17:34 --------- d-----w C:\Program Files\BitTorrent_DNA
     2007-12-23 04:50 --------- d-----w C:\Documents and Settings\{owner}\Application Data\BitTorrent DNA
     2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro
     2007-12-20 23:41 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
     2007-12-19 13:53 --------- d-----w C:\Program Files\eMule
     2007-12-19 03:47 --------- d-----w C:\Documents and Settings\{owner}\Application Data\BitTorrent
     2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
     2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN
     2007-11-18 20:14 --------- d-----w C:\Program Files\iNav
     2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
     2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile
     2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools
     2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2
     2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
     2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent
     2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000
     2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
     2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
     2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\{owner}\GoToAssist_chat2way__317_en.exe
     2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\{owner}\chatlnk.exe
     2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
     .
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{464E825D-3523-410E-970A-1C5676F49F0A}] 2007-12-27 12:49 331776 --------- C:\WINDOWS\system32\rqrpp.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00] "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-27 12:49] "OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00] "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [2007-12-27 12:49] "SpriteService"="" [] "BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna .exe" [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [] "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-27 12:49] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-27 12:49] "THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2007-12-27 12:49] "NDSTray.exe"="NDSTray.exe" [] "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-12-27 12:49] "AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe] "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-12-27 12:49] "Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2007-12-27 12:49] "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2007-12-27 12:49] "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2007-12-27 12:58] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [] "TFncKy"="TFncKy.exe" [] "TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe] "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [] "Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2007-12-27 12:49] "Notebook 
Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2007-12-27 12:49] "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [] "HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [] "pccguide.exe"="C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe" [2007-12-27 12:49] "SM1BG"="C:\WINDOWS\SM1BG.EXE" [2007-12-27 12:49] "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-12-27 12:49] "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-12-27 12:49] "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-12-27 12:49] "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-12-27 12:49] "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-12-27 12:49] "MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [] "MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2007-12-27 12:49] "RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2007-12-27 12:50] "QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-27 13:01] C:\Documents and Settings\{owner}\Start Menu\Programs\Startup\ Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34] PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless] C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2006-01-27 05:12 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows] "load"=C:\WINDOWS\system32\rqrpp.exe [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04] 2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot] 2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14] 2005-10-04 18:09 57344 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask.exe -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc] 2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon] 2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService] 2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray] 2005-10-04 18:10 155757 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}] \Shell\AutoRun\command - E:\setupSNK.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}] \Shell\AutoRun\command - setupSNK.exe . 
************************************************************************** catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-27 12:55:02 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-12-27 13:08:04 - machine was rebooted C:\ComboFix2.txt ... 2007-12-26 11:33 C:\ComboFix3.txt ... 2007-12-24 20:42 . 2007-12-21 14:19:06 --- E O F --- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:09:44 PM, on 12/27/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe c:\TOSHIBA\IVP\swupdate\swupdtmr.exe C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe C:\WINDOWS\system32\fxssvc.exe C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe C:\PROGRA~1\TRENDM~1\INTERN~3\PccGuide .exe C:\Program Files\Synaptics\SynTP\SynTPLpr .exe 
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\Program Files\Toshiba\Toshiba Applet\thotkey .exe C:\Program Files\Synaptics\SynTP\SynTPEnh .exe C:\Program Files\ltmoh\Ltmoh .exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe C:\Program Files\Toshiba\Tvs\TvsTray .exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\WINDOWS\system32\TPSMain.exe C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe C:\WINDOWS\system32\TPSBattM.exe C:\WINDOWS\SM1BG .EXE C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe C:\WINDOWS\MXOALDR .EXE C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\RunDLL32.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe C:\Program Files\Microsoft ActiveSync\wcescomm .exe C:\WINDOWS\system32\RAMASST.exe C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe C:\PROGRA~1\MICROS~4\rapimgr.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\RETROS~1\RETROS~1.1\retrospect.exe C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe C:\Program Files\Trend Micro\HijackThis\psywzrd.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {464E825D-3523-410E-970A-1C5676F49F0A} - C:\WINDOWS\system32\rqrpp.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: 
[synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [TFncKy] TFncKy.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE O4 - HKLM\..\Run: [intelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h O4 - 
HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe" O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna .exe" O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - AutorunsDisabled - (no file) O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... 
- {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. 
- C:\WINDOWS\system32\DVDRAMSV.exe O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. 
- C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe -- End of file - 11183 bytes
6. No worries - I can totally relate to the computer problems. Plus it is the holidays so I'm sure you have better things to do as well. Anyway, you mentioned that I should disable all programs you had me do before so I'm assuming that just means you want me to turn off my PC-Cillin. It's off since I don't have that computer connected to the internet anyway but if you needed me to do something else, please let me know. Here are the logs you requested (still getting some error messages when my computer boots up but I assume you'll see that in the logs). Thank you for your time.

ComboFix 07-12-21.4 - {owner} 2007-12-24 19:55:09.2 - NTFSx86 Running from: C:\Documents and Settings\{owner}\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\{owner}\Desktop\CFScript.txt * Created a new restore point FILE C:\WINDOWS\system32\drvweg.dll C:\WINDOWS\system32\ljjkjgf.dll C:\WINDOWS\system32\ndaTqsVqrX.dll C:\WINDOWS\system32\njprckha C:\WINDOWS\system32\OLD54.tmp C:\WINDOWS\system32\pprqr.ini C:\WINDOWS\system32\pprqr.ini2 C:\WINDOWS\system32\RCX8C.tmp C:\WINDOWS\system32\rqrpp.dll C:\WINDOWS\system32\rqrpp.exe C:\WINDOWS\system32\xxyyvuv.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\PerfInfo C:\WINDOWS\PerfInfo\lB8v7JNIMpuc.exe.bak C:\WINDOWS\system32\drvweg.dll C:\WINDOWS\system32\ljjkjgf.dll C:\WINDOWS\system32\ndaTqsVqrX.dll C:\WINDOWS\system32\OLD54.tmp C:\WINDOWS\system32\pprqr.ini C:\WINDOWS\system32\pprqr.ini2 C:\WINDOWS\system32\RCX8C.tmp C:\WINDOWS\system32\rqrpp.dll C:\WINDOWS\system32\rqrpp.exe C:\WINDOWS\system32\xxyyvuv.dll C:\WINDOWS\system32\rqrpp.dll . . . . failed to delete . ((((((((((((((((((((((((( Files Created from 2007-11-25 to 2007-12-25 ))))))))))))))))))))))))))))))) . 2007-12-24 20:34 . 2007-12-24 20:34 331,776 --------- C:\WINDOWS\system32\rqrpp.dll 2007-12-23 12:53 . 2007-12-23 12:53 <DIR> d-------- C:\WINDOWS\ppqvmpqr 2007-12-22 23:11 . 
2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group 2007-12-21 23:45 . 2007-12-21 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab 2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT 2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6 2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft 2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder 2007-12-20 18:14 . 2007-12-20 18:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel 2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS 2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver 2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba 2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec 2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit 2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo 2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust 2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL 2007-12-19 20:48 . 2007-12-19 20:48 <DIR> d-------- C:\WINDOWS\system32\njprckha 2007-12-19 19:45 . 
2007-12-22 23:04 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe 2007-12-19 19:43 . 2007-12-24 01:08 94,208 --a------ C:\WINDOWS\MXOALDR .EXE 2007-12-19 19:42 . 2007-12-24 01:06 94,208 --a------ C:\WINDOWS\SM1BG .EXE 2007-12-19 19:41 . 2007-12-22 14:00 339,968 --a------ C:\WINDOWS\system32\hphmon04 .exe 2007-12-19 19:39 . 2007-12-22 13:58 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe 2007-12-19 19:39 . 2007-12-22 13:57 126,976 --a------ C:\WINDOWS\system32\hkcmd .exe 2007-12-17 20:10 . 2007-12-17 21:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2007-12-17 20:10 . 2007-12-17 20:10 1,409 --a------ C:\WINDOWS\QTFont.for 2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect 2007-12-06 17:28 . 2007-12-24 01:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp 2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor 2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks 2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2007-12-25 01:36 --------- d-----w C:\Program Files\QuickTime 2007-12-25 01:35 430,592 ----a-w C:\WINDOWS\SM1BG.EXE 2007-12-25 01:35 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE 2007-12-25 01:35 --------- d-----w C:\Program Files\Notebook Maximizer 2007-12-25 01:35 --------- d-----w C:\Program Files\ltmoh 2007-12-25 01:34 --------- d-----w C:\Program Files\Microsoft ActiveSync 2007-12-25 01:34 --------- d-----w C:\Program Files\BitTorrent_DNA 2007-12-23 04:50 --------- d-----w C:\Documents and Settings\{owner}\Application Data\BitTorrent DNA 2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro 2007-12-20 23:41 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys 2007-12-19 13:53 --------- d-----w C:\Program Files\eMule 2007-12-19 03:47 --------- d-----w C:\Documents and Settings\{owner}\Application Data\BitTorrent 2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN 2007-11-18 20:14 --------- d-----w C:\Program Files\iNav 2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys 2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile 2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools 2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2 2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent 2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000 2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll 2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll 2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\{owner}\GoToAssist_chat2way__317_en.exe 2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\{owner}\chatlnk.exe 2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll . 
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE3469A0-D7BC-432E-A7C4-29F6821FC8B8}]
2007-12-24 20:34 331776 --------- C:\WINDOWS\system32\rqrpp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-24 20:34]
"OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [2007-12-24 20:34]
"SpriteService"="" []
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna .exe" [2007-12-24 20:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-24 20:34]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-24 20:34]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2007-12-24 20:35]
"NDSTray.exe"="NDSTray.exe" []
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-12-24 20:35]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-12-24 20:35]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2007-12-24 20:35]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2007-12-24 20:35]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2007-12-24 20:35]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" []
"TFncKy"="TFncKy.exe" []
"TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2007-12-24 20:35]
"Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2007-12-24 20:35]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" []
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" []
"pccguide.exe"="C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe" [2007-12-24 20:35]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2007-12-24 20:35]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-12-24 20:35]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-12-24 20:35]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-12-24 20:35]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-12-24 20:35]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-12-24 20:35]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" []
"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2007-12-24 20:35]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2007-12-24 20:36]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-24 20:36]

C:\Documents and Settings\{owner}\Start Menu\Programs\Startup\
Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34]
PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2006-01-27 05:12 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\rqrpp.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]
2005-10-04 18:09 57344 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]
2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]
2005-10-04 18:10 155757 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 02:00]
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys [2005-03-08 21:05]
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys [2005-03-08 20:54]
R3 pnetmdm;PdaNet Modem;C:\WINDOWS\system32\DRIVERS\pnetmdm.sys [2006-09-28 15:32]
S3 pgfilter;pgfilter;C:\Program Files\PeerGuardian2\pgfilter.sys [2005-09-18 18:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}]
\Shell\AutoRun\command - setupSNK.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 20:39:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\pprqr.ini 442 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\rqrpp.dll

.
Completion time: 2007-12-24 20:42:25 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-24 01:34
.
2007-12-21 14:19:06 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:04 PM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PccGuide .exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey .exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh .exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
C:\Program Files\Toshiba\Tvs\TvsTray .exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\WINDOWS\SM1BG .EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\MXOALDR .EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress .exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\BitTorrent_DNA\dna .exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [intelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna .exe"
O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

--
End of file - 10939 bytes
7. Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:46:24 AM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey .exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh .exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
C:\Program Files\Toshiba\Tvs\TvsTray .exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\WINDOWS\system32\TPSMain.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide .exe
C:\WINDOWS\SM1BG .EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe
C:\WINDOWS\MXOALDR .EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress .exe
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrospect.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\BitTorrent_DNA\dna .exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [intelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [zotcridi] rundll32.exe "C:\Program Files\fubszkho\vczmferq.dll",Init
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win1F8E.tmp .exe
O4 - HKLM\..\Run: [lotqzorg] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lotqzorg.dll"
O4 - HKLM\..\Run: [sC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [xwpcpefy] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xwpcpefy.dll"
O4 - HKLM\..\Run: [vilsrcfe] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\vilsrcfe.dll"
O4 - HKLM\..\Run: [xorevota] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xorevota.dll"
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna .exe"
O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

--
End of file - 11770 bytes
  8. ComboFix 07-12-21.4 - {owner} 2007-12-24 0:33:42.1 - NTFSx86 Running from: C:\Documents and Settings\{owner}\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Program Files\Cglrdyzv C:\Program Files\Cglrdyzv\euanwhov.dll C:\Program Files\fubszkho C:\Program Files\fubszkho\vczmferq.dll C:\Program Files\Sancktje C:\Program Files\Sancktje\jymnyjih.dll C:\Program Files\Umlnojon C:\Program Files\Umlnojon\zbhqcxgu.dll C:\Program Files\Uodyhzhz C:\Program Files\Uodyhzhz\vfdlyamd.dll C:\Program Files\xedmrglg C:\Program Files\xedmrglg\vcnctide.dll C:\WINDOWS\PerfInfo C:\WINDOWS\PerfInfo\lB8v7JNIMpuc.exe C:\WINDOWS\PerfInfo\lB8v7JNIMpud.exe C:\WINDOWS\system32\drvran.dll C:\WINDOWS\system32\pprqr.ini C:\WINDOWS\system32\pprqr.ini2 C:\WINDOWS\system32\rqrpp.dll . ((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 ))))))))))))))))))))))))))))))) . 2007-12-24 01:15 . 2007-12-24 01:18 391 --ahs---- C:\WINDOWS\system32\pprqr.ini2 2007-12-24 01:15 . 2007-12-24 01:18 391 --ahs---- C:\WINDOWS\system32\pprqr.ini 2007-12-24 01:07 . 2007-12-24 01:07 <DIR> d-------- C:\WINDOWS\LastGood 2007-12-24 01:07 . 2007-12-24 01:07 749,056 --a------ C:\WINDOWS\system32\OLD54.tmp 2007-12-24 01:02 . 2007-12-24 01:02 <DIR> d-------- C:\WINDOWS\PerfInfo 2007-12-23 23:59 . 2007-12-24 00:51 331,776 --------- C:\WINDOWS\system32\rqrpp.dll 2007-12-23 23:49 . 2007-12-24 01:07 335,360 --a------ C:\WINDOWS\system32\rqrpp.exe 2007-12-23 12:53 . 2007-12-23 12:53 <DIR> d-------- C:\WINDOWS\ppqvmpqr 2007-12-23 12:53 . 2007-12-23 12:53 208,896 --a------ C:\WINDOWS\system32\ndaTqsVqrX.dll 2007-12-22 23:11 . 2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group 2007-12-22 21:01 . 2007-12-23 23:48 <DIR> d-------- C:\VundoFix Backups 2007-12-21 23:45 . 
2007-12-21 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab 2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT 2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6 2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft 2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder 2007-12-20 18:14 . 2007-12-20 18:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel 2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS 2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver 2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba 2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec 2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit 2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo 2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust 2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL 2007-12-19 22:53 . 2007-12-19 22:53 335,360 --a------ C:\WINDOWS\system32\RCX8C.tmp 2007-12-19 20:48 . 2007-12-19 20:48 <DIR> d-------- C:\WINDOWS\system32\njprckha 2007-12-19 20:42 . 
2007-12-19 20:41 103,424 --a------ C:\WINDOWS\system32\drvweg.dll 2007-12-19 20:41 . 2007-12-19 20:41 39,936 --a------ C:\WINDOWS\system32\xxyyvuv.dll 2007-12-19 19:45 . 2007-12-22 23:04 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe 2007-12-19 19:43 . 2007-12-24 01:08 94,208 --a------ C:\WINDOWS\MXOALDR .EXE 2007-12-19 19:42 . 2007-12-24 01:06 94,208 --a------ C:\WINDOWS\SM1BG .EXE 2007-12-19 19:41 . 2007-12-22 14:00 339,968 --a------ C:\WINDOWS\system32\hphmon04 .exe 2007-12-19 19:39 . 2007-12-22 13:58 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe 2007-12-19 19:39 . 2007-12-22 13:57 126,976 --a------ C:\WINDOWS\system32\hkcmd .exe 2007-12-19 15:17 . 2007-12-19 15:17 39,936 --a------ C:\WINDOWS\system32\ljjkjgf.dll 2007-12-17 20:10 . 2007-12-17 21:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2007-12-17 20:10 . 2007-12-17 20:10 1,409 --a------ C:\WINDOWS\QTFont.for 2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect 2007-12-06 17:28 . 2007-12-24 01:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp 2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor 2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks 2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2007-12-24 06:10 --------- d-----w C:\Program Files\Microsoft ActiveSync 2007-12-24 06:09 --------- d-----w C:\Program Files\QuickTime 2007-12-24 06:05 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE 2007-12-24 06:04 430,592 ----a-w C:\WINDOWS\SM1BG.EXE 2007-12-24 06:04 --------- d-----w C:\Program Files\Notebook Maximizer 2007-12-24 06:03 --------- d-----w C:\Program Files\ltmoh 2007-12-24 06:03 --------- d-----w C:\Program Files\BitTorrent_DNA 2007-12-23 04:50 --------- d-----w C:\Documents and Settings\{owner}\Application Data\BitTorrent DNA 2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro 2007-12-20 23:41 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys 2007-12-19 13:53 --------- d-----w C:\Program Files\eMule 2007-12-19 03:47 --------- d-----w C:\Documents and Settings\{owner}\Application Data\BitTorrent 2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN 2007-11-18 20:14 --------- d-----w C:\Program Files\iNav 2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys 2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile 2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools 2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2 2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent 2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000 2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll 2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll 2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\{owner}\GoToAssist_chat2way__317_en.exe 2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\{owner}\chatlnk.exe 2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll . 
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F5C28B0-D7F6-4125-AE4E-E2989242F7DD}]
2007-12-24 00:51 331776 --------- C:\WINDOWS\system32\rqrpp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76F262CF-0308-0FB4-F7A3-043266F3A47C}]
C:\Program Files\Uodyhzhz\vfdlyamd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9E85D85-F6EE-4655-A639-E33983612A6E}]
2007-12-19 20:41 39936 --a------ C:\WINDOWS\system32\xxyyvuv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-24 01:03]
"OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [2007-12-24 01:11]
"SpriteService"="" []
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna .exe" [2007-12-24 01:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-24 01:03]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-24 01:03]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2007-12-24 01:03]
"NDSTray.exe"="NDSTray.exe" []
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-12-24 00:18]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-12-24 01:03]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2007-12-24 01:04]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2007-12-24 01:04]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2007-12-24 01:05]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" []
"TFncKy"="TFncKy.exe" []
"TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2007-12-24 01:04]
"Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2007-12-24 01:04]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" []
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" []
"pccguide.exe"="C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe" [2007-12-24 01:04]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2007-12-24 01:04]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-12-24 01:04]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-12-24 01:05]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-12-24 01:05]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-12-24 01:05]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-12-24 01:05]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" []
"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2007-12-24 01:05]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2007-12-24 01:07]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-24 01:09]
"zotcridi"="C:\Program Files\fubszkho\vczmferq.dll" []
"avp"="C:\WINDOWS\TEMP\win1F8E.tmp .exe" []
"lotqzorg"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\lotqzorg.dll" []
"SC2"="C:\Program Files\SecCenter\scprot4.exe" []
"xwpcpefy"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\xwpcpefy.dll" []
"vilsrcfe"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\vilsrcfe.dll" []
"xorevota"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\xorevota.dll" []
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 07:00]

C:\Documents and Settings\{owner}\Start Menu\Programs\Startup\
Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34]
PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B9E85D85-F6EE-4655-A639-E33983612A6E}"= C:\WINDOWS\system32\xxyyvuv.dll [2007-12-19 20:41 39936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2006-01-27 05:12 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyvuv]
xxyyvuv.dll 2007-12-19 20:41 39936 C:\WINDOWS\system32\xxyyvuv.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\rqrpp.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]
2005-10-04 18:09 57344 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]
2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]
2005-10-04 18:10 155757 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}]
\Shell\AutoRun\command - setupSNK.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 01:14:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-24 1:34:24 - machine was rebooted
.
2007-12-21 14:19:06 --- E O F ---
9. Wow - that was quick! Thank you. Unfortunately, I can't be as quick with my replies since my computer is running so slowly right now (I'm actually posting from a different computer and keeping the infected computer offline). Anyway, here are the logs.

VundoFix V6.7.7

Checking Java version...

Scan started at 9:01:08 PM 12/22/2007

Listing files found while scanning....

C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon04.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\winsfg32.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\dla\tfswctrl.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hkcmd.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\hphmon04.exe
C:\WINDOWS\system32\hphmon04.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxtray.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\rqrpp.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\winsfg32.dll
C:\WINDOWS\system32\winsfg32.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Scan started at 10:24:56 PM 12/23/2007

Listing files found while scanning....

C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\rqrpp.exe Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.dll Has been deleted!

Performing Repairs to the registry.
Done!
10. My computer is infected with Virtumonde and probably some other stuff as well (besides the obvious infection pop-ups, my computer has slowed down to an absolute crawl). When my computer boots up to my desktop I also get several strange pop-ups:

Load Library C:\Documents and Settings\All Users\Application Data\xwpcpefy.dll failed. The specified module could not be found.
Load Library C:\Documents and Settings\All Users\Application Data\lotqzorg.dll failed. The specified module could not be found.
Load Library C:\Documents and Settings\All Users\Application Data\xorevota.dll failed. The specified module could not be found.
Load Library C:\Documents and Settings\All Users\Application Data\vilsrcfe.dll failed. The specified module could not be found.

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:55 PM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PccGuide .exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey .exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh .exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
C:\Program Files\Toshiba\Tvs\TvsTray .exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\SM1BG .EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe
C:\WINDOWS\MXOALDR .EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\BitTorrent_DNA\dna .exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [intelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [zotcridi] rundll32.exe "C:\Program Files\fubszkho\vczmferq.dll",Init
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win1F8E.tmp .exe
O4 - HKLM\..\Run: [lotqzorg] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lotqzorg.dll"
O4 - HKLM\..\Run: [sC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [xwpcpefy] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xwpcpefy.dll"
O4 - HKLM\..\Run: [vilsrcfe] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\vilsrcfe.dll"
O4 - HKLM\..\Run: [xorevota] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xorevota.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna .exe"
O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

--
End of file - 11598 bytes
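Several of the indicators in the HijackThis log above can be read straight off the O4/F3 line, without touching the file: the four `regsvr32 /u` Run values, which match one-for-one the four "Load Library ... failed" pop-ups described at the top of post 10; an executable launched from C:\WINDOWS\TEMP; a legacy win.ini `load=` entry pointing at rqrpp.exe; a value under Policies\Explorer\Run; and file names with a space inserted before the extension (`Smax4 .exe`, `wcescomm .exe`, `win1F8E.tmp .exe`), which the ComboFix listing shows are separate, newer files sitting beside the originals (`MXOALDR .EXE` at 94,208 bytes next to `MXOALDR.EXE` at 430,592 bytes). The script below is an added example written for this page; it is not part of the thread and not code from HijackThis, ComboFix or VundoFix. Its sample input is a constructed excerpt copied from the posted log, it parses only O4 and F3 lines (the Winlogon\Notify and LSA Authentication Packages entries that ComboFix reports have no O4 equivalent), and every hit is a line-text heuristic meant to prioritise review, not a verdict.

```python
"""Triage HijackThis O4/F3 autostart lines for indicators visible in the line text.

Added example for the forum thread above; not part of HijackThis, ComboFix or
VundoFix. The checks never open the file on disk, so a hit means "look closer",
not "delete".
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [zotcridi] rundll32.exe "C:\Program Files\fubszkho\vczmferq.dll",Init
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win1F8E.tmp .exe
O4 - HKLM\..\Run: [lotqzorg] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lotqzorg.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
"""

# "O4 - <location>: [<value name>] <command>"  or  "F3 - REG:win.ini: load=<command>"
ENTRY_RE = re.compile(
    r'^(?P<kind>F3|O4) - (?P<where>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$')

# A quoted path, or an unquoted drive/%var% path read lazily up to a PE-ish extension.
# Lazy matching is what lets "win1F8E.tmp .exe" come back whole, space included.
PATH_RE = re.compile(
    r'"(?P<q>[^"]+)"'
    r'|(?P<u>(?:[a-z]:|%\w+%)\\.*?\.(?:exe|dll|com|scr|pif|bat|cmd)\b)',
    re.IGNORECASE)


@dataclass
class Entry:
    kind: str
    where: str
    name: str
    cmd: str
    target: Optional[str]   # the module that actually gets loaded, if one is visible


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one O4/F3 line; other HJT sections return None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd')
    # The last path on the line is the loaded module: for rundll32/regsvr32
    # hosts the first path is only the host process.
    paths = [g.group('q') or g.group('u') for g in PATH_RE.finditer(cmd)]
    return Entry(m.group('kind'), m.group('where'),
                 m.group('name') or m.group('where'),
                 cmd, paths[-1] if paths else None)


def triage(entry: Entry) -> list:
    """Reasons this entry deserves a closer look; empty list means nothing seen."""
    reasons = []
    if entry.kind == 'F3':
        reasons.append('win.ini load= autostart: legacy mechanism, not used by current software')
    if 'policies\\explorer\\run' in entry.where.lower():
        reasons.append('Policies\\Explorer\\Run: normally populated only by Group Policy')
    if re.search(r'\bregsvr32(?:\.exe)?\s+/u\b', entry.cmd, re.IGNORECASE):
        reasons.append('regsvr32 /u at every logon: an installer does not persist an unregister step')
    if entry.target:
        base = entry.target.rsplit('\\', 1)[-1]
        if re.search(r'\s\.[a-z0-9]+$', base, re.IGNORECASE):
            reasons.append(f'whitespace before the extension in "{base}": look-alike of a legitimate name')
        if re.search(r'\\temp\\', entry.target, re.IGNORECASE):
            reasons.append('loads from a TEMP directory')
        if re.search(r'\\application data\\[^\\]+$', entry.target, re.IGNORECASE):
            reasons.append('module sits directly under Application Data, not in a vendor folder')
    return reasons


def triage_log(text: str) -> dict:
    """Map autostart value name -> reasons for every flagged O4/F3 line in a log."""
    flagged = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


if __name__ == '__main__':
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(name)
        for reason in reasons:
            print('   -', reason)
```

The `zotcridi` line deliberately comes back clean: nothing on it is objectionable except that `fubszkho` and `vczmferq` look machine-generated, and a name-randomness heuristic trips on vendor abbreviations such as `SynTPLpr`, `TvsTray` or `ifrmewrk` often enough that it is left out here. That entry, and the rundll32 DLL under Policies\Explorer\Run, still want a hash lookup or a look at the DLL's exports rather than a judgement from the line text.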