psywzrd

Help! Virtumonde and a painfully slow computer.


My computer is infected with Virtumonde and probably some other stuff as well (besides the obvious infection pop-ups, my computer has slowed down to an absolute crawl). When my computer boots up to my desktop I also get several strange pop-ups:

 

Load Library C:\Documents and Settings\All Users\Application Data\xwpcpefy.dll failed. The specified module could not be found.

 

Load Library C:\Documents and Settings\All Users\Application Data\lotqzorg.dll failed. The specified module could not be found.

 

Load Library C:\Documents and Settings\All Users\Application Data\xorevota.dll failed. The specified module could not be found.

 

Load Library C:\Documents and Settings\All Users\Application Data\vilsrcfe.dll failed. The specified module could not be found.

 

 

Here is my HJT log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:37:55 PM, on 12/23/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\PccGuide .exe

C:\Program Files\Synaptics\SynTP\SynTPLpr .exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh .exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey .exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ltmoh\Ltmoh .exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe

C:\Program Files\Toshiba\Tvs\TvsTray .exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe

C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\WINDOWS\system32\TPSMain.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\WINDOWS\SM1BG .EXE

C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe

C:\WINDOWS\MXOALDR .EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe

C:\Program Files\Microsoft ActiveSync\wcescomm .exe

C:\WINDOWS\system32\RAMASST.exe

C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe

C:\PROGRA~1\MICROS~4\rapimgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe

C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\BitTorrent_DNA\dna .exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart

F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run

O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe

O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe

O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE

O4 - HKLM\..\Run: [intelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"

O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE

O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime

O4 - HKLM\..\Run: [zotcridi] rundll32.exe "C:\Program Files\fubszkho\vczmferq.dll",Init

O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win1F8E.tmp .exe

O4 - HKLM\..\Run: [lotqzorg] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lotqzorg.dll"

O4 - HKLM\..\Run: [sC2] C:\Program Files\SecCenter\scprot4.exe

O4 - HKLM\..\Run: [xwpcpefy] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xwpcpefy.dll"

O4 - HKLM\..\Run: [vilsrcfe] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\vilsrcfe.dll"

O4 - HKLM\..\Run: [xorevota] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xorevota.dll"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna .exe"

O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer

O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe

O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab

O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe

O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe

O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe

O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

 

--

End of file - 11598 bytes

Edited by LS CalamityJane
Deleted attachment - no longer needed

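The autostart entries in the HijackThis log above carry the patterns that mark this infection: HKLM\Run values with random eight-letter names that call regsvr32 /u on a DLL under All Users\Application Data (the four "Load Library ... failed" pop-ups name exactly the DLLs those values point at), rundll32 loading a DLL from a random-named folder under Program Files, an executable launched from TEMP, a win.ini load= hook, and file names with a space squeezed in before the extension. The script below is an added example, not part of the thread and not HijackThis code: it runs those heuristics over a few lines copied from the log. The sample list, the indicator labels and the regular expressions are the example's own.

```python
import re

# Constructed sample input: HijackThis lines copied from the log in the post above,
# with two benign vendor entries (igfxTray, ctfmon.exe) left in so the heuristics
# have something they must leave alone.
SAMPLE_HJT_LINES = [
    r'F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe',
    r'O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe',
    r'O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray',
    r'O4 - HKLM\..\Run: [zotcridi] rundll32.exe "C:\Program Files\fubszkho\vczmferq.dll",Init',
    r'O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win1F8E.tmp .exe',
    r'O4 - HKLM\..\Run: [lotqzorg] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lotqzorg.dll"',
    r'O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
]

# Indicator labels (the example's own wording).
WININI_LOAD = 'win.ini load= hook (legacy autostart, almost never legitimate)'
SPACED_EXT = 'space before file extension (lookalike of a legitimate file name)'
REGSVR32_U = 'regsvr32 /u used as a DLL loader'
FROM_TEMP = 'executable launched from TEMP'
RANDOM_ENTRY = 'random-looking eight-letter entry name'
RANDOM_DLL_DIR = 'rundll32 loads a DLL from a random-named folder'
POLICY_RUN = 'Policies\\Explorer\\Run key (Group Policy autostart, rare on a standalone machine)'

ENTRY_NAME = re.compile(r'^O4 - .*?: \[(?P<name>[^\]]+)\]')
SPACE_BEFORE_EXT = re.compile(r'\S \.(exe|dll|com|scr)\b', re.IGNORECASE)
REGSVR32_UNREG = re.compile(r'\bregsvr32(?:\.exe)?\s+/u\b', re.IGNORECASE)
RUNDLL32_TARGET = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
TEMP_DIR = re.compile(r'\\TEMP\\', re.IGNORECASE)
RANDOM_NAME = re.compile(r'^[a-z]{8}$')  # the naming scheme visible in this log


def triage_line(line):
    """Return the list of indicator labels that fire on one HijackThis line."""
    hits = []
    if line.startswith('F3 - REG:win.ini: load='):
        hits.append(WININI_LOAD)
    if SPACE_BEFORE_EXT.search(line):
        hits.append(SPACED_EXT)
    if REGSVR32_UNREG.search(line):
        hits.append(REGSVR32_U)
    if TEMP_DIR.search(line):
        hits.append(FROM_TEMP)
    m = ENTRY_NAME.match(line)
    if m and RANDOM_NAME.match(m.group('name')):
        hits.append(RANDOM_ENTRY)
    m = RUNDLL32_TARGET.search(line)
    if m:
        # Folder components between the drive and the DLL file name.
        folders = m.group('dll').split('\\')[1:-1]
        if any(RANDOM_NAME.match(f) for f in folders):
            hits.append(RANDOM_DLL_DIR)
    if 'Policies\\Explorer\\Run' in line:
        hits.append(POLICY_RUN)
    return hits


def triage(lines):
    """Map each flagged HijackThis line to its indicators; clean lines are omitted."""
    report = {}
    for line in lines:
        hits = triage_line(line)
        if hits:
            report[line] = hits
    return report


if __name__ == '__main__':
    for line, hits in triage(SAMPLE_HJT_LINES).items():
        print(line)
        for hit in hits:
            print('    ->', hit)
```

Run as-is it prints the six flagged lines with their reasons and stays silent on the two vendor entries; for a real log, feed `open(path).read().splitlines()` to `triage`. The eight-lowercase-letter rule is tuned to the names in this particular log, so treat it as a prompt to look closer rather than a verdict.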

Hello psywzrd & Welcome

 

Please download VundoFix.exe to your desktop.

 

Don't run just Yet!

 

=========================

 

Download ComboFix from Here or Here to your Desktop.

 

Don't run just Yet!

 

=========================

 

NOTE: This next step I'm going to have you do is to be done only after you download the tools above, not before.

 

I need you to disable your Anti-Virus scanner. If not sure how to go about doing this I will try and find this info.

 

NOTE: Again, this is to be done only after downloading the tools above, not before.

 

=========================

 

Now run

 

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files, click YES.

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will reboot your computer, click OK.

Please post the contents of C:\vundofix.txt

 

==========================

 

After VundoFix is done, not before, run this tool.

 

- Double click combofix.exe and follow the prompts.

- When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.

 

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

 

==========================

 

Once both tools above are done, turn on your Anti-Virus scanner. I may ask that you disable it again.

 

Come back here with the VundoFix log, ComboFix log and Hijack-This log.

 

 

Gogo ;)


Wow - that was quick! Thank you. Unfortunately, I can't be as quick with my replies since my computer is running so slowly right now (I'm actually posting from a different computer and keeping the infected computer offline). Anyway, here are the logs.

 

VundoFix V6.7.7

 

Checking Java version...

 

Scan started at 9:01:08 PM 12/22/2007

 

Listing files found while scanning....

 

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\hphmon04.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

C:\WINDOWS\system32\winsfg32.dll

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\dla\tfswctrl.exe Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\hkcmd.exe Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\hphmon04.exe

C:\WINDOWS\system32\hphmon04.exe Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxtray.exe Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.dll Could not be deleted.

 

Attempting to delete C:\WINDOWS\system32\rqrpp.exe

C:\WINDOWS\system32\rqrpp.exe Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\winsfg32.dll

C:\WINDOWS\system32\winsfg32.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

 

VundoFix V6.7.7

 

Checking Java version...

 

Scan started at 10:24:56 PM 12/23/2007

 

Listing files found while scanning....

 

C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.exe

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.dll Could not be deleted.

 

Attempting to delete C:\WINDOWS\system32\rqrpp.exe

C:\WINDOWS\system32\rqrpp.exe Has been deleted!

 

Performing Repairs to the registry.

Done!

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.dll Has been deleted!

 

Performing Repairs to the registry.

Done!


ComboFix 07-12-21.4 - {owner} 2007-12-24 0:33:42.1 - NTFSx86

Running from: C:\Documents and Settings\{owner}\Desktop\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Program Files\Cglrdyzv

C:\Program Files\Cglrdyzv\euanwhov.dll

C:\Program Files\fubszkho

C:\Program Files\fubszkho\vczmferq.dll

C:\Program Files\Sancktje

C:\Program Files\Sancktje\jymnyjih.dll

C:\Program Files\Umlnojon

C:\Program Files\Umlnojon\zbhqcxgu.dll

C:\Program Files\Uodyhzhz

C:\Program Files\Uodyhzhz\vfdlyamd.dll

C:\Program Files\xedmrglg

C:\Program Files\xedmrglg\vcnctide.dll

C:\WINDOWS\PerfInfo

C:\WINDOWS\PerfInfo\lB8v7JNIMpuc.exe

C:\WINDOWS\PerfInfo\lB8v7JNIMpud.exe

C:\WINDOWS\system32\drvran.dll

C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\rqrpp.dll

 

.

((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))

.

 

2007-12-24 01:15 . 2007-12-24 01:18 391 --ahs---- C:\WINDOWS\system32\pprqr.ini2

2007-12-24 01:15 . 2007-12-24 01:18 391 --ahs---- C:\WINDOWS\system32\pprqr.ini

2007-12-24 01:07 . 2007-12-24 01:07 <DIR> d-------- C:\WINDOWS\LastGood

2007-12-24 01:07 . 2007-12-24 01:07 749,056 --a------ C:\WINDOWS\system32\OLD54.tmp

2007-12-24 01:02 . 2007-12-24 01:02 <DIR> d-------- C:\WINDOWS\PerfInfo

2007-12-23 23:59 . 2007-12-24 00:51 331,776 --------- C:\WINDOWS\system32\rqrpp.dll

2007-12-23 23:49 . 2007-12-24 01:07 335,360 --a------ C:\WINDOWS\system32\rqrpp.exe

2007-12-23 12:53 . 2007-12-23 12:53 <DIR> d-------- C:\WINDOWS\ppqvmpqr

2007-12-23 12:53 . 2007-12-23 12:53 208,896 --a------ C:\WINDOWS\system32\ndaTqsVqrX.dll

2007-12-22 23:11 . 2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group

2007-12-22 21:01 . 2007-12-23 23:48 <DIR> d-------- C:\VundoFix Backups

2007-12-21 23:45 . 2007-12-21 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT

2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6

2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft

2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder

2007-12-20 18:14 . 2007-12-20 18:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel

2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS

2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver

2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba

2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec

2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit

2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo

2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust

2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL

2007-12-19 22:53 . 2007-12-19 22:53 335,360 --a------ C:\WINDOWS\system32\RCX8C.tmp

2007-12-19 20:48 . 2007-12-19 20:48 <DIR> d-------- C:\WINDOWS\system32\njprckha

2007-12-19 20:42 . 2007-12-19 20:41 103,424 --a------ C:\WINDOWS\system32\drvweg.dll

2007-12-19 20:41 . 2007-12-19 20:41 39,936 --a------ C:\WINDOWS\system32\xxyyvuv.dll

2007-12-19 19:45 . 2007-12-22 23:04 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe

2007-12-19 19:43 . 2007-12-24 01:08 94,208 --a------ C:\WINDOWS\MXOALDR .EXE

2007-12-19 19:42 . 2007-12-24 01:06 94,208 --a------ C:\WINDOWS\SM1BG .EXE

2007-12-19 19:41 . 2007-12-22 14:00 339,968 --a------ C:\WINDOWS\system32\hphmon04 .exe

2007-12-19 19:39 . 2007-12-22 13:58 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe

2007-12-19 19:39 . 2007-12-22 13:57 126,976 --a------ C:\WINDOWS\system32\hkcmd .exe

2007-12-19 15:17 . 2007-12-19 15:17 39,936 --a------ C:\WINDOWS\system32\ljjkjgf.dll

2007-12-17 20:10 . 2007-12-17 21:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2007-12-17 20:10 . 2007-12-17 20:10 1,409 --a------ C:\WINDOWS\QTFont.for

2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect

2007-12-06 17:28 . 2007-12-24 01:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp

2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor

2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks

2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-24 06:10 --------- d-----w C:\Program Files\Microsoft ActiveSync

2007-12-24 06:09 --------- d-----w C:\Program Files\QuickTime

2007-12-24 06:05 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE

2007-12-24 06:04 430,592 ----a-w C:\WINDOWS\SM1BG.EXE

2007-12-24 06:04 --------- d-----w C:\Program Files\Notebook Maximizer

2007-12-24 06:03 --------- d-----w C:\Program Files\ltmoh

2007-12-24 06:03 --------- d-----w C:\Program Files\BitTorrent_DNA

2007-12-23 04:50 --------- d-----w C:\Documents and Settings\{owner}\Application Data\BitTorrent DNA

2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro

2007-12-20 23:41 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys

2007-12-19 13:53 --------- d-----w C:\Program Files\eMule

2007-12-19 03:47 --------- d-----w C:\Documents and Settings\{owner}\Application Data\BitTorrent

2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN

2007-11-18 20:14 --------- d-----w C:\Program Files\iNav

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile

2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools

2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2

2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent

2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000

2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\{owner}\GoToAssist_chat2way__317_en.exe

2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\{owner}\chatlnk.exe

2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F5C28B0-D7F6-4125-AE4E-E2989242F7DD}]

2007-12-24 00:51 331776 --------- C:\WINDOWS\system32\rqrpp.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76F262CF-0308-0FB4-F7A3-043266F3A47C}]

C:\Program Files\Uodyhzhz\vfdlyamd.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9E85D85-F6EE-4655-A639-E33983612A6E}]

2007-12-19 20:41 39936 --a------ C:\WINDOWS\system32\xxyyvuv.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-24 01:03]

"OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00]

"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [2007-12-24 01:11]

"SpriteService"="" []

"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna .exe" [2007-12-24 01:23]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []

"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-24 01:03]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-24 01:03]

"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2007-12-24 01:03]

"NDSTray.exe"="NDSTray.exe" []

"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-12-24 00:18]

"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]

"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-12-24 01:03]

"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2007-12-24 01:04]

"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2007-12-24 01:04]

"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2007-12-24 01:05]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" []

"TFncKy"="TFncKy.exe" []

"TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]

"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []

"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2007-12-24 01:04]

"Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2007-12-24 01:04]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" []

"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" []

"pccguide.exe"="C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe" [2007-12-24 01:04]

"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2007-12-24 01:04]

"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-12-24 01:04]

"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-12-24 01:05]

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-12-24 01:05]

"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-12-24 01:05]

"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-12-24 01:05]

"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" []

"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2007-12-24 01:05]

"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2007-12-24 01:07]

"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-24 01:09]

"zotcridi"="C:\Program Files\fubszkho\vczmferq.dll" []

"avp"="C:\WINDOWS\TEMP\win1F8E.tmp .exe" []

"lotqzorg"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\lotqzorg.dll" []

"SC2"="C:\Program Files\SecCenter\scprot4.exe" []

"xwpcpefy"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\xwpcpefy.dll" []

"vilsrcfe"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\vilsrcfe.dll" []

"xorevota"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\xorevota.dll" []

"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 07:00]

 

C:\Documents and Settings\{owner}\Start Menu\Programs\Startup\

Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34]

PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{B9E85D85-F6EE-4655-A639-E33983612A6E}"= C:\WINDOWS\system32\xxyyvuv.dll [2007-12-19 20:41 39936]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2006-01-27 05:12 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyvuv]

xxyyvuv.dll 2007-12-19 20:41 39936 C:\WINDOWS\system32\xxyyvuv.dll

 

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]

"load"=C:\WINDOWS\system32\rqrpp.exe

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]

2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]

2005-10-04 18:09 57344 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

C:\Program Files\QuickTime\qttask.exe -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]

2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]

2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]

2005-10-04 18:10 155757 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}]

\Shell\AutoRun\command - E:\setupSNK.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}]

\Shell\AutoRun\command - setupSNK.exe

 

.

**************************************************************************

 

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-24 01:14:33

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-12-24 1:34:24 - machine was rebooted

.

2007-12-21 14:19:06 --- E O F ---

Edited by LS CalamityJane: replaced personal name in log with {owner}


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:46:24 AM, on 12/24/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

C:\WINDOWS\system32\cmd.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr .exe

C:\Program Files\Synaptics\SynTP\SynTPEnh .exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey .exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ltmoh\Ltmoh .exe

C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe

C:\Program Files\Toshiba\Tvs\TvsTray .exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe

C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe

C:\WINDOWS\system32\TPSMain.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide .exe

C:\WINDOWS\SM1BG .EXE

C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe

C:\WINDOWS\MXOALDR .EXE

C:\WINDOWS\system32\TPSBattM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe

C:\WINDOWS\system32\RAMASST.exe

C:\Program Files\Microsoft ActiveSync\wcescomm .exe

C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress .exe

C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe

C:\PROGRA~1\MICROS~4\rapimgr.exe

C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\PROGRA~1\RETROS~1\RETROS~1.1\retrospect.exe

C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\BitTorrent_DNA\dna.exe

C:\Program Files\BitTorrent_DNA\dna .exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart

F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run

O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe

O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe

O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE

O4 - HKLM\..\Run: [intelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"

O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE

O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime

O4 - HKLM\..\Run: [zotcridi] rundll32.exe "C:\Program Files\fubszkho\vczmferq.dll",Init

O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win1F8E.tmp .exe

O4 - HKLM\..\Run: [lotqzorg] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lotqzorg.dll"

O4 - HKLM\..\Run: [sC2] C:\Program Files\SecCenter\scprot4.exe

O4 - HKLM\..\Run: [xwpcpefy] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xwpcpefy.dll"

O4 - HKLM\..\Run: [vilsrcfe] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\vilsrcfe.dll"

O4 - HKLM\..\Run: [xorevota] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xorevota.dll"

O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna .exe"

O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer

O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe

O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab

O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe

O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe

O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe

O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

 

--

End of file - 11770 bytes


Hi, psywzrd

 

First, I can't tell you how sorry I am about the delay with this, but I've been having a ton of problems on my PC. If it seems like I have forgotten about you, this is not so. I can just about post anything, and my copy and paste is on its way out on me, which is not good when you're working on log files.

 

NOTE: Please make sure to disable all the Programs I had you do before.

 

 

1. Close any open browsers.

 

2. Open Notepad and copy/paste the text in the quote box below into it (but don't include the word: quote). Make sure to use Notepad and nothing else.

 

File::

C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\OLD54.tmp

C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.exe

C:\WINDOWS\system32\ndaTqsVqrX.dll

C:\WINDOWS\system32\RCX8C.tmp

C:\WINDOWS\system32\njprckha

C:\WINDOWS\system32\drvweg.dll

C:\WINDOWS\system32\xxyyvuv.dll

C:\WINDOWS\system32\ljjkjgf.dll

 

Folder::

C:\Program Files\Uodyhzhz

C:\Program Files\SecCenter

 

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F5C28B0-D7F6-4125-AE4E-E2989242F7DD}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76F262CF-0308-0FB4-F7A3-043266F3A47C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9E85D85-F6EE-4655-A639-E33983612A6E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"zotcridi"=-

"avp"=-

"lotqzorg"=-

"xwpcpefy"=-

"vilsrcfe"=-

"xorevota"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{B9E85D85-F6EE-4655-A639-E33983612A6E}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyvuv]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]

"load"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

 

 

Save this as CFScript.txt, in the same location as ComboFix.exe

 

[Image: CFScript.gif, showing CFScript.txt being dragged onto ComboFix.exe]

 

Referring to the picture above, drag CFScript into ComboFix.exe

 

 

When finished, it will produce a log for you at "C:\ComboFix.txt"

 

 

Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall

 

 

Then come back here with both the HijackThis log and ComboFix.txt

 

 

Gogo :(

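The CFScript above deletes Run values with "name"=- and resets the LSA Authentication Packages list by writing it back as hex(7). Below is an added example, written for this thread and not part of ComboFix, HijackThis or the original post, that builds the same Registry:: section from the logs: it picks the suspicious O4 lines out of a HijackThis log with a few heuristics (eight-letter random names, regsvr32 /u under All Users\Application Data, rundll32 of a DLL in a random-named folder, a TEMP path, the Policies\Explorer\Run key), then emits the deletions and the hex(7) encoding of an allow-listed Authentication Packages value, so the helper's 6d,73,76,31,5f,30,00,00 can be checked rather than trusted. The heuristics, the msv1_0 allow-list and the sample lines (copied from the log above) are this example's own assumptions.

```python
"""Added example (not from this thread, ComboFix or HijackThis): turn HijackThis
O4 lines plus ComboFix's LSA line into the Registry:: section hand-written above.
The suspicion heuristics and the allow-list are this example's own assumptions."""
import re

# Constructed sample input: O4 lines copied from the HijackThis log earlier in the thread.
SAMPLE_O4 = [
    r'O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe',
    r'O4 - HKLM\..\Run: [zotcridi] rundll32.exe "C:\Program Files\fubszkho\vczmferq.dll",Init',
    r'O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win1F8E.tmp .exe',
    r'O4 - HKLM\..\Run: [lotqzorg] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lotqzorg.dll"',
    r'O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
]
# The LSA line as ComboFix printed it in its "Reg Loading Points" section.
SAMPLE_LSA = r'Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp'

# HijackThis abbreviates Software\Microsoft\Windows\CurrentVersion as "..".
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
HIVE = {'HKLM': 'HKEY_LOCAL_MACHINE', 'HKCU': 'HKEY_CURRENT_USER'}
CV = r'SOFTWARE\Microsoft\Windows\CurrentVersion'

RANDOM8 = r'[a-z]{8}'  # the eight-letter names seen in this log; a heuristic, not a rule
HEURISTICS = [
    (re.compile(r'regsvr32\s+/u\s+".*\\Application Data\\' + RANDOM8 + r'\.dll"', re.I),
     'regsvr32 /u of a random-named DLL under All Users\\Application Data'),
    (re.compile(r'rundll32(\.exe)?\s+".*\\' + RANDOM8 + r'\\' + RANDOM8 + r'\.dll"', re.I),
     'rundll32 of a random-named DLL in a random-named folder'),
    (re.compile(r'\\TEMP\\', re.I), 'autostart pointing into a TEMP directory'),
]
# Assumption: msv1_0 is the only authentication package expected on a stock XP box.
ALLOWED_AUTH_PACKAGES = {'msv1_0'}


def triage_o4(lines):
    """Return (hive, key, name, reasons) for every O4 line that trips a heuristic."""
    hits = []
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        reasons = [why for rx, why in HEURISTICS if rx.search(m['cmd'])]
        if 'Policies\\Explorer\\Run' in m['key']:
            reasons.append('Policies\\Explorer\\Run autostart, rarely used by legitimate software')
        if reasons:
            hits.append((m['hive'], m['key'], m['name'], reasons))
    return hits


def multi_sz_to_hex7(values):
    """Encode strings as REGEDIT4 hex(7) (REG_MULTI_SZ): one byte per character,
    each string NUL-terminated, list closed by one more NUL. (REGEDIT5 .reg files
    would use UTF-16LE; ComboFix logs and CFScript are REGEDIT4.)"""
    raw = b''.join(v.encode('ascii') + b'\x00' for v in values) + b'\x00'
    return 'hex(7):' + ','.join(f'{b:02x}' for b in raw)


def hex7_to_multi_sz(text):
    """Inverse of multi_sz_to_hex7, tolerating the backslash line continuations .reg files use."""
    body = text.split(':', 1)[1].replace('\\\n', '').replace(' ', '')
    raw = bytes(int(x, 16) for x in body.split(',') if x)
    return [s.decode('ascii') for s in raw.split(b'\x00') if s]


def split_auth_packages(combofix_line):
    """Split ComboFix's 'Authentication Packages REG_MULTI_SZ a b ...' line into
    allow-listed names and everything else (assumes the paths contain no spaces)."""
    entries = combofix_line.split('REG_MULTI_SZ', 1)[1].split()
    keep = [e for e in entries if e.lower() in ALLOWED_AUTH_PACKAGES]
    dropped = [e for e in entries if e.lower() not in ALLOWED_AUTH_PACKAGES]
    return keep, dropped


def cfscript_registry(hits, lsa_line):
    """Build the Registry:: section: "name"=- removes one value (as in the post above);
    the LSA value is rewritten so only allow-listed packages survive."""
    by_key = {}
    for hive, key, name, _ in hits:
        by_key.setdefault(f'[{HIVE[hive]}\\{CV}\\{key}]', []).append(name)
    out = ['Registry::']
    for key, names in by_key.items():
        out.append(key)
        out.extend(f'"{n}"=-' for n in names)
    keep, dropped = split_auth_packages(lsa_line)
    out.append(r'[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]')
    out.append('"Authentication Packages"=' + multi_sz_to_hex7(keep))
    return '\n'.join(out), dropped


if __name__ == '__main__':
    found = triage_o4(SAMPLE_O4)
    for hive, key, name, reasons in found:
        print(f'{hive}\\..\\{key} [{name}]: ' + '; '.join(reasons))
    script, dropped = cfscript_registry(found, SAMPLE_LSA)
    print('\nDropping from Authentication Packages:', dropped)
    print(script)
```

Run it as a script to print the flagged entries and the generated section. The encoder deliberately follows REGEDIT4 (one byte per character) because that is the format ComboFix logs and CFScript use; the same value in a REGEDIT5 .reg file would be UTF-16LE and twice as long, so do not paste hex(7) bytes between the two formats.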

No worries - I can totally relate to the computer problems :( . Plus it is the holidays so I'm sure you have better things to do as well. Anyway, you mentioned that I should disable all programs you had me do before so I'm assuming that just means you want me to turn off my PC-Cillin. It's off since I don't have that computer connected to the internet anyway but if you needed me to do something else, please let me know. Here are the logs you requested (still getting some error messages when my computer boots up but I assume you'll see that in the logs). Thank you for your time.

 

ComboFix 07-12-21.4 - {owner} 2007-12-24 19:55:09.2 - NTFSx86

Running from: C:\Documents and Settings\{owner}\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\{owner}\Desktop\CFScript.txt

* Created a new restore point

 

FILE

C:\WINDOWS\system32\drvweg.dll

C:\WINDOWS\system32\ljjkjgf.dll

C:\WINDOWS\system32\ndaTqsVqrX.dll

C:\WINDOWS\system32\njprckha

C:\WINDOWS\system32\OLD54.tmp

C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\RCX8C.tmp

C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.exe

C:\WINDOWS\system32\xxyyvuv.dll

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\PerfInfo

C:\WINDOWS\PerfInfo\lB8v7JNIMpuc.exe.bak

C:\WINDOWS\system32\drvweg.dll

C:\WINDOWS\system32\ljjkjgf.dll

C:\WINDOWS\system32\ndaTqsVqrX.dll

C:\WINDOWS\system32\OLD54.tmp

C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\RCX8C.tmp

C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.exe

C:\WINDOWS\system32\xxyyvuv.dll

C:\WINDOWS\system32\rqrpp.dll . . . . failed to delete

 

.

((((((((((((((((((((((((( Files Created from 2007-11-25 to 2007-12-25 )))))))))))))))))))))))))))))))

.

 

2007-12-24 20:34 . 2007-12-24 20:34 331,776 --------- C:\WINDOWS\system32\rqrpp.dll

2007-12-23 12:53 . 2007-12-23 12:53 <DIR> d-------- C:\WINDOWS\ppqvmpqr

2007-12-22 23:11 . 2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group

2007-12-21 23:45 . 2007-12-21 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT

2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6

2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft

2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder

2007-12-20 18:14 . 2007-12-20 18:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel

2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS

2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver

2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba

2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec

2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit

2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo

2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust

2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL

2007-12-19 20:48 . 2007-12-19 20:48 <DIR> d-------- C:\WINDOWS\system32\njprckha

2007-12-19 19:45 . 2007-12-22 23:04 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe

2007-12-19 19:43 . 2007-12-24 01:08 94,208 --a------ C:\WINDOWS\MXOALDR .EXE

2007-12-19 19:42 . 2007-12-24 01:06 94,208 --a------ C:\WINDOWS\SM1BG .EXE

2007-12-19 19:41 . 2007-12-22 14:00 339,968 --a------ C:\WINDOWS\system32\hphmon04 .exe

2007-12-19 19:39 . 2007-12-22 13:58 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe

2007-12-19 19:39 . 2007-12-22 13:57 126,976 --a------ C:\WINDOWS\system32\hkcmd .exe

2007-12-17 20:10 . 2007-12-17 21:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2007-12-17 20:10 . 2007-12-17 20:10 1,409 --a------ C:\WINDOWS\QTFont.for

2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect

2007-12-06 17:28 . 2007-12-24 01:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp

2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor

2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks

2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-25 01:36 --------- d-----w C:\Program Files\QuickTime

2007-12-25 01:35 430,592 ----a-w C:\WINDOWS\SM1BG.EXE

2007-12-25 01:35 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE

2007-12-25 01:35 --------- d-----w C:\Program Files\Notebook Maximizer

2007-12-25 01:35 --------- d-----w C:\Program Files\ltmoh

2007-12-25 01:34 --------- d-----w C:\Program Files\Microsoft ActiveSync

2007-12-25 01:34 --------- d-----w C:\Program Files\BitTorrent_DNA

2007-12-23 04:50 --------- d-----w C:\Documents and Settings\{owner}\Application Data\BitTorrent DNA

2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro

2007-12-20 23:41 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys

2007-12-19 13:53 --------- d-----w C:\Program Files\eMule

2007-12-19 03:47 --------- d-----w C:\Documents and Settings\{owner}\Application Data\BitTorrent

2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN

2007-11-18 20:14 --------- d-----w C:\Program Files\iNav

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile

2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools

2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2

2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent

2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000

2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\{owner}\GoToAssist_chat2way__317_en.exe

2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\{owner}\chatlnk.exe

2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE3469A0-D7BC-432E-A7C4-29F6821FC8B8}]

2007-12-24 20:34 331776 --------- C:\WINDOWS\system32\rqrpp.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-24 20:34]

"OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00]

"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [2007-12-24 20:34]

"SpriteService"="" []

"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna .exe" [2007-12-24 20:34]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []

"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-24 20:34]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-24 20:34]

"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2007-12-24 20:35]

"NDSTray.exe"="NDSTray.exe" []

"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-12-24 20:35]

"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]

"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-12-24 20:35]

"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2007-12-24 20:35]

"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2007-12-24 20:35]

"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2007-12-24 20:35]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" []

"TFncKy"="TFncKy.exe" []

"TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]

"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []

"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2007-12-24 20:35]

"Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2007-12-24 20:35]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" []

"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" []

"pccguide.exe"="C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe" [2007-12-24 20:35]

"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2007-12-24 20:35]

"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-12-24 20:35]

"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-12-24 20:35]

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-12-24 20:35]

"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-12-24 20:35]

"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-12-24 20:35]

"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" []

"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2007-12-24 20:35]

"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2007-12-24 20:36]

"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-24 20:36]

 

C:\Documents and Settings\{owner}\Start Menu\Programs\Startup\

Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34]

PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2006-01-27 05:12 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

 

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]

"load"=C:\WINDOWS\system32\rqrpp.exe

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]

2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]

2005-10-04 18:09 57344 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

C:\Program Files\QuickTime\qttask.exe -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]

2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]

2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]

2005-10-04 18:10 155757 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe

 

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 02:00]

R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys [2005-03-08 21:05]

R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys [2005-03-08 20:54]

R3 pnetmdm;PdaNet Modem;C:\WINDOWS\system32\DRIVERS\pnetmdm.sys [2006-09-28 15:32]

S3 pgfilter;pgfilter;C:\Program Files\PeerGuardian2\pgfilter.sys [2005-09-18 18:02]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}]

\Shell\AutoRun\command - E:\setupSNK.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}]

\Shell\AutoRun\command - setupSNK.exe

 

.

**************************************************************************

 

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-24 20:39:20

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

C:\WINDOWS\system32\pprqr.ini 442 bytes

 

scan completed successfully

hidden files: 1

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]

-> C:\WINDOWS\system32\rqrpp.dll

.

Completion time: 2007-12-24 20:42:25 - machine was rebooted

C:\ComboFix2.txt ... 2007-12-24 01:34

.

2007-12-21 14:19:06 --- E O F ---

 

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:50:04 PM, on 12/24/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\PccGuide .exe

C:\Program Files\Synaptics\SynTP\SynTPLpr .exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh .exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey .exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ltmoh\Ltmoh .exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe

C:\Program Files\Toshiba\Tvs\TvsTray .exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe

C:\WINDOWS\system32\TPSMain.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe

C:\WINDOWS\SM1BG .EXE

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\MXOALDR .EXE

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe

C:\Program Files\Microsoft ActiveSync\wcescomm .exe

C:\WINDOWS\system32\RAMASST.exe

C:\PROGRA~1\MICROS~4\rapimgr.exe

C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe

C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress .exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\BitTorrent_DNA\dna.exe

C:\Program Files\BitTorrent_DNA\dna .exe

C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart

F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run

O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe

O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe

O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE

O4 - HKLM\..\Run: [intelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"

O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE

O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna .exe"

O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer

O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe

O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab

O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe

O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe

O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe

O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

 

--

End of file - 10939 bytes

Edited by LS CalamityJane
Replaced personal name in log with {owner}


Hi, psywzrd

 

 

1. Close any open browsers.

 

2. Open Notepad and copy/paste the text in the quote box below into it (but don't include the word "quote"). Make sure to use Notepad and nothing else.

 

File::

C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\njprckha

C:\WINDOWS\system32\pprqr.ini

 

Folder::

C:\WINDOWS\ppqvmpqr

 

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE3469A0-D7BC-432E-A7C4-29F6821FC8B8}]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]

"load"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

 

 

Save this as CFScript.txt, in the same location as ComboFix.exe

 

CFScript.gif

 

Referring to the picture above, drag CFScript into ComboFix.exe

 

 

When finished, it will produce a log for you at "C:\ComboFix.txt"

 

 

Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

 

 

Then come back here with both the HijackThis log and ComboFix.txt

 

 

Gogo :blink:

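The logs in this thread show three Vundo/Virtumonde artefacts that are easy to miss by eye: impostor copies of legitimate programs whose filename carries a space before the extension (`hkcmd .exe` beside `hkcmd.exe`), a `win.ini` `load=` autostart (the F3 line), and an extra entry appended to the LSA "Authentication Packages" value, which is what the `hex(7):6d,73,76,31,5f,30,00,00` line in the CFScript resets. The script below is an added triage example, not part of anyone's post or of HijackThis/ComboFix; its sample lines are copied from the logs above, and it assumes ComboFix's REGEDIT4-style (8-bit) hex(7) encoding and no spaces inside Authentication Packages entries.

```python
"""Triage helpers for the HijackThis / ComboFix artefacts posted in this thread.

Added example (not from the thread or either tool). Checks three things the
logs above exhibit: filenames with a space before the extension, a win.ini
load= autostart, and extra LSA "Authentication Packages" entries.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = [
    r"C:\WINDOWS\system32\hkcmd.exe",
    r"C:\WINDOWS\system32\hkcmd .exe",
    r"C:\WINDOWS\system32\cmd .exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe",
    r'O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray',
    r"O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r"Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp",
]

# The value the CFScript in this thread writes back (REGEDIT4-style hex(7)).
CFSCRIPT_AUTH_PACKAGES = "hex(7):6d,73,76,31,5f,30,00,00"

# A non-space character, one space, then ".exe"/".dll": "Smax4 .exe" matches, "Smax4.exe" does not.
SPACED_EXT = re.compile(r"\S \.(?:exe|dll)\b", re.IGNORECASE)
# Full path from the drive letter up to and including the spaced extension.
SPACED_PATH = re.compile(r"[A-Za-z]:\\.*? \.(?:exe|dll)", re.IGNORECASE)


def spaced_extension_paths(lines: List[str]) -> List[str]:
    """Return paths whose basename has a space right before the extension (impostor copies)."""
    hits = []
    for line in lines:
        if SPACED_EXT.search(line):
            m = SPACED_PATH.search(line)
            if m:
                hits.append(m.group(0))
    return hits


def win_ini_load(lines: List[str]) -> List[str]:
    """Return targets of win.ini 'load=' entries (HijackThis F3 lines); normally empty on XP."""
    out = []
    for line in lines:
        m = re.match(r"F3 - REG:win\.ini: load=(.+)$", line)
        if m:
            out.append(m.group(1).strip())
    return out


def decode_reg_multi_sz(value: str) -> List[str]:
    """Decode a REGEDIT4-style hex(7) value: 8-bit chars, NUL-separated, double-NUL terminated."""
    if not value.lower().startswith("hex(7):"):
        raise ValueError("not a hex(7) value")
    raw = bytes.fromhex(value[len("hex(7):"):].replace(",", ""))
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def auth_packages_from_log(lines: List[str]) -> List[str]:
    """Parse ComboFix's 'Authentication Packages REG_MULTI_SZ a b ...' line (assumes no spaces in entries)."""
    for line in lines:
        if line.startswith("Authentication Packages REG_MULTI_SZ"):
            return line.split()[3:]
    return []


def unexpected_auth_packages(packages: List[str], allowed=("msv1_0",)) -> List[str]:
    """Anything beyond msv1_0 here is a DLL that LSA loads into lsass.exe at every boot."""
    return [p for p in packages if p.lower() not in allowed]


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Run all three checks over a list of log lines."""
    return {
        "spaced_extension": spaced_extension_paths(lines),
        "win_ini_load": win_ini_load(lines),
        "extra_auth_packages": unexpected_auth_packages(auth_packages_from_log(lines)),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
    print("CFScript restores Authentication Packages to:",
          decode_reg_multi_sz(CFSCRIPT_AUTH_PACKAGES))
```

Run against a full saved HijackThis or ComboFix log by splitting it into lines and passing them to `triage()`.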

ComboFix 07-12-21.4 - {owner} 2007-12-27 12:38:19.4 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.244 [GMT -5:00]

Running from: C:\Documents and Settings\{owner}\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\{owner}\Desktop\CFScript.txt

* Created a new restore point

 

FILE

C:\WINDOWS\system32\njprckha

C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\rqrpp.dll

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\ppqvmpqr

C:\WINDOWS\ppqvmpqr\1.png

C:\WINDOWS\ppqvmpqr\2.png

C:\WINDOWS\ppqvmpqr\3.png

C:\WINDOWS\ppqvmpqr\4.png

C:\WINDOWS\ppqvmpqr\5.png

C:\WINDOWS\ppqvmpqr\6.png

C:\WINDOWS\ppqvmpqr\bottom-rc.gif

C:\WINDOWS\ppqvmpqr\content.png

C:\WINDOWS\ppqvmpqr\download.gif

C:\WINDOWS\ppqvmpqr\frame-bottom-left.gif

C:\WINDOWS\ppqvmpqr\frame-h1bg.gif

C:\WINDOWS\ppqvmpqr\head.png

C:\WINDOWS\ppqvmpqr\indexuc.html

C:\WINDOWS\ppqvmpqr\indexud.html

C:\WINDOWS\ppqvmpqr\main.css

C:\WINDOWS\ppqvmpqr\net.png

C:\WINDOWS\ppqvmpqr\pc-mag.gif

C:\WINDOWS\ppqvmpqr\pc.gif

C:\WINDOWS\ppqvmpqr\poloska1.png

C:\WINDOWS\ppqvmpqr\poloska2.png

C:\WINDOWS\ppqvmpqr\poloska3.png

C:\WINDOWS\ppqvmpqr\promouc1.html

C:\WINDOWS\ppqvmpqr\promouc2.html

C:\WINDOWS\ppqvmpqr\promouc3.html

C:\WINDOWS\ppqvmpqr\promouc4.html

C:\WINDOWS\ppqvmpqr\promouc5.html

C:\WINDOWS\ppqvmpqr\promoud1.html

C:\WINDOWS\ppqvmpqr\promoud2.html

C:\WINDOWS\ppqvmpqr\promoud3.html

C:\WINDOWS\ppqvmpqr\promoud4.html

C:\WINDOWS\ppqvmpqr\promoud5.html

C:\WINDOWS\ppqvmpqr\reg.png

C:\WINDOWS\ppqvmpqr\repair.png

C:\WINDOWS\ppqvmpqr\scr-1.png

C:\WINDOWS\ppqvmpqr\scr-2.png

C:\WINDOWS\ppqvmpqr\styles.css

C:\WINDOWS\ppqvmpqr\top-rc.gif

C:\WINDOWS\ppqvmpqr\vline.gif

C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\rqrpp.dll

 

.

((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))

.

 

2007-12-27 12:49 . 2007-12-27 12:49 331,776 --------- C:\WINDOWS\system32\rqrpp.dll

2007-12-27 12:49 . 2007-12-27 12:53 493 --ahs---- C:\WINDOWS\system32\pprqr.ini2

2007-12-27 12:29 . 2007-12-27 12:34 143 --a------ C:\WINDOWS\system32\mcrh.tmp

2007-12-26 13:38 . 2007-12-27 12:50 335,360 --a------ C:\WINDOWS\system32\rqrpp.exe

2007-12-26 11:35 . 2007-12-26 13:37 <DIR> d-------- C:\VundoFix Backups

2007-12-26 11:14 . 2007-12-27 12:50 388,608 --a------ C:\WINDOWS\system32\cmd .exe

2007-12-22 23:11 . 2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group

2007-12-21 23:45 . 2007-12-21 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT

2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6

2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft

2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder

2007-12-20 18:14 . 2007-12-20 18:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel

2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS

2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver

2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba

2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec

2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit

2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo

2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust

2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL

2007-12-19 20:48 . 2007-12-19 20:48 <DIR> d-------- C:\WINDOWS\system32\njprckha

2007-12-19 19:45 . 2007-12-22 23:04 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe

2007-12-19 19:43 . 2007-12-27 11:18 94,208 --a------ C:\WINDOWS\MXOALDR .EXE

2007-12-19 19:42 . 2007-12-27 11:17 94,208 --a------ C:\WINDOWS\SM1BG .EXE

2007-12-19 19:41 . 2007-12-22 14:00 339,968 --a------ C:\WINDOWS\system32\hphmon04 .exe

2007-12-19 19:39 . 2007-12-22 13:58 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe

2007-12-19 19:39 . 2007-12-22 13:57 126,976 --a------ C:\WINDOWS\system32\hkcmd .exe

2007-12-17 20:10 . 2007-12-17 21:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2007-12-17 20:10 . 2007-12-17 20:10 1,409 --a------ C:\WINDOWS\QTFont.for

2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect

2007-12-06 17:28 . 2007-12-27 11:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp

2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor

2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks

2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-27 17:50 --------- d-----w C:\Program Files\QuickTime

2007-12-27 17:49 430,592 ----a-w C:\WINDOWS\SM1BG.EXE

2007-12-27 17:49 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE

2007-12-27 17:49 --------- d-----w C:\Program Files\Notebook Maximizer

2007-12-27 17:49 --------- d-----w C:\Program Files\Microsoft ActiveSync

2007-12-27 17:49 --------- d-----w C:\Program Files\ltmoh

2007-12-27 17:34 --------- d-----w C:\Program Files\BitTorrent_DNA

2007-12-23 04:50 --------- d-----w C:\Documents and Settings\{{owner}}\Application Data\BitTorrent DNA

2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro

2007-12-20 23:41 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys

2007-12-19 13:53 --------- d-----w C:\Program Files\eMule

2007-12-19 03:47 --------- d-----w C:\Documents and Settings\{owner}\Application Data\BitTorrent

2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN

2007-11-18 20:14 --------- d-----w C:\Program Files\iNav

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile

2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools

2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2

2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent

2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000

2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\{owner}\GoToAssist_chat2way__317_en.exe

2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\{owner}\chatlnk.exe

2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{464E825D-3523-410E-970A-1C5676F49F0A}]

2007-12-27 12:49 331776 --------- C:\WINDOWS\system32\rqrpp.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-27 12:49]

"OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00]

"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [2007-12-27 12:49]

"SpriteService"="" []

"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna .exe" []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []

"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-27 12:49]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-27 12:49]

"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2007-12-27 12:49]

"NDSTray.exe"="NDSTray.exe" []

"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-12-27 12:49]

"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]

"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-12-27 12:49]

"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2007-12-27 12:49]

"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2007-12-27 12:49]

"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2007-12-27 12:58]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" []

"TFncKy"="TFncKy.exe" []

"TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]

"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []

"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2007-12-27 12:49]

"Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2007-12-27 12:49]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" []

"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" []

"pccguide.exe"="C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe" [2007-12-27 12:49]

"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2007-12-27 12:49]

"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-12-27 12:49]

"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-12-27 12:49]

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-12-27 12:49]

"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-12-27 12:49]

"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-12-27 12:49]

"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" []

"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2007-12-27 12:49]

"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2007-12-27 12:50]

"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-27 13:01]

 

C:\Documents and Settings\{owner}\Start Menu\Programs\Startup\

Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34]

PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2006-01-27 05:12 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

 

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]

"load"=C:\WINDOWS\system32\rqrpp.exe

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]

2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]

2005-10-04 18:09 57344 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

C:\Program Files\QuickTime\qttask.exe -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]

2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]

2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]

2005-10-04 18:10 155757 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}]

\Shell\AutoRun\command - E:\setupSNK.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}]

\Shell\AutoRun\command - setupSNK.exe

 

.

**************************************************************************

 

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-27 12:55:02

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-12-27 13:08:04 - machine was rebooted

C:\ComboFix2.txt ... 2007-12-26 11:33

C:\ComboFix3.txt ... 2007-12-24 20:42

.

2007-12-21 14:19:06 --- E O F ---

 

 

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:09:44 PM, on 12/27/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

C:\WINDOWS\system32\fxssvc.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\PccGuide .exe

C:\Program Files\Synaptics\SynTP\SynTPLpr .exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey .exe

C:\Program Files\Synaptics\SynTP\SynTPEnh .exe

C:\Program Files\ltmoh\Ltmoh .exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe

C:\Program Files\Toshiba\Tvs\TvsTray .exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\WINDOWS\system32\TPSMain.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe

C:\WINDOWS\system32\TPSBattM.exe

C:\WINDOWS\SM1BG .EXE

C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe

C:\WINDOWS\MXOALDR .EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe

C:\Program Files\Microsoft ActiveSync\wcescomm .exe

C:\WINDOWS\system32\RAMASST.exe

C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe

C:\PROGRA~1\MICROS~4\rapimgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\RETROS~1\RETROS~1.1\retrospect.exe

C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

C:\Program Files\Trend Micro\HijackThis\psywzrd.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart

F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {464E825D-3523-410E-970A-1C5676F49F0A} - C:\WINDOWS\system32\rqrpp.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run

O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe

O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe

O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE

O4 - HKLM\..\Run: [intelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"

O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE

O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna .exe"

O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer

O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe

O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab

O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe

O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe

O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe

O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

 

--

End of file - 11183 bytes

Edited by LS CalamityJane
Replaced personal name in log with {owner}


Hi psywzrd,

 

Let's update your Java first, then go after it like this.

 

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
      • Java 2 Runtime Environment, SE v1.4.2
      • J2SE Runtime Environment 5.0
      • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

Let me know in your next reply how things are now.

 

==========================

 

Then after updating your Java, not before do this.

 

Open Notepad and copy and paste the following quote box into a new text document. (Don't forget to copy and paste REGEDIT4!)

(Do not copy the word "quote".)

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{464E825D-3523-410E-970A-1C5676F49F0A}]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]

"load"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

 

Save this as fix.reg. Choose to save as "All Files" and place it on your Desktop.

It should look like this:

Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

 

==========================

 

Then let's do this.

 

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

 

Filename: vundofix.vft

Save As Type: All Files (*.*)

 

C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\njprckha

 

 

* Close all other windows and programs.

* Double-click VundoFix.exe to run it.

* Drag vundofix.vft onto the listbox (white box) of VundoFix.

* Click the "Remove Vundo" button.

* You will receive a prompt asking if you want to remove the files, click YES

* Once you click yes, your desktop will go blank as it starts removing Vundo.

* When completed, it will prompt that it will reboot your computer, click OK.

* Please post the contents of C:\vundofix.txt and a new HijackThis log.

 

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

 

===========================

 

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

 

F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe

 

O2 - BHO: (no name) - {464E825D-3523-410E-970A-1C5676F49F0A} - C:\WINDOWS\system32\rqrpp.dll

 

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

 

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

 

Close Hijackthis.

 

 

Gogo :blink:


Hi guys,

 

Sorry for the interruption, but this is a new variant of Vundo that infects your program files and startup programs as well. It will keep reinfecting the machine if you keep at it this way, because neither ComboFix, VundoFix, HijackThis nor any of the other tools you are using right now are able to deal with it entirely at the moment. It is just resurrecting itself with each unsuccessful removal attempt.

 

I can see in your logs that some of your program files ARE infected, and the only way to find all of them is to run an online AV scan with Kaspersky, which is the best one id'ing it right now. Once infected, I don't think it is able to fix all of these either, so I can't guarantee how this computer will run once the infected files are deleted; the programs that need them won't work.

 

These are some of the files I see in that log that are likely infected and causing the reinfection:

 

 

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

 

C:\Program Files\Microsoft ActiveSync\wcescomm .exe

 

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

 

C:\Program Files\ltmoh\Ltmoh.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe

 

C:\TOSHIBA\IVP\ISM\pinger.exe

C:\Program Files\Notebook Maximizer\maximizer_startup.exe

 

C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe

C:\WINDOWS\SM1BG.EXE

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

 

C:\WINDOWS\MXOALDR.EXE

C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe

C:\Program Files\QuickTime\qttask .exe

..............

There are likely others too. As you can see, some of those look pretty vital to the operation of your computer. After uninstalling PC-cillin, since it looks like it may be infected as well, you could try running the free 30-day trial of Kaspersky AV (not the suite - just the AV) with current updates and see if it is able to disinfect the critical files belonging to your legitimate programs, but I can't say for sure, as it might just delete them if it can't disinfect them.

 

Do you have good backups of your data files and important stuff (not program files)? You'll want to make sure also that you have your Windows operating system install CDs or recovery discs, and also the original install media of your programs, since some of them may need to be re-installed.

 

Let me know before we proceed any further because the damage by removal might be unrecoverable for your system.


Hi CJ,

 

As always, a 1000 thanks.

 

Please perform this online scan: Kaspersky Webscan

Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.

Read the Requirements and Privacy statement, then select "Accept"

A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab

Select "Install" to download the ActiveX controls that allow ActiveScan to run.

 

When the download is complete it will say Ready; click "Next".

Select a target to scan: click on "My Computer".

When the scan is complete, choose to save the results as "Save as Text".

Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

 

Gogo ;)


Ok - things seem to have improved significantly (although I'm sure you'll be able to tell me just how close we are to fixing my problems); however, I'm still getting an error message every time my computer reboots (Error loading c:\windows\system32\ndaTqsVqrX.dll. The specified module could not be found). That dll file is definitely not in the specified directory (which makes sense based on the error message). Here are the requested logs:

 

VundoFix V6.7.7

 

Checking Java version...

 

Scan started at 9:01:08 PM 12/22/2007

 

Listing files found while scanning....

 

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\hphmon04.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

C:\WINDOWS\system32\winsfg32.dll

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\dla\tfswctrl.exe Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\hkcmd.exe Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\hphmon04.exe

C:\WINDOWS\system32\hphmon04.exe Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxtray.exe Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.dll Could not be deleted.

 

Attempting to delete C:\WINDOWS\system32\rqrpp.exe

C:\WINDOWS\system32\rqrpp.exe Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\winsfg32.dll

C:\WINDOWS\system32\winsfg32.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

 

VundoFix V6.7.7

 

Checking Java version...

 

Scan started at 10:24:56 PM 12/23/2007

 

Listing files found while scanning....

 

C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.exe

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.dll Could not be deleted.

 

Attempting to delete C:\WINDOWS\system32\rqrpp.exe

C:\WINDOWS\system32\rqrpp.exe Has been deleted!

 

Performing Repairs to the registry.

Done!

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

 

VundoFix V6.7.7

 

Checking Java version...

 

Scan started at 11:35:18 AM 12/26/2007

 

Listing files found while scanning....

 

C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.exe

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.dll Could not be deleted.

 

Attempting to delete C:\WINDOWS\system32\rqrpp.exe

C:\WINDOWS\system32\rqrpp.exe Has been deleted!

 

Performing Repairs to the registry.

Done!

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\mcrh.tmp Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.dll Could not be deleted.

 

Attempting to delete C:\WINDOWS\system32\rqrpp.exe

C:\WINDOWS\system32\rqrpp.exe Has been deleted!

 

Performing Repairs to the registry.

Done!

 

VundoFix V6.7.7

 

Checking Java version...

 

Scan started at 4:11:40 PM 12/27/2007

 

Listing files found while scanning....

 

C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.exe

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini

C:\WINDOWS\system32\pprqr.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\pprqr.ini2

C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\rqrpp.dll

C:\WINDOWS\system32\rqrpp.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\rqrpp.exe

C:\WINDOWS\system32\rqrpp.exe Has been deleted!

 

Performing Repairs to the registry.

Done!

 

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:16:44 PM, on 12/27/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

C:\WINDOWS\system32\svchost.exe

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\WINDOWS\system32\TPSMain.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr .exe

C:\Program Files\Synaptics\SynTP\SynTPEnh .exe

C:\TOSHIBA\IVP\ISM\pinger .exe

C:\WINDOWS\SM1BG .EXE

C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe

C:\WINDOWS\system32\RAMASST.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\psywzrd.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart

F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {B93D6D28-77CF-4293-B9FD-919F1183C211} - C:\WINDOWS\system32\rqrpp.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe

O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow

O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer

O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe

O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab

O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

 

--

End of file - 6849 bytes

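The helpers in this thread are reading the logs by eye for a few tells: file names padded with whitespace before the extension (SynTPLpr .exe, Smax4 .exe) sitting next to the genuine binary, the F3 win.ini load= entry, a BHO with no name, and the HKLM Policies\Explorer\Run entry that starts a DLL through rundll32. The script below, an added example and not a tool from the thread or from Lavasoft, applies those same checks to HijackThis lines and to Kaspersky report lines; the sample lines are constructed from the logs posted in this thread and the rule names are my own.

```python
"""Triage helpers for HijackThis and Kaspersky log lines (added example).

Rules (names are mine, not a HijackThis or Kaspersky category):
  padded_name  - file name whose stem is separated from its extension by
                 whitespace, e.g. 'SynTPLpr .exe' next to SynTPLpr.exe
  win_ini_load - F3 entry: win.ini load= starts a program at logon
  nameless_bho - O2 entry: Browser Helper Object with no name
  policies_run - O4 entry under HKLM\\..\\Policies\\Explorer\\Run
"""
import re

# Drive-letter path ending in a short extension; the \s* before the dot lets
# a padded name such as 'SynTPLpr .exe' be captured as one path.
_PATH = re.compile(r'[A-Za-z]:\\[^",\t]*?\s*\.[A-Za-z0-9]{1,4}(?=["\s,]|$)')
# Stem, then whitespace, then the extension, at the end of a file name.
_PADDED = re.compile(r'\S\s+\.[A-Za-z0-9]{1,4}$')
# Kaspersky report line: <object path>\tInfected: <verdict>\t<action>
_KAV_LINE = re.compile(r'^(?P<path>.+?)\tInfected: (?P<verdict>\S+)\t(?P<action>\S+)$')

# Constructed sample, modelled on the HijackThis log posted above.
HJT_SAMPLE = r'''
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\WINDOWS\SM1BG .EXE
C:\WINDOWS\system32\ctfmon.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B93D6D28-77CF-4293-B9FD-919F1183C211} - C:\WINDOWS\system32\rqrpp.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
'''

# Constructed sample, modelled on the Kaspersky report posted further down.
_VERDICT = "Infected: not-a-virus:AdWare.Win32.Virtumonde.cli\tskipped"
KAV_SAMPLE = "\n".join([
    "C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4\t\t\t.exe\t" + _VERDICT,
    "C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4\t .exe\t" + _VERDICT,
    "C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4  .exe\t" + _VERDICT,
    "C:\\Program Files\\BitTorrent_DNA\\dna.exe\t" + _VERDICT,
    "C:\\Documents and Settings\\{owner}\\Application Data\\Sun\\Java\\Deployment"
    "\\cache\\javapi\\v1.0\\jar\\cnte-dhncgts.jar-2df40f00-36d53853.zip"
    "\tZIP: infected - 3\tskipped",
])


def padded_name(path):
    """True for 'C:\\dir\\Smax4 .exe', False for 'C:\\dir\\Smax4.exe'."""
    return bool(_PADDED.search(path.rsplit('\\', 1)[-1]))


def canonical_path(path):
    """Drop the whitespace padding so a look-alike folds onto the name it imitates."""
    folder, sep, name = path.rpartition('\\')
    return folder + sep + re.sub(r'\s+(?=\.[A-Za-z0-9]{1,4}$)', '', name)


def triage_hjt(log_text):
    """Return (rule, detail) pairs, in log order, for lines worth a second look."""
    hits = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith('F3 - REG:win.ini: load='):
            hits.append(('win_ini_load', line.split('load=', 1)[1]))
        elif line.startswith('O2 - BHO: (no name)'):
            hits.append(('nameless_bho', line.rsplit(' - ', 1)[-1]))
        elif line.startswith('O4 - ') and '\\Policies\\Explorer\\Run' in line:
            hits.append(('policies_run', line.split(': ', 1)[1]))
        for path in _PATH.findall(line):
            if padded_name(path):
                hits.append(('padded_name', path))
    return hits


def collapse_kaspersky(report_text):
    """Group Kaspersky 'Infected:' objects under the file name they imitate.

    Returns {canonical_path: {'verdicts': set, 'padded_copies': int,
    'exact': bool}}. 'exact' is True only when the unpadded file itself was
    reported, so a program whose look-alikes are padded but whose own binary
    is not in the report (Smax4.exe here) is told apart from an object
    reported under its exact name (dna.exe here).
    """
    out = {}
    for line in report_text.splitlines():
        m = _KAV_LINE.match(line)
        if not m:            # header, statistics, ZIP summary lines, etc.
            continue
        path = m.group('path')
        entry = out.setdefault(canonical_path(path),
                               {'verdicts': set(), 'padded_copies': 0, 'exact': False})
        entry['verdicts'].add(m.group('verdict'))
        if padded_name(path):
            entry['padded_copies'] += 1
        else:
            entry['exact'] = True
    return out


if __name__ == '__main__':
    for rule, detail in triage_hjt(HJT_SAMPLE):
        print(f'{rule:13} {detail}')
    for path, info in collapse_kaspersky(KAV_SAMPLE).items():
        print(f"{info['padded_copies']} padded copies, exact={info['exact']}: {path}")
```

Feeding the full HijackThis log and the full Kaspersky text report through the two functions gives a short list of entries to ask about, instead of scanning hundreds of near-identical Smax4 lines by hand.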

I posted my latest logs before I saw Jane's message above. While I was waiting for HJThis to get back to me about this, I uninstalled several programs that appeared to be infected. They are as follows:

 

Intel® PROSet/Wireless Software

Maxtor OneTouch

Microsoft ActiveSync

Notebook Maximizer

QuickTime

Retrospect Express HD 1.1

ScanSoft OmniPage Pro 14.0

ScanSoft PaperPort 11

SoundMAX

Trend Micro PC-cillin Internet Security 2007

Viewpoint Media Player

 

I am running a Kaspersky scan as I type this (I'm posting from a different computer). It's just 6% done and it has already found 3 viruses and 13 infected objects. As far as having backups of my data, I had been running nightly backups up until the time my computer started showing signs of infection; therefore, I'm a little worried that my backups may be infected as well. I do have my recovery discs etc. but I obviously prefer to try to fix this without resorting to that because I don't have much confidence in my backups at this point.

 

I'll let this Kaspersky scan run its course and wait to hear back from you guys on how to proceed.

Edited by psywzrd


Ok - I'm sorry for the new interruption now, but I need to get some copies of files please for analysis. You can do this after you finish the KAV scan because it won't delete anything at the moment - we're just having you run that to get an idea of what files are definitely infected.

 

As for your backups - they may well be infected too. For any programs removed, I would suggest (after this PC is clean) reinstalling via original media and not from any backups. I just wanted to make sure that you have recovery discs, install discs - whatever you might need in case something goes wrong on removal. I have already noticed that VundoFix removed some files that we need to look at to see if they are clean or not.

 

Go to this folder: C:\VundoFix Backups

 

 

Right-click on it. Choose "Send to compressed (zipped) folder" and that will make a zip file in the same location, i.e.:

C:\VundoFix Backups.zip

 

 

Please go here to upload a suspicious file for analysis.

http://www.uploadmalware.com/

 

* Enter your username from this forum as: psywzrd at LS

 

* Copy and paste the link to this thread: http://www.lavasoftsupport.com/index.php?showtopic=14873

 

* Click "Browse" on field 1.

Browse to the following file and click the file with your mouse, press "Open"

C:\VundoFix Backups.zip (that's the zip file you just made)

 

* In the comments, please mention that I asked you to upload this file

 

* Click on Send File

.................

Now please repeat the above for this file (you don't need to put it in a zip) - just upload it as you did above

 

C:\WINDOWS\system32\rqrpp.exe

 

and this one also please

 

C:\WINDOWS\system32\rqrpp.dll <---Edit: fixed the name on that one

Edited by LS CalamityJane

Regarding the last step in your post, did you mean rqrpp.exe and rqrpp.dll?

Yes, sorry and we got it - thanks ;)

 

Now, a question. Did you by chance delete the VundoFix Backups folder previously?

 

The files I wanted to look at were presumably deleted in the prior run of VundoFix on the 22nd. These were not in the backups folder you uploaded and should be if you did not delete the first backups folder:

 

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\hphmon04.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

C:\WINDOWS\system32\winsfg32.dll

 

If you did delete it, would it still be in the recycle bin? If you did not delete it (the first Vundofix backups folder), could you look on your system in those locations listed above and see if they are still there?


I definitely did not delete that VundoFix Backups folder, so I'm not quite sure what happened there. I did look for those files you listed and only found these two:

 

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

 

Also, here are the results of my Kaspersky scan:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, December 27, 2007 10:37:44 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/12/2007
Kaspersky Anti-Virus database records: 498126
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
Z:\

Scan Statistics:
Total number of scanned objects: 71967
Number of viruses found: 7
Number of infected objects: 403
Number of suspicious objects: 0
Duration of the scan process: 02:19:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\image5[1].gif.bac_a01008	Infected: Trojan-Downloader.Win32.Alphabet.gen	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\TMP129.tmp.bac_a01008	Infected: Trojan-Downloader.Win32.Alphabet.gen	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\TMP200B.tmp.bac_a01008	Infected: Trojan-Downloader.Win32.Alphabet.gen	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\TMP206F.tmp.bac_a01008	Infected: Trojan-Downloader.Win32.Alphabet.gen	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\TMP20D2.tmp.bac_a01008	Infected: Trojan-Downloader.Win32.Alphabet.gen	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win1F8E.tmp  .exe.bac_a01008	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win1F8E.tmp .exe.bac_a01008	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win1F8E.tmp.exe.bac_a01008	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win206F.tmp.exe.bac_a01008	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Documents and Settings\{owner}\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2df40f00-36d53853.zip/BnnnnBaa.class	Infected: Trojan.Java.ClassLoader.as	skipped
C:\Documents and Settings\{owner}\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2df40f00-36d53853.zip/VaannnaaBaa.class	Infected: Trojan.Java.ClassLoader.as	skipped
C:\Documents and Settings\{owner}\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2df40f00-36d53853.zip/Bnnnnn.class	Infected: Trojan.Java.ClassLoader.as	skipped
C:\Documents and Settings\{owner}\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2df40f00-36d53853.zip	ZIP: infected - 3	skipped

{snipped locked objects}

C:\Program Files\Analog Devices\SoundMAX\Smax4					.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4				   .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4				  .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4				 .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4				.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4			   .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4			  .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4			 .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4			.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4		   .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4		  .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4		 .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4		.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4	   .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4	  .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4	 .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4	.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4   .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4  .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\BitTorrent_DNA\dna.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\ltmoh\Ltmoh.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Messenger\msmsgs.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Microsoft ActiveSync\wcescomm				   .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Microsoft ActiveSync\wcescomm				  .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Microsoft ActiveSync\wcescomm				 .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Microsoft ActiveSync\wcescomm				.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Microsoft ActiveSync\wcescomm			   .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Microsoft ActiveSync\wcescomm			  .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Microsoft ActiveSync\wcescomm			 .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Microsoft ActiveSync\wcescomm			.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Microsoft ActiveSync\wcescomm		   .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Microsoft ActiveSync\wcescomm		  .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Microsoft ActiveSync\wcescomm		 .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Microsoft ActiveSync\wcescomm		.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Microsoft ActiveSync\wcescomm	   .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Microsoft ActiveSync\wcescomm	  .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Microsoft ActiveSync\wcescomm	 .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Microsoft ActiveSync\wcescomm	.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Microsoft ActiveSync\wcescomm   .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Microsoft ActiveSync\wcescomm  .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Microsoft ActiveSync\wcescomm .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask					 .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask					.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask				   .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask				  .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask				 .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask				.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask			   .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask			  .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask			 .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask			.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask		   .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask		  .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask		 .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask		.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask	   .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask	  .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask	 .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask	.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask   .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask  .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask .exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\QuickTime\qttask.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\TOSHIBA\TOSHIBA Applet\thotkey.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drvweg.dll.vir	Infected: Trojan.Win32.Dialer.yz	skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ljjkjgf.dll.vir	Infected: not-a-virus:AdWare.Win32.Virtumonde.cln	skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\OLD54.tmp.vir	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\RCX8C.tmp.vir	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rqrpp.exe.vir	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\qoobox\Quarantine\catchme2007-12-24_203800.27.zip/rqrpp.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.clc	skipped
C:\qoobox\Quarantine\catchme2007-12-24_203800.27.zip/xxyyvuv.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.cln	skipped
C:\qoobox\Quarantine\catchme2007-12-24_203800.27.zip	ZIP: infected - 2	skipped
C:\qoobox\Quarantine\catchme2007-12-27_154140.12.zip/rqrpp.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.clc	skipped
C:\qoobox\Quarantine\catchme2007-12-27_154140.12.zip	ZIP: infected - 1	skipped
C:\SDFix\backups_old1\backups.zip/backups/ctfmon.exe.tmp	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\SDFix\backups_old1\backups.zip/backups/spoolsv.exe	Infected: Trojan-Downloader.Win32.Alphabet.gen	skipped
C:\SDFix\backups_old1\backups.zip	ZIP: infected - 2	skipped

{snipped system volume information folder objects}

C:\TOSHIBA\IVP\ISM\pinger.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\VundoFix Backups\rqrpp.dll.bad	Infected: not-a-virus:AdWare.Win32.Virtumonde.clc	skipped
C:\VundoFix Backups\rqrpp.exe.bad	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\MXOALDR.EXE	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SM1BG.EXE	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped
C:\WINDOWS\system32\cmd.exe.tmp	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\default	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\system	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\ctfmon.exe.tmp	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\WINDOWS\system32\drivers\sptd.sys	Object is locked	skipped
C:\WINDOWS\system32\ebgkpsie.exe	Infected: Trojan-Downloader.Win32.Agent.gwe	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\system32\rqrpp.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.clc	skipped
C:\WINDOWS\system32\rqrpp.exe	Infected: not-a-virus:AdWare.Win32.Virtumonde.cli	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\wiadebug.log	Object is locked	skipped
C:\WINDOWS\wiaservc.log	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped

Scan process completed.

Edited by LS CalamityJane
Snipped log


OK, the KAV scan log shows us what we are dealing with here. You can see with each unsuccessful removal the infection has created a new infected file and added spaces to the file name just before the extension.

Tools that have been used so far are not dealing with the infection properly at the moment, including VundoFix, SDFix, ComboFix, etc. In some cases they are replacing an infected file with just another infected file. So I believe your best shot at this is going to be an antivirus solution. There may not be a clean replacement file on the system for each infected file found, and it is quite possible that it may render many programs inoperable. Hopefully, those can be reinstalled and Windows File Protection will cover any system files.

I really think your best shot at getting this is to download, update and run the Kaspersky free trial AV and see if it is able to disinfect and remove the infected files. I can't guarantee the results because this is just too new to have been tested fully.

For best results after installing and updating the KAV AV 7.0 - run the actual scan (full system scan) in SAFE MODE.

Here is a link to the KAV free trial if you want to try that. Get the AV only (not the suite).

(There may be other antivirus solutions available; however, I'm only aware of this one at this time - I'll be looking for others.)

This is a free personal trial for 30 days, get the 2nd one down in this list:

Kaspersky Anti-Virus 7.0

http://www.kaspersky.com/trials
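As an added example (not part of the thread or of any tool named in it), here is a small Python script that parses KAV-style scan log lines and groups the "Infected" entries by their de-padded file name, so copies that differ only by whitespace inserted before the extension stand out as one family. The tab-separated layout (path, status, action) and the sample lines are constructed to mirror the log posted above.

```python
import re
from collections import defaultdict

# Constructed sample in the KAV log layout seen in the thread:
# <path> TAB <status> TAB <action>. Paths and verdicts are illustrative.
SAMPLE_LOG = """\
C:\\Program Files\\QuickTime\\qttask     .exe\tInfected: not-a-virus:AdWare.Win32.Virtumonde.cli\tskipped
C:\\Program Files\\QuickTime\\qttask  .exe\tInfected: not-a-virus:AdWare.Win32.Virtumonde.cli\tskipped
C:\\Program Files\\QuickTime\\qttask.exe\tInfected: not-a-virus:AdWare.Win32.Virtumonde.cli\tskipped
C:\\WINDOWS\\system32\\config\\SAM\tObject is locked\tskipped
C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe\tInfected: not-a-virus:AdWare.Win32.Virtumonde.cli\tskipped
"""

# A basename whose stem is followed by whitespace and then an extension.
PADDED_NAME = re.compile(r"^(?P<stem>.*?\S)(?P<pad>\s+)(?P<ext>\.[A-Za-z0-9]+)$")


def parse_kav_line(line):
    """Split one log line into path/status/action; None if it is not a record."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 3:
        return None
    return {"path": parts[0], "status": parts[1], "action": parts[2]}


def normalized_name(path):
    """Return (directory, basename with padding removed, number of pad chars)."""
    directory, _, name = path.rpartition("\\")
    m = PADDED_NAME.match(name)
    if not m:
        return directory, name, 0
    return directory, m.group("stem") + m.group("ext"), len(m.group("pad"))


def find_padded_clones(log_text):
    """Map each de-padded path to the sorted pad lengths of its 'Infected'
    entries, keeping only names that occur in a padded form at least once."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_kav_line(line)
        if rec is None or not rec["status"].startswith("Infected:"):
            continue  # locked objects and non-records are not of interest here
        directory, clean, pad = normalized_name(rec["path"])
        groups[directory + "\\" + clean].append(pad)
    return {k: sorted(v) for k, v in groups.items() if any(p > 0 for p in v)}


if __name__ == "__main__":
    for clean_path, pads in find_padded_clones(SAMPLE_LOG).items():
        print(f"{clean_path}: {len(pads)} copies, pad lengths {pads}")
```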


Just a note to add - I'm going to go in and snip the log posted for repetitive entries (like those in the system restore backups listings) to make it shorter and also to use code tags on it, because the forum software is stripping the extra spaces in some of the file names. You can look at the log itself to see them, and I'll fix the forum post here so they appear in the original format.

To get rid of the infected files in the system volume information folders (the system restore backups), you can do this AFTER the machine is clean (but meanwhile don't use any prior system backup restore points unless there is a major malfunction).

After the machine is clean and running properly - you can turn OFF System Restore and reboot (which deletes all prior system restore points) and then turn it back on again to create a new clean backup. But don't do that yet until we determine how that disinfection goes first. Turning off System Restore will delete ALL backups, and sometimes having even an infected backup is better than no backup at all.


And so you do. Since you indicated you wanted to complete this at the other forum, I'm going to close this one. You didn't tell us you were working on it elsewhere, and the duplicate efforts here are non-productive. I would suggest you show Shaba your KAV scan log.

This topic is now closed to further replies.