Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Suffering from trojans. Help please!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Suffering from trojans. Help please!

Unread postby morty » August 19th, 2008, 1:14 pm

Logfile of HijackThis v1.99.1
Scan saved at 6:01:54 PM, on 8/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Analog Devices\ADSL USB MODEM\dslmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.pimpmysearch.com/home.html?gname=Morty
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [ThpSrv] C:\WINDOWS\system32\thpsrv /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [70a30479] rundll32.exe "C:\WINDOWS\system32\rjuvbijs.dll",b
O4 - HKLM\..\Run: [BM739037e5] Rundll32.exe "C:\WINDOWS\system32\uxdiwkyr.dll",s
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Back2zip.lnk = C:\Program Files\Back2zip\Back2zip.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1775002859
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27845FBC-99C6-4C0E-B907-FD1D2ED9CF94}: NameServer = 195.229.241.222 213.42.20.20
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
Last edited by morty on August 22nd, 2008, 10:02 am, edited 1 time in total.
morty
Regular Member
 
Posts: 32
Joined: August 19th, 2008, 8:57 am
Advertisement
Register to Remove

Re: Suffering from trojans. Help please!

Unread postby morty » August 19th, 2008, 1:25 pm

Hello guys.
Recently I downloaded an E-book from a website which was infected with a trojan that my Norton Internet Security 2008 (which I update everyday) did not detect. It was a slowing my computer a bit at first, but then eventhough my Firewall detected the trojan as Trojan.Vundo and said that it blocked the attack from the source, but my laptop started to get much slower day by day. Since the day before yesterday another threat is being detected with the name of HTTP FAKE SCAN WEBPAGE and unusual and strange things are happening to my computer, the websites close by themselves, a very big number of blank internet explorer windows open and then the whole IEEXPLORER task is closed down, the explorer task is often closed down. The computer freezes a lot and also the number of sent files is often more than the received files in my Modem Status. I was chatting with a friend of mine yesterday and his computer got infected with four different threats( detected). There is another problem which causes my IE explorer to close down about 3 minutes after I opened it.
This is getting worse everyday and I am in need of urgent help.
Thanks and best regards,
morty
morty
Regular Member
 
Posts: 32
Joined: August 19th, 2008, 8:57 am

Re: Suffering from trojans. Help please!

Unread postby chryssi2001 » August 23rd, 2008, 5:51 am

Hello morty,

I will be assisting you with your malware issues.

  • Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any question or you're stuck in there please reply it to me. I will try my best to help you!
  • Please bookmark or favourite this page. In case you need it as reference or etc.
----------------------------------------------
REMOVE P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitComet

Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.
----------------------------------------------
RENAME HIJACKTHIS

There is some infection hiding in your log.

Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to: C:\Program Files\Hijackthis\HijackThis.exe

Right-click on HijackThis.exe & select Rename to scanner.exe.

Do not run HijackThis yet.
----------------------------------------------
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
----------------------------------------------
Please visit this webpage for instructions for downloading ComboFix at your DESKTOP:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
----------------------------------------------
Post back:
Malwarebytes' Anti-Malware report.
Combofix report.
A new HijackThis log.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Suffering from trojans. Help please!

Unread postby morty » August 23rd, 2008, 6:02 am

thanks very much for the reply!
I shall follow your steps thoroughly this afternoon. Thanks again.
Morty
morty
Regular Member
 
Posts: 32
Joined: August 19th, 2008, 8:57 am

Re: Suffering from trojans. Help please!

Unread postby chryssi2001 » August 23rd, 2008, 6:43 am

Ok!! :)
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Suffering from trojans. Help please!

Unread postby morty » August 23rd, 2008, 2:55 pm

Ok I did as you said till the Malwarebytes Anti-malware bit. I also removed Bitcomet. H ere is the Malwarebytes Anti Malware log: -

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

10:38:44 PM 8/23/2008
mbam-log-08-23-2008 (22-38-44).txt

Scan type: Quick Scan
Objects scanned: 95806
Time elapsed: 25 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 9
Registry Keys Infected: 21
Registry Values Infected: 7
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 105

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\awtqoMgd.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\etabksuh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fhyuanhl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\omksfecq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pmnljJBu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vbolmkck.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vteitkio.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mlJddcCS.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ssqPhETK.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{302d0486-3f1f-45ef-8c95-93aad2837ece} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{302d0486-3f1f-45ef-8c95-93aad2837ece} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b7dd0f86-861c-4897-bd49-27b021bc863e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b7dd0f86-861c-4897-bd49-27b021bc863e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{db80ff64-932a-4c4b-a502-66d1f2e9b0be} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljddccs (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{db80ff64-932a-4c4b-a502-66d1f2e9b0be} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4358f465-929a-44fd-b1ef-addbcce01926} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4358f465-929a-44fd-b1ef-addbcce01926} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{58befbbc-b854-4adc-8683-94a03c2e374d} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{58befbbc-b854-4adc-8683-94a03c2e374d} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cd989e2e-cc59-4ad9-bea3-3e44ecc7b340} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cd989e2e-cc59-4ad9-bea3-3e44ecc7b340} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\70a30479 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{db80ff64-932a-4c4b-a502-66d1f2e9b0be} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm739037e5 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\pmnljjbu -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\pmnljjbu -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\USER\Application Data\Microsoft\dtsc (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\pmnljJBu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\uBJjlnmp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uBJjlnmp.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtqoMgd.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\dgMoqtwa.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dgMoqtwa.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJddcCS.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\byXpPfGx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xGfPpXyb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xGfPpXyb.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbXNGvTN.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NTvGNXbc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NTvGNXbc.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\etabksuh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\huskbate.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fhyuanhl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lhnauyhf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fnjqstfs.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sftsqjnf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fpqsrewf.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fwersqpf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnkICsR.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\RsCIknnn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\RsCIknnn.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\omksfecq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qcefskmo.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnKCttU.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UttCKnmp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UttCKnmp.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rjuvbijs.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sjibvujr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uypnxsuc.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cusxnpyu.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vbolmkck.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kckmlobv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vteitkio.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\oiktietv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUmLfef.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fefLmUtv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fefLmUtv.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUmMCtT.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TtCMmUtv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TtCMmUtv.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wnbgtjja.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ajjtgbnw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUoLcBS.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SBcLoUvw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SBcLoUvw.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayaYqRJ.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\JRqYayay.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\JRqYayay.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rabi Avvali\Local Settings\Temporary Internet Files\Content.IE5\YHX2JI9K\3077htsbdjyf[1].dll (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\system32\frcwhxvw.dll (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\system32\bistsixn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXPFVLF.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cpdvachf.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cpksbvbh.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dxkhrqap.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcBrSkI.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\emploubi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eqkllqkp.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eyloiktw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fjdfiowu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hcaielpy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hlimpcym.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jbxewlxp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jficfnls.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lgurfxtt.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnlKCtq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnmnKEv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pqollsrj.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ptokxutc.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rrkuanap.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spetebcb.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tmgnhmiw.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twkufldo.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqqrspn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\utufvcqw.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUlihiH.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wedpfhoq.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wlvkjhtr.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xjbcurrc.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoyjgvmf.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qpovccqi.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xjemsqne.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xvnualhv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyvtQJC.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ytfybsrp.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\6KAPNP8W\kb456456[1] (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\AD8RKTUT\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\HPKM075B\kb65666[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Rabi Avvali\Local Settings\Temporary Internet Files\Content.IE5\8RHJ2QZP\kb65666[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rabi Avvali\Local Settings\Temporary Internet Files\Content.IE5\8RHJ2QZP\64q33[1].dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rabi Avvali\Local Settings\Temporary Internet Files\Content.IE5\8RHJ2QZP\CAMVOXKZ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rabi Avvali\Local Settings\Temporary Internet Files\Content.IE5\LFJN590Q\kb456456[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rabi Avvali\Local Settings\Temporary Internet Files\Content.IE5\LFJN590Q\kb456456[4] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rabi Avvali\Local Settings\Temporary Internet Files\Content.IE5\YHX2JI9K\CAAJS52N (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rabi Avvali\Local Settings\Temporary Internet Files\Content.IE5\YHX2JI9K\kb65666[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Delete on reboot.
C:\WINDOWS\system32\hcuwewai.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqPhETK.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\BM739037e5.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM739037e5.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Local Settings\Temp\CmdLineExt03.dll (Trojan.Agent) -> Delete on reboot.


I shall follow on to the other steps.
morty
Regular Member
 
Posts: 32
Joined: August 19th, 2008, 8:57 am

Re: Suffering from trojans. Help please!

Unread postby morty » August 24th, 2008, 12:51 am

Ok, this is the Combofix log file: -

ComboFix 08-08-21.02 - USER 2008-08-23 23:20:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1375 [GMT 4:00]
Running from: C:\Documents and Settings\USER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\USER\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\#SharedObjects\K49WBQ9H\interclick.com
C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\#SharedObjects\K49WBQ9H\interclick.com\ud.sol
C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\#SharedObjects\K49WBQ9H\static.youku.com
C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\#SharedObjects\K49WBQ9H\static.youku.com\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\#SharedObjects\K49WBQ9H\static.youku.com\v1.0.0255\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\#SharedObjects\K49WBQ9H\static.youku.com\v1.0.0307\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\#SharedObjects\K49WBQ9H\static.youku.com\v1.0.0311\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\bpibhxyg.ini
C:\WINDOWS\system32\ctueyigt.dll
C:\WINDOWS\system32\drtqhpfu.ini
C:\WINDOWS\system32\dvhlwfun.dll
C:\WINDOWS\system32\ecwsrger.ini
C:\WINDOWS\system32\eexogqlh.ini
C:\WINDOWS\system32\ehjunebt.ini
C:\WINDOWS\system32\gaxvtqfs.dll
C:\WINDOWS\system32\geykaifc.ini
C:\WINDOWS\system32\hdenltjw.dll
C:\WINDOWS\system32\hvkbowuc.ini
C:\WINDOWS\system32\idqkyllg.dll
C:\WINDOWS\system32\okjakdvf.dll
C:\WINDOWS\system32\qshmjdpc.dll
C:\WINDOWS\system32\quuiyqgx.dll
C:\WINDOWS\system32\rcltrtsa.dll
C:\WINDOWS\system32\rfkctjed.dll
C:\WINDOWS\system32\rubmvewf.dll
C:\WINDOWS\system32\syxwglek.ini
C:\WINDOWS\system32\uvrigkib.ini
C:\WINDOWS\system32\uxdiwkyr.dll
C:\WINDOWS\system32\vamldelp.ini
C:\WINDOWS\system32\vboneyaq.dll
C:\WINDOWS\system32\viskvarr.dll
C:\WINDOWS\system32\xmfcslov.dll
C:\WINDOWS\system32\xmilmpkf.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-23 22:48 . 2008-08-23 22:48 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-08-23 19:49 . 2008-08-23 19:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-23 19:49 . 2008-08-23 19:49 <DIR> d-------- C:\Documents and Settings\USER\Application Data\Malwarebytes
2008-08-23 19:49 . 2008-08-23 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-23 19:49 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-23 19:49 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-23 17:24 . 2008-08-23 17:24 <DIR> d-------- C:\Program Files\Eidos
2008-08-23 14:01 . 2008-08-23 14:01 <DIR> d-------- C:\Program Files\Uniblue
2008-08-23 14:01 . 2008-08-23 14:01 <DIR> d-------- C:\Documents and Settings\USER\Application Data\Uniblue
2008-08-22 22:57 . 2008-08-22 22:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-22 18:32 . 2008-08-22 18:32 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-17 20:39 . 2008-08-17 20:39 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-15 18:28 . 2008-08-15 19:06 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-08-15 18:28 . 2008-08-19 15:06 24 --a------ C:\Documents and Settings\USER\jagex_runescape_preferences.dat
2008-08-13 21:31 . 2008-08-13 21:31 1,409 --a------ C:\WINDOWS\system32\tmpD75DC.FOT
2008-08-10 18:48 . 2008-08-10 18:48 1,409 --a------ C:\WINDOWS\system32\tmpC448D.FOT
2008-08-10 09:13 . 2008-08-10 09:13 <DIR> d-------- C:\WINDOWS\Pre-Algebra
2008-08-09 21:43 . 2008-08-09 21:43 <DIR> d-------- C:\WINDOWS\Algebra 1
2008-08-09 21:43 . 2008-08-10 09:13 <DIR> d-------- C:\Program Files\Homeworkhelp.com
2008-08-09 21:43 . 2008-08-09 21:43 84 --a------ C:\WINDOWS\encore_launcher.ini
2008-08-07 17:53 . 2008-08-23 22:50 <DIR> d-------- C:\Documents and Settings\USER\Application Data\skypePM
2008-08-07 17:53 . 2008-08-07 17:53 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-08-07 17:50 . 2008-08-07 17:50 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-08-07 17:50 . 2008-08-23 23:08 <DIR> d-------- C:\Documents and Settings\USER\Application Data\Skype
2008-08-07 17:49 . 2008-08-07 17:50 <DIR> dr------- C:\Program Files\Skype
2008-08-07 17:49 . 2008-08-07 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-07-29 22:10 . 2008-07-29 23:09 376 --a------ C:\WINDOWS\ODBC.INI
2008-07-29 21:55 . 2008-07-29 21:55 <DIR> d-------- C:\Documents and Settings\Rabi Avvali\Application Data\Microsoft Web Folders
2008-07-29 13:42 . 2006-10-04 18:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-07-29 13:42 . 2006-10-04 18:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-07-29 13:42 . 2006-10-04 18:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-07-29 13:41 . 2008-07-29 13:41 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-07-29 13:39 . 2008-07-29 13:40 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 19:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-23 18:48 --------- d-----w C:\Program Files\BitComet
2008-08-23 17:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-23 13:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-22 18:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-17 04:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-30 13:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 13:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 13:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-29 18:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-29 17:55 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-29 10:18 --------- d-----w C:\Program Files\Google
2008-07-29 09:46 --------- d-----w C:\Program Files\DivX
2008-07-20 07:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fitn17
2008-07-09 10:08 --------- d-----w C:\Program Files\Candleworks
2008-07-07 07:30 --------- d-----w C:\Program Files\AP Tuner
2008-07-07 07:27 --------- d-----w C:\Program Files\Guitar Studio
2008-07-07 07:26 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-07-07 07:26 249,856 ------w C:\WINDOWS\Setup1.exe
2008-07-07 07:08 --------- d-----w C:\Program Files\Acoustica Shared Effects
2008-07-07 07:08 --------- d-----w C:\Program Files\Acoustica Mixcraft
2008-06-23 10:58 --------- d-----w C:\Program Files\Mafia
2008-06-23 10:55 --------- d-----w C:\Program Files\Creative
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 14:26 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-11 15:35 68856]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [2008-03-25 10:38 2196280]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 13:39 486856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-07-24 11:26 25506088]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2008-07-23 14:05 1927448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="C:\WINDOWS\system32\thpsrv" [X]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 16:37 174872]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2006-08-07 15:58 253952]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-24 09:40 196608]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-05-11 13:06 143360]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-09-04 17:12 90112]
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE" [2006-03-06 19:30 114688]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 14:42 49152]
"TAudEffect"="C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-09 22:48 344144]
"DDWMon"="C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 14:49 495616]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2006-05-05 20:36 30208]
"topi"="C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-04-02 15:48 577536]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-04-09 18:01 138008]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-04-09 18:00 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-04-09 18:01 138008]
"DpUtil"="C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-08-05 15:54 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 13:15 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 08:53 714608]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-06-19 16:48 851968]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-13 04:05 16125440 C:\WINDOWS\RTHDCPL.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 07:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"TPSODDCtl"="TPSODDCtl.exe" [2007-04-18 16:34 102400 C:\WINDOWS\system32\TPSODDCtl.exe]
"TPSMain"="TPSMain.exe" [2007-04-18 16:34 299008 C:\WINDOWS\system32\TPSMain.exe]
"TOSDCR"="TOSDCR.EXE" [2005-12-12 21:54 57344 C:\WINDOWS\system32\TOSDCR.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"TFncKy"="TFncKy.exe" [BU]
"TFNF5"="TFNF5.exe" [2006-04-11 05:14 622592 C:\WINDOWS\system32\TFNF5.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 16:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 09:01 437160]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-04-24 21:24:00 2756608]
DSLMON.lnk - C:\Program Files\Analog Devices\ADSL USB MODEM\dslmon.exe [2008-01-28 16:55:52 929889]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40 233472]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-05 20:48 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
2006-07-22 06:54 65536 C:\WINDOWS\system32\TosBtNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15018:TCP"= 15018:TCP:BitComet 15018 TCP
"15018:UDP"= 15018:UDP:BitComet 15018 UDP
"18490:TCP"= 18490:TCP:BitComet 18490 TCP
"18490:UDP"= 18490:UDP:BitComet 18490 UDP
"15711:TCP"= 15711:TCP:BitComet 15711 TCP
"15711:UDP"= 15711:UDP:BitComet 15711 UDP

R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\WINDOWS\system32\DRIVERS\thpdrv.sys [2007-04-27 13:19]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\WINDOWS\system32\DRIVERS\Thpevm.SYS [2007-03-09 18:23]
R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2004-06-16 14:08]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 17:50]
R2 FdRedir;FdRedir;C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2006-05-05 21:00]
R2 FileDisk2;FileDisk Protector Kernel Driver;C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2006-05-05 20:59]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 13:15]
R2 smihlp;SMI helper driver;C:\Program Files\Protector Suite QL\smihlp.sys [2006-05-05 20:33]
R2 tdudf;TOSHIBA UDF File System Driver;C:\WINDOWS\system32\DRIVERS\tdudf.sys [2007-03-26 15:22]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;C:\WINDOWS\system32\DRIVERS\trudf.sys [2007-02-19 15:15]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-06-11 00:26]
R3 TEchoCan;Toshiba Audio Effect;C:\WINDOWS\system32\DRIVERS\TEchoCan.sys [2007-02-21 21:20]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-14 13:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11b44fed-014b-11dd-a759-4d6564696130}]
\Shell\AutoRun\command - fooool.exe
\Shell\explore\Command - fooool.exe
\Shell\open\Command - fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11b44fee-014b-11dd-a759-4d6564696130}]
\Shell\AutoRun\command - fooool.exe
\Shell\explore\Command - fooool.exe
\Shell\open\Command - fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{552d7bf0-0a66-11dd-a760-4d6564696130}]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-08-16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-08-18 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - USER.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 05:19]
.
- - - - ORPHANS REMOVED - - - -

BHO-{A46297EB-66C7-4674-A5B8-40C6B4644446} - C:\WINDOWS\system32\awtqoMgd.dll
HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
HKLM-Run-NBKeyScan - C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-9xadiras - 9xadiras.exe
HKLM-Run-DXDllRegExe - dxdllreg.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\ntn7bm02.default\
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava11.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava12.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava13.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava14.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava32.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npoji610.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 23:28:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\System32\davclnt.dll
-> ?:\WINDOWS\System32\davclnt.dll
-> ?:\WINDOWS\System32\davclnt.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\DDWMon.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtHSP.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-08-23 23:36:41 - machine was rebooted [USER]
ComboFix-quarantined-files.txt 2008-08-23 19:36:35

Pre-Run: 9,399,037,952 bytes free
Post-Run: 11,617,730,560 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /forceresetreg

306 --- E O F --- 2008-08-14 03:25:48
morty
Regular Member
 
Posts: 32
Joined: August 19th, 2008, 8:57 am

Re: Suffering from trojans. Help please!

Unread postby morty » August 24th, 2008, 12:54 am

This is the latest scanner.exe (HJT) log file: -

Logfile of HijackThis v1.99.1
Scan saved at 8:52:19 AM, on 8/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\TODDSrv.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Analog Devices\ADSL USB MODEM\dslmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.pimpmysearch.com/home.html?gname=Morty
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [ThpSrv] C:\WINDOWS\system32\thpsrv /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: Back2zip.lnk = C:\Program Files\Back2zip\Back2zip.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1775002859
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27845FBC-99C6-4C0E-B907-FD1D2ED9CF94}: NameServer = 195.229.241.222 213.42.20.20
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\psqlpwd.dll
O20 - Winlogon Notify: TosBtNP - C:\WINDOWS\SYSTEM32\TosBtNP.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
morty
Regular Member
 
Posts: 32
Joined: August 19th, 2008, 8:57 am

Re: Suffering from trojans. Help please!

Unread postby morty » August 24th, 2008, 12:55 am

I am ready for any new instructions.
Thanks
Morty
morty
Regular Member
 
Posts: 32
Joined: August 19th, 2008, 8:57 am

Re: Suffering from trojans. Help please!

Unread postby chryssi2001 » August 24th, 2008, 3:24 am

Hello morty,

Before we proceed i want you to upload some files.
----------------------------------------------
Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:
C:\WINDOWS\system32\tmpD75DC.FOT

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

Repeat the procedure for this file too:
C:\WINDOWS\system32\tmpC448D.FOT


Post back jotti results for both files.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Suffering from trojans. Help please!

Unread postby morty » August 24th, 2008, 3:37 am

C:\WINDOWS\system32\tmpD75DC.FOT


Scan taken on 24 Aug 2008 07:33:36 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
morty
Regular Member
 
Posts: 32
Joined: August 19th, 2008, 8:57 am

Re: Suffering from trojans. Help please!

Unread postby morty » August 24th, 2008, 3:43 am

File: tmpC448D.FOT
Status: OK
MD5: f6bd54f93f8f25af6960a523344d1544
Packers detected: -
Scanner results
Scan taken on 24 Aug 2008 07:39:14 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
morty
Regular Member
 
Posts: 32
Joined: August 19th, 2008, 8:57 am

Re: Suffering from trojans. Help please!

Unread postby chryssi2001 » August 24th, 2008, 3:55 am

Hello morty,

Thanks for Jotti results.
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pimpmysearch.com/home.html?gname=Morty<< fix this line only if you didn't set it as your Start Page
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    Folder::
    C:\Program Files\BitComet
    C:\Program Files\AskTBar
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitComet"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "15018:TCP"=-
    "15018:UDP"=-
    "18490:TCP"=-
    "18490:UDP"=-
    "15711:TCP"=-
    "15711:UDP"=-
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11b44fed-014b-11dd-a759-4d6564696130}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11b44fee-014b-11dd-a759-4d6564696130}]
    
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Update and run again Malwarebytes' Anti-Malware
----------------------------------------------
Post back:
Combofix report.
Malwarebytes' Anti-Malware report.
A new HijackThis log.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Suffering from trojans. Help please!

Unread postby morty » August 24th, 2008, 4:28 am

This is the log file for Combofix: -

ComboFix 08-08-21.02 - USER 2008-08-24 12:13:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1149 [GMT 4:00]
Running from: C:\Documents and Settings\USER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\USER\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AskTBar
C:\Program Files\AskTBar\bar\1.bin\A5POPSWT.DLL
C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
C:\Program Files\AskTBar\bar\Cache\02557075
C:\Program Files\AskTBar\bar\Cache\027D8FC2
C:\Program Files\AskTBar\bar\Cache\0AA745F2
C:\Program Files\AskTBar\bar\Cache\0AAA477A.bin
C:\Program Files\AskTBar\bar\Cache\0AAA5ECA.bin
C:\Program Files\AskTBar\bar\Cache\0AAA6979.bin
C:\Program Files\AskTBar\bar\Cache\0AAA732D.bin
C:\Program Files\AskTBar\bar\Cache\0AAA7A22.bin
C:\Program Files\AskTBar\bar\Cache\0AAA8435.bin
C:\Program Files\AskTBar\bar\Cache\0AAA8F12.bin
C:\Program Files\AskTBar\bar\Cache\0AAA9934.bin
C:\Program Files\AskTBar\bar\Cache\0AAAA326.bin
C:\Program Files\AskTBar\bar\Cache\0AAAADA6.bin
C:\Program Files\AskTBar\bar\Cache\0AAAB603.bin
C:\Program Files\AskTBar\bar\Cache\0AAACC98.bin
C:\Program Files\AskTBar\bar\Cache\0AAAD717.bin
C:\Program Files\AskTBar\bar\Cache\0AAAE10A.bin
C:\Program Files\AskTBar\bar\Cache\0AAAE715.bin
C:\Program Files\AskTBar\bar\Cache\0AAAEF72.bin
C:\Program Files\AskTBar\bar\Cache\0AAAF88A.bin
C:\Program Files\AskTBar\bar\Cache\0AAB0329.bin
C:\Program Files\AskTBar\bar\Cache\0B9F9B9D
C:\Program Files\AskTBar\bar\Cache\files.ini
C:\Program Files\AskTBar\bar\History\search2
C:\Program Files\AskTBar\bar\Settings\prevcfg2.htm
C:\Program Files\AskTBar\PopSwatr\History\allowed
C:\Program Files\AskTBar\PopSwatr\History\notallow
C:\Program Files\BitComet
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\BitComet\BitComet.xml
C:\Program Files\BitComet\Downloads.xml
C:\Program Files\BitComet\fav\passport_info_en_us.mht
C:\Program Files\BitComet\fav\passport_info_zh_cn.mht
C:\Program Files\BitComet\Favourite.xml
C:\Program Files\BitComet\lang\lang_en_us.xml
C:\Program Files\BitComet\rules\dhtnodes.dat
C:\Program Files\BitComet\share\my_shares.xml
C:\Program Files\BitComet\tools\CRASH.DMP
C:\Program Files\BitComet\tools\CRASHLOG.DAT
C:\Program Files\BitComet\tools\CRASHLOG.TXT
C:\Program Files\BitComet\torrents\The.Godfather.Trilogy.1972-1990.DVDRip.x264-iBS.torrent
C:\Program Files\BitComet\torrents\The.Godfather.Trilogy.1972-1990.DVDRip.x264-iBS.xml

.
((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
.

2008-08-24 08:54 . 2008-08-24 08:54 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-23 22:48 . 2008-08-23 22:48 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-08-23 19:49 . 2008-08-23 19:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-23 19:49 . 2008-08-23 19:49 <DIR> d-------- C:\Documents and Settings\USER\Application Data\Malwarebytes
2008-08-23 19:49 . 2008-08-23 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-23 19:49 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-23 19:49 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-23 17:24 . 2008-08-23 17:24 <DIR> d-------- C:\Program Files\Eidos
2008-08-23 14:01 . 2008-08-23 14:01 <DIR> d-------- C:\Program Files\Uniblue
2008-08-23 14:01 . 2008-08-23 14:01 <DIR> d-------- C:\Documents and Settings\USER\Application Data\Uniblue
2008-08-22 22:57 . 2008-08-22 22:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-22 18:32 . 2008-08-22 18:32 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-17 20:39 . 2008-08-17 20:39 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-15 18:28 . 2008-08-15 19:06 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-08-15 18:28 . 2008-08-19 15:06 24 --a------ C:\Documents and Settings\USER\jagex_runescape_preferences.dat
2008-08-13 21:31 . 2008-08-13 21:31 1,409 --a------ C:\WINDOWS\system32\tmpD75DC.FOT
2008-08-10 18:48 . 2008-08-10 18:48 1,409 --a------ C:\WINDOWS\system32\tmpC448D.FOT
2008-08-10 09:13 . 2008-08-10 09:13 <DIR> d-------- C:\WINDOWS\Pre-Algebra
2008-08-09 21:43 . 2008-08-09 21:43 <DIR> d-------- C:\WINDOWS\Algebra 1
2008-08-09 21:43 . 2008-08-10 09:13 <DIR> d-------- C:\Program Files\Homeworkhelp.com
2008-08-09 21:43 . 2008-08-09 21:43 84 --a------ C:\WINDOWS\encore_launcher.ini
2008-08-07 17:53 . 2008-08-24 08:47 <DIR> d-------- C:\Documents and Settings\USER\Application Data\skypePM
2008-08-07 17:53 . 2008-08-07 17:53 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-08-07 17:50 . 2008-08-07 17:50 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-08-07 17:50 . 2008-08-24 11:51 <DIR> d-------- C:\Documents and Settings\USER\Application Data\Skype
2008-08-07 17:49 . 2008-08-07 17:50 <DIR> dr------- C:\Program Files\Skype
2008-08-07 17:49 . 2008-08-07 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-07-29 22:10 . 2008-07-29 23:09 376 --a------ C:\WINDOWS\ODBC.INI
2008-07-29 21:55 . 2008-07-29 21:55 <DIR> d-------- C:\Documents and Settings\Rabi Avvali\Application Data\Microsoft Web Folders
2008-07-29 13:42 . 2006-10-04 18:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-07-29 13:42 . 2006-10-04 18:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-07-29 13:42 . 2006-10-04 18:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-07-29 13:41 . 2008-07-29 13:41 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-07-29 13:39 . 2008-07-29 13:40 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 05:05 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-24 05:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-23 13:48 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-08-23 13:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-22 18:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-17 04:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-30 13:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 13:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 13:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-29 18:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-29 17:55 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-29 10:18 --------- d-----w C:\Program Files\Google
2008-07-29 09:46 --------- d-----w C:\Program Files\DivX
2008-07-20 07:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fitn17
2008-07-09 10:08 --------- d-----w C:\Program Files\Candleworks
2008-07-07 07:30 --------- d-----w C:\Program Files\AP Tuner
2008-07-07 07:27 --------- d-----w C:\Program Files\Guitar Studio
2008-07-07 07:26 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-07-07 07:26 249,856 ------w C:\WINDOWS\Setup1.exe
2008-07-07 07:08 --------- d-----w C:\Program Files\Acoustica Shared Effects
2008-07-07 07:08 --------- d-----w C:\Program Files\Acoustica Mixcraft
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-18 17:52 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-13 10:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 10:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-11 00:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-06-11 00:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 00:04 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-06-09 04:43 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
.

((((((((((((((((((((((((((((( snapshot@2008-08-23_23.36.21.43 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 14:26 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-11 15:35 68856]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 13:39 486856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-07-24 11:26 25506088]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2008-07-23 14:05 1927448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="C:\WINDOWS\system32\thpsrv" [X]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 16:37 174872]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2006-08-07 15:58 253952]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-24 09:40 196608]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-05-11 13:06 143360]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-09-04 17:12 90112]
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE" [2006-03-06 19:30 114688]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 14:42 49152]
"TAudEffect"="C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-09 22:48 344144]
"DDWMon"="C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 14:49 495616]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2006-05-05 20:36 30208]
"topi"="C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-04-02 15:48 577536]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-04-09 18:01 138008]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-04-09 18:00 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-04-09 18:01 138008]
"DpUtil"="C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-08-05 15:54 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 13:15 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 08:53 714608]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-06-19 16:48 851968]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-13 04:05 16125440 C:\WINDOWS\RTHDCPL.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 07:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"TPSODDCtl"="TPSODDCtl.exe" [2007-04-18 16:34 102400 C:\WINDOWS\system32\TPSODDCtl.exe]
"TPSMain"="TPSMain.exe" [2007-04-18 16:34 299008 C:\WINDOWS\system32\TPSMain.exe]
"TOSDCR"="TOSDCR.EXE" [2005-12-12 21:54 57344 C:\WINDOWS\system32\TOSDCR.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"TFncKy"="TFncKy.exe" [BU]
"TFNF5"="TFNF5.exe" [2006-04-11 05:14 622592 C:\WINDOWS\system32\TFNF5.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 16:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 09:01 437160]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-04-24 21:24:00 2756608]
DSLMON.lnk - C:\Program Files\Analog Devices\ADSL USB MODEM\dslmon.exe [2008-01-28 16:55:52 929889]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40 233472]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-05 20:48 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
2006-07-22 06:54 65536 C:\WINDOWS\system32\TosBtNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\WINDOWS\system32\DRIVERS\thpdrv.sys [2007-04-27 13:19]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\WINDOWS\system32\DRIVERS\Thpevm.SYS [2007-03-09 18:23]
R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2004-06-16 14:08]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 17:50]
R2 FdRedir;FdRedir;C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2006-05-05 21:00]
R2 FileDisk2;FileDisk Protector Kernel Driver;C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2006-05-05 20:59]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 13:15]
R2 smihlp;SMI helper driver;C:\Program Files\Protector Suite QL\smihlp.sys [2006-05-05 20:33]
R2 tdudf;TOSHIBA UDF File System Driver;C:\WINDOWS\system32\DRIVERS\tdudf.sys [2007-03-26 15:22]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;C:\WINDOWS\system32\DRIVERS\trudf.sys [2007-02-19 15:15]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-06-11 00:26]
R3 TEchoCan;Toshiba Audio Effect;C:\WINDOWS\system32\DRIVERS\TEchoCan.sys [2007-02-21 21:20]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-14 13:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{552d7bf0-0a66-11dd-a760-4d6564696130}]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-08-16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-08-18 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - USER.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 05:19]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-24 12:16:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-24 12:17:36
ComboFix-quarantined-files.txt 2008-08-24 08:17:28
ComboFix2.txt 2008-08-23 19:36:42

Pre-Run: 11,271,274,496 bytes free
Post-Run: 11,263,500,288 bytes free

246 --- E O F --- 2008-08-24 04:48:27
morty
Regular Member
 
Posts: 32
Joined: August 19th, 2008, 8:57 am

Re: Suffering from trojans. Help please!

Unread postby morty » August 24th, 2008, 4:29 am

Here is Malwarebytes Anti-Malware report: -

Malwarebytes' Anti-Malware 1.25
Database version: 1080
Windows 5.1.2600 Service Pack 2

12:25:07 PM 8/24/2008
mbam-log-08-24-2008 (12-25-07).txt

Scan type: Quick Scan
Objects scanned: 42228
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
morty
Regular Member
 
Posts: 32
Joined: August 19th, 2008, 8:57 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: random/random and 68 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware