Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Laptop virtumonde infected?? HJT logs included

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Laptop virtumonde infected?? HJT logs included

Unread postby Jesetty » December 24th, 2008, 9:37 am

I'm seeking help, IE seems to be being hijacked, other windows being opened, it keeps wanting to load antivirus 360 then antivirus 2009, SypBot is warning of changes wanting to be made to the registry. From what I've seen from other posts I've included two logs from HJT: I'm especially concerned about these dll's mentioned in 04-sowimudu.dll, zowokepi.dll and bawirolo.dll, these are some of the changes SypBot reports.
Thanks in advance for any help you can provide.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:15:05, on 12/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\TPSBattM.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {9a59c73d-14e0-46e7-8cb3-66298fb29340} - C:\WINDOWS\system32\mulivusi.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [vonagenuro] Rundll32.exe "C:\WINDOWS\system32\sowimudu.dll",s
O4 - HKLM\..\Run: [58997b93] rundll32.exe "C:\WINDOWS\system32\zowokepi.dll",b
O4 - HKLM\..\Run: [CPM5baa480f] Rundll32.exe "c:\windows\system32\bawirolo.dll",a[/b]O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKUS\S-1-5-19\..\Run: [vonagenuro] Rundll32.exe "C:\WINDOWS\system32\sowimudu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [vonagenuro] Rundll32.exe "C:\WINDOWS\system32\sowimudu.dll",s (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6996412125
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Code ... ontrol.ocx
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/Game ... meHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://66.63.120.226/activex/AMC.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = shire.local
O17 - HKLM\Software\..\Telephony: DomainName = shire.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = shire.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = shire.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = shire.local
O20 - AppInit_DLLs: c:\windows\system32\vetidego.dll C:\WINDOWS\system32\fayizebi.dll c:\windows\system32\bawirolo.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bawirolo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bawirolo.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

--
End of file - 12945 bytes


Acrobat.com
Acrobat.com
Adaptec UDF Reader
Ad-Aware
Adobe After Effects 7.0
Adobe AIR
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player ActiveX
Adobe Help Center 2.0
Adobe Photoshop CS2
Adobe Reader 7.0.8
Adobe Shockwave Player 11
Adobe Stock Photos 1.0
ALPS Touch Pad Driver
Apple Software Update
AttributeMagic Pro
avast! Antivirus
AXIS Media Control Embedded
Bejeweled
Bejeweled 2
Bejeweled 2 Deluxe
Bejeweled 2 Deluxe 1.1
Bejeweled Twist 1.0
Big Fish Games Client
Bluetooth Stack for Windows by Toshiba
Browser Mouse
CCleaner (remove only)
CD/DVD Drive Acoustic Silencer
Comcast Toolbar
Curitel PC Card Software
Desktop Dialer
DVD-RAM Driver
ffdshow [rev 2019] [2008-06-22]
FLV Player 2.0, build 23
FTDI USB Serial Converter Drivers
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet/Wireless Software
InterVideo WinDVD for TOSHIBA
Java(TM) 6 Update 11
Jewel Quest 3
Lexmark X73
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
mCore
mDrWiFi
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft AutoRoute v11.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Location Finder
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office Basic Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft Press Interactive Training
Microsoft Silverlight
Microsoft Streets & Trips 2006
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
MSN Toolbar
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
mWlsSafe
mXML
mZConfig
Netflix Movie Viewer
Office 2003 Trial Assistant
OneOnOne Player
OneOnOne Player (c:\1on1\)
Palm Desktop
Penguins!
Properties Editor
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
Registrar Registry Manager 6.01
Registrar Registry Manager 6.01 (Lite Edition)
Saturn_Calibrator_v1.9
SD Secure Module
SeaCOM
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB956802)
Shoppers' Hotline Control Center
Sonic DLA
Sonic RecordNow!
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Symantec pcAnywhere
TechRepublic Resource CD
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Display Devices Change Utility
TOSHIBA Dual Pointing Device Utility
TOSHIBA HDD Protection
TOSHIBA Hotkey Utility for Display Devices
TOSHIBA Mobile Extension3 for Windows XP V3.80.00.XP
TOSHIBA Password Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
Toshiba Registration
TOSHIBA SD Memory Boot Utility
TOSHIBA SD Memory Card Format
TOSHIBA Security Assist
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Utilities
TOSHIBA Zooming Utility
Update for Windows XP (KB955839)
Viewpoint Media Player
Virtual Earth 3D (Beta)
VZAccess Manager
Windows Imaging Component
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Wireless Hotkey
Jesetty
Active Member
 
Posts: 12
Joined: December 24th, 2008, 9:01 am
Advertisement
Register to Remove

Re: Laptop virtumonde infected?? HJT logs included

Unread postby Trogan » December 24th, 2008, 10:13 am

Hi Jesetty,

Please do the following...

1. Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:

Ad-Aware <-- outdated
Spybot - Search & Destroy <-- outdated.

2. Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
This program is for XP and Windows 2000 only!
  • Double-click ATF Cleaner.exe to open it.
  • Under Main select the following:
    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Click Exit on the Main menu to close the program

3. Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\\Documents and Settings\\Username\\Application Data\\Malwarebytes\\Malwarebytes' Anti-Malware\\Logs\\mbam-log-date (time).txt
4. Please post the following...

Malwarebytes log
New HijackThis log
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Re: Laptop virtumonde infected?? HJT logs included

Unread postby Jesetty » December 24th, 2008, 6:43 pm

Hello Trogan
Thanks much for your response and recommended solutions. I was under the impression I had the latest SpyBot and Ad-Adware versions or do you mean the software itself is outdated?
My system does seem to be running better at this point, and I thank you for that. What would your recommendations be for antispyware/malware and antivirus solutions?
Also would you know what's up with this entry:
HKUS\S-1-5-19\..\Run: [vonagenuro] Rundll32.exe "C:\WINDOWS\system32\sowimudu.dll",s (User 'LOCAL SERVICE') I can't find anything on the net concerning "vonagenuro" and I noticed in the Malwarebytes' log that particular .dll had been deleted.


Malwarebytes' Anti-Malware 1.31
Database version: 1542
Windows 5.1.2600 Service Pack 3

12/24/2008 5:20:12 PM
mbam-log-2008-12-24 (17-20-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 141240
Time elapsed: 58 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 14
Registry Values Infected: 6
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 34

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fayizebi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fujegifu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mulivusi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sowimudu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\lelizomo.dll (Trojan.Vundo) -> Delete on reboot.
c:\WINDOWS\system32\bawirolo.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9a59c73d-14e0-46e7-8cb3-66298fb29340} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9a59c73d-14e0-46e7-8cb3-66298fb29340} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9a59c73d-14e0-46e7-8cb3-66298fb29340} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\58997b93 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vonagenuro (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm5baa480f (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fayizebi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\fayizebi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\fayizebi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\lelizomo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\lelizomo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\bawirolo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\bawirolo.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\fujegifu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ufigejuf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kojizayu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uyazijok.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zowokepi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ipekowoz.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sowimudu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\bawirolo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mulivusi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fayizebi.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\lelizomo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\zawibavu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Fraud\hupetetu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\akllwrpt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\baiajo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\digeste.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\efcYQIbb.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\iunvmnar.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kceuxtio.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kltfgefd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lcsbdwbw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ocxkaqao.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ogberxqo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\qdmjpn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vlkjhc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\xnqmbjyy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-868465093-108319840-1555409658-1005\Dc21.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bekozije.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dufogawi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\goborola.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mulipiza.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pejolido.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vetidego.dll.virus (Trojan.Vundo) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:35:40, on 12/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\TPSBattM.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKUS\S-1-5-19\..\Run: [vonagenuro] Rundll32.exe "C:\WINDOWS\system32\sowimudu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [vonagenuro] Rundll32.exe "C:\WINDOWS\system32\sowimudu.dll",s (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6996412125
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Code ... ontrol.ocx
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/Game ... meHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://66.63.120.226/activex/AMC.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = shire.local
O17 - HKLM\Software\..\Telephony: DomainName = shire.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = shire.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = shire.local
O20 - AppInit_DLLs: c:\windows\system32\vetidego.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

--
End of file - 11570 bytes
Jesetty
Active Member
 
Posts: 12
Joined: December 24th, 2008, 9:01 am

Re: Laptop virtumonde infected?? HJT logs included

Unread postby Trogan » December 24th, 2008, 8:57 pm

Hi,

Thanks much for your response and recommended solutions. I was under the impression I had the latest SpyBot and Ad-Adware versions or do you mean the software itself is outdated?

Both programs have newer versions. Ad-Aware 2008 is the latest Ad-Aware version, while Spybot 1.6 is the newer Spybot version. Looking at the Uninstall list showed you did not have these versions.

My system does seem to be running better at this point, and I thank you for that.

That's good to hear!

What would your recommendations be for antispyware/malware and antivirus solutions?

I'll give you some recommendations once we have cleaned the computer.

Also would you know what's up with this entry:
HKUS\S-1-5-19\..\Run: [vonagenuro] Rundll32.exe "C:\WINDOWS\system32\sowimudu.dll",s (User 'LOCAL SERVICE') I can't find anything on the net concerning "vonagenuro" and I noticed in the Malwarebytes' log that particular .dll had been deleted.

We'll deal with everything shorty; don't worry.

--------------------------

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT!!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Re: Laptop virtumonde infected?? HJT logs included

Unread postby Jesetty » December 25th, 2008, 9:51 am

Here is the log from ComboFix, also I'm curious about this registry key that Malwarebyts id'd as infected and marked for deletion but could not delete
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot

BTW Merry Christmas.........One would think I'd have better things to do on Christmas morning :)

ComboFix 08-12-24.01 - Tom 2008-12-25 8:30:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.536 [GMT -5:00]
Running from: c:\documents and settings\GE Healthcare\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\opugezoh.ini
c:\windows\system32\uditivis.ini

.
((((((((((((((((((((((((( Files Created from 2008-11-25 to 2008-12-25 )))))))))))))))))))))))))))))))
.

2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ c:\windows\x73_lut.dat
2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ c:\program files\x73_lut.dat
2100-02-08 16:03 . 2001-05-11 11:39 53,248 --a------ c:\program files\ACMonitor_X73.exe
2100-02-08 15:53 . 2008-12-19 13:43 1,437 --a------ c:\windows\GtX73.ini
2008-12-24 16:16 . 2008-12-25 07:20 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-24 16:16 . 2008-12-24 16:16 <DIR> d-------- c:\documents and settings\GE Healthcare\Application Data\Malwarebytes
2008-12-24 16:16 . 2008-12-24 16:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-24 16:16 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-24 16:16 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-23 20:35 . 2008-12-23 20:35 0 --a------ c:\windows\popcreg.dat
2008-12-23 20:31 . 2008-12-23 21:47 24 --a------ c:\windows\popcinfot.dat
2008-12-23 20:30 . 2008-12-23 20:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\PopCap Games
2008-12-23 14:31 . 2008-12-23 14:34 <DIR> d-------- c:\program files\Bejeweled 2
2008-12-23 14:31 . 2008-12-23 14:31 <DIR> d-------- c:\documents and settings\GE Healthcare\Application Data\SpinTop
2008-12-22 17:34 . 2008-12-22 17:34 <DIR> d-------- c:\program files\Registrar Registry Manager
2008-12-22 17:34 . 2008-11-21 15:26 31,928 --a------ c:\windows\system32\rrMon.sys
2008-12-22 17:03 . 2008-12-22 17:03 <DIR> d-------- c:\documents and settings\MuseAdmin\Application Data\COMCASTTOOLBAR
2008-12-22 11:38 . 2008-12-22 11:37 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-22 11:38 . 2008-12-22 11:37 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-20 12:34 . 2008-12-20 12:34 <DIR> d-------- c:\program files\Trend Micro
2008-12-17 15:11 . 2008-12-18 07:52 <DIR> d-------- c:\program files\Common Files\PC Tools
2008-12-17 10:43 . 2008-12-17 10:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-17 10:42 . 2008-12-17 10:43 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-17 10:42 . 2008-12-17 10:42 <DIR> d-------- c:\documents and settings\GE Healthcare\Application Data\SUPERAntiSpyware.com
2008-12-17 09:17 . 2008-12-17 09:17 <DIR> d-------- C:\VundoFix Backups
2008-12-16 21:47 . 2008-12-20 12:44 <DIR> d-------- c:\documents and settings\GE Healthcare\.housecall6.6
2008-12-16 19:42 . 2008-12-16 19:42 <DIR> d-------- c:\program files\Panda Security
2008-12-16 19:42 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-16 13:32 . 2008-12-16 13:32 <DIR> d-------- c:\program files\bfgclient
2008-12-16 13:31 . 2008-12-18 07:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2008-12-16 13:29 . 2008-12-16 13:29 <DIR> d-------- c:\program files\Common Files\Scanner
2008-12-16 13:29 . 2008-12-16 13:29 <DIR> d-------- c:\program files\ComcastToolbar
2008-12-16 13:29 . 2008-12-17 18:05 <DIR> d-------- c:\documents and settings\GE Healthcare\Application Data\ComcastToolbar
2008-12-16 13:27 . 2008-12-23 15:11 31 --a------ c:\windows\popcinfo.dat
2008-12-16 06:40 . 2008-12-16 06:42 <DIR> d-------- C:\Misc Junk
2008-12-16 06:10 . 2008-12-25 07:33 <DIR> d-------- C:\Malware Removal
2008-12-15 18:26 . 2008-12-15 18:26 <DIR> d-------- c:\windows\Google Toolbar
2008-12-15 15:52 . 2008-12-23 13:50 <DIR> d-------- c:\program files\Oberon Media
2008-12-15 15:10 . 2008-12-15 15:10 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-15 15:10 . 2008-12-15 15:10 1,409 --a------ c:\windows\QTFont.for
2008-12-14 20:51 . 2008-12-14 20:51 <DIR> d-------- c:\program files\CCleaner
2008-12-14 12:00 . 1997-04-08 20:08 299,520 --a------ c:\windows\uninst.exe
2008-12-14 10:39 . 1999-12-17 09:13 86,016 --a------ c:\windows\unvise32.exe
2008-12-13 08:49 . 2001-10-12 07:42 643 --a------ c:\windows\LEXSTAT.INI
2008-12-11 15:10 . 2008-12-11 15:10 64 --a------ c:\windows\system32\Error.ldb
2008-12-11 10:45 . 2008-12-20 08:38 <DIR> d-------- c:\program files\Common
2008-12-08 13:32 . 2008-12-14 12:16 <DIR> d-------- C:\CD Key Change
2008-12-08 11:28 . 2004-04-19 08:26 119,371 --------- c:\windows\system32\drivers\SeaCOM2k.sys
2008-12-08 11:28 . 2004-04-20 10:05 57,404 --a------ c:\windows\system32\drivers\Ftser2k.sys
2008-12-08 11:28 . 2004-03-23 19:36 56,031 --a------ c:\windows\system32\drivers\Ftcser2k.sys
2008-12-08 11:28 . 2004-04-14 13:32 51,821 --a------ c:\windows\system32\ftserui2.dll
2008-12-08 11:28 . 2003-06-11 13:48 48,625 --a------ c:\windows\system32\Ftcsui2.dll
2008-12-08 11:28 . 2004-05-05 12:10 43,235 --a------ c:\windows\system32\drivers\Ftcusb.sys
2008-12-08 11:28 . 2003-06-26 10:25 32,768 --------- c:\windows\system32\SeaCOM2kCoInstaller.dll
2008-12-08 11:28 . 2004-04-20 10:04 24,209 --a------ c:\windows\system32\drivers\Ftdibus.sys
2008-12-08 11:28 . 2004-05-06 13:47 20,198 --a------ c:\windows\system32\Ftcserco.dll
2008-12-08 10:50 . 2008-12-08 10:50 0 --a------ c:\windows\Calibrator.INI
2008-12-07 13:04 . 2008-12-07 13:04 <DIR> d-------- c:\program files\TCS John Huxley
2008-12-07 08:49 . 2008-12-08 11:28 <DIR> d-------- c:\program files\SeaCOM
2008-11-26 16:10 . 2008-11-26 16:10 81,864 --a------ c:\documents and settings\GE Healthcare\Application Data\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-24 21:46 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-24 21:11 --------- d-----w c:\program files\Lavasoft
2008-12-24 21:11 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-24 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-24 01:30 --------- d-----w c:\program files\PopCap Games
2008-12-23 20:11 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-22 16:37 --------- d-----w c:\program files\Java
2008-12-16 18:18 --------- d-----w c:\program files\Chill
2008-12-16 16:50 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-14 17:32 --------- d-----w c:\program files\Coupons
2008-12-14 16:39 --------- d-----w c:\program files\LexmarkX73
2008-12-11 21:58 --------- d-----w c:\documents and settings\GE Healthcare\Application Data\Move Networks
2008-12-08 16:28 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-07 17:53 --------- d-----w c:\program files\Common Files\Roxio Shared
2008-12-07 17:53 --------- d-----w c:\documents and settings\All Users\Application Data\Roxio
2008-11-18 18:49 --------- d-----w c:\documents and settings\GE Healthcare\Application Data\Azureus
2008-11-18 18:08 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2008-11-06 20:24 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-06 20:24 --------- d-----w c:\program files\Common Files\L&H
2008-10-31 13:01 --------- d-----w c:\program files\Microsoft Silverlight
2008-02-19 18:26 5,632 --sha-w c:\program files\Thumbs.db
2007-12-20 13:45 1,059,038 ----a-w c:\program files\B & W Stump.jpg
2001-07-26 21:58 47 ----a-w c:\program files\ACMonitor_X73.ini
2001-07-05 17:46 8,116 ----a-w c:\program files\OSLO3071b2.USB
2001-05-08 21:36 114,688 ----a-w c:\program files\lxarscan.dll
2001-04-23 19:22 1,437 ----a-w c:\program files\gtx73.ini
2008-07-25 16:46 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072520080726\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-20_ 8.47.23.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-25 16:46:53 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-24 16:02:10 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-07-25 16:46:53 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-24 16:02:10 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-25 16:46:53 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-24 16:02:10 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-20 13:42:50 224,158 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-25 13:35:50 224,158 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
- 2005-11-10 18:27:06 49,248 ----a-w c:\windows\system32\java.exe
+ 2008-12-22 16:37:57 144,792 ----a-w c:\windows\system32\java.exe
- 2005-11-10 18:27:16 49,250 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-22 16:37:57 144,792 ----a-w c:\windows\system32\javaw.exe
- 2005-11-10 20:03:54 127,078 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-22 16:37:58 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-21 20:26:02 120,376 ----a-w c:\windows\system32\rrsec.dll
+ 2008-11-21 20:25:58 97,888 ----a-w c:\windows\system32\rrsec2k.exe
+ 2008-12-23 11:51:00 97,997 --sha-w c:\windows\system32\wulubuvo.dll
+ 2008-12-25 13:35:48 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_148.dat
+ 2008-12-25 13:35:41 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="thpsrv" [X]
"Lexmark X73 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X73.exe" [2001-10-08 53248]
"Lexmark X73 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe" [2001-07-11 53248]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 79224]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-04-24 20:09 253952]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-02-22 86016]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 36864]
"PINGER"="c:\toshiba\IVP\ISM\pinger.exe" [2005-03-17 151552]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"FLMOFFICE4DMOUSE"="c:\program files\Browser Mouse\mouse32a.exe" [2007-10-15 356352]
"DpUtil"="c:\program files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-06-28 155648]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"000StTHK"="000StTHK.exe" [2001-06-23 06:28 24576 c:\windows\system32\000StTHK.exe]
"TPSODDCtl"="TPSODDCtl.exe" [2006-04-24 c:\windows\system32\TPSODDCtl.exe]
"TPSMain"="TPSMain.exe" [2006-04-24 c:\windows\system32\TPSMain.exe]
"TOSDCR"="TOSDCR.EXE" [2005-12-13 c:\windows\system32\TOSDCR.exe]
"TFNF5"="TFNF5.exe" [2006-04-10 c:\windows\system32\TFNF5.exe]
"SkyTel"="SkyTel.EXE" [2006-04-24 c:\windows\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-09 c:\windows\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-30 c:\windows\agrsmmsg.exe]

c:\documents and settings\MuseAdmin\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-04-13 299008]

c:\documents and settings\GE Healthcare\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-28 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-28 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-05-20 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 14:01 8704 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Thpsrv"=2 (0x2)
"Swupdtmr"=2 (0x2)
"SQLWriter"=3 (0x3)
"SQLSERVERAGENT"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"ose"=3 (0x3)
"MUSE Print"=3 (0x3)
"MUSE Normal"=3 (0x3)
"MUSE MT Host"=3 (0x3)
"MUSE Generacq"=3 (0x3)
"MUSE FTP Copy"=3 (0x3)
"MUSE Format"=3 (0x3)
"MUSE File Copy"=3 (0x3)
"MUSE Email"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"CFSvcs"=2 (0x2)
"awhost32"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\iFrmewrk.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\Microsoft Location Finder\\LocationFinder.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\RegSrvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-16 28544]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2004-12-28 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2006-05-20 6144]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R1 TMEI3E;TMEI3E;c:\windows\system32\Drivers\TMEI3E.SYS [2006-05-20 5888]
R2 Tmesrv;Tmesrv3;"c:\program files\TOSHIBA\TME3\Tmesrv31.exe" /Service [2006-05-20 126976]
R3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2006-05-20 35968]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\DRIVERS\pwi_bus.sys [2007-04-23 55344]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\DRIVERS\pwi_mdfl.sys [2007-04-23 9200]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\DRIVERS\pwi_mdm.sys [2007-04-23 89936]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\DRIVERS\pwi_oflt.sys [2007-04-23 9472]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\pwi_serd.sys [2007-04-23 69632]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S4 MUSE Email;MUSE Email;c:\program files\MUSE\museemail.exe [2007-07-13 598016]
S4 MUSE File Copy;MUSE File Copy;c:\program files\MUSE\musefilecopy.exe [2007-07-13 561152]
S4 MUSE Format;MUSE Format;c:\program files\MUSE\museformat.exe [2007-07-13 905216]
S4 MUSE FTP Copy;MUSE FTP Copy;c:\program files\MUSE\museftpcopy.exe [2007-07-13 565248]
S4 MUSE Generacq;MUSE Generacq;c:\program files\MUSE\musegeneracq.exe [2007-07-13 462848]
S4 MUSE MT Host;MUSE MT Host;c:\program files\MUSE\musemthost.exe [2007-07-13 45056]
S4 MUSE Normal;MUSE Normal;c:\program files\MUSE\musenormal.exe [2007-07-13 49152]
S4 MUSE Print;MUSE Print;c:\program files\MUSE\museprint.exe [2007-07-13 565248]
S4 MUSE;MUSE;c:\program files\MUSE\musescm.exe [2007-07-13 438272]
S4 qsa;GE MUSE InSite Service Agent;"c:\program files\InSite 2.0\bin\qsaMain.exe" -service "qsa" [2007-04-23 36864]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##mainman#e]
\Shell\AutoRun\command - Y:\AutoPlay.exe -c
.
Contents of the 'Scheduled Tasks' folder

2008-03-13 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 11:01]

2007-03-21 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-14 04:42]

2007-03-21 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-14 04:42]

2008-09-04 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-08-05 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-12-24 c:\windows\Tasks\User_Feed_Synchronization-{28711A51-F4A9-4EBE-B81A-841047706F84}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\stg_drm.ocx - O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx

c:\windows\Downloaded Program Files\armhelper.ocx - O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}
file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx

O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://66.63.120.226/activex/AMC.cab
c:\windows\Downloaded Program Files\setup.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-25 08:36:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\DVDRAMSV.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Toshiba\TME3\TMEEJME.exe
c:\windows\system32\ThpSrv.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\TPSBattM.exe
c:\windows\system32\igfxext.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-12-25 8:40:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-25 13:40:51
ComboFix2.txt 2008-12-20 13:47:56

Pre-Run: 37,346,914,304 bytes free
Post-Run: 37,492,506,624 bytes free

321 --- E O F --- 2008-12-18 11:09:06
Jesetty
Active Member
 
Posts: 12
Joined: December 24th, 2008, 9:01 am

Re: Laptop virtumonde infected?? HJT logs included

Unread postby Trogan » December 25th, 2008, 1:05 pm

Hi,

also I'm curious about this registry key that Malwarebyts id'd as infected and marked for deletion but could not delete
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot

Malwarebytes requires the computer to be restarted in order for the entry to be deleted.

----------------------

I'd like a couple files scanned...
  • Go to VirusTotal
  • Using Internet Explorer, copy and paste the following file path into the Search Box in the middle of the page:
    • c:\windows\popcreg.dat
  • Now click on the Send File button
      NOTE:
    • If you come to the "File has already been analysed:" page, select "Reanalyse file now" to get a fresh scan.
  • Save a copy of the Anti-Virus results only. Post the results in your next reply.
Do the same for the following file:

c:\windows\popcinfot.dat

Please post the results back here, along with a new HijackThis log.
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Re: Laptop virtumonde infected?? HJT logs included

Unread postby Jesetty » December 25th, 2008, 10:03 pm

Trogan
also I'm curious about this registry key that Malwarebyts id'd as infected and marked for deletion but could not delete
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot

That was after a reboot and re-running Malwarebytes again that entry is still listed. Also tried running in Safe Mode.


Popcreg.dat is 0 bytes so it does not scan

File popcinfot.dat received on 12.26.2008 02:40:32 (CET)Antivirus Version Last Update Result:

a-squared 4.0.0.73 2008.12.26 -
AhnLab-V3 2008.12.25.0 2008.12.25 -
AntiVir 7.9.0.45 2008.12.25 -
Authentium 5.1.0.4 2008.12.25 -
Avast 4.8.1281.0 2008.12.25 -
AVG 8.0.0.199 2008.12.25 -
BitDefender 7.2 2008.12.26 -
CAT-QuickHeal 10.00 2008.12.24 -
ClamAV 0.94.1 2008.12.26 -
Comodo 811 2008.12.25 -
DrWeb 4.44.0.09170 2008.12.25 -
eSafe 7.0.17.0 2008.12.24 -
eTrust-Vet 31.6.6276 2008.12.24 -
Ewido 4.0 2008.12.25 -
F-Prot 4.4.4.56 2008.12.24 -
F-Secure 8.0.14332.0 2008.12.26 -
Fortinet 3.117.0.0 2008.12.25 -
GData 19 2008.12.26 -
Ikarus T3.1.1.45.0 2008.12.26 -
K7AntiVirus 7.10.566 2008.12.25 -
Kaspersky 7.0.0.125 2008.12.26 -
McAfee 5474 2008.12.24 -
McAfee+Artemis 5474 2008.12.24 -
Microsoft 1.4205 2008.12.26 -
NOD32 3717 2008.12.25 -
Norman 5.80.02 2008.12.24 -
Panda 9.0.0.4 2008.12.25 -
PCTools 4.4.2.0 2008.12.25 -
Prevx1 V2 2008.12.26 -
Rising 21.09.32.00 2008.12.25 -
SecureWeb-Gateway 6.7.6 2008.12.25 -
Sophos 4.37.0 2008.12.25 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.26 -
TheHacker 6.3.1.4.199 2008.12.23 -
TrendMicro 8.700.0.1004 2008.12.25 -
VBA32 3.12.8.10 2008.12.25 -
ViRobot 2008.12.24.1534 2008.12.24 -
VirusBuster 4.5.11.0 2008.12.25 -

Additional information
File size: 24 bytes
MD5...: 89985d96179246288c9e801a76a8311f
SHA1..: 7a4e702ce154157bb43787bfb4a3dcc3f72dcd73
SHA256: 5c2b7f3bb6a458420bfec3f045fefe70f4fae4438bd43b24b0d2bec42adacd76
SHA512: c9f427b2a23ee1d16a72a060e48f954a651659b3b2737a1d4050774d07fae5f3<BR>52a69cd005bad63e62dafb26ecd9865fd5dbcd9d3840efe3cbc9bed5a0741a0c<BR>
ssdeep: 3:hq3A/9/H0s:I34Us<BR>
PEiD..: -
TrID..: File type identification<BR>Unknown!
PEInfo: -



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:54:36, on 12/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6996412125
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Code ... ontrol.ocx
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/Game ... meHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://66.63.120.226/activex/AMC.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = shire.local
O17 - HKLM\Software\..\Telephony: DomainName = shire.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = shire.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = shire.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

--
End of file - 11064 bytes
Jesetty
Active Member
 
Posts: 12
Joined: December 24th, 2008, 9:01 am

Re: Laptop virtumonde infected?? HJT logs included

Unread postby Trogan » December 26th, 2008, 6:36 am

Hi Jesetty,

Please do the following...

Open Notepad and copy/paste the text in the Quote Box below into it:

Registry::
[-HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}]


Save this as CFScript.txt to your Desktop

Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Also, run a new scan with Malwarebytes and let me know if the entry returns.
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Re: Laptop virtumonde infected?? HJT logs included

Unread postby Jesetty » December 26th, 2008, 9:35 am

Here you go:

ComboFix 08-12-24.01 - Tom 2008-12-26 8:21:49.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.505 [GMT -5:00]
Running from: c:\documents and settings\GE Healthcare\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\GE Healthcare\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-26 to 2008-12-26 )))))))))))))))))))))))))))))))
.

2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ c:\windows\x73_lut.dat
2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ c:\program files\x73_lut.dat
2100-02-08 16:03 . 2001-05-11 11:39 53,248 --a------ c:\program files\ACMonitor_X73.exe
2100-02-08 15:53 . 2008-12-19 13:43 1,437 --a------ c:\windows\GtX73.ini
2008-12-24 16:16 . 2008-12-26 08:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-24 16:16 . 2008-12-24 16:16 <DIR> d-------- c:\documents and settings\GE Healthcare\Application Data\Malwarebytes
2008-12-24 16:16 . 2008-12-24 16:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-24 16:16 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-24 16:16 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-23 20:35 . 2008-12-23 20:35 0 --a------ c:\windows\popcreg.dat
2008-12-23 20:31 . 2008-12-23 21:47 24 --a------ c:\windows\popcinfot.dat
2008-12-23 20:30 . 2008-12-23 20:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\PopCap Games
2008-12-23 14:31 . 2008-12-23 14:34 <DIR> d-------- c:\program files\Bejeweled 2
2008-12-23 14:31 . 2008-12-23 14:31 <DIR> d-------- c:\documents and settings\GE Healthcare\Application Data\SpinTop
2008-12-22 17:34 . 2008-12-22 17:34 <DIR> d-------- c:\program files\Registrar Registry Manager
2008-12-22 17:34 . 2008-11-21 15:26 31,928 --a------ c:\windows\system32\rrMon.sys
2008-12-22 17:03 . 2008-12-22 17:03 <DIR> d-------- c:\documents and settings\MuseAdmin\Application Data\COMCASTTOOLBAR
2008-12-22 11:38 . 2008-12-22 11:37 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-22 11:38 . 2008-12-22 11:37 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-20 12:34 . 2008-12-20 12:34 <DIR> d-------- c:\program files\Trend Micro
2008-12-17 15:11 . 2008-12-18 07:52 <DIR> d-------- c:\program files\Common Files\PC Tools
2008-12-17 10:43 . 2008-12-17 10:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-17 10:42 . 2008-12-17 10:43 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-17 10:42 . 2008-12-17 10:42 <DIR> d-------- c:\documents and settings\GE Healthcare\Application Data\SUPERAntiSpyware.com
2008-12-17 09:17 . 2008-12-17 09:17 <DIR> d-------- C:\VundoFix Backups
2008-12-16 21:47 . 2008-12-20 12:44 <DIR> d-------- c:\documents and settings\GE Healthcare\.housecall6.6
2008-12-16 19:42 . 2008-12-25 11:35 <DIR> d-------- c:\program files\Panda Security
2008-12-16 13:32 . 2008-12-16 13:32 <DIR> d-------- c:\program files\bfgclient
2008-12-16 13:31 . 2008-12-18 07:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2008-12-16 13:29 . 2008-12-16 13:29 <DIR> d-------- c:\program files\Common Files\Scanner
2008-12-16 13:29 . 2008-12-16 13:29 <DIR> d-------- c:\program files\ComcastToolbar
2008-12-16 13:29 . 2008-12-17 18:05 <DIR> d-------- c:\documents and settings\GE Healthcare\Application Data\ComcastToolbar
2008-12-16 13:27 . 2008-12-23 15:11 31 --a------ c:\windows\popcinfo.dat
2008-12-16 06:40 . 2008-12-16 06:42 <DIR> d-------- C:\Misc Junk
2008-12-16 06:10 . 2008-12-26 08:17 <DIR> d-------- C:\Malware Removal
2008-12-15 18:26 . 2008-12-15 18:26 <DIR> d-------- c:\windows\Google Toolbar
2008-12-15 15:52 . 2008-12-23 13:50 <DIR> d-------- c:\program files\Oberon Media
2008-12-15 15:10 . 2008-12-15 15:10 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-15 15:10 . 2008-12-15 15:10 1,409 --a------ c:\windows\QTFont.for
2008-12-14 20:51 . 2008-12-14 20:51 <DIR> d-------- c:\program files\CCleaner
2008-12-14 12:00 . 1997-04-08 20:08 299,520 --a------ c:\windows\uninst.exe
2008-12-14 10:39 . 1999-12-17 09:13 86,016 --a------ c:\windows\unvise32.exe
2008-12-13 08:49 . 2001-10-12 07:42 643 --a------ c:\windows\LEXSTAT.INI
2008-12-11 15:10 . 2008-12-11 15:10 64 --a------ c:\windows\system32\Error.ldb
2008-12-11 10:45 . 2008-12-20 08:38 <DIR> d-------- c:\program files\Common
2008-12-08 13:32 . 2008-12-14 12:16 <DIR> d-------- C:\CD Key Change
2008-12-08 11:28 . 2004-04-19 08:26 119,371 --------- c:\windows\system32\drivers\SeaCOM2k.sys
2008-12-08 11:28 . 2004-04-20 10:05 57,404 --a------ c:\windows\system32\drivers\Ftser2k.sys
2008-12-08 11:28 . 2004-03-23 19:36 56,031 --a------ c:\windows\system32\drivers\Ftcser2k.sys
2008-12-08 11:28 . 2004-04-14 13:32 51,821 --a------ c:\windows\system32\ftserui2.dll
2008-12-08 11:28 . 2003-06-11 13:48 48,625 --a------ c:\windows\system32\Ftcsui2.dll
2008-12-08 11:28 . 2004-05-05 12:10 43,235 --a------ c:\windows\system32\drivers\Ftcusb.sys
2008-12-08 11:28 . 2003-06-26 10:25 32,768 --------- c:\windows\system32\SeaCOM2kCoInstaller.dll
2008-12-08 11:28 . 2004-04-20 10:04 24,209 --a------ c:\windows\system32\drivers\Ftdibus.sys
2008-12-08 11:28 . 2004-05-06 13:47 20,198 --a------ c:\windows\system32\Ftcserco.dll
2008-12-08 10:50 . 2008-12-08 10:50 0 --a------ c:\windows\Calibrator.INI
2008-12-07 13:04 . 2008-12-07 13:04 <DIR> d-------- c:\program files\TCS John Huxley
2008-12-07 08:49 . 2008-12-08 11:28 <DIR> d-------- c:\program files\SeaCOM
2008-11-26 16:10 . 2008-11-26 16:10 81,864 --a------ c:\documents and settings\GE Healthcare\Application Data\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 17:02 --------- d-----w c:\program files\Chill
2008-12-25 16:34 --------- d-----w c:\program files\Microsoft SQL Server
2008-12-24 21:46 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-24 21:11 --------- d-----w c:\program files\Lavasoft
2008-12-24 21:11 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-24 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-24 01:30 --------- d-----w c:\program files\PopCap Games
2008-12-23 20:11 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-23 11:51 97,997 --sha-w c:\windows\system32\wulubuvo.dll
2008-12-22 16:37 --------- d-----w c:\program files\Java
2008-12-16 16:50 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-14 17:32 --------- d-----w c:\program files\Coupons
2008-12-14 16:39 --------- d-----w c:\program files\LexmarkX73
2008-12-11 21:58 --------- d-----w c:\documents and settings\GE Healthcare\Application Data\Move Networks
2008-12-08 16:28 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-07 17:53 --------- d-----w c:\program files\Common Files\Roxio Shared
2008-12-07 17:53 --------- d-----w c:\documents and settings\All Users\Application Data\Roxio
2008-11-18 18:49 --------- d-----w c:\documents and settings\GE Healthcare\Application Data\Azureus
2008-11-18 18:08 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2008-11-06 20:24 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-06 20:24 --------- d-----w c:\program files\Common Files\L&H
2008-10-31 13:01 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-02-19 18:26 5,632 --sha-w c:\program files\Thumbs.db
2007-12-20 13:45 1,059,038 ----a-w c:\program files\B & W Stump.jpg
2004-05-05 17:10 43,235 ----a-w c:\windows\inf\Ftcusb.sys
2001-07-26 21:58 47 ----a-w c:\program files\ACMonitor_X73.ini
2001-07-05 17:46 8,116 ----a-w c:\program files\OSLO3071b2.USB
2001-05-08 21:36 114,688 ----a-w c:\program files\lxarscan.dll
2001-04-23 19:22 1,437 ----a-w c:\program files\gtx73.ini
2008-07-25 16:46 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072520080726\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-20_ 8.47.23.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-25 16:46:53 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-24 16:02:10 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-07-25 16:46:53 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-24 16:02:10 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-25 16:46:53 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-24 16:02:10 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-20 13:42:50 224,158 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-25 16:46:08 224,157 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
- 2005-11-10 18:27:06 49,248 ----a-w c:\windows\system32\java.exe
+ 2008-12-22 16:37:57 144,792 ----a-w c:\windows\system32\java.exe
- 2005-11-10 18:27:16 49,250 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-22 16:37:57 144,792 ----a-w c:\windows\system32\javaw.exe
- 2005-11-10 20:03:54 127,078 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-22 16:37:58 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-21 20:26:02 120,376 ----a-w c:\windows\system32\rrsec.dll
+ 2008-11-21 20:25:58 97,888 ----a-w c:\windows\system32\rrsec2k.exe
+ 2008-12-25 13:35:48 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_148.dat
+ 2008-12-25 13:35:41 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="thpsrv" [X]
"Lexmark X73 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X73.exe" [2001-10-08 53248]
"Lexmark X73 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe" [2001-07-11 53248]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 79224]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-04-24 20:09 253952]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-02-22 86016]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 36864]
"PINGER"="c:\toshiba\IVP\ISM\pinger.exe" [2005-03-17 151552]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"FLMOFFICE4DMOUSE"="c:\program files\Browser Mouse\mouse32a.exe" [2007-10-15 356352]
"DpUtil"="c:\program files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-06-28 155648]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"000StTHK"="000StTHK.exe" [2001-06-23 06:28 24576 c:\windows\system32\000StTHK.exe]
"TPSODDCtl"="TPSODDCtl.exe" [2006-04-24 c:\windows\system32\TPSODDCtl.exe]
"TPSMain"="TPSMain.exe" [2006-04-24 c:\windows\system32\TPSMain.exe]
"TOSDCR"="TOSDCR.EXE" [2005-12-13 c:\windows\system32\TOSDCR.exe]
"TFNF5"="TFNF5.exe" [2006-04-10 c:\windows\system32\TFNF5.exe]
"SkyTel"="SkyTel.EXE" [2006-04-24 c:\windows\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-09 c:\windows\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-30 c:\windows\agrsmmsg.exe]

c:\documents and settings\MuseAdmin\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-04-13 299008]

c:\documents and settings\GE Healthcare\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-28 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-28 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-05-20 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 14:01 8704 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Thpsrv"=2 (0x2)
"Swupdtmr"=2 (0x2)
"SQLWriter"=3 (0x3)
"SQLSERVERAGENT"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"ose"=3 (0x3)
"MUSE Print"=3 (0x3)
"MUSE Normal"=3 (0x3)
"MUSE MT Host"=3 (0x3)
"MUSE Generacq"=3 (0x3)
"MUSE FTP Copy"=3 (0x3)
"MUSE Format"=3 (0x3)
"MUSE File Copy"=3 (0x3)
"MUSE Email"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"CFSvcs"=2 (0x2)
"awhost32"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\iFrmewrk.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\Microsoft Location Finder\\LocationFinder.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\RegSrvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2004-12-28 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2006-05-20 6144]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R1 TMEI3E;TMEI3E;c:\windows\system32\Drivers\TMEI3E.SYS [2006-05-20 5888]
R2 Tmesrv;Tmesrv3;"c:\program files\TOSHIBA\TME3\Tmesrv31.exe" /Service [2006-05-20 126976]
R3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2006-05-20 35968]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\DRIVERS\pwi_bus.sys [2007-04-23 55344]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\DRIVERS\pwi_mdfl.sys [2007-04-23 9200]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\DRIVERS\pwi_mdm.sys [2007-04-23 89936]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\DRIVERS\pwi_oflt.sys [2007-04-23 9472]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\pwi_serd.sys [2007-04-23 69632]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S4 MUSE Email;MUSE Email;c:\program files\MUSE\museemail.exe [2007-07-13 598016]
S4 MUSE File Copy;MUSE File Copy;c:\program files\MUSE\musefilecopy.exe [2007-07-13 561152]
S4 MUSE Format;MUSE Format;c:\program files\MUSE\museformat.exe [2007-07-13 905216]
S4 MUSE FTP Copy;MUSE FTP Copy;c:\program files\MUSE\museftpcopy.exe [2007-07-13 565248]
S4 MUSE Generacq;MUSE Generacq;c:\program files\MUSE\musegeneracq.exe [2007-07-13 462848]
S4 MUSE MT Host;MUSE MT Host;c:\program files\MUSE\musemthost.exe [2007-07-13 45056]
S4 MUSE Normal;MUSE Normal;c:\program files\MUSE\musenormal.exe [2007-07-13 49152]
S4 MUSE Print;MUSE Print;c:\program files\MUSE\museprint.exe [2007-07-13 565248]
S4 MUSE;MUSE;c:\program files\MUSE\musescm.exe [2007-07-13 438272]
S4 qsa;GE MUSE InSite Service Agent;"c:\program files\InSite 2.0\bin\qsaMain.exe" -service "qsa" [2007-04-23 36864]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##mainman#e]
\Shell\AutoRun\command - Y:\AutoPlay.exe -c
.
Contents of the 'Scheduled Tasks' folder

2008-03-13 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 11:01]

2007-03-21 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-14 04:42]

2007-03-21 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-14 04:42]

2008-09-04 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-08-05 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-12-26 c:\windows\Tasks\User_Feed_Synchronization-{28711A51-F4A9-4EBE-B81A-841047706F84}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\stg_drm.ocx - O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx

c:\windows\Downloaded Program Files\armhelper.ocx - O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}
file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx

O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://66.63.120.226/activex/AMC.cab
c:\windows\Downloaded Program Files\setup.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-26 08:24:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2008-12-26 8:25:38
ComboFix-quarantined-files.txt 2008-12-26 13:25:35
ComboFix2.txt 2008-12-25 13:40:55
ComboFix3.txt 2008-12-20 13:47:56

Pre-Run: 37,755,682,816 bytes free
Post-Run: 37,748,944,896 bytes free

308 --- E O F --- 2008-12-18 11:09:06




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:34:40, on 12/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6996412125
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Code ... ontrol.ocx
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/Game ... meHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://66.63.120.226/activex/AMC.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = shire.local
O17 - HKLM\Software\..\Telephony: DomainName = shire.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = shire.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = shire.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

--
End of file - 11064 bytes
Jesetty
Active Member
 
Posts: 12
Joined: December 24th, 2008, 9:01 am

Re: Laptop virtumonde infected?? HJT logs included

Unread postby Jesetty » December 26th, 2008, 9:57 am

FYI
Here is the data in that Key C:\WINDOWS\system32\wbem\wmipiprt.dll, it is in the "Default" String Value
Jesetty
Active Member
 
Posts: 12
Joined: December 24th, 2008, 9:01 am

Re: Laptop virtumonde infected?? HJT logs included

Unread postby Trogan » December 27th, 2008, 1:48 pm

Jesetty wrote:FYI
Here is the data in that Key C:\WINDOWS\system32\wbem\wmipiprt.dll, it is in the "Default" String Value

That file belongs to Microsoft, so it is safe.

Before we continue, can you tell me if the previous entry still comes up in Malwarebytes.
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Re: Laptop virtumonde infected?? HJT logs included

Unread postby Jesetty » December 27th, 2008, 4:37 pm

I assume you mean this one:

Malwarebytes' Anti-Malware 1.31
Database version: 1542
Windows 5.1.2600 Service Pack 3

12/27/2008 3:37:07 PM
mbam-log-2008-12-27 (15-36-58).txt

Scan type: Quick Scan
Objects scanned: 76537
Time elapsed: 9 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Jesetty
Active Member
 
Posts: 12
Joined: December 24th, 2008, 9:01 am

Re: Laptop virtumonde infected?? HJT logs included

Unread postby Jesetty » December 30th, 2008, 7:47 am

Is there anything more to do or do you feel I'm all cleaned up?
Jesetty
Active Member
 
Posts: 12
Joined: December 24th, 2008, 9:01 am

Re: Laptop virtumonde infected?? HJT logs included

Unread postby Trogan » December 30th, 2008, 12:05 pm

Hi,

Sorry for the delay; just been busy.

The logs look clean. It is just that entry in Malwarebytes that you say is not going.

Can you update Malwarebytes and run a new scan. Remove what it finds and post the log back here please.
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Re: Laptop virtumonde infected?? HJT logs included

Unread postby Jesetty » January 2nd, 2009, 1:35 pm

I've updated to the latest Malwarebytes and Ad-ware definitions, both programs detect as Virtumonde but never delete it, what has changed is that now there is no data in that key, RegEdit shows:
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}\InProcServer32 "value not set" under the data column. So I guess that's a good thing?
Where as before there was this entry: C:\WINDOWS\system32\wbem\wmipiprt.dll instead of
"value not set"



Below is the log from Malwarebytes

Malwarebytes' Anti-Malware 1.31
Database version: 1596
Windows 5.1.2600 Service Pack 3

1/2/2009 12:09:07 PM
mbam-log-2009-01-02 (12-09-07).txt

Scan type: Quick Scan
Objects scanned: 85261
Time elapsed: 13 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Jesetty
Active Member
 
Posts: 12
Joined: December 24th, 2008, 9:01 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 30 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware