Computer Hope

Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: pims on April 24, 2010, 03:52:56 PM

Title: Need help removing malware
Post by: pims on April 24, 2010, 03:52:56 PM
Hi everyone

I have been infected by some sort of malware. I don't know which ones specifically, but I keep getting redirected to websites and get anti-virus spam messages all the time.

Can someone help? I have MBAM and HijackThis logs I can post.

Thanks
Title: Re: Need help removing malware
Post by: Dr Jay on April 25, 2010, 01:11:59 PM
Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.
Title: Re: Need help removing malware
Post by: pims on April 26, 2010, 08:05:43 PM
Here is my ComboFix log.

ComboFix 10-04-26.02 - gtsou 04/26/10  21:36:05.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1535.854 [GMT -4:00]
Running from: c:\documents and settings\gtsou\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\gtsou\LOCALS~1\Temp\csrss.exe
c:\docume~1\gtsou\LOCALS~1\Temp\lsass.exe
c:\docume~1\gtsou\LOCALS~1\Temp\services.exe
c:\docume~1\gtsou\LOCALS~1\Temp\svchost.exe
c:\docume~1\gtsou\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\gtsou\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\gtsou\Application Data\FE047E8011B595365A7C8D5BE2323621
c:\documents and settings\gtsou\Application Data\FE047E8011B595365A7C8D5BE2323621\enemies-names.txt
c:\documents and settings\gtsou\Application Data\FE047E8011B595365A7C8D5BE2323621\newupdate1142C.exe
c:\documents and settings\gtsou\Local Settings\Application Data\{4AF4C274-7EDA-4E54-8233-5AD2B3FB6443}
c:\documents and settings\gtsou\Local Settings\Application Data\{4AF4C274-7EDA-4E54-8233-5AD2B3FB6443}\chrome.manifest
c:\documents and settings\gtsou\Local Settings\Application Data\{4AF4C274-7EDA-4E54-8233-5AD2B3FB6443}\chrome\content\_cfg.js
c:\documents and settings\gtsou\Local Settings\Application Data\{4AF4C274-7EDA-4E54-8233-5AD2B3FB6443}\chrome\content\overlay.xul
c:\documents and settings\gtsou\Local Settings\Application Data\{4AF4C274-7EDA-4E54-8233-5AD2B3FB6443}\install.rdf
c:\documents and settings\gtsou\Local Settings\Temporary Internet Files\6JN1P.jpg
c:\documents and settings\gtsou\Local Settings\Temporary Internet Files\s84k2jR.jpg
c:\documents and settings\gtsou\Local Settings\Temporary Internet Files\w5Mv5N.jpg
c:\documents and settings\gtsou\Local Settings\Temporary Internet Files\Wl06mBI.jpg
c:\program files\Common
c:\recycler\S-1-5-21-1884730776-40631320-2592372106-500
c:\recycler\S-1-5-21-4044921709-3110831750-2273475995-500
c:\recycler\S-1-5-21-596388085-2865526809-506721320-500
c:\windows\arilihiwekesu.dll
c:\windows\epuyiyoh.dll
c:\windows\system32\0041.DLL
c:\windows\system32\iyrvfeqigycspuwks.dll
c:\windows\system32\pragmabbr.dll
c:\windows\system32\PRAGMAsrcr.dat
c:\windows\system32\Thumbs.db
c:\windows\system32\tvsimpw.dll

----- BITS: Possible infected sites -----

hxxp://LCLNTHQ67:80
Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
(((((((((((((((((((((((((   Files Created from 2010-03-27 to 2010-04-27  )))))))))))))))))))))))))))))))
.

2010-04-24 21:41 . 2010-04-24 21:41   54016   ----a-w-   c:\windows\system32\drivers\fjgjcbj.sys
2010-04-24 21:14 . 2010-04-24 21:14   --------   d-----w-   c:\documents and settings\gtsou\Local Settings\Application Data\avG
2010-04-24 21:14 . 2010-04-24 21:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\avG
2010-04-24 04:44 . 2010-04-24 11:48   0   ----a-w-   c:\windows\system32\drivers\odpgjfqr.sys
2010-04-24 04:42 . 2010-04-24 04:42   70656   --sha-r-   c:\windows\system32\shimengp.dll
2010-04-24 03:59 . 2010-04-24 03:59   --------   d-----w-   c:\program files\DAEMON Tools Lite
2010-04-21 11:55 . 2010-04-21 11:55   299008   ----a-w-   c:\windows\system32\jnhtsnjj.dll
2010-04-20 23:10 . 2010-04-20 23:10   --------   d-----w-   c:\program files\Common Files\Skype
2010-04-03 23:49 . 2010-04-03 23:49   --------   d-----w-   C:\Impressions Games
2010-04-03 22:59 . 2010-04-03 23:12   --------   d-----w-   c:\program files\American Civil War Gettysburg
2010-04-03 22:56 . 2010-04-03 22:58   --------   d-----w-   c:\documents and settings\gtsou\Application Data\DAEMON Tools Pro
2010-04-03 22:56 . 2010-04-03 22:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2010-04-03 20:52 . 2010-04-03 20:52   --------   d-----w-   c:\program files\uTorrent
2010-04-03 20:52 . 2010-04-27 01:55   --------   d-----w-   c:\documents and settings\gtsou\Application Data\uTorrent
2010-04-03 02:24 . 2010-04-03 02:24   --------   d-----w-   c:\program files\Trend Micro
2010-04-02 23:50 . 2010-04-02 23:50   --------   d-----w-   c:\documents and settings\gtsou\Application Data\Malwarebytes
2010-04-02 23:17 . 2010-03-29 19:24   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-02 23:17 . 2010-04-02 23:45   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-04-02 23:17 . 2010-04-02 23:17   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-02 23:17 . 2010-03-29 19:24   20824   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-02 22:42 . 2010-04-02 22:42   --------   d--h--w-   c:\windows\PIF
2010-04-02 22:18 . 2010-04-02 22:29   --------   d-----w-   c:\documents and settings\gtsou\Application Data\QuickScan
2010-04-02 22:03 . 2010-04-03 00:34   --------   d-----w-   c:\documents and settings\gtsou\Local Settings\Application Data\iaddkeccw
2010-04-02 20:50 . 2010-04-02 20:50   --------   d-----w-   c:\windows\system32\config\systemprofile\Application Data\AdobeUM
2010-04-02 20:49 . 2010-04-02 20:49   --------   d-----w-   c:\windows\system32\config\systemprofile\Application Data\InstallShield
2010-04-02 20:26 . 2010-04-02 20:26   135168   ----a-w-   c:\windows\system32\zoqvs.exe
2010-04-02 19:01 . 2010-04-26 19:13   120   ----a-w-   c:\windows\Fqovusije.dat
2010-04-02 19:01 . 2010-04-26 15:12   0   ----a-w-   c:\windows\Nyaqiwedoke.bin
2010-04-02 18:58 . 2010-04-02 18:58   135168   ----a-w-   c:\windows\system32\lkwsl.exe
2010-04-02 18:58 . 2010-04-02 18:58   135168   ----a-w-   c:\windows\system32\jrvs.exe
2010-04-02 18:58 . 2010-04-02 18:58   135168   ----a-w-   c:\windows\system32\bqdv.exe
2010-04-02 18:51 . 2010-04-02 18:51   --------   d-----w-   c:\program files\Trymedia

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-27 01:58 . 2009-11-06 03:22   --------   d-----w-   c:\documents and settings\gtsou\Application Data\Skype
2010-04-27 01:55 . 2010-03-26 02:04   --------   d-----w-   c:\program files\Common Files\Akamai
2010-04-27 01:53 . 2006-05-03 14:27   --------   d-----w-   c:\program files\Symantec AntiVirus
2010-04-27 01:21 . 2006-01-10 18:52   4224   ----a-w-   c:\windows\system32\drivers\rdpcdd.sys
2010-04-27 01:15 . 2009-03-26 15:46   --------   d-----w-   c:\documents and settings\gtsou\Application Data\skypePM
2010-04-24 23:01 . 2007-07-29 17:28   1324   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-04-24 21:14 . 2006-05-03 12:42   43888   ----a-w-   c:\documents and settings\desktop\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-24 16:33 . 2006-01-10 21:02   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-04-24 16:33 . 2009-12-05 01:09   --------   d-----w-   c:\program files\Microsoft Games
2010-04-24 16:29 . 2006-01-10 21:00   --------   d-----w-   c:\program files\Common Files\InstallShield
2010-04-03 23:01 . 2010-04-03 23:01   49152   ----a-r-   c:\documents and settings\gtsou\Application Data\Microsoft\Installer\{996F1BF8-D7BB-40A1-80E3-13DF6C2866F0}\GettysburgStart.exe1_996F1BF8D7BB40A180E313DF6C2866F0.exe
2010-04-03 23:01 . 2010-04-03 23:01   49152   ----a-r-   c:\documents and settings\gtsou\Application Data\Microsoft\Installer\{996F1BF8-D7BB-40A1-80E3-13DF6C2866F0}\GettysburgStart.exe_996F1BF8D7BB40A180E313DF6C2866F0.exe
2010-04-03 23:01 . 2010-04-03 23:01   49152   ----a-r-   c:\documents and settings\gtsou\Application Data\Microsoft\Installer\{996F1BF8-D7BB-40A1-80E3-13DF6C2866F0}\ARPPRODUCTICON.exe
2010-04-03 22:42 . 2007-08-02 06:52   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-04-03 20:47 . 2009-04-12 01:56   --------   d-----w-   c:\documents and settings\gtsou\Application Data\LimeWire
2010-04-03 02:29 . 2009-01-26 18:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\AR System
2010-04-03 02:29 . 2009-12-13 00:43   --------   d-----w-   c:\program files\DAEMON Tools Toolbar
2010-04-02 18:29 . 2009-09-19 18:44   --------   d-----w-   c:\program files\Oberon Media
2010-04-01 02:05 . 2007-02-24 20:49   --------   d-----w-   c:\program files\lx_Cats
2010-03-12 03:59 . 2010-03-12 03:51   --------   d-----w-   c:\documents and settings\gtsou\Application Data\OxelonMC
2010-03-12 03:51 . 2010-03-12 03:51   --------   d-----w-   c:\program files\OxelonMedia
2010-03-12 03:44 . 2010-03-12 03:44   118784   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-12 03:44 . 2010-03-12 03:44   118784   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-12 03:44 . 2010-03-12 03:44   118784   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-12 03:44 . 2010-03-12 03:44   118784   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-12 03:44 . 2010-03-12 03:44   118784   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-12 03:44 . 2010-03-12 03:44   329312   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-12 03:44 . 2010-03-12 03:44   300616   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-12 03:44 . 2010-03-12 03:44   118784   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-12 03:44 . 2010-03-12 03:43   --------   d-----w-   c:\program files\Common Files\Real
2010-03-12 03:44 . 2010-03-12 03:43   --------   d-----w-   c:\program files\Real
2010-03-12 03:44 . 2010-03-12 03:44   --------   d-----w-   c:\program files\Common Files\xing shared
2010-03-12 03:43 . 2003-02-21 12:42   348160   ----a-w-   c:\windows\system32\msvcr71.dll
2010-03-12 03:42 . 2008-02-14 20:07   --------   d-----w-   c:\program files\Google
2010-02-06 19:11 . 2010-02-06 19:11   9   ----a-w-   c:\program files\install_log.dat
2010-02-04 15:01 . 2010-03-01 02:17   74072   ----a-w-   c:\windows\system32\XAPOFX1_4.dll
2010-02-04 15:01 . 2010-03-01 02:17   528216   ----a-w-   c:\windows\system32\XAudio2_6.dll
2010-02-04 15:01 . 2010-03-01 02:17   238936   ----a-w-   c:\windows\system32\xactengine3_6.dll
2010-02-04 15:01 . 2010-03-01 02:17   22360   ----a-w-   c:\windows\system32\X3DAudio1_7.dll
2008-06-13 19:17 . 2008-06-13 19:17   0   ----a-w-   c:\program files\temp01
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-08-18 5137648]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-03 319792]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="thpsrv" [X]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2005-03-01 245760]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-16 7340032]
"nwiz"="nwiz.exe" [2005-12-16 1519616]
"NVRotateSysTray"="c:\windows\system32\nvsysrot.dll" [2005-12-16 49152]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"DpUtil"="c:\program files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-06-29 155648]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 88203]
"TFNF5"="TFNF5.exe" [2005-12-26 581632]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"TPSMain"="TPSMain.exe" [2005-12-15 315392]
"TPSODDCtl"="TPSODDCtl.exe" [2005-12-15 110592]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2005-12-20 86016]
"TMESBS.EXE"="c:\program files\TOSHIBA\TME3\TMESBS32.EXE" [2003-08-01 86016]
"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2005-10-05 344144]
"TFncKy"="TFncKy.exe" [BU]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-12-21 48800]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-27 85744]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-09-14 73728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"VX6000"="c:\windows\vVX6000.exe" [2006-10-13 994096]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-12 202256]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-1-10 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
2005-12-27 04:31   57344   ----a-w-   c:\windows\system32\TosBtNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1472311023-2527176863-257251319-8139\Scripts\Logon\0\0]
"Script"=IE_HP.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\lxcfcoms.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\CheckPoint\\SSL Network Extender\\slimsvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III - The WarChiefs Trial\\age3x.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1136:TCP"= 1136:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [12/28/04 3:31 AM 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [1/10/06 5:15 PM 6144]
R0 VSP;VERITAS Snapshot Provider;c:\windows\system32\drivers\VSP.SYS [11/08/05 2:45 PM 51896]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [1/10/06 5:24 PM 5888]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [1/10/06 2:52 PM 14336]
R2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [6/05/08 5:40 PM 344161]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [5/27/06 4:06 PM 169200]
R2 Tmesbs;Tmesbs32;c:\program files\Toshiba\TME3\tmesbs32.exe [1/10/06 5:24 PM 86016]
R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [1/10/06 5:24 PM 126976]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [4/02/10 9:46 PM 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/10/06 4:16 PM 35968]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [1/10/06 5:35 PM 595072]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [9/12/06 6:14 PM 120976]
S2 FdRedir;FdRedir;\??\c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys --> c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [?]
S2 FileDisk2;FileDisk Protector Kernel Driver;\??\c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys --> c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [?]
S2 gupdate1cac195f179d7e4;Google Update Service (gupdate1cac195f179d7e4);c:\program files\Google\Update\GoogleUpdate.exe [3/11/10 11:41 PM 133104]
S2 smihlp;SMI helper driver;\??\c:\program files\Protector Suite QL\smihlp.sys --> c:\program files\Protector Suite QL\smihlp.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/02/10 7:17 PM 38224]
S3 OracleOracle9iClientCache;OracleOracle9iClientCache;c:\oracle9i\bin\ONRSD.EXE [4/26/02 7:34 PM 242328]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [6/29/06 7:56 PM 2383152]
S3 XDva042;XDva042;\??\c:\windows\system32\XDva042.sys --> c:\windows\system32\XDva042.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/12/09 8:43 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai   REG_MULTI_SZ      Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA844-CC51-11CF-AAFA-00AA00B6015C}]
2004-08-04 12:00   99840   ----a-w-   c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-12 03:41]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-12 03:41]

2010-04-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1472311023-2527176863-257251319-5225.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-04-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1472311023-2527176863-257251319-5225.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2007-01-20 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-01-10 12:00]

2007-01-20 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-01-10 12:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {2DE0C501-4D2A-11D4-BA31-0008C7F472F4} - hxxp://lclntfl1/encore/ActiveX/eposOperations.cab
DPF: {32998E04-50FF-11D4-BA34-0008C7F472F4} - hxxp://lclntfl1/encore/ActiveX/eposReports.cab
DPF: {399CB6C4-7312-11D2-B4D9-00105A0422DF} - hxxp://lclntfl1/encore/ActiveX/HHActiveX.cab
DPF: {40C52972-E535-42A0-9D3B-BC76217E63D9} - hxxp://lclntfl1/encore/ActiveX/eposVersionCtl.cab
DPF: {47D39363-D193-47EA-8A75-41144B099491} - hxxp://lclntfl1/encore/ActiveX/eposHostView.cab
DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} - hxxp://www.powerchallenge.com/applet/PowerLoader.cab
DPF: {594EF4A4-50F2-11D4-BA34-0008C7F472F4} - hxxp://lclntfl1/encore/ActiveX/eposLogTrace.cab
DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} - hxxp://aolsvc.aol.com/onlinegames/free-trial-doggie-dash/DoggieDash.1.0.0.6.cab
DPF: {6FE79ACA-A498-45E5-8BC4-1B9F380CE468} - hxxp://aolsvc.aol.com/onlinegames/ghadventureball/abxgh.cab
DPF: {7BEA4D18-62F2-11D4-9917-00010233DC97} - hxxp://lclntfl1/encore/ActiveX/eposEDBFormCtl.cab
DPF: {7D492D61-303A-45C3-8A55-63449339943D} - hxxp://aolsvc.aol.com/onlinegames/free-trial-the-nightshift-code/NightShiftCodeWeb.1.0.0.5.cab
DPF: {94811A83-D5BA-46D3-96AF-BC94B9C311EB} - hxxp://lclntfl1/encore/ActiveX/EposHelpMenu.cab
DPF: {96556AA0-4325-11d5-8AA7-006008A71E67} - hxxp://lclntfl1/encore/ActiveX/ROAMUser.cab
DPF: {97A789C6-8C70-11D3-B390-006008A71FAA} - hxxp://lclntfl1/encore/ActiveX/eposACCA.cab
DPF: {A44B2DE3-7AD0-42A8-B428-E44283B3973E} - hxxp://lclntfl1/encore/ActiveX/eposDisplay.cab
DPF: {A9699323-B893-4DE4-8A77-35167ECFFDD7} - hxxp://lclntfl1/encore/ActiveX/EposMaintenance.cab
DPF: {AE3E8210-B33F-49C1-B4E2-860F5F4D732F} - hxxps://vwhqdsvp2/dsview/applets/viewerLauncher.cab
DPF: {B213E7A3-9E5D-4B42-9091-7A913D2D7A59} - hxxp://lclntfl1/encore/ActiveX/EposFileDown.cab
DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://lclvpn1.loblaw.ca/SNX/CSHELL/extender.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab
DPF: {C0C0CB9B-BFEB-47C2-90FA-BE9692875ADB} - hxxp://aolsvc.aol.com/onlinegames/free-trial-pet-shop-hop/petshophopweb.1.0.0.16.cab
DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} - hxxp://www.aquire.com/codebase81/OrgPubX.cab
DPF: {C55910F4-2EC6-404F-8545-476CA94E7503} - hxxp://lclntfl1/encore/ActiveX/eposHelpView.cab
DPF: {C7442243-FAEC-46AF-8157-E1736636C037} - hxxp://lclntfl1/encore/ActiveX/eposDBMaintenance.cab
DPF: {C8671BE3-53EA-4460-A830-4C508F09EA19} - hxxp://lclntfl1/encore/ActiveX/eposLog.cab
DPF: {D2BBE042-8152-4B0B-9674-9A7292B83355} - hxxp://lclntfl1/encore/ActiveX/eposActiveSetup.cab
DPF: {DCEA263C-75E9-4029-F6AA-37F011CC4EF1} - hxxp://dialcom.com/spontania/download/SpontaniaVideoCollaboration.cab
FF - ProfilePath - c:\documents and settings\gtsou\Application Data\Mozilla\Firefox\Profiles\3cb7peef.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=15153&l=dis
FF - prefs.js: network.proxy.ftp - lclproxy3
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.gopher - lclproxy3
FF - prefs.js: network.proxy.gopher_port - 80
FF - prefs.js: network.proxy.http - lclproxy3
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.socks - lclproxy3
FF - prefs.js: network.proxy.socks_port - 80
FF - prefs.js: network.proxy.ssl - lclproxy3
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: XULRunner: {C1336CB7-D7AA-4A17-BCB2-592A031470DA} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{C1336CB7-D7AA-4A17-BCB2-592A031470DA}\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_ everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_a s_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{A2BA40A0-74F1-52BD-F411-00B15A2C8953} - c:\windows\system32\tvsimpw.dll
HKLM-Run-VERITAS NetBackup Client Job Tracker - \NetBackup\bin\tracker.exe
HKLM-Run-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe
HKLM-Run-Eqezo - c:\windows\epuyiyoh.dll
SharedTaskScheduler-{A2BA40A0-74F1-52BD-F411-00B15A2C8953} - c:\windows\system32\tvsimpw.dll
Notify-ckpNotify - (no file)
AddRemove-ActiveTouchMeetingClient - c:\windows\DOWNLO~1\atcliun.exe
AddRemove-PharaohDemo - c:\sierra\PharaohDemo\Uninst.isu
AddRemove-Thief2X: Shadows Of The Metal Age_is1 - c:\program files\Thief2\unins000.exe
AddRemove-Sparkplayer (Beta) - c:\documents and settings\gtsou\My Documents\Sparkplay Media\Sparkplayer (Beta)\Update.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-26 21:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys >>UNKNOWN [0x89559AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bfc3
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74827b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4d6d
 ParseProcedure -> ntoskrnl.exe @ 0x8057950b
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4d6d
 ParseProcedure -> ntoskrnl.exe @ 0x8057950b
NDIS: Intel(R) PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7858ba0
 PacketIndicateHandler -> NDIS.sys @ 0xf7865b21
 SendHandler -> NDIS.sys @ 0xf784387b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1472311023-2527176863-257251319-5225\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1176)
c:\windows\system32\TosBtNP.dll

- - - - - - - > 'explorer.exe'(2952)
c:\windows\system32\nview.dll
c:\program files\TOSHIBA\TME3\TMEEJMD.DLL
c:\windows\system32\nvwddi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\system32\lxcfcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\oracle9i\bin\omtsreco.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\ThpSrv.exe
c:\windows\system32\wdfmgr.exe
c:\program files\TOSHIBA\TME3\TMEEJME.EXE
c:\windows\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
c:\windows\system32\CCM\CcmExec.exe
c:\windows\system32\rundll32.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\thpsrv.exe
c:\windows\system32\TFNF5.exe
c:\windows\system32\TPSMain.exe
c:\windows\system32\TPSODDCtl.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Apoint2K\Apntex.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Phone\Skype.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-04-26  22:05:14 - machine was rebooted
ComboFix-quarantined-files.txt  2010-04-27 02:05

Pre-Run: 5,105,025,024 bytes free
Post-Run: 5,000,384,512 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /forceresetreg

- - End Of File - - 68F78DDFB3C1BEDFFA751FC24B9982FB
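Two things in the log above are worth checking mechanically rather than by eye: the "Other Deletions" list shows copies of csrss.exe, lsass.exe, services.exe, svchost.exe, winlogon.exe and taskmgr.exe sitting in the user's Temp folder, which is never where Windows keeps those binaries, and the "Reg Loading Points" section shows the Security Center and firewall-policy values (AntiVirusOverride, FirewallOverride, DisableMonitoring, EnableFirewall=0, DisableNotifications=1) set so that Windows stops warning about disabled protection. The script below is an added example and is not part of the original post or of ComboFix; it reads a ComboFix-style log and flags both patterns. The list of core binaries, the allowed directories and the SAMPLE_LOG are this example's own assumptions (SAMPLE_LOG is constructed from the patterns in the posted log).

```python
"""Triage checks for a ComboFix-style log (added example, not ComboFix code).

1. Flag copies of core Windows binaries (csrss.exe, lsass.exe, ...) found
   anywhere other than the directories Windows XP actually keeps them in.
   A "svchost.exe" in a user's Temp folder is a masquerading dropper.
2. Flag registry values under the Security Center and firewall-policy keys
   that switch off AV/firewall monitoring or the firewall itself.

CRITICAL_BINARIES, ALLOWED_DIRS and SAMPLE_LOG are assumptions of this
example; SAMPLE_LOG is constructed from the patterns in the posted log.
"""
import ntpath
import re
import sys

# Core process names that only legitimately live under ALLOWED_DIRS on XP.
CRITICAL_BINARIES = {
    "csrss.exe", "lsass.exe", "services.exe", "svchost.exe",
    "winlogon.exe", "smss.exe", "taskmgr.exe",
}
# XP also keeps pristine copies in dllcache and ServicePackFiles.
ALLOWED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\system32\dllcache",
    r"c:\windows\servicepackfiles\i386",
}

# (lower-cased key fragment, value name, value that means "tampered")
TAMPER_VALUES = [
    ("security center", "AntiVirusOverride", 1),
    ("security center", "FirewallOverride", 1),
    (r"security center\monitoring", "DisableMonitoring", 1),
    (r"firewallpolicy\standardprofile", "EnableFirewall", 0),
    (r"firewallpolicy\standardprofile", "DisableNotifications", 1),
]

# First Windows path on a line that ends in an executable extension: covers
# the bare paths of the deletions list, the trailing path of "Files Created"
# rows and the quoted path of Run-key values.
PATH_RE = re.compile(r'([a-z]:\\.*?\.(?:exe|dll|sys))(?=["\s\]]|$)', re.I)
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def find_masquerading_binaries(log_text):
    """Return paths whose file name is a core binary but whose folder is not."""
    hits = []
    for line in log_text.splitlines():
        m = PATH_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        directory, name = ntpath.split(path)
        if name.lower() in CRITICAL_BINARIES and directory.lower() not in ALLOWED_DIRS:
            hits.append(path)
    return hits


def _reg_number(raw):
    """Parse 'dword:00000001' or ' 0 (0x0)' into an int; None for non-numbers."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"-?\d+", raw)
    return int(m.group()) if m else None


def find_security_center_tampering(log_text):
    """Return (key, value name, value) triples that disable AV/firewall monitoring."""
    hits = []
    current_key = ""
    for line in log_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):   # REGEDIT4-style key header
            current_key = s[1:-1].lower()
            continue
        m = REG_VALUE_RE.match(s)
        if not m:
            continue
        name, raw = m.groups()
        value = _reg_number(raw)
        for key_frag, bad_name, bad_value in TAMPER_VALUES:
            if key_frag in current_key and name.lower() == bad_name.lower() and value == bad_value:
                hits.append((current_key, name, value))
    return hits


def triage(log_text):
    """Run both checks and return a dict suitable for a report."""
    return {
        "masquerading": find_masquerading_binaries(log_text),
        "tampering": find_security_center_tampering(log_text),
    }


# Constructed sample in the posted log's format (not the full log).
SAMPLE_LOG = r"""
c:\docume~1\gtsou\LOCALS~1\Temp\csrss.exe
c:\docume~1\gtsou\LOCALS~1\Temp\svchost.exe
c:\windows\system32\pragmabbr.dll
2010-04-24 21:41 . 2010-04-24 21:41   54016   ----a-w-   c:\windows\system32\drivers\fjgjcbj.sys
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [1/10/06 2:52 PM 14336]
"""

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = triage(text)
    for path in report["masquerading"]:
        print("masquerading core binary:", path)
    for key, name, value in report["tampering"]:
        print(f"monitoring disabled: [{key}] {name}={value}")
```

Run it as `python triage.py ComboFix.txt` against a saved log, or with no argument to see it work on the built-in sample. Treat the output as indicators, not proof: on a domain-joined corporate laptop like this one (note the CCM client and the lclproxy3 proxy settings in the log) a firewall policy value can come from Group Policy, so EnableFirewall=0 on its own is not conclusive. The combination seen here, Security Center overrides plus core-binary names dropped in Temp, is what makes it a malware signature; in the posted log ComboFix had already deleted those Temp copies.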
Title: Re: Need help removing malware
Post by: Dr Jay on April 26, 2010, 08:32:52 PM
Re-running ComboFix to remove infections:

Code:
killall::
http://www.computerhope.com/forum/index.php?topic=103847

Collect::
c:\windows\system32\drivers\odpgjfqr.sys
c:\windows\system32\shimengp.dll
c:\windows\system32\drivers\fjgjcbj.sys
c:\windows\system32\jnhtsnjj.dll
c:\windows\system32\zoqvs.exe
c:\windows\Fqovusije.dat
c:\windows\Nyaqiwedoke.bin
c:\windows\system32\lkwsl.exe
c:\windows\system32\jrvs.exe
c:\windows\system32\bqdv.exe

DirLook::
c:\documents and settings\gtsou\Local Settings\Application Data\avG
c:\documents and settings\gtsou\Local Settings\Application Data\iaddkeccw

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"=-

DDS::
DPF: {2DE0C501-4D2A-11D4-BA31-0008C7F472F4} - hxxp://lclntfl1/encore/ActiveX/eposOperations.cab
DPF: {32998E04-50FF-11D4-BA34-0008C7F472F4} - hxxp://lclntfl1/encore/ActiveX/eposReports.cab
DPF: {399CB6C4-7312-11D2-B4D9-00105A0422DF} - hxxp://lclntfl1/encore/ActiveX/HHActiveX.cab
DPF: {40C52972-E535-42A0-9D3B-BC76217E63D9} - hxxp://lclntfl1/encore/ActiveX/eposVersionCtl.cab
DPF: {47D39363-D193-47EA-8A75-41144B099491} - hxxp://lclntfl1/encore/ActiveX/eposHostView.cab
DPF: {594EF4A4-50F2-11D4-BA34-0008C7F472F4} - hxxp://lclntfl1/encore/ActiveX/eposLogTrace.cab
DPF: {7BEA4D18-62F2-11D4-9917-00010233DC97} - hxxp://lclntfl1/encore/ActiveX/eposEDBFormCtl.cab
DPF: {94811A83-D5BA-46D3-96AF-BC94B9C311EB} - hxxp://lclntfl1/encore/ActiveX/EposHelpMenu.cab
DPF: {96556AA0-4325-11d5-8AA7-006008A71E67} - hxxp://lclntfl1/encore/ActiveX/ROAMUser.cab
DPF: {97A789C6-8C70-11D3-B390-006008A71FAA} - hxxp://lclntfl1/encore/ActiveX/eposACCA.cab
DPF: {A44B2DE3-7AD0-42A8-B428-E44283B3973E} - hxxp://lclntfl1/encore/ActiveX/eposDisplay.cab
DPF: {A9699323-B893-4DE4-8A77-35167ECFFDD7} - hxxp://lclntfl1/encore/ActiveX/EposMaintenance.cab
DPF: {AE3E8210-B33F-49C1-B4E2-860F5F4D732F} - hxxps://vwhqdsvp2/dsview/applets/viewerLauncher.cab
DPF: {B213E7A3-9E5D-4B42-9091-7A913D2D7A59} - hxxp://lclntfl1/encore/ActiveX/EposFileDown.cab
DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://lclvpn1.loblaw.ca/SNX/CSHELL/extender.cab
DPF: {C55910F4-2EC6-404F-8545-476CA94E7503} - hxxp://lclntfl1/encore/ActiveX/eposHelpView.cab
DPF: {C7442243-FAEC-46AF-8157-E1736636C037} - hxxp://lclntfl1/encore/ActiveX/eposDBMaintenance.cab
DPF: {C8671BE3-53EA-4460-A830-4C508F09EA19} - hxxp://lclntfl1/encore/ActiveX/eposLog.cab
DPF: {D2BBE042-8152-4B0B-9674-9A7292B83355} - hxxp://lclntfl1/encore/ActiveX/eposActiveSetup.cab

Reboot::