Topic: Need help removing malware

pims (Topic Starter, Rookie)
    Need help removing malware
    « on: April 24, 2010, 03:52:56 PM »
    Hi everyone

    I have been infected by some sort of malware. I don't know which ones specifically, but I keep getting redirected to websites and get anti-virus spam messages all the time.

    Can someone help? I have MBAM and HijackThis logs I can post.

    Thanks

Dr Jay (Malware Removal Specialist, Moderator emeritus)
    Re: Need help removing malware
    « Reply #1 on: April 25, 2010, 01:11:59 PM »
    Please visit this webpage for a tutorial on downloading and running ComboFix:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    See the area: Using ComboFix, and when done, post the log back here.
    ~Dr Jay

pims (Topic Starter, Rookie)
      Re: Need help removing malware
      « Reply #2 on: April 26, 2010, 08:05:43 PM »
      Here is my ComboFix log:

      ComboFix 10-04-26.02 - gtsou 04/26/10  21:36:05.1.2 - x86
      Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1535.854 [GMT -4:00]
      Running from: c:\documents and settings\gtsou\Desktop\ComboFix.exe
      AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      c:\docume~1\gtsou\LOCALS~1\Temp\csrss.exe
      c:\docume~1\gtsou\LOCALS~1\Temp\lsass.exe
      c:\docume~1\gtsou\LOCALS~1\Temp\services.exe
      c:\docume~1\gtsou\LOCALS~1\Temp\svchost.exe
      c:\docume~1\gtsou\LOCALS~1\Temp\taskmgr.exe
      c:\docume~1\gtsou\LOCALS~1\Temp\winlogon.exe
      c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
      c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
      c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
      c:\documents and settings\All Users\Favorites\_favdata.dat
      c:\documents and settings\gtsou\Application Data\FE047E8011B595365A7C8D5BE2323621
      c:\documents and settings\gtsou\Application Data\FE047E8011B595365A7C8D5BE2323621\enemies-names.txt
      c:\documents and settings\gtsou\Application Data\FE047E8011B595365A7C8D5BE2323621\newupdate1142C.exe
      c:\documents and settings\gtsou\Local Settings\Application Data\{4AF4C274-7EDA-4E54-8233-5AD2B3FB6443}
      c:\documents and settings\gtsou\Local Settings\Application Data\{4AF4C274-7EDA-4E54-8233-5AD2B3FB6443}\chrome.manifest
      c:\documents and settings\gtsou\Local Settings\Application Data\{4AF4C274-7EDA-4E54-8233-5AD2B3FB6443}\chrome\content\_cfg.js
      c:\documents and settings\gtsou\Local Settings\Application Data\{4AF4C274-7EDA-4E54-8233-5AD2B3FB6443}\chrome\content\overlay.xul
      c:\documents and settings\gtsou\Local Settings\Application Data\{4AF4C274-7EDA-4E54-8233-5AD2B3FB6443}\install.rdf
      c:\documents and settings\gtsou\Local Settings\Temporary Internet Files\6JN1P.jpg
      c:\documents and settings\gtsou\Local Settings\Temporary Internet Files\s84k2jR.jpg
      c:\documents and settings\gtsou\Local Settings\Temporary Internet Files\w5Mv5N.jpg
      c:\documents and settings\gtsou\Local Settings\Temporary Internet Files\Wl06mBI.jpg
      c:\program files\Common
      c:\recycler\S-1-5-21-1884730776-40631320-2592372106-500
      c:\recycler\S-1-5-21-4044921709-3110831750-2273475995-500
      c:\recycler\S-1-5-21-596388085-2865526809-506721320-500
      c:\windows\arilihiwekesu.dll
      c:\windows\epuyiyoh.dll
      c:\windows\system32\0041.DLL
      c:\windows\system32\iyrvfeqigycspuwks.dll
      c:\windows\system32\pragmabbr.dll
      c:\windows\system32\PRAGMAsrcr.dat
      c:\windows\system32\Thumbs.db
      c:\windows\system32\tvsimpw.dll

      ----- BITS: Possible infected sites -----

      hxxp://LCLNTHQ67:80
      Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
      Restored copy from - Kitty had a snack :p
      .
      (((((((((((((((((((((((((   Files Created from 2010-03-27 to 2010-04-27  )))))))))))))))))))))))))))))))
      .

      2010-04-24 21:41 . 2010-04-24 21:41   54016   ----a-w-   c:\windows\system32\drivers\fjgjcbj.sys
      2010-04-24 21:14 . 2010-04-24 21:14   --------   d-----w-   c:\documents and settings\gtsou\Local Settings\Application Data\avG
      2010-04-24 21:14 . 2010-04-24 21:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\avG
      2010-04-24 04:44 . 2010-04-24 11:48   0   ----a-w-   c:\windows\system32\drivers\odpgjfqr.sys
      2010-04-24 04:42 . 2010-04-24 04:42   70656   --sha-r-   c:\windows\system32\shimengp.dll
      2010-04-24 03:59 . 2010-04-24 03:59   --------   d-----w-   c:\program files\DAEMON Tools Lite
      2010-04-21 11:55 . 2010-04-21 11:55   299008   ----a-w-   c:\windows\system32\jnhtsnjj.dll
      2010-04-20 23:10 . 2010-04-20 23:10   --------   d-----w-   c:\program files\Common Files\Skype
      2010-04-03 23:49 . 2010-04-03 23:49   --------   d-----w-   C:\Impressions Games
      2010-04-03 22:59 . 2010-04-03 23:12   --------   d-----w-   c:\program files\American Civil War Gettysburg
      2010-04-03 22:56 . 2010-04-03 22:58   --------   d-----w-   c:\documents and settings\gtsou\Application Data\DAEMON Tools Pro
      2010-04-03 22:56 . 2010-04-03 22:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
      2010-04-03 20:52 . 2010-04-03 20:52   --------   d-----w-   c:\program files\uTorrent
      2010-04-03 20:52 . 2010-04-27 01:55   --------   d-----w-   c:\documents and settings\gtsou\Application Data\uTorrent
      2010-04-03 02:24 . 2010-04-03 02:24   --------   d-----w-   c:\program files\Trend Micro
      2010-04-02 23:50 . 2010-04-02 23:50   --------   d-----w-   c:\documents and settings\gtsou\Application Data\Malwarebytes
      2010-04-02 23:17 . 2010-03-29 19:24   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
      2010-04-02 23:17 . 2010-04-02 23:45   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
      2010-04-02 23:17 . 2010-04-02 23:17   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
      2010-04-02 23:17 . 2010-03-29 19:24   20824   ----a-w-   c:\windows\system32\drivers\mbam.sys
      2010-04-02 22:42 . 2010-04-02 22:42   --------   d--h--w-   c:\windows\PIF
      2010-04-02 22:18 . 2010-04-02 22:29   --------   d-----w-   c:\documents and settings\gtsou\Application Data\QuickScan
      2010-04-02 22:03 . 2010-04-03 00:34   --------   d-----w-   c:\documents and settings\gtsou\Local Settings\Application Data\iaddkeccw
      2010-04-02 20:50 . 2010-04-02 20:50   --------   d-----w-   c:\windows\system32\config\systemprofile\Application Data\AdobeUM
      2010-04-02 20:49 . 2010-04-02 20:49   --------   d-----w-   c:\windows\system32\config\systemprofile\Application Data\InstallShield
      2010-04-02 20:26 . 2010-04-02 20:26   135168   ----a-w-   c:\windows\system32\zoqvs.exe
      2010-04-02 19:01 . 2010-04-26 19:13   120   ----a-w-   c:\windows\Fqovusije.dat
      2010-04-02 19:01 . 2010-04-26 15:12   0   ----a-w-   c:\windows\Nyaqiwedoke.bin
      2010-04-02 18:58 . 2010-04-02 18:58   135168   ----a-w-   c:\windows\system32\lkwsl.exe
      2010-04-02 18:58 . 2010-04-02 18:58   135168   ----a-w-   c:\windows\system32\jrvs.exe
      2010-04-02 18:58 . 2010-04-02 18:58   135168   ----a-w-   c:\windows\system32\bqdv.exe
      2010-04-02 18:51 . 2010-04-02 18:51   --------   d-----w-   c:\program files\Trymedia

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-04-27 01:58 . 2009-11-06 03:22   --------   d-----w-   c:\documents and settings\gtsou\Application Data\Skype
      2010-04-27 01:55 . 2010-03-26 02:04   --------   d-----w-   c:\program files\Common Files\Akamai
      2010-04-27 01:53 . 2006-05-03 14:27   --------   d-----w-   c:\program files\Symantec AntiVirus
      2010-04-27 01:21 . 2006-01-10 18:52   4224   ----a-w-   c:\windows\system32\drivers\rdpcdd.sys
      2010-04-27 01:15 . 2009-03-26 15:46   --------   d-----w-   c:\documents and settings\gtsou\Application Data\skypePM
      2010-04-24 23:01 . 2007-07-29 17:28   1324   ----a-w-   c:\windows\system32\d3d9caps.dat
      2010-04-24 21:14 . 2006-05-03 12:42   43888   ----a-w-   c:\documents and settings\desktop\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
      2010-04-24 16:33 . 2006-01-10 21:02   --------   d--h--w-   c:\program files\InstallShield Installation Information
      2010-04-24 16:33 . 2009-12-05 01:09   --------   d-----w-   c:\program files\Microsoft Games
      2010-04-24 16:29 . 2006-01-10 21:00   --------   d-----w-   c:\program files\Common Files\InstallShield
      2010-04-03 23:01 . 2010-04-03 23:01   49152   ----a-r-   c:\documents and settings\gtsou\Application Data\Microsoft\Installer\{996F1BF8-D7BB-40A1-80E3-13DF6C2866F0}\GettysburgStart.exe1_996F1BF8D7BB40A180E313DF6C2866F0.exe
      2010-04-03 23:01 . 2010-04-03 23:01   49152   ----a-r-   c:\documents and settings\gtsou\Application Data\Microsoft\Installer\{996F1BF8-D7BB-40A1-80E3-13DF6C2866F0}\GettysburgStart.exe_996F1BF8D7BB40A180E313DF6C2866F0.exe
      2010-04-03 23:01 . 2010-04-03 23:01   49152   ----a-r-   c:\documents and settings\gtsou\Application Data\Microsoft\Installer\{996F1BF8-D7BB-40A1-80E3-13DF6C2866F0}\ARPPRODUCTICON.exe
      2010-04-03 22:42 . 2007-08-02 06:52   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
      2010-04-03 20:47 . 2009-04-12 01:56   --------   d-----w-   c:\documents and settings\gtsou\Application Data\LimeWire
      2010-04-03 02:29 . 2009-01-26 18:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\AR System
      2010-04-03 02:29 . 2009-12-13 00:43   --------   d-----w-   c:\program files\DAEMON Tools Toolbar
      2010-04-02 18:29 . 2009-09-19 18:44   --------   d-----w-   c:\program files\Oberon Media
      2010-04-01 02:05 . 2007-02-24 20:49   --------   d-----w-   c:\program files\lx_Cats
      2010-03-12 03:59 . 2010-03-12 03:51   --------   d-----w-   c:\documents and settings\gtsou\Application Data\OxelonMC
      2010-03-12 03:51 . 2010-03-12 03:51   --------   d-----w-   c:\program files\OxelonMedia
      2010-03-12 03:44 . 2010-03-12 03:44   118784   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
      2010-03-12 03:44 . 2010-03-12 03:44   118784   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
      2010-03-12 03:44 . 2010-03-12 03:44   118784   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
      2010-03-12 03:44 . 2010-03-12 03:44   118784   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
      2010-03-12 03:44 . 2010-03-12 03:44   118784   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
      2010-03-12 03:44 . 2010-03-12 03:44   329312   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
      2010-03-12 03:44 . 2010-03-12 03:44   300616   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
      2010-03-12 03:44 . 2010-03-12 03:44   118784   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
      2010-03-12 03:44 . 2010-03-12 03:43   --------   d-----w-   c:\program files\Common Files\Real
      2010-03-12 03:44 . 2010-03-12 03:43   --------   d-----w-   c:\program files\Real
      2010-03-12 03:44 . 2010-03-12 03:44   --------   d-----w-   c:\program files\Common Files\xing shared
      2010-03-12 03:43 . 2003-02-21 12:42   348160   ----a-w-   c:\windows\system32\msvcr71.dll
      2010-03-12 03:42 . 2008-02-14 20:07   --------   d-----w-   c:\program files\Google
      2010-02-06 19:11 . 2010-02-06 19:11   9   ----a-w-   c:\program files\install_log.dat
      2010-02-04 15:01 . 2010-03-01 02:17   74072   ----a-w-   c:\windows\system32\XAPOFX1_4.dll
      2010-02-04 15:01 . 2010-03-01 02:17   528216   ----a-w-   c:\windows\system32\XAudio2_6.dll
      2010-02-04 15:01 . 2010-03-01 02:17   238936   ----a-w-   c:\windows\system32\xactengine3_6.dll
      2010-02-04 15:01 . 2010-03-01 02:17   22360   ----a-w-   c:\windows\system32\X3DAudio1_7.dll
      2008-06-13 19:17 . 2008-06-13 19:17   0   ----a-w-   c:\program files\temp01
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
      "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-08-18 5137648]
      "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-03 319792]
      "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ThpSrv"="thpsrv" [X]
      "00THotkey"="c:\windows\system32\00THotkey.exe" [2005-03-01 245760]
      "000StTHK"="000StTHK.exe" [2001-06-23 24576]
      "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-16 7340032]
      "nwiz"="nwiz.exe" [2005-12-16 1519616]
      "NVRotateSysTray"="c:\windows\system32\nvsysrot.dll" [2005-12-16 49152]
      "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
      "DpUtil"="c:\program files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-06-29 155648]
      "AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 88203]
      "TFNF5"="TFNF5.exe" [2005-12-26 581632]
      "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
      "TPSMain"="TPSMain.exe" [2005-12-15 315392]
      "TPSODDCtl"="TPSODDCtl.exe" [2005-12-15 110592]
      "TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]
      "TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2005-12-20 86016]
      "TMESBS.EXE"="c:\program files\TOSHIBA\TME3\TMESBS32.EXE" [2003-08-01 86016]
      "TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]
      "TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
      "TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2005-10-05 344144]
      "TFncKy"="TFncKy.exe" [BU]
      "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
      "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
      "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
      "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-12-21 48800]
      "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-27 85744]
      "LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-09-14 73728]
      "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
      "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
      "VX6000"="c:\windows\vVX6000.exe" [2006-10-13 994096]
      "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-12 202256]

      c:\documents and settings\All Users\Start Menu\Programs\Startup\
      Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
      RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-1-10 155648]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
      2005-12-27 04:31   57344   ----a-w-   c:\windows\system32\TosBtNP.dll

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1472311023-2527176863-257251319-8139\Scripts\Logon\0\0]
      "Script"=IE_HP.bat

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
      @="Service"

      [HKEY_LOCAL_MACHINE\software\microsoft\security center]
      "AntiVirusOverride"=dword:00000001
      "FirewallOverride"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
      "DisableMonitoring"=dword:00000001

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
      "EnableFirewall"= 0 (0x0)
      "DisableNotifications"= 1 (0x1)

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\WINDOWS\\system32\\lxcfcoms.exe"=
      "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
      "c:\\Program Files\\DNA\\btdna.exe"=
      "c:\\Program Files\\LimeWire\\LimeWire.exe"=
      "c:\\Program Files\\CheckPoint\\SSL Network Extender\\slimsvc.exe"=
      "c:\\Program Files\\iTunes\\iTunes.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
      "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
      "c:\\Program Files\\Microsoft Games\\Age of Empires III - The WarChiefs Trial\\age3x.exe"=
      "c:\\Program Files\\uTorrent\\uTorrent.exe"=
      "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "1136:TCP"= 1136:TCP:Akamai NetSession Interface
      "5000:UDP"= 5000:UDP:Akamai NetSession Interface

      R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [12/28/04 3:31 AM 16384]
      R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [1/10/06 5:15 PM 6144]
      R0 VSP;VERITAS Snapshot Provider;c:\windows\system32\drivers\VSP.SYS [11/08/05 2:45 PM 51896]
      R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [1/10/06 5:24 PM 5888]
      R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [1/10/06 2:52 PM 14336]
      R2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [6/05/08 5:40 PM 344161]
      R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [5/27/06 4:06 PM 169200]
      R2 Tmesbs;Tmesbs32;c:\program files\Toshiba\TME3\tmesbs32.exe [1/10/06 5:24 PM 86016]
      R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [1/10/06 5:24 PM 126976]
      R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [4/02/10 9:46 PM 102448]
      R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/10/06 4:16 PM 35968]
      R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [1/10/06 5:35 PM 595072]
      R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [9/12/06 6:14 PM 120976]
      S2 FdRedir;FdRedir;\??\c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys --> c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [?]
      S2 FileDisk2;FileDisk Protector Kernel Driver;\??\c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys --> c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [?]
      S2 gupdate1cac195f179d7e4;Google Update Service (gupdate1cac195f179d7e4);c:\program files\Google\Update\GoogleUpdate.exe [3/11/10 11:41 PM 133104]
      S2 smihlp;SMI helper driver;\??\c:\program files\Protector Suite QL\smihlp.sys --> c:\program files\Protector Suite QL\smihlp.sys [?]
      S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/02/10 7:17 PM 38224]
      S3 OracleOracle9iClientCache;OracleOracle9iClientCache;c:\oracle9i\bin\ONRSD.EXE [4/26/02 7:34 PM 242328]
      S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [6/29/06 7:56 PM 2383152]
      S3 XDva042;XDva042;\??\c:\windows\system32\XDva042.sys --> c:\windows\system32\XDva042.sys [?]
      S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/12/09 8:43 PM 691696]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
      Akamai   REG_MULTI_SZ      Akamai

      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA844-CC51-11CF-AAFA-00AA00B6015C}]
      2004-08-04 12:00   99840   ----a-w-   c:\windows\system32\advpack.dll
      .
      Contents of the 'Scheduled Tasks' folder

      2010-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
      - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

      2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-12 03:41]

      2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-12 03:41]

      2010-04-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1472311023-2527176863-257251319-5225.job
      - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

      2010-04-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1472311023-2527176863-257251319-5225.job
      - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

      2007-01-20 c:\windows\Tasks\Registration reminder 1.job
      - c:\windows\system32\OOBE\oobebaln.exe [2006-01-10 12:00]

      2007-01-20 c:\windows\Tasks\Registration reminder 2.job
      - c:\windows\system32\OOBE\oobebaln.exe [2006-01-10 12:00]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://www.google.ca/
      uInternet Connection Wizard,ShellNext = iexplore
      uInternet Settings,ProxyOverride = <local>
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
      DPF: {2DE0C501-4D2A-11D4-BA31-0008C7F472F4} - hxxp://lclntfl1/encore/ActiveX/eposOperations.cab
      DPF: {32998E04-50FF-11D4-BA34-0008C7F472F4} - hxxp://lclntfl1/encore/ActiveX/eposReports.cab
      DPF: {399CB6C4-7312-11D2-B4D9-00105A0422DF} - hxxp://lclntfl1/encore/ActiveX/HHActiveX.cab
      DPF: {40C52972-E535-42A0-9D3B-BC76217E63D9} - hxxp://lclntfl1/encore/ActiveX/eposVersionCtl.cab
      DPF: {47D39363-D193-47EA-8A75-41144B099491} - hxxp://lclntfl1/encore/ActiveX/eposHostView.cab
      DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} - hxxp://www.powerchallenge.com/applet/PowerLoader.cab
      DPF: {594EF4A4-50F2-11D4-BA34-0008C7F472F4} - hxxp://lclntfl1/encore/ActiveX/eposLogTrace.cab
      DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} - hxxp://aolsvc.aol.com/onlinegames/free-trial-doggie-dash/DoggieDash.1.0.0.6.cab
      DPF: {6FE79ACA-A498-45E5-8BC4-1B9F380CE468} - hxxp://aolsvc.aol.com/onlinegames/ghadventureball/abxgh.cab
      DPF: {7BEA4D18-62F2-11D4-9917-00010233DC97} - hxxp://lclntfl1/encore/ActiveX/eposEDBFormCtl.cab
      DPF: {7D492D61-303A-45C3-8A55-63449339943D} - hxxp://aolsvc.aol.com/onlinegames/free-trial-the-nightshift-code/NightShiftCodeWeb.1.0.0.5.cab
      DPF: {94811A83-D5BA-46D3-96AF-BC94B9C311EB} - hxxp://lclntfl1/encore/ActiveX/EposHelpMenu.cab
      DPF: {96556AA0-4325-11d5-8AA7-006008A71E67} - hxxp://lclntfl1/encore/ActiveX/ROAMUser.cab
      DPF: {97A789C6-8C70-11D3-B390-006008A71FAA} - hxxp://lclntfl1/encore/ActiveX/eposACCA.cab
      DPF: {A44B2DE3-7AD0-42A8-B428-E44283B3973E} - hxxp://lclntfl1/encore/ActiveX/eposDisplay.cab
      DPF: {A9699323-B893-4DE4-8A77-35167ECFFDD7} - hxxp://lclntfl1/encore/ActiveX/EposMaintenance.cab
      DPF: {AE3E8210-B33F-49C1-B4E2-860F5F4D732F} - hxxps://vwhqdsvp2/dsview/applets/viewerLauncher.cab
      DPF: {B213E7A3-9E5D-4B42-9091-7A913D2D7A59} - hxxp://lclntfl1/encore/ActiveX/EposFileDown.cab
      DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://lclvpn1.loblaw.ca/SNX/CSHELL/extender.cab
      DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab
      DPF: {C0C0CB9B-BFEB-47C2-90FA-BE9692875ADB} - hxxp://aolsvc.aol.com/onlinegames/free-trial-pet-shop-hop/petshophopweb.1.0.0.16.cab
      DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} - hxxp://www.aquire.com/codebase81/OrgPubX.cab
      DPF: {C55910F4-2EC6-404F-8545-476CA94E7503} - hxxp://lclntfl1/encore/ActiveX/eposHelpView.cab
      DPF: {C7442243-FAEC-46AF-8157-E1736636C037} - hxxp://lclntfl1/encore/ActiveX/eposDBMaintenance.cab
      DPF: {C8671BE3-53EA-4460-A830-4C508F09EA19} - hxxp://lclntfl1/encore/ActiveX/eposLog.cab
      DPF: {D2BBE042-8152-4B0B-9674-9A7292B83355} - hxxp://lclntfl1/encore/ActiveX/eposActiveSetup.cab
      DPF: {DCEA263C-75E9-4029-F6AA-37F011CC4EF1} - hxxp://dialcom.com/spontania/download/SpontaniaVideoCollaboration.cab
      FF - ProfilePath - c:\documents and settings\gtsou\Application Data\Mozilla\Firefox\Profiles\3cb7peef.default\
      FF - prefs.js: browser.search.selectedEngine - Ask.com
      FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=15153&l=dis
      FF - prefs.js: network.proxy.ftp - lclproxy3
      FF - prefs.js: network.proxy.ftp_port - 80
      FF - prefs.js: network.proxy.gopher - lclproxy3
      FF - prefs.js: network.proxy.gopher_port - 80
      FF - prefs.js: network.proxy.http - lclproxy3
      FF - prefs.js: network.proxy.http_port - 80
      FF - prefs.js: network.proxy.socks - lclproxy3
      FF - prefs.js: network.proxy.socks_port - 80
      FF - prefs.js: network.proxy.ssl - lclproxy3
      FF - prefs.js: network.proxy.ssl_port - 80
      FF - prefs.js: network.proxy.type - 2
      FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
      FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
      FF - HiddenExtension: XULRunner: {C1336CB7-D7AA-4A17-BCB2-592A031470DA} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{C1336CB7-D7AA-4A17-BCB2-592A031470DA}\

      ---- FIREFOX POLICIES ----
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
      .
      - - - - ORPHANS REMOVED - - - -

      BHO-{A2BA40A0-74F1-52BD-F411-00B15A2C8953} - c:\windows\system32\tvsimpw.dll
      HKLM-Run-VERITAS NetBackup Client Job Tracker - \NetBackup\bin\tracker.exe
      HKLM-Run-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe
      HKLM-Run-Eqezo - c:\windows\epuyiyoh.dll
      SharedTaskScheduler-{A2BA40A0-74F1-52BD-F411-00B15A2C8953} - c:\windows\system32\tvsimpw.dll
      Notify-ckpNotify - (no file)
      AddRemove-ActiveTouchMeetingClient - c:\windows\DOWNLO~1\atcliun.exe
      AddRemove-PharaohDemo - c:\sierra\PharaohDemo\Uninst.isu
      AddRemove-Thief2X: Shadows Of The Metal Age_is1 - c:\program files\Thief2\unins000.exe
      AddRemove-Sparkplayer (Beta) - c:\documents and settings\gtsou\My Documents\Sparkplay Media\Sparkplayer (Beta)\Update.exe



      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-04-26 21:54
      Windows 5.1.2600 Service Pack 2 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      HKLM\Software\Microsoft\Windows\CurrentVersion\Run
        LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************

      Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

      device: opened successfully
      user: MBR read successfully
      called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys >>UNKNOWN [0x89559AC8]<<
      kernel: MBR read successfully
      detected MBR rootkit hooks:
      \Driver\Disk -> CLASSPNP.SYS @ 0xf765bfc3
      \Driver\ACPI -> ACPI.sys @ 0xf75aecb8
      \Driver\atapi -> atapi.sys @ 0xf74827b4
      IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4d6d
       ParseProcedure -> ntoskrnl.exe @ 0x8057950b
      \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4d6d
       ParseProcedure -> ntoskrnl.exe @ 0x8057950b
      NDIS: Intel(R) PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7858ba0
       PacketIndicateHandler -> NDIS.sys @ 0xf7865b21
       SendHandler -> NDIS.sys @ 0xf784387b
      user & kernel MBR OK

      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------

      [HKEY_USERS\S-1-5-21-1472311023-2527176863-257251319-5225\Software\Microsoft\SystemCertificates\AddressBook*]
      @Allowed: (Read) (RestrictedCode)
      @Allowed: (Read) (RestrictedCode)
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(1176)
      c:\windows\system32\TosBtNP.dll

      - - - - - - - > 'explorer.exe'(2952)
      c:\windows\system32\nview.dll
      c:\program files\TOSHIBA\TME3\TMEEJMD.DLL
      c:\windows\system32\nvwddi.dll
      c:\windows\system32\TPwrCfg.DLL
      c:\windows\system32\TPwrReg.dll
      c:\windows\system32\TPSTrace.DLL
      .
      ------------------------ Other Running Processes ------------------------
      .
      c:\program files\Intel\Wireless\Bin\EvtEng.exe
      c:\program files\Intel\Wireless\Bin\S24EvMon.exe
      c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
      c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
      c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
      c:\program files\Lavasoft\Ad-Aware\aawservice.exe
      c:\windows\system32\rundll32.exe
      c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
      c:\program files\Symantec AntiVirus\DefWatch.exe
      c:\windows\system32\DVDRAMSV.exe
      c:\windows\system32\lxcfcoms.exe
      c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      c:\windows\system32\nvsvc32.exe
      c:\oracle9i\bin\omtsreco.exe
      c:\program files\Intel\Wireless\Bin\RegSrvc.exe
      c:\program files\Symantec AntiVirus\Rtvscan.exe
      c:\windows\system32\ThpSrv.exe
      c:\windows\system32\wdfmgr.exe
      c:\program files\TOSHIBA\TME3\TMEEJME.EXE
      c:\windows\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
      c:\windows\system32\CCM\CcmExec.exe
      c:\windows\system32\rundll32.exe
      c:\windows\AGRSMMSG.exe
      c:\windows\system32\thpsrv.exe
      c:\windows\system32\TFNF5.exe
      c:\windows\system32\TPSMain.exe
      c:\windows\system32\TPSODDCtl.exe
      c:\windows\system32\rundll32.exe
      c:\windows\system32\TPSBattM.exe
      c:\program files\Apoint2K\Apntex.exe
      c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
      c:\program files\iPod\bin\iPodService.exe
      c:\program files\Skype\Phone\Skype.exe
      c:\program files\Skype\Plugin Manager\skypePM.exe
      .
      **************************************************************************
      .
      Completion time: 2010-04-26  22:05:14 - machine was rebooted
      ComboFix-quarantined-files.txt  2010-04-27 02:05

      Pre-Run: 5,105,025,024 bytes free
      Post-Run: 5,000,384,512 bytes free

      WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
      [boot loader]
      timeout=2
      default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
      [operating systems]
      c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
      multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /forceresetreg

      - - End Of File - - 68F78DDFB3C1BEDFFA751FC24B9982FB

      Dr Jay

      Re: Need help removing malware
      « Reply #3 on: April 26, 2010, 08:32:52 PM »
      Re-running ComboFix to remove infections:

      • Close any open browsers.
      • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Open notepad and copy/paste the text in the box below into it:
      Code:
      killall::
      http://www.computerhope.com/forum/index.php?topic=103847

      Collect::
      c:\windows\system32\drivers\odpgjfqr.sys
      c:\windows\system32\shimengp.dll
      c:\windows\system32\drivers\fjgjcbj.sys
      c:\windows\system32\jnhtsnjj.dll
      c:\windows\system32\zoqvs.exe
      c:\windows\Fqovusije.dat
      c:\windows\Nyaqiwedoke.bin
      c:\windows\system32\lkwsl.exe
      c:\windows\system32\jrvs.exe
      c:\windows\system32\bqdv.exe

      DirLook::
      c:\documents and settings\gtsou\Local Settings\Application Data\avG
      c:\documents and settings\gtsou\Local Settings\Application Data\iaddkeccw

      Registry::
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ThpSrv"=-

      DDS::
      DPF: {2DE0C501-4D2A-11D4-BA31-0008C7F472F4} - hxxp://lclntfl1/encore/ActiveX/eposOperations.cab
      DPF: {32998E04-50FF-11D4-BA34-0008C7F472F4} - hxxp://lclntfl1/encore/ActiveX/eposReports.cab
      DPF: {399CB6C4-7312-11D2-B4D9-00105A0422DF} - hxxp://lclntfl1/encore/ActiveX/HHActiveX.cab
      DPF: {40C52972-E535-42A0-9D3B-BC76217E63D9} - hxxp://lclntfl1/encore/ActiveX/eposVersionCtl.cab
      DPF: {47D39363-D193-47EA-8A75-41144B099491} - hxxp://lclntfl1/encore/ActiveX/eposHostView.cab
      DPF: {594EF4A4-50F2-11D4-BA34-0008C7F472F4} - hxxp://lclntfl1/encore/ActiveX/eposLogTrace.cab
      DPF: {7BEA4D18-62F2-11D4-9917-00010233DC97} - hxxp://lclntfl1/encore/ActiveX/eposEDBFormCtl.cab
      DPF: {94811A83-D5BA-46D3-96AF-BC94B9C311EB} - hxxp://lclntfl1/encore/ActiveX/EposHelpMenu.cab
      DPF: {96556AA0-4325-11d5-8AA7-006008A71E67} - hxxp://lclntfl1/encore/ActiveX/ROAMUser.cab
      DPF: {97A789C6-8C70-11D3-B390-006008A71FAA} - hxxp://lclntfl1/encore/ActiveX/eposACCA.cab
      DPF: {A44B2DE3-7AD0-42A8-B428-E44283B3973E} - hxxp://lclntfl1/encore/ActiveX/eposDisplay.cab
      DPF: {A9699323-B893-4DE4-8A77-35167ECFFDD7} - hxxp://lclntfl1/encore/ActiveX/EposMaintenance.cab
      DPF: {AE3E8210-B33F-49C1-B4E2-860F5F4D732F} - hxxps://vwhqdsvp2/dsview/applets/viewerLauncher.cab
      DPF: {B213E7A3-9E5D-4B42-9091-7A913D2D7A59} - hxxp://lclntfl1/encore/ActiveX/EposFileDown.cab
      DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://lclvpn1.loblaw.ca/SNX/CSHELL/extender.cab
      DPF: {C55910F4-2EC6-404F-8545-476CA94E7503} - hxxp://lclntfl1/encore/ActiveX/eposHelpView.cab
      DPF: {C7442243-FAEC-46AF-8157-E1736636C037} - hxxp://lclntfl1/encore/ActiveX/eposDBMaintenance.cab
      DPF: {C8671BE3-53EA-4460-A830-4C508F09EA19} - hxxp://lclntfl1/encore/ActiveX/eposLog.cab
      DPF: {D2BBE042-8152-4B0B-9674-9A7292B83355} - hxxp://lclntfl1/encore/ActiveX/eposActiveSetup.cab

      Reboot::
      • Save this as CFScript.txt, in the same location as ComboFix.exe



      • Referring to the picture above, drag CFScript into ComboFix.exe
      • When finished, it shall produce a log for you at C:\ComboFix.txt
      • Please post the contents of the log in your next reply.
      ~Dr Jay