
Need help getting rid of trojan vundo



Hello everyone. I am having problems removing a virtumonde/trojan vundo. Ran a lot of scans and programs, but nothing can get it to leave. Here are my logs.

MBAM

Malwarebytes' Anti-Malware 1.32

Database version: 1627

Windows 5.1.2600 Service Pack 3

1/7/2009 6:26:53 PM

mbam-log-2009-01-07 (18-26-53).txt

Scan type: Quick Scan

Objects scanned: 66342

Time elapsed: 13 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Active Scan

;***********************************************************************************************************************************************************************************

ANALYSIS: 2009-01-07 20:35:01

PROTECTIONS: 2

MALWARE: 20

SUSPECTS: 4

;***********************************************************************************************************************************************************************************

PROTECTIONS

Description Version Active Updated

;===================================================================================================================================================================================

Windows Defender 1.1.4205.0 No No

Zone Alarm Security Suite 7.0.483.000 No No

;===================================================================================================================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===================================================================================================================================================================================

00029434 spyware/virtumonde Spyware No 1 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

00029434 spyware/virtumonde Spyware No 1 Yes No hkey_classes_root\clsid\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@trafficmp[2].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@doubleclick[1].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@atdmt[2].txt

00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@247realmedia[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@tribalfusion[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@com[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@com[3].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@com[2].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@serving-sys[1].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@bs.serving-sys[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@advertising[2].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@ads.pointroll[1].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@realmedia[2].txt

00170559 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@uol.com[1].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@questionmarket[2].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@go[2].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@go[3].txt

00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@searchportal.information[1].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@target[1].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@target[2].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\John\Cookies\john@atwola[2].txt

03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\Documents and Settings\John\Desktop\SmitfraudFix.exe

03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\Documents and Settings\John\Desktop\SmitfraudFix.exe.XXX

03587590 Adware/Yassist Adware No 0 No No C:\Documents and Settings\John\Desktop\DivXInstaller.exe[


  • Root Admin

Please download the following scanning tool: GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. As soon as it's done and the COPY button is available, click on the COPY button.
  • DO NOT click on the SCAN button.
  • This will place the scan in your clipboard. Paste that into Notepad or into your next reply post please.
  • Click OK and quit the GMER program.


GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-07 22:26:06

Windows 5.1.2600 Service Pack 3

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.14 ----


  • Root Admin

Looks okay, now run this please.

Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update - (Don't forget to UPDATE!!)
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the reboot run HJT: Do a system scan and save a logfile.

Then post back NEW MBAM and HJT logs in that order please.


NEW MBAM

Malwarebytes' Anti-Malware 1.32

Database version: 1630

Windows 5.1.2600 Service Pack 3

1/8/2009 3:36:19 AM

mbam-log-2009-01-08 (03-36-19).txt

Scan type: Quick Scan

Objects scanned: 69474

Time elapsed: 15 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

NEW HJT

Logfile of HijackThis v1.99.1

Scan saved at 03:46:34, on 1/8/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\toshiba\ivp\ism\pinger.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\John\Desktop\HijackThis.exe

O2 - BHO: (no name) - {2E973BBE-4011-4804-95F5-83E7B3B15F63} - C:\WINDOWS\system32\rQheebYQ.dll (file missing)

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1225294721828

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O20 - Winlogon Notify: opNFuSlm - opNFuSlm.dll (file missing)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


  • Root Admin

Please DISABLE TEA TIMER as discussed in the pre-HijackThis post.

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe blocks Registry changes.

Disable TeaTimer

First step:

  • Right-click the Spybot icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, click on Exit Spybot S&D Resident

Second step, for either version:

  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go to the bottom of the vertical panel on the left, click Tools
  • Then, also in the left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

Then run this again please.

Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update - (Don't forget to UPDATE!!)
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the reboot run HJT: Do a system scan and save a logfile.

Then post back NEW MBAM and HJT logs in that order please.

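The point the Root Admin makes above is visible in the logs themselves: the same Trojan.Vundo CLSID is reported as "Delete on reboot" in three consecutive MBAM scans, which means the deferred registry deletion is never actually taking effect. The following is an added example, not part of this thread and not code from Malwarebytes or HijackThis, that parses MBAM logs in the layout pasted here, flags detections that survive every scan with a reboot-deferred action, and lists HijackThis entries tagged "(file missing)" (the BHO and Winlogon Notify hooks that still point at DLLs which are already gone). The sample logs are constructed from lines that appear in this thread; the section and item line formats are assumed to be exactly as shown above.

```python
"""Triage helper for the MBAM and HijackThis logs pasted in this thread.

Added example for illustration only; it is not part of the thread and not
code from Malwarebytes, HijackThis or the forum.  It assumes the log layout
exactly as pasted above (section headers ending in "Infected:", item lines of
the form "<item> (<name>) -> <action>.", HJT lines tagged "(file missing)").
The sample logs below are constructed from lines that appear in the thread.
"""
import re
from dataclasses import dataclass

# "Registry Keys Infected:" (listing form); the summary form has a count after it
SECTION_RE = re.compile(r"^(?P<section>.+?) Infected:$")
# "HKEY_...\{clsid} (Trojan.Vundo) -> Delete on reboot."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# HJT entries whose referenced file is gone but whose registry hook remains
HJT_ORPHAN_RE = re.compile(r"^O\d+ - .+ \(file missing\)$")


@dataclass(frozen=True, order=True)
class Detection:
    section: str
    item: str
    name: str
    action: str

    def key(self):
        # Registry paths are case-insensitive, so compare them case-folded.
        return (self.section, self.item.lower(), self.name)


def parse_mbam_log(text):
    """Extract every detection from one MBAM log."""
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(section, m["item"], m["name"], m["action"]))
    return detections


def persistent_detections(logs):
    """Detections present in every scan (logs in chronological order) whose
    removal is deferred to reboot.  An item reported as removed that is back on
    the next scan means the change was undone or never applied, which in this
    thread is what a resident protection such as TeaTimer does."""
    if not logs:
        return []
    per_scan = [{d.key(): d for d in parse_mbam_log(t)} for t in logs]
    common = set(per_scan[0]).intersection(*(set(s) for s in per_scan[1:]))
    return sorted(
        d for k, d in per_scan[-1].items()
        if k in common and d.action.lower().startswith("delete on reboot")
    )


def hjt_orphan_entries(text):
    """HJT lines that still load a DLL which no longer exists on disk; the
    registry reference itself has to be removed or it stays as a hook point."""
    return [ln.strip() for ln in text.splitlines() if HJT_ORPHAN_RE.match(ln.strip())]


# ---- constructed samples, abbreviated from the logs in the thread ----
VUNDO_KEY = r"HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}"


def _mbam_log(db_version, keys):
    """Build a minimal MBAM-style log with the given registry-key detections."""
    body = "\n".join(keys) if keys else "(No malicious items detected)"
    return f"""Malwarebytes' Anti-Malware 1.32
Database version: {db_version}
Registry Keys Infected: {len(keys)}
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
{body}
Files Infected:
(No malicious items detected)
"""


MBAM_SCAN_1 = _mbam_log(1627, [f"{VUNDO_KEY} (Trojan.Vundo) -> Delete on reboot."])
MBAM_SCAN_2 = _mbam_log(1630, [f"{VUNDO_KEY} (Trojan.Vundo) -> Delete on reboot."])
MBAM_SCAN_3 = _mbam_log(1630, [f"{VUNDO_KEY} (Trojan.Vundo) -> Delete on reboot."])
MBAM_CLEAN = _mbam_log(1630, [])

HJT_SAMPLE = r"""Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {2E973BBE-4011-4804-95F5-83E7B3B15F63} - C:\WINDOWS\system32\rQheebYQ.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: opNFuSlm - opNFuSlm.dll (file missing)
"""

if __name__ == "__main__":
    for d in persistent_detections([MBAM_SCAN_1, MBAM_SCAN_2, MBAM_SCAN_3]):
        print(f"still present after 3 scans: {d.item} ({d.name}) -> {d.action}")
    for line in hjt_orphan_entries(HJT_SAMPLE):
        print("orphaned hook:", line)
```

Run against the three MBAM logs in this thread the first function reports the single Vundo CLSID as a recurring reboot-deferred deletion, which is the cue to look for whatever is reverting or blocking the registry change rather than to run the same scan a fourth time; the second function picks out the two HJT lines whose DLLs are already missing, which is why the cleanup still has registry work to do even though no malicious file is found.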

Sorry about the screw up, thought I already turned that off.

MBAM

Malwarebytes' Anti-Malware 1.32

Database version: 1630

Windows 5.1.2600 Service Pack 3

1/8/2009 4:54:27 AM

mbam-log-2009-01-08 (04-54-27).txt

Scan type: Quick Scan

Objects scanned: 69402

Time elapsed: 14 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT

Logfile of HijackThis v1.99.1

Scan saved at 05:01:56, on 1/8/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\eHome\ehSched.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\toshiba\ivp\ism\pinger.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\John\Desktop\HijackThis.exe

O2 - BHO: (no name) - {2E973BBE-4011-4804-95F5-83E7B3B15F63} - C:\WINDOWS\system32\rQheebYQ.dll (file missing)

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1225294721828

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O20 - Winlogon Notify: opNFuSlm - opNFuSlm.dll (file missing)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


  • Root Admin

Please download and run the following file to repair file and registry permissions.

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.
  • Double click on FixPolicies.exe to run it.
  • Click on Install. It will create a folder named FixPolicies on your desktop.
  • Open the FixPolicies folder.
  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.
  • Reboot your computer after it runs.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
  • Note: some malware will block the running of this tool. So if you cannot run FixPolicies, then RENAME the EXE file to something like Mytool.exe and then run it.

Download this INF repair file by MS-MVP Miekiemoes:
http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip

Unzip the download. Open the folder VArestorepolicies, right-click the file inside, VArestorepolicies.INF, and choose Install.

Run this file after to remove an invalid startup entry. Double click and say Yes to import the settings.

Download DDS and save it to your desktop from one of these 3 locations:

  1. http://www.techsupportforum.com/sectools/sUBs/dds
  2. http://download.bleepingcomputer.com/sUBs/dds.scr
  3. http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Please include the following logs in your next reply:

DDS.txt

Attach.txt


DDS

DDS (Ver_09-01-07.01) - NTFSx86

Run by John at 19:25:17.64 on Thu 01/08/2009

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.148 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\dllhost.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {2e973bbe-4011-4804-95f5-83e7b3b15f63} - c:\windows\system32\rQheebYQ.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe

uRun: [Aim6]

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe

mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe

mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe

mRun: [smoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe

mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: opNFuSlm - opNFuSlm.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

LSA: Authentication Packages = msv1_0 c:\windows\system32\rQheebYQ

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-6 28544]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-29 97928]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-1-24 26824]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-8-9 394952]

R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]

R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-29 231704]

R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-20 24652]

R4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S0 epstwnt;epstwnt;c:\windows\system32\drivers\epstwnt.mpd [2007-3-26 82432]

S3 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-8-12 127768]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]

S4 SHARSHTL;Shuttle Sharer;c:\windows\system32\drivers\sharshtl.sys [2007-3-26 18432]

=============== Created Last 30 ================

2009-01-07 22:24 250 a------- c:\windows\gmer.ini

2009-01-06 20:46 28,544 a------- c:\windows\system32\drivers\pavboot.sys

2009-01-06 20:46 <DIR> --d----- c:\program files\Panda Security

2009-01-05 15:36 <DIR> --d----- c:\docume~1\john\applic~1\Malwarebytes

2009-01-05 15:35 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-01-05 15:35 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-05 15:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-01-05 15:35 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-01-04 18:37 2,428 a------- c:\windows\system32\tmp.reg

2008-11-21 15:46 1,044,480 a------- c:\windows\system32\libdivx.dll

2008-11-21 15:46 200,704 a------- c:\windows\system32\ssldivx.dll

2008-10-29 09:30 10,520 a------- c:\windows\system32\avgrsstx.dll

2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll

2008-10-16 14:38 826,368 a------- c:\windows\system32\wininet.dll

2007-03-31 18:08 0 a---h--- c:\documents and settings\john\hpothb07.dat

2006-10-29 10:17 37,024 a------- c:\docume~1\john\applic~1\GDIPFONTCACHEV1.DAT

2008-08-23 19:16 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat

============= FINISH: 19:25:59.98 ===============

Attach

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-07.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 8/9/2006 8:40:41 PM

System Uptime: 1/8/2009 6:47:57 PM (1 hours ago)

Motherboard: Intel Corporation | | MPAD-MSAE Customer Reference Boards

Processor: Genuine Intel® CPU T1350 @ 1.86GHz | U1 | 1862/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 93 GiB total, 63.03 GiB free.

D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP314: 1/1/2009 2:40:36 AM - System Checkpoint

RP315: 1/1/2009 2:40:38 AM - System Checkpoint

RP316: 1/1/2009 2:40:40 AM - System Checkpoint

RP317: 1/1/2009 2:40:41 AM - System Checkpoint

RP318: 1/1/2009 2:40:43 AM - System Checkpoint

RP319: 1/1/2009 2:40:45 AM - System Checkpoint

RP320: 1/1/2009 2:40:46 AM - System Checkpoint

RP321: 1/1/2009 2:40:47 AM - System Checkpoint

RP322: 1/1/2009 2:40:49 AM - System Checkpoint

RP323: 1/1/2009 2:40:51 AM - System Checkpoint

RP324: 1/1/2009 2:40:52 AM - System Checkpoint

RP325: 1/1/2009 2:40:53 AM - Software Distribution Service 3.0

RP326: 1/1/2009 2:40:54 AM - Software Distribution Service 3.0

RP327: 1/1/2009 2:40:58 AM - System Checkpoint

RP328: 1/1/2009 2:41:00 AM - System Checkpoint

RP329: 1/1/2009 2:41:01 AM - System Checkpoint

RP330: 1/1/2009 2:41:02 AM - Installed Windows Defender

RP331: 1/1/2009 2:41:04 AM - Software Distribution Service 3.0

RP332: 1/1/2009 2:41:05 AM - Windows Defender Checkpoint

RP333: 1/1/2009 2:41:06 AM - Installed SUPERAntiSpyware Free Edition

RP334: 1/1/2009 2:41:07 AM - System Checkpoint

RP335: 1/1/2009 2:41:09 AM - Restore Operation

RP336: 1/1/2009 2:41:11 AM - Restore Operation

RP337: 1/1/2009 2:41:14 AM - Restore Operation

RP338: 1/1/2009 2:41:15 AM - Restore Operation

RP339: 1/1/2009 2:41:17 AM - Restore Operation

RP340: 1/1/2009 2:41:19 AM - Restore Operation

RP341: 1/1/2009 2:41:23 AM - Restore Operation

RP342: 1/1/2009 2:41:24 AM - Restore Operation

RP343: 1/1/2009 2:41:25 AM - System Checkpoint

RP344: 1/1/2009 2:41:26 AM - Software Distribution Service 3.0

RP345: 1/1/2009 2:41:28 AM -

RP346: 1/1/2009 2:41:29 AM - Shockwave Player

RP347: 1/1/2009 2:41:30 AM - Software Distribution Service 3.0

RP348: 1/1/2009 2:41:30 AM - Software Distribution Service 3.0

RP349: 1/1/2009 2:41:32 AM - System Checkpoint

RP350: 1/1/2009 2:41:33 AM - System Checkpoint

RP351: 1/1/2009 2:41:34 AM - System Checkpoint

RP352: 1/1/2009 2:41:35 AM - System Checkpoint

RP353: 1/1/2009 2:41:35 AM - october2908 after virus clean

RP354: 1/1/2009 2:41:37 AM - Installed AVG Free 8.0

RP355: 1/1/2009 2:41:38 AM - Software Distribution Service 3.0

RP356: 1/1/2009 2:41:39 AM - System Checkpoint

RP357: 1/1/2009 2:41:40 AM - Avg8 Update

RP358: 1/1/2009 2:41:41 AM - Software Distribution Service 3.0

RP359: 1/1/2009 2:41:43 AM - System Checkpoint

RP360: 1/1/2009 2:41:46 AM - System Checkpoint

RP361: 1/1/2009 2:41:48 AM - Software Distribution Service 3.0

RP362: 1/1/2009 2:41:49 AM - System Checkpoint

RP363: 1/1/2009 2:41:51 AM - Software Distribution Service 3.0

RP364: 1/1/2009 2:41:52 AM - System Checkpoint

RP365: 1/1/2009 2:41:53 AM - Software Distribution Service 3.0

RP366: 1/1/2009 2:41:54 AM - System Checkpoint

RP367: 1/1/2009 2:41:54 AM - System Checkpoint

RP368: 1/1/2009 2:41:56 AM - System Checkpoint

RP369: 1/1/2009 2:41:56 AM - Avg8 Update

RP370: 1/1/2009 2:41:57 AM - System Checkpoint

RP371: 1/1/2009 2:41:58 AM - Software Distribution Service 3.0

RP372: 1/1/2009 2:41:58 AM - Software Distribution Service 3.0

RP373: 1/1/2009 2:41:59 AM - Software Distribution Service 3.0

RP374: 1/1/2009 2:42:00 AM - System Checkpoint

RP375: 1/1/2009 2:42:01 AM - System Checkpoint

RP376: 1/1/2009 2:42:02 AM - System Checkpoint

RP377: 1/1/2009 2:42:03 AM - Installed Full Tilt Poker.Net

RP378: 1/1/2009 2:42:04 AM - System Checkpoint

RP379: 1/1/2009 2:42:04 AM - Software Distribution Service 3.0

RP380: 1/1/2009 2:42:05 AM - System Checkpoint

RP381: 1/1/2009 2:42:06 AM - Software Distribution Service 3.0

RP382: 1/1/2009 2:42:07 AM - System Checkpoint

RP383: 1/1/2009 2:42:09 AM - System Checkpoint

RP384: 1/1/2009 2:42:12 AM - System Checkpoint

RP385: 1/1/2009 2:42:13 AM - Software Distribution Service 3.0

RP386: 1/1/2009 2:42:14 AM - System Checkpoint

RP387: 1/1/2009 2:42:15 AM - Avg8 Update

RP388: 1/1/2009 2:42:16 AM - Software Distribution Service 3.0

RP389: 1/1/2009 2:42:17 AM - System Checkpoint

RP390: 1/1/2009 2:42:18 AM - System Checkpoint

RP391: 1/1/2009 2:42:19 AM - System Checkpoint

RP392: 1/1/2009 2:42:21 AM - Software Distribution Service 3.0

RP393: 1/1/2009 2:42:22 AM - System Checkpoint

RP394: 1/1/2009 2:42:24 AM - Software Distribution Service 3.0

RP395: 1/1/2009 2:42:25 AM - System Checkpoint

RP396: 1/1/2009 2:42:26 AM - System Checkpoint

RP397: 1/1/2009 2:42:26 AM - System Checkpoint

RP398: 1/1/2009 2:42:27 AM - Software Distribution Service 3.0

RP399: 1/1/2009 2:42:28 AM - System Checkpoint

RP400: 1/1/2009 2:42:30 AM - Software Distribution Service 3.0

RP401: 1/1/2009 2:42:32 AM - Avg8 Update

RP402: 1/1/2009 2:42:36 AM - System Checkpoint

RP403: 1/1/2009 2:42:37 AM - Software Distribution Service 3.0

RP404: 1/1/2009 2:42:38 AM - System Checkpoint

RP405: 1/1/2009 2:42:40 AM - Software Distribution Service 3.0

RP406: 1/1/2009 2:42:41 AM - System Checkpoint

RP407: 1/1/2009 2:42:42 AM - Software Distribution Service 3.0

RP408: 1/1/2009 2:42:43 AM - Software Distribution Service 3.0

RP409: 1/1/2009 2:42:44 AM - System Checkpoint

RP410: 1/1/2009 2:42:45 AM - System Checkpoint

RP411: 1/1/2009 2:42:47 AM - System Checkpoint

RP412: 1/1/2009 2:42:48 AM - Software Distribution Service 3.0

RP413: 1/1/2009 2:42:50 AM - System Checkpoint

RP414: 1/1/2009 2:42:51 AM - System Checkpoint

RP415: 1/1/2009 2:42:52 AM - Software Distribution Service 3.0

RP416: 1/1/2009 2:42:54 AM - System Checkpoint

RP417: 1/1/2009 2:42:56 AM - System Checkpoint

RP418: 1/1/2009 2:42:59 AM - System Checkpoint

RP419: 1/1/2009 2:43:00 AM - Last known good configuration

RP420: 1/1/2009 2:43:01 AM - Windows Defender Checkpoint

RP421: 1/1/2009 2:43:02 AM - Removed Ad-Aware 2007

RP422: 1/1/2009 2:43:04 AM - Installed Ad-Aware

RP423: 1/1/2009 2:43:05 AM - System Checkpoint

RP424: 1/1/2009 2:43:06 AM - Last known good configuration

RP425: 1/1/2009 2:43:07 AM - Windows Defender Checkpoint

RP426: 1/1/2009 2:43:47 AM - Last known good configuration

RP427: 1/1/2009 10:44:11 PM - Software Distribution Service 3.0

RP428: 1/2/2009 3:04:11 AM - Windows Defender Checkpoint

RP429: 1/6/2009 5:44:23 AM - Software Distribution Service 3.0

RP430: 1/7/2009 5:31:49 PM - System Checkpoint

RP431: 1/8/2009 7:01:45 PM - Software Distribution Service 3.0

==== Installed Programs ======================

Ad-Aware

Adobe Flash Player 10 ActiveX

Adobe Reader 7.0

Adobe Shockwave Player 11

AIM 6

AOL Uninstaller (Choose which Products to Remove)

Apple Mobile Device Support

Apple Software Update

Audacity 1.2.4

AutoUpdate

AVG Free 8.0

Bluetooth Stack for Windows by Toshiba

Bonjour

CD/DVD Drive Acoustic Silencer

dBpoweramp Music Converter

DivX Codec

DivX Converter

DivX Player

DivX Web Player

DVD-RAM Driver

ESPNMotion

Free WMA to MP3 Converter 1.16

Full Tilt Poker.Net

G-Force

High Definition Audio Driver Package - KB888111

HijackThis 1.99.1

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 10 (KB903157)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

HP Driver Diagnostics

HP Photo and Imaging 2.0 - All-in-One

HP Photo and Imaging 2.0 - All-in-One Drivers

HP Photo and Imaging 2.0 - hp psc 2100 series

HP PrecisionScan and Utilities

HP Product Detection

hp psc 2100 series

Intel® Graphics Media Accelerator Driver

Intel® PRO Network Connections Drivers

Intel® PROSet/Wireless Software

InterVideo WinDVD Creator 2

InterVideo WinDVD for TOSHIBA

iPod for Windows 2005-03-23

iTunes

J2SE Runtime Environment 5.0 Update 10

J2SE Runtime Environment 5.0 Update 11

J2SE Runtime Environment 5.0 Update 4

Java 6 Update 2

Java 6 Update 7

Java SE Runtime Environment 6 Update 1

Macromedia Flash Player 8

Malwarebytes' Anti-Malware

mCore

mDrWiFi

mHelp

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 2.0 Service Pack 1

Microsoft .NET Framework 3.0 Service Pack 1

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office XP Professional with FrontPage

Microsoft SQL Server Desktop Engine (PINNACLESYS)

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

Microsoft Works

mIWA

mLogView

mMHouse

mPfMgr

mPfWiz

mProSafe

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 Parser and SDK

MSXML 6.0 Parser (KB933579)

mWlsSafe

mXML

mZConfig

Office 2003 Trial Assistant

Panda ActiveScan

Panda ActiveScan 2.0

Pinnacle Instant DVD Recorder

QuickTime

Readiris 7.5

RealPlayer Basic

Realtek High Definition Audio Driver

SD Secure Module

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Sonic DLA

Sonic Encoders

Sonic RecordNow!

SoulSeek Client 156c

Spybot - Search & Destroy

Spybot - Search & Destroy 1.4

Steinberg Cubase SE

SUPERAntiSpyware Free Edition

Synaptics Pointing Device Driver

Texas Instruments PCIxx21/x515/xx12 drivers.

TIPCI

TOSHIBA Assist

TOSHIBA ConfigFree

TOSHIBA Controls

TOSHIBA Game Console

TOSHIBA Hotkey Utility

TOSHIBA PC Diagnostic Tool

TOSHIBA Power Saver

Toshiba Registration

TOSHIBA SD Memory Card Format

TOSHIBA Software Modem

TOSHIBA Software Upgrades

TOSHIBA Speech System Applications

TOSHIBA Speech System SR Engine(U.S.) Version1.0

TOSHIBA Speech System TTS Engine(U.S.) Version1.0

TOSHIBA TouchPad ON/Off Utility

TOSHIBA TV Tuner 4.0.12.73

TOSHIBA Utilities

TOSHIBA Virtual Sound

TOSHIBA Zooming Utility

Update for Windows Media Player 10 (KB910393)

Update for Windows Media Player 10 (KB913800)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Update Rollup 2 for Windows XP Media Center Edition 2005

Viewpoint Media Player

WebFldrs XP

Windows Defender

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Imaging Component

Windows Internet Explorer 7

Windows Media Connect

Windows Media Format 11 runtime

Windows Media Player 11

Windows Presentation Foundation

Windows XP Media Center Edition 2005 KB888316

Windows XP Media Center Edition 2005 KB894553

Windows XP Media Center Edition 2005 KB895678

Windows XP Media Center Edition 2005 KB925766

Windows XP Service Pack 3

XML Paper Specification Shared Components Pack 1.0

Yahoo! Anti-Spy

Yahoo! Messenger

Yahoo! Toolbar

ZoneAlarm

==== Event Viewer Messages From Past Week ========

1/5/2009 2:50:03 PM, error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

1/6/2009 3:01:17 AM, error: Service Control Manager [7000] - The KLIF service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================


  • Root Admin

The following programs are out of date and have code that is susceptible to attack by malware.

You should uninstall them and, if you want or need the program, download the latest version from the program's website.

Adobe Reader 7.0 {from Adobe}

J2SE Runtime Environment 5.0 Update 10 {from Sun Java}

J2SE Runtime Environment 5.0 Update 11 {from Sun Java}

J2SE Runtime Environment 5.0 Update 4 {from Sun Java}

Java


MBAM

Malwarebytes' Anti-Malware 1.32

Database version: 1634

Windows 5.1.2600 Service Pack 3

1/9/2009 11:12:31 AM

mbam-log-2009-01-09 (11-12-31).txt

Scan type: Quick Scan

Objects scanned: 71736

Time elapsed: 15 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\aamd532.dll (Rogue.EAntispy) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:19:28, on 1/9/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\toshiba\ivp\ism\pinger.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {2E973BBE-4011-4804-95F5-83E7B3B15F63} - C:\WINDOWS\system32\rQheebYQ.dll (file missing)

O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe

O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1225294721828

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O20 - Winlogon Notify: opNFuSlm - opNFuSlm.dll (file missing)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 5085 bytes

JT


  • Root Admin

Close ALL open browsers and chat programs

Then start HJT, run "Do a system scan only" and place a check mark on the following items.

  • O2 - BHO: (no name) - {2E973BBE-4011-4804-95F5-83E7B3B15F63} - C:\WINDOWS\system32\rQheebYQ.dll (file missing)
  • O20 - Winlogon Notify: opNFuSlm - opNFuSlm.dll (file missing)

Then click on Fix checked and then quit HJT.

Download and install CCleaner

  • CCleaner
  • Double-click on the downloaded file "ccsetup215.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and uncheck Registry Integrity so that it does not run
  • Click on Options - Advanced and uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on the Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

Then run the following one more time please.

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the reboot run HJT, "Do a system scan and save a logfile".

Then post back NEW MBAM and HJT logs in that order please.

Please note that I may be out of Town tonight but will try to get back with you this weekend.

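The HJT fix above removes two autostart entries whose backing DLL is already gone. As an added example, not part of this thread or of HijackThis itself, the following Python script flags such orphaned entries in an HJT log and diffs a pre-fix log against a post-fix log to confirm the entries are gone; the sample log lines are constructed from the ones posted in the thread, and the three heuristics it applies are mine, not HijackThis's.

```python
"""Triage HijackThis (HJT) logs for orphaned autostart entries.

Added example for this thread; it is not part of HijackThis or of the
forum reply above. It parses HJT-style lines (O2 BHO, O4 Run, O20 Winlogon
Notify, O23 Service), applies three defender heuristics, and diffs a
"before" log against an "after" log to confirm that "Fix checked" took.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on the HJT log lines posted in the thread.
BEFORE_LOG = r"""
O2 - BHO: (no name) - {2E973BBE-4011-4804-95F5-83E7B3B15F63} - C:\WINDOWS\system32\rQheebYQ.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: opNFuSlm - opNFuSlm.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Constructed "after" log: the same machine once the two flagged lines were fixed.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ORPHAN = "(file missing)"
# "O<n> - <kind>: <rest>"; <kind> never contains a colon, <rest> may (drive letters).
ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section code, e.g. "O2" or "O20"
    target: str   # the DLL/EXE the entry points at
    reason: str   # which heuristic fired


def _target_of(rest: str) -> str:
    """Last ' - ' field is the path HJT resolved; drop an O4 [name] prefix and the marker."""
    if rest.startswith("["):
        rest = rest.split("] ", 1)[-1]
    return rest.split(" - ")[-1].replace(ORPHAN, "").strip().strip('"')


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line; clean lines yield nothing."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, _kind, rest = m.groups()
        target = _target_of(rest)
        if ORPHAN in rest:
            # The registry still loads a file that is gone: the leftover seen in
            # the thread after a partial clean-up. "Fix checked" deletes the key.
            findings.append(Finding(section, target, "backing file missing"))
        elif section == "O2" and rest.startswith("(no name)"):
            # Legitimate BHOs register a display name; a nameless one deserves a look.
            findings.append(Finding(section, target, "BHO without a name"))
        elif section == "O20" and "\\" not in target:
            # A Winlogon Notify DLL given without a path is resolved from the
            # search path rather than from a vendor folder.
            findings.append(Finding(section, target, "Winlogon Notify DLL with no path"))
    return findings


def verify_fix(before: str, after: str) -> tuple[list[Finding], list[Finding]]:
    """Split the before-log findings into (resolved, still_present) using the after-log."""
    before_findings = triage(before)
    after_targets = {f.target.lower() for f in triage(after)}
    resolved = [f for f in before_findings if f.target.lower() not in after_targets]
    still_present = [f for f in before_findings if f.target.lower() in after_targets]
    return resolved, still_present


if __name__ == "__main__":
    for f in triage(BEFORE_LOG):
        print(f"{f.section:<4} {f.reason:<34} {f.target}")
    resolved, still_present = verify_fix(BEFORE_LOG, AFTER_LOG)
    print(f"resolved={len(resolved)} still_present={len(still_present)}")
```

Run it against the two HJT logs a user posts before and after "Fix checked"; anything left in still_present means the entry came back after the reboot and needs a closer look.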

MBAM

Malwarebytes' Anti-Malware 1.32

Database version: 1634

Windows 5.1.2600 Service Pack 3

1/10/2009 5:26:02 PM

mbam-log-2009-01-10 (17-26-02).txt

Scan type: Quick Scan

Objects scanned: 59150

Time elapsed: 6 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:33:31, on 1/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\toshiba\ivp\ism\pinger.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe

O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1225294721828

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 4911 bytes


  • Root Admin

Please run the following scanner.

Please download the following scanning tool: GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. As soon as it's done and the COPY button is available, click on the COPY button.
  • DO NOT click on the SCAN button.
  • This will place the scan in your clipboard. Paste that into Notepad or into your next reply post please.
  • Click OK and quit the GMER program.


GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-10 18:53:50

Windows 5.1.2600 Service Pack 3

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.14 ----


  • Root Admin

Okay please run this one more time and then let me know how the computer is running now and if there are still any signs of an infection.

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the reboot run HJT, "Do a system scan and save a logfile".

Then post back NEW MBAM and HJT logs in that order please.


MBAM

Malwarebytes' Anti-Malware 1.32

Database version: 1643

Windows 5.1.2600 Service Pack 3

1/11/2009 3:27:38 PM

mbam-log-2009-01-11 (15-27-38).txt

Scan type: Quick Scan

Objects scanned: 62004

Time elapsed: 11 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:45:26, on 1/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe

O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1225294721828

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 4847 bytes

Everything seems to be running smoothly.


Everything still seems to be running well. I was able to switch the clock back from military time, and all my firewall and auto update settings don't get changed on startup. So it seems like everything has been taken care of. Thanks again so much for all the help, I was worried I was going to have to wipe the hard drive for a while.


  • Root Admin

Great, all looks good now.

I'll close your post soon so that others don't post into it, and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy

Download it from here. Just choose a mirror and off you go.

Find the tutorial on how to use Spybot properly here.

Install SpyWare Blaster

Download it from here.

Find the tutorial on how to use Spyware Blaster here.

Install WinPatrol

Download it from here.

Here you can find information about how WinPatrol works.

Install FireTrust SiteHound

You can find information and download it from here.

Install hpHosts

Download it from here.

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Visit Microsoft often to get the latest updates for your computer.

Note 1: If you are running Windows XP SP2, you should upgrade to SP3.

Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3. The security suite can then be reinstalled afterwards.

The Windows Firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.

I recommend Online Armor Free.

A little outdated but good reading on how to prevent Malware.

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting: Pre-HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here: PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know.
http://www.malwarebytes.org
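
The hpHosts advice above works by pinning blocked names to 127.0.0.1 in the hosts file. As an added example that is not part of the original thread or of hpHosts itself, here is a small parser for that file format with a lookup showing why a listed domain never reaches the real site; the hosts lines are constructed and the `.test` names are placeholders.

```python
import ipaddress

# Constructed sample of a hosts file (not a real hpHosts download): the
# standard localhost line, comments, an inline comment, one line naming
# two hosts, and one entry that sinks to 0.0.0.0 instead of 127.0.0.1.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- constructed blocklist entries ---
127.0.0.1  ads.example-tracker.test   # inline comment
127.0.0.1  malware.example-bad.test   www.malware.example-bad.test
0.0.0.0    tracking.example-pixel.test
"""


def parse_hosts(text):
    """Map each hostname in hosts-file text to the address it is pinned to."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        fields = line.split()                 # whitespace-separated: <ip> <name> [<name> ...]
        if len(fields) < 2:
            continue                          # blank, comment-only or malformed line
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                          # not an address: skip rather than raise
        for name in fields[1:]:
            # Resolvers match case-insensitively; keep the first entry for a
            # duplicate name so the file's earliest line wins.
            mapping.setdefault(name.lower(), ip)
    return mapping


def is_blocked(mapping, hostname):
    """True when the hostname is pinned to loopback (127.0.0.1) or 0.0.0.0.

    Either address keeps the lookup from ever reaching the real site; 0.0.0.0
    is a common alternative because it does not even try a local connection.
    """
    ip = mapping.get(hostname.lower().rstrip("."))
    if ip is None:
        return False                          # not listed: normal DNS applies
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def blocked_entries(text):
    """Sorted hostnames the file sinks, excluding the localhost entry itself."""
    mapping = parse_hosts(text)
    return sorted(h for h in mapping if h != "localhost" and is_blocked(mapping, h))
```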
