
Solved AntiSpyware Master

Discussion in 'Malware and Virus Removal Archive' started by moonpie, 2008/05/18.

  1. 2008/05/18
    moonpie

    [Resolved] AntiSpyware Master

    I was just talking with my sister-in-law and she told me about this warning popping up on her laptop (XP). I googled it and found out what it was. There are many sites listing instructions and removal tools for AntiSpyware Master, but none that I am really familiar with. I don't want to have her do something that will make matters worse.

    I don't know what kind of antivirus, anti-spyware, etc. she might have. On one site someone did mention SUPERAntiSpyware. Any help you can give me will be appreciated.

    moonpie
     
  2. 2008/05/18
    Geri

    Hi moonpie

    It would be best if she could post a HJT log here for review.

    If that is not possible then have her do this.

    Go to Add/Remove Programs and remove AntiSpyware Master if it is listed.

    Then have her download and run this. Make sure she follows the directions exactly.

    Now download Malwarebytes' Anti-Malware (MBAM) from here and save the file to your desktop.
    http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    Then she should run an on-line scan.

    Please do an online scan with Kaspersky WebScanner

    Click on “Accept”. If your pop-up blocker blocks the ActiveX download, allow it, then click on “Accept” again.

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes or Install.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This will start the program and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    If Kaspersky finds anything then she will need to come here for help.

    That's as far as I can go help wise without seeing any logs.

    Geri
     


  4. 2008/05/19
    moonpie

    It took some doing, but she got a HJT file for you.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:36:42 PM, on 5/19/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\xwusuhzh.exe
    C:\WINDOWS\b2new.exe
    C:\WINDOWS\system32\svchost.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\WINDOWS\system32\ZoomingHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\Toshiba\Tvs\TvsTray.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\WINDOWS\system32\TCtrlIOHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\mrofinu72.exe
    C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe
    C:\Program Files\USS\USS.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\QdrModule\QdrModule16.exe
    C:\Documents and Settings\Mimi\Application Data\Microsoft\dtsc\10423.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\USS\{5F608915-125D-404d-AC44-D78C760AE1A3}\wasffNT.exe
    C:\WINDOWS\explorer.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.100
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
    O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
    O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
    O2 - BHO: (no name) - {133FAFD6-4216-49B0-B36C-F22122D1297C} - C:\WINDOWS\system32\yayyWmmK.dll
    O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
    O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
    O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
    O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
    O2 - BHO: (no name) - {202555BF-0F92-41F8-927D-19C62F28CB7C} - C:\WINDOWS\system32\geBuSKbY.dll
    O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
    O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
    O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
    O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
    O2 - BHO: {6712cf5f-5a55-6619-3234-7c057c6db166} - {661bd6c7-50c7-4323-9166-55a5f5fc2176} - C:\WINDOWS\system32\txicesoj.dll
    O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
    O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
    O2 - BHO: (no name) - {7B939B30-B843-4490-807B-FCF4F5055BF3} - C:\WINDOWS\system32\wvUljKBU.dll
    O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
    O2 - BHO: (no name) - {A0F4C3E4-2BD6-47BB-B7EC-D8A7046C389F} - C:\WINDOWS\system32\ljJbaASL.dll
    O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
    O2 - BHO: (no name) - {A81B8537-3623-436D-98F4-8943DB7AB180} - C:\WINDOWS\system32\yayyXqNh.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
    O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
    O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\ddcAstrP.dll
    O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
    O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
    O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
    O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
    O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
    O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
    O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
    O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
    O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe "
    O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe "
    O4 - HKLM\..\Run: [5d775487] rundll32.exe "C:\WINDOWS\system32\dmfejnqq.dll ",b
    O4 - HKLM\..\Run: [BM5e44671b] Rundll32.exe "C:\WINDOWS\system32\ribnhilm.dll ",s
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe "
    O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Mimi\Application Data\Microsoft\dtsc\10423.exe
    O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1200361642125
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
    O20 - Winlogon Notify: ddcAstrP - C:\WINDOWS\SYSTEM32\ddcAstrP.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\TOSHIBA Game Console\GameConsoleService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

    --
    End of file - 13810 bytes
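    As an added example, not part of this thread, the following Python script triages HijackThis lines of the kind posted above the way a removal helper reads them: it flags extra UserInit entries (F2), unnamed BHOs loading from system32 (O2), Run values that use rundll32 or start binaries from the Windows directory or a profile's Application Data (O4), LSP hijacks (O10), Winlogon Notify DLLs (O20) and vendor-less services (O23). The sample lines are copied from the log above; the rules are heuristics for review, not a verdict.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above,
# limited to the entry types the triage rules below look at.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.100
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {133FAFD6-4216-49B0-B36C-F22122D1297C} - C:\WINDOWS\system32\yayyWmmK.dll
O2 - BHO: {6712cf5f-5a55-6619-3234-7c057c6db166} - {661bd6c7-50c7-4323-9166-55a5f5fc2176} - C:\WINDOWS\system32\txicesoj.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [5d775487] rundll32.exe "C:\WINDOWS\system32\dmfejnqq.dll ",b
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Mimi\Application Data\Microsoft\dtsc\10423.exe
O10 - Hijacked Internet access by WebHancer
O20 - Winlogon Notify: ddcAstrP - C:\WINDOWS\SYSTEM32\ddcAstrP.dll
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

USERINIT_OK = r"c:\windows\system32\userinit.exe"   # the only thing UserInit should run
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
EXE_RE = re.compile(r'^"?(.+?\.exe)', re.I)


def first_exe(cmd):
    """Executable at the front of a Run command line, quotes stripped ('' if none)."""
    m = EXE_RE.match(cmd.strip())
    return m.group(1) if m else ""


def location_hints(path):
    """Placement clues a removal helper checks before anything else."""
    p = path.lower()
    hints = []
    if re.match(r"^c:\\windows\\[^\\]+\.exe$", p):
        hints.append("executable sits directly in the Windows directory")
    if "\\application data\\" in p and p.endswith(".exe"):
        hints.append("executable runs from a user profile's Application Data")
    return hints


def triage(log_text):
    """Return (section, severity, message) tuples for entries worth a look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        if kind == "R1" and ",ProxyServer = " in body:
            findings.append((kind, "review", "proxy configured: " + body.split(" = ", 1)[1]))
        elif kind == "F2" and "UserInit=" in body:
            # Winlogon launches every comma-separated entry; only userinit.exe belongs.
            entries = [e.strip().lower() for e in body.split("UserInit=", 1)[1].split(",")]
            extra = [e for e in entries if e and e != USERINIT_OK]
            if extra:
                findings.append((kind, "critical", "extra UserInit entries: " + ", ".join(extra)))
        elif kind == "O2" and body.startswith("BHO: "):
            parts = body[len("BHO: "):].rsplit(" - ", 2)   # name, CLSID, DLL path
            name, path = parts[0], parts[-1]
            if path == "(no file)":
                findings.append((kind, "cleanup", "orphaned BHO registration, no DLL on disk"))
            elif (name == "(no name)" or GUID_RE.match(name)) and "\\system32\\" in path.lower():
                findings.append((kind, "suspicious", "unnamed BHO loading from system32: " + path))
        elif kind == "O4":
            mm = RUN_RE.match(body)
            if not mm:
                continue            # Startup-folder entries are not checked here
            _hive, name, cmd = mm.groups()
            if cmd.lower().startswith("rundll32") and "\\system32\\" in cmd.lower():
                findings.append((kind, "suspicious", f"Run value [{name}] uses rundll32 to load a system32 DLL"))
            for hint in location_hints(first_exe(cmd)):
                findings.append((kind, "suspicious", f"Run value [{name}]: {hint}"))
        elif kind == "O10":
            findings.append((kind, "critical", "LSP hijack: " + body))
        elif kind == "O20" and body.startswith("Winlogon Notify: "):
            # Legitimate drivers register here too; the DLL still needs checking by name.
            findings.append((kind, "review", "Winlogon Notify DLL: " + body[len("Winlogon Notify: "):]))
        elif kind == "O23" and body.startswith("Service: "):
            parts = body[len("Service: "):].rsplit(" - ", 2)  # display name, owner, path
            owner, path = (parts[-2] if len(parts) == 3 else ""), parts[-1]
            hints = location_hints(path)
            if owner == "Unknown owner" and hints:
                findings.append((kind, "suspicious", f"service with no vendor, {hints[0]}: {path}"))
    return findings


def by_severity(findings):
    """Count findings per severity label."""
    counts = {}
    for _kind, sev, _msg in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, sev, msg in triage(SAMPLE_HJT_LOG):
        print(f"{kind:<4} {sev:<10} {msg}")
```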
     
  5. 2008/05/19
    Geri

    Hi moonpie

    Ok, she has a number of infections; this is what she needs to do.
    It will take a number of scans and posts here.

    Make sure she runs Malwarebytes' Anti-Malware program.

    Then she needs to do this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the MBAM log and the Combofix log.

    Thanks
    Geri
     
  6. 2008/05/20
    moonpie

    Geri,

    I emailed the link to the Malware program. She was able to open the email, but could not go to the link. I then emailed her the actual program. She installed it and it will not run. I'm guessing that the AntiSpyware Master may be causing the problem. I told her I would let you know and wait on your instructions.
     
  7. 2008/05/20
    moonpie

    Geri,

    She finally got it to work. We will try to follow the rest of your previous instructions and get back with you. Thanks so much.
     
  8. 2008/05/20
    moonpie

    Malwarebytes' Anti-Malware 1.12
    Database version: 770

    Scan type: Full Scan (C:\|)
    Objects scanned: 81994
    Time elapsed: 17 minute(s), 29 second(s)

    Memory Processes Infected: 5
    Memory Modules Infected: 12
    Registry Keys Infected: 40
    Registry Values Infected: 8
    Registry Data Items Infected: 3
    Folders Infected: 11
    Files Infected: 67

    Memory Processes Infected:
    c:\WINDOWS\b2new.exe (Trojan.Downloader) -> Unloaded process successfully.
    c:\WINDOWS\mrofinu72.exe (Trojan.DownLoader) -> Unloaded process successfully.
    C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe (Rogue.DriveCleaner) -> Unloaded process successfully.
    C:\Program Files\QdrModule\QdrModule16.exe (Adware.ISM) -> Unloaded process successfully.
    C:\WINDOWS\system32\xwusuhzh.exe (Trojan.Agent) -> Unloaded process successfully.

    Memory Modules Infected:
    c:\program files\webhancer\Programs\webhdll.dll (Adware.WebHancer) -> Unloaded module successfully.
    c:\program files\webhancer\Programs\whiehlpr.dll (Adware.WebHancer) -> Unloaded module successfully.
    C:\WINDOWS\system32\geBuSKbY.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\ljJbaASL.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\pmnmjJyy.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\tcdocagt.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\tuvTnNDt.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\wvUljKBU.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\yayyWmmK.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\yayyXqNh.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\ddcAstrP.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\fccbYsrq.dll (Trojan.Vundo) -> Unloaded module successfully.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{133fafd6-4216-49b0-b36c-f22122d1297c} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{133fafd6-4216-49b0-b36c-f22122d1297c} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{202555bf-0f92-41f8-927d-19c62f28cb7c} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{202555bf-0f92-41f8-927d-19c62f28cb7c} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7b939b30-b843-4490-807b-fcf4f5055bf3} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{7b939b30-b843-4490-807b-fcf4f5055bf3} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{86cd88e4-834e-4314-8668-f1dcb043272d} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{86cd88e4-834e-4314-8668-f1dcb043272d} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a0f4c3e4-2bd6-47bb-b7ec-d8a7046c389f} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a0f4c3e4-2bd6-47bb-b7ec-d8a7046c389f} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a81b8537-3623-436d-98f4-8943db7ab180} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a81b8537-3623-436d-98f4-8943db7ab180} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed3a0e9f-4676-4ea5-9c13-733017616cd8} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{ed3a0e9f-4676-4ea5-9c13-733017616cd8} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\whiehelperobj.whiehelperobj.1 (Adware.WebHancer) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{c89435b0-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{c8cb3870-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{c7bbc1fa-e415-4926-9a47-9ab58d0b3bc8} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c7bbc1fa-e415-4926-9a47-9ab58d0b3bc8} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcastrp (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\Interface\{4567ab12-a884-4ca6-b739-cedb12fef096} (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{4567ab12-ae24-4fd6-b479-e2b464f32da6} (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{_clsid_washellexecutecheck} (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ism (Adware.ISM) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\whiehelperobj.whiehelperobj (Adware.WebHancer) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent (Adware.WebHancer) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\webHancer (Adware.WebHancer) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo (Adware.PurityScan) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1 (Trojan.DownLoader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5d775487 (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\webHancer Agent (Adware.WebHancer) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{c7bbc1fa-e415-4926-9a47-9ab58d0b3bc8} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Salestart (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QdrModule16 (Adware.ISM) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Installer (Trojan.Agent) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM5e44671b (Trojan.Agent) -> Delete on reboot.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnmjjyy -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\xwusuhzh.exe -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnmjjyy -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\webHancer (Adware.Webhancer) -> Delete on reboot.
    C:\Program Files\webHancer\Programs (Adware.Webhancer) -> Delete on reboot.
    C:\Program Files\Common Files\DriveCleaner Freeware (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\SalesMonitor (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\SalesMonitor\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\ISM (Adware.ISM) -> Quarantined and deleted successfully.
    C:\Program Files\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
    C:\Program Files\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mimi\Start Menu\Programs\Internet Speed Monitor (Adware.AdSponsor) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mimi\Application Data\DriveCleaner Freeware (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mimi\Application Data\DriveCleaner Freeware\Logs (Rogue.DriveCleaner) -> Quarantined and deleted successfully.

    Files Infected:
    c:\program files\webhancer\Programs\webhdll.dll (Adware.WebHancer) -> Delete on reboot.
    c:\WINDOWS\b2new.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\WINDOWS\mrofinu72.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
    c:\program files\webhancer\Programs\whiehlpr.dll (Adware.WebHancer) -> Delete on reboot.
    C:\WINDOWS\system32\awtrqpQh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hQpqrtwa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hQpqrtwa.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\geBuSKbY.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\YbKSuBeg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\YbKSuBeg.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ljJbaASL.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\LSAabJjl.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LSAabJjl.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\pmnmjJyy.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\yyJjmnmp.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\yyJjmnmp.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tcdocagt.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\tgacodct.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tuvTnNDt.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\tDNnTvut.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tDNnTvut.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wvUljKBU.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\UBKjlUvw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\UBKjlUvw.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\yayyWmmK.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\KmmWyyay.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\KmmWyyay.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\yayyXqNh.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\hNqXyyay.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hNqXyyay.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Program Files\webHancer\Programs\whagent.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ddcAstrP.dll (Trojan.Vundo) -> Delete on reboot.
    C:\Documents and Settings\Mimi\Local Settings\Temp\b2new.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mimi\Local Settings\Temp\installdrivecleanerstart.exe (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mimi\Local Settings\Temp\msiexec.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mimi\Local Settings\Temp\syswcc32.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mimi\Local Settings\Temp\UDC6_0001_D22M0802\installer.exe (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
    C:\Program Files\ISM\ism.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
    C:\Program Files\webHancer\Programs\whinstaller.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{BF5182F3-21D6-43D5-968F-116F6DF977E7}\RP42\A0006848.exe (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{BF5182F3-21D6-43D5-968F-116F6DF977E7}\RP42\A0006849.exe (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{BF5182F3-21D6-43D5-968F-116F6DF977E7}\RP42\A0006850.exe (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{BF5182F3-21D6-43D5-968F-116F6DF977E7}\RP42\A0006851.dll (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{BF5182F3-21D6-43D5-968F-116F6DF977E7}\RP42\A0006852.exe (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
    C:\Program Files\webHancer\Programs\license.txt (Adware.Webhancer) -> Quarantined and deleted successfully.
    C:\Program Files\webHancer\Programs\readme.txt (Adware.Webhancer) -> Quarantined and deleted successfully.
    C:\Program Files\webHancer\Programs\sporder.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
    C:\Program Files\webHancer\Programs\whagent.ini (Adware.Webhancer) -> Quarantined and deleted successfully.
    C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
    C:\Program Files\ISM\Uninstall.exe (Adware.ISM) -> Quarantined and deleted successfully.
    C:\Program Files\QdrModule\QdrModule16.exe (Adware.ISM) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mimi\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mimi\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mimi\Application Data\DriveCleaner Freeware\Logs\update.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xwusuhzh.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mimi\Application Data\Microsoft\dtsc\10423.exe (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\clbdll.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\bpxvpmam.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\vbopctcb.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\000060.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\000090.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\pmnkHBsq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\fccbYsrq.dll (Trojan.Vundo) -> Delete on reboot.
    C:\Program Files\Common Files\Yazzle1552OinAdmin.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
    C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
     
  9. 2008/05/20
    moonpie
    ComboFix 08-05-20.1 - Mimi 2008-05-20 21:42:38.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.88 [GMT -4:00]
    Running from: C:\Documents and Settings\Mimi\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
    .

    2008-05-20 18:15 . 2008-05-20 18:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-05-20 18:15 . 2008-05-20 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-05-20 17:20 . 2008-05-20 17:43 82,976 --------- C:\WINDOWS\system32\bpxvpmam.dll
    2008-05-20 17:18 . 2008-05-20 17:18 2,560 --a------ C:\WINDOWS\system32\qigofult.exe
    2008-05-20 17:05 . 2008-05-20 17:05 <DIR> d-------- C:\Documents and Settings\Mimi\Application Data\Malwarebytes
    2008-05-20 17:04 . 2008-05-20 17:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-20 17:04 . 2008-05-20 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-05-20 17:04 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-05-20 17:04 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-05-20 15:46 . 2008-05-20 17:43 82,976 --------- C:\WINDOWS\system32\tcdocagt.dll
    2008-05-20 15:44 . 2008-05-20 15:44 2,560 --a------ C:\WINDOWS\system32\iogejcpk.exe
    2008-05-19 21:48 . 2008-05-19 21:48 2,560 --a------ C:\WINDOWS\system32\dbjoenwx.exe
    2008-05-19 21:23 . 2008-05-19 21:23 <DIR> d-------- C:\Program Files\Trend Micro
    2008-05-19 15:21 . 2008-05-19 15:21 2,560 --a------ C:\WINDOWS\system32\mrbaalfe.exe
    2008-05-18 18:06 . 2008-05-18 18:06 <DIR> d-------- C:\Program Files\USS
    2008-05-18 18:06 . 2006-11-09 15:48 11,776 --a------ C:\WINDOWS\system32\drivers\wasfsd.sys
    2008-05-18 17:56 . 2003-03-19 09:20 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
    2008-05-18 08:46 . 2008-05-20 17:03 109,848 --a------ C:\WINDOWS\BM5e44671b.xml
    2008-05-18 08:42 . 2008-05-18 08:42 <DIR> d-------- C:\Program Files\uTorrent
    2008-05-18 08:41 . 2004-08-04 08:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
    2008-05-18 08:40 . 2008-05-18 08:40 <DIR> d-------- C:\WINDOWS\system32\logXv06
    2008-05-18 08:40 . 2008-05-18 08:40 <DIR> d-------- C:\Temp\dmpxp32
    2008-05-18 08:40 . 2008-05-18 08:40 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
    2008-05-15 19:06 . 2008-05-15 19:06 <DIR> d-------- C:\Documents and Settings\Mimi\Application Data\WildTangent
    2008-05-11 10:13 . 2008-05-18 08:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-05-11 10:13 . 2008-05-11 10:13 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-05-06 20:11 . 2008-05-06 20:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PCPitstop
    2008-05-01 01:42 . 2008-05-01 01:42 <DIR> d-------- C:\WINDOWS\Sun
    2008-04-29 22:44 . 2008-05-15 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WildTangent
    2008-04-29 17:16 . 2008-04-29 17:16 67 --a------ C:\WINDOWS\swupdate.INI

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-11 14:13 --------- d-----w C:\Documents and Settings\Mimi\Application Data\AdobeUM
    2008-04-30 02:44 --------- d-----w C:\Program Files\Toshiba Games
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-01-16 02:01 0 ----a-w C:\Documents and Settings\Mimi\Application Data\wklnhst.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-05-20_18.01.39.96 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-05-20 21:56:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-21 01:40:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    + 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    + 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    - 2008-04-06 05:56:22 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
    + 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32 65536]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 19:45 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 08:20 122940]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-02 00:05 344064]
    "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-24 01:40 196608]
    "RTHDCPL"="RTHDCPL.EXE" [2006-01-11 20:23 15961088 C:\WINDOWS\RTHDCPL.exe]
    "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2006-03-03 23:30 184320]
    "AGRSMMSG"="AGRSMMSG.exe" [2006-03-03 23:29 88204 C:\WINDOWS\agrsmmsg.exe]
    "NDSTray.exe"="NDSTray.exe" []
    "HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 16:45 28672]
    "SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 16:45 65536]
    "CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2006-02-17 16:18 634880]
    "TPSMain"="TPSMain.exe" [2005-05-31 20:16 282624 C:\WINDOWS\system32\TPSMain.exe]
    "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 01:06 1077322]
    "ZoomingHook"="ZoomingHook.exe" [2005-06-06 12:58 24576 C:\WINDOWS\system32\ZoomingHook.exe]
    "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 19:13 122880]
    "Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 15:11 73728]
    "TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2005-12-13 19:28 53248]
    "VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 21:18 151552]
    "OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 01:02 53248]
    "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 21:29 303104]
    "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 15:05 212992]
    "MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 13:26 110592]
    "MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2006-11-07 18:49 1121280]
    "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 20:37 151552]
    "TCtryIOHook"="TCtrlIOHook.exe" [2006-01-03 19:11 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
    "TFncKy"="TFncKy.exe" []
    "VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 15:49 163840]
    "MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 20:00 1005096]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-14 17:47 98304]
    "USS"="C:\Program Files\USS\USS.exe" [2008-02-08 14:37 143360]

    C:\Documents and Settings\Mimi\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-06-12 00:57:52 59080]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-04-14 17:37:02 155648]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
    "C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R0 wasfsd;wasfsd;C:\WINDOWS\system32\drivers\wasfsd.sys [2006-11-09 15:48]
    S3 GameConsoleService;GameConsoleService; "C:\Program Files\WildTangent\Apps\TOSHIBA Game Console\GameConsoleService.exe" [2008-05-05 18:25]

    *Newly Created Service* - CATCHME
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-20 21:44:55
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-05-20 21:46:21
    ComboFix-quarantined-files.txt 2008-05-21 01:46:17
    ComboFix2.txt 2008-05-20 22:02:35

    Pre-Run: 72,893,759,488 bytes free
    Post-Run: 72,887,865,344 bytes free

    135 --- E O F --- 2008-05-20 22:06:20
     
  10. 2008/05/21
    Geri Lifetime Subscription
    Hi moonpie

    Here is what needs to be done next.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINDOWS\system32\bpxvpmam.dll
    C:\WINDOWS\system32\qigofult.exe
    C:\WINDOWS\system32\tcdocagt.dll
    C:\WINDOWS\system32\iogejcpk.exe
    C:\WINDOWS\system32\dbjoenwx.exe
    C:\WINDOWS\system32\mrbaalfe.exe
    C:\WINDOWS\system32\drivers\wasfsd.sys
    C:\WINDOWS\system32\beep.sys
    C:\WINDOWS\system32\logXv06
    C:\Temp\dmpxp32
    C:\WINDOWS\system32\hljwugsf.bin
    C:\WINDOWS\QTFont.qfn
    C:\WINDOWS\QTFont.for 
    Please post the combofix log.

    Thanks
    Geri
     
  11. 2008/05/21
    moonpie
    ComboFix 08-05-20.1 - Mimi 2008-05-21 12:50:51.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.114 [GMT -4:00]
    Running from: C:\Documents and Settings\Mimi\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Mimi\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Temp\dmpxp32
    C:\WINDOWS\QTFont.for
    C:\WINDOWS\QTFont.qfn
    C:\WINDOWS\system32\beep.sys
    C:\WINDOWS\system32\bpxvpmam.dll
    C:\WINDOWS\system32\dbjoenwx.exe
    C:\WINDOWS\system32\drivers\wasfsd.sys
    C:\WINDOWS\system32\hljwugsf.bin
    C:\WINDOWS\system32\iogejcpk.exe
    C:\WINDOWS\system32\logXv06
    C:\WINDOWS\system32\mrbaalfe.exe
    C:\WINDOWS\system32\qigofult.exe
    C:\WINDOWS\system32\tcdocagt.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\QTFont.for
    C:\WINDOWS\QTFont.qfn
    C:\WINDOWS\system32\beep.sys
    C:\WINDOWS\system32\bpxvpmam.dll
    C:\WINDOWS\system32\dbjoenwx.exe
    C:\WINDOWS\system32\drivers\wasfsd.sys
    C:\WINDOWS\system32\hljwugsf.bin
    C:\WINDOWS\system32\iogejcpk.exe
    C:\WINDOWS\system32\mrbaalfe.exe
    C:\WINDOWS\system32\qigofult.exe
    C:\WINDOWS\system32\tcdocagt.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_wasfsd
    -------\Service_wasfsd


    ((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
    .

    2008-05-20 18:15 . 2008-05-20 18:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-05-20 18:15 . 2008-05-20 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-05-20 17:05 . 2008-05-20 17:05 <DIR> d-------- C:\Documents and Settings\Mimi\Application Data\Malwarebytes
    2008-05-20 17:04 . 2008-05-20 17:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-20 17:04 . 2008-05-20 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-05-20 17:04 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-05-20 17:04 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-05-19 21:23 . 2008-05-19 21:23 <DIR> d-------- C:\Program Files\Trend Micro
    2008-05-18 18:06 . 2008-05-18 18:06 <DIR> d-------- C:\Program Files\USS
    2008-05-18 17:56 . 2003-03-19 09:20 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
    2008-05-18 08:46 . 2008-05-20 17:03 109,848 --a------ C:\WINDOWS\BM5e44671b.xml
    2008-05-18 08:42 . 2008-05-18 08:42 <DIR> d-------- C:\Program Files\uTorrent
    2008-05-18 08:40 . 2008-05-18 08:40 <DIR> d-------- C:\WINDOWS\system32\logXv06
    2008-05-18 08:40 . 2008-05-18 08:40 <DIR> d-------- C:\Temp\dmpxp32
    2008-05-15 19:06 . 2008-05-15 19:06 <DIR> d-------- C:\Documents and Settings\Mimi\Application Data\WildTangent
    2008-05-06 20:11 . 2008-05-06 20:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PCPitstop
    2008-05-01 01:42 . 2008-05-01 01:42 <DIR> d-------- C:\WINDOWS\Sun
    2008-04-29 22:44 . 2008-05-15 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WildTangent
    2008-04-29 17:16 . 2008-04-29 17:16 67 --a------ C:\WINDOWS\swupdate.INI

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-11 14:13 --------- d-----w C:\Documents and Settings\Mimi\Application Data\AdobeUM
    2008-04-30 02:44 --------- d-----w C:\Program Files\Toshiba Games
    2008-01-16 02:01 0 ----a-w C:\Documents and Settings\Mimi\Application Data\wklnhst.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-05-20_18.01.39.96 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-05-20 21:56:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-21 16:53:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    + 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    + 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    - 2008-04-06 05:56:22 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
    + 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32 65536]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 19:45 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 08:20 122940]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-02 00:05 344064]
    "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-24 01:40 196608]
    "RTHDCPL"="RTHDCPL.EXE" [2006-01-11 20:23 15961088 C:\WINDOWS\RTHDCPL.exe]
    "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2006-03-03 23:30 184320]
    "AGRSMMSG"="AGRSMMSG.exe" [2006-03-03 23:29 88204 C:\WINDOWS\agrsmmsg.exe]
    "NDSTray.exe"="NDSTray.exe" []
    "HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 16:45 28672]
    "SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 16:45 65536]
    "CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2006-02-17 16:18 634880]
    "TPSMain"="TPSMain.exe" [2005-05-31 20:16 282624 C:\WINDOWS\system32\TPSMain.exe]
    "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 01:06 1077322]
    "ZoomingHook"="ZoomingHook.exe" [2005-06-06 12:58 24576 C:\WINDOWS\system32\ZoomingHook.exe]
    "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 19:13 122880]
    "Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 15:11 73728]
    "TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2005-12-13 19:28 53248]
    "VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 21:18 151552]
    "OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 01:02 53248]
    "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 21:29 303104]
    "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 15:05 212992]
    "MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 13:26 110592]
    "MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2006-11-07 18:49 1121280]
    "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 20:37 151552]
    "TCtryIOHook"="TCtrlIOHook.exe" [2006-01-03 19:11 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
    "TFncKy"="TFncKy.exe" []
    "VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 15:49 163840]
    "MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 20:00 1005096]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-14 17:47 98304]
    "USS"="C:\Program Files\USS\USS.exe" [2008-02-08 14:37 143360]

    C:\Documents and Settings\Mimi\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-06-12 00:57:52 59080]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-04-14 17:37:02 155648]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
    "C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    S3 GameConsoleService;GameConsoleService; "C:\Program Files\WildTangent\Apps\TOSHIBA Game Console\GameConsoleService.exe" [2008-05-05 18:25]

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-21 13:13:08
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\McAfee.com\Agent\Mcdetect.exe
    C:\PROGRA~1\McAfee.com\VSO\McShield.exe
    C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\Apoint2K\ApntEx.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    .
    **************************************************************************
    .
    Completion time: 2008-05-21 13:16:53 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-05-21 17:16:44
    ComboFix2.txt 2008-05-21 01:46:22
    ComboFix3.txt 2008-05-20 22:02:35

    Pre-Run: 72,873,615,360 bytes free
    Post-Run: 72,865,660,928 bytes free

    175 --- E O F --- 2008-05-20 22:06:20
     
  12. 2008/05/21
    moonpie
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:26:06 PM, on 5/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\WINDOWS\system32\svchost.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\WINDOWS\system32\ZoomingHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\Toshiba\Tvs\TvsTray.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    c:\program files\mcafee.com\vso\mcvsshld.exe
    C:\WINDOWS\System32\svchost.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\WINDOWS\system32\TCtrlIOHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\USS\USS.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.100
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe "
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1200361642125
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\TOSHIBA Game Console\GameConsoleService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

    --
    End of file - 9660 bytes
     
  13. 2008/05/21
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, this needs to be done one more time.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    Folder::
    C:\WINDOWS\system32\logXv06
    C:\Temp\dmpxp32 

    Please inform her of this.

    I see you have P2P software (Limewire, BitTorrent, uTorrent etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here,
    here and here.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at Windowsbbs Virus and Spyware removal.

    Now have her do this.

    Click Start > Run, and in the run box copy and paste or type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files/folders it created.


    Now Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.


    Now run another Kaspersky scan and post the results.

    Thanks
    Geri
     
  14. 2008/05/21
    moonpie

    moonpie Inactive Thread Starter

    Joined:
    2002/12/06
    Messages:
    51
    Likes Received:
    0
    Geri,

    She is trying to do what you posted last. She said Limewire wasn't on there, but checked anyway. She couldn't find it on add/remove programs.

    When she tries to remove Combofix, she is told it's not there. She will continue to try, but is there another way to remove it? It doesn't show in add/remove programs either. Does Combofix HAVE to be removed before she can run the other programs?

    Thanks again.
     
  15. 2008/05/22
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Ok, she has uTorrent, not Limewire.

    Make sure there is a space between combofix (space) /u

    No, but it will have to be removed sooner or later.

    Geri
     
  16. 2008/05/22
    moonpie

    moonpie Inactive Thread Starter

    Joined:
    2002/12/06
    Messages:
    51
    Likes Received:
    0
    Geri,

    She didn't find uTorrent in add/remove programs or under all programs. I had her check in Windows Explorer and she found it, but the folder was empty.

    She ran ATF and Kaspersky. The results from Kaspersky were:

    Total# of scanned objects 45692
    # of viruses found 7
    # of infected objects 12
    # of suspicious objects 0
    Duration of scan 00:38:55
     
  17. 2008/05/22
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Ok, I need to see the log.

    Thanks
    Geri
     
  18. 2008/05/22
    moonpie

    moonpie Inactive Thread Starter

    Joined:
    2002/12/06
    Messages:
    51
    Likes Received:
    0
    Geri,

    When she ran the scan she saw no log file or any option for it. That's why I posted what I did. After I got your post I called her and she said she had run the scan on her desktop computer and a log file popped up after it finished. That did not happen on the laptop. She is going to check to see if it possibly was saved on the hard drive.

    She has had a really hard time because that AntiSpywareMaster is always on top of the screen and she has to try to work around it. I don't know if that could have caused a problem getting the log file. She has managed to work through everything so far and will try to get this log.

    Thanks.
     
  19. 2008/05/22
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi moonpie
    Is that still coming up?

    MBAM log says it was deleted?

    HKEY_CLASSES_ROOT\Interface\{4567ab12-a884-4ca6-b739-cedb12fef096} (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{4567ab12-ae24-4fd6-b479-e2b464f32da6} (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{_clsid_washellexecutecheck} (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
    C:\Program Files\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.


    Please let me know if this is still a problem.

    Thanks
    Geri
     
  20. 2008/05/22
    moonpie

    moonpie Inactive Thread Starter

    Joined:
    2002/12/06
    Messages:
    51
    Likes Received:
    0
    Geri,

    I misunderstood. I thought it was still the AntiSpywareMaster. She says that sometimes a box will pop up saying Spyware Threat and asking her to block it or not block it. She doesn't know what it is and doesn't do anything but try to move it out of the way. It will not close when she clicks the X.
     
  21. 2008/05/22
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi moonpie
    Ask her if there is any other writing on it.

    Could it be one of the McAfee warnings?

    I went over the HJT Log again and this is really the only thing that may be questionable.
    O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe "

    It could be a couple of different programs.
    Can you ask if she has any of these installed?
    Underwater Screensaver
    USA Shield 2.15


    I may need a couple more scan logs after I see the Kaspersky scan results.
    I'll let you know.

    Geri
     
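A defender-side way to do the kind of review Geri describes above, going through the O4 autostart lines of a HijackThis log and pulling out the entries that deserve a second look (an executable outside the directories the rest of the log accounts for, such as the USS entry, or a bare file name that is resolved through PATH at logon). This is an added example, not part of the thread or of HijackThis itself; the KNOWN_DIRS allowlist and the SAMPLE_LOG lines are constructed from entries in the log posted above.

```python
"""Triage of HijackThis O4 (autostart) entries.

Added example, not part of the forum thread or of HijackThis. It parses
'O4 - <hive>\\..\\Run: [name] <command>' lines and flags the entries a
reviewer would check first.
"""
import re
from typing import Dict, List, Tuple

O4_RE = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
QUOTED_RE = re.compile(r'^"(?P<exe>[^"]*)"\s*(?P<args>.*)$')
UNQUOTED_RE = re.compile(r'^(?P<exe>.+?\.exe)\s*(?P<args>.*)$', re.IGNORECASE)

# Directories already accounted for on this machine (constructed allowlist for
# the example; a real review rests on vendor knowledge, not on this tuple).
KNOWN_DIRS = (r"c:\windows", r"c:\program files\toshiba", r"c:\program files\apoint2k",
              r"c:\program files\mcafee.com", r"c:\progra~1\mcafee",
              r"c:\program files\messenger")

# Constructed sample: a subset of the O4 lines from the log in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe "
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
'''


def split_command(cmd: str) -> Tuple[str, str]:
    """Return (exe, args); strips the stray space HJT shows inside some quotes."""
    m = QUOTED_RE.match(cmd) or UNQUOTED_RE.match(cmd)
    if not m:
        return cmd.strip(), ""
    return m.group("exe").strip(), m.group("args").strip()


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse every O4 Run entry and attach review flags to each one."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe, args = split_command(m.group("cmd"))
        flags = []
        if "\\" not in exe:
            flags.append("bare_name")    # resolved via PATH at logon; verify which file that is
        elif not exe.lower().startswith(KNOWN_DIRS):
            flags.append("unknown_dir")  # e.g. C:\Program Files\USS\USS.exe in this log
        entries.append({"hive": m.group("hive"), "name": m.group("name"),
                        "exe": exe, "args": args, "flags": flags})
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        if e["flags"]:
            print(f'{e["name"]:<14} {e["exe"]:<45} {", ".join(e["flags"])}')
```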
