Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 




Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > HijackThis Log Help
Virtumonde.FP virus and possibly others Virtumonde.FP virus and possibly others
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read

HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.

Closed Thread
 
Thread Tools
Old 04-22-2008, 10:45 PM   #1 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 11
OS: Vista


Virtumonde.FP virus and possibly others
I appreciate any advice offered. I am pretty useless at tech stuff.

Despite having ESET NOD32, Windows Defender, Spyware Terminator and Spybot search and destroy, I have managed to get this virus.
Don't know if it is connected, but my laptop went haywire when I downloaded the latest firefox update. (Pop-up hell, with lots of messages telling me to download antivirus doftware)
I have run CC Cleaner.
I used Vundo Fix and Virtumondo Begone. (Both of which tell me that there is nothing there)
ESET happily tells me I have the threat, then gives the following:
Information
cleaned by deleting (after the next restart)-quarantined
And every now and again, I get a mesage telling me that I have a threat, but ESET cannot delete/clean as access is denied.
I tried restarting, still the same.
(Incidently, Windows Defender and Spyware Terminator tell me that the computer is clean)
I am running Windows Vista.
I tried Spyware doctor. No joy, it thinks my computer is clean.
Then I did a scan(With ESET NOD32) in safe mode, but it finished without prompting for any repairs. (It opened up in a black box with command type prompts (I think) and then automatically closed without doing anything.
I re-booted, and scanned, its still there
I came here and got as far as running Panda (the freeware). It thinks I have 19 infections, but wants money to clean it.
I downloaded Ad-Aware, (which I used to have) and my 19 infections (Tracking cookies) are now deleted.
I then added Superantispyware, which found numerous threats/cookies and a trojan, (quarantined and removed from system)
Finally I re-scanned and got system clear from Superantispyware and Eset flaggged up 2 Win32/PrcView application (which means nothing to me) which it cleaned and quarantined.

I then checked for updates and did the :Deckard System Scan


Deckard's System Scanner v20071014.68
Run by Diana on 2008-04-23 06:23:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
9: 2008-04-23 05:19:43 UTC - RP311 - Windows Update
8: 2008-04-23 05:17:29 UTC - RP310 - Windows Update
7: 2008-04-22 22:49:48 UTC - RP309 - Windows Update
6: 2008-04-22 22:26:47 UTC - RP308 - Installed SUPERAntiSpyware Free Edition
5: 2008-04-22 21:32:10 UTC - RP307 - Installed Ad-Aware 2007


-- First Restore Point --
1: 2008-04-19 16:04:15 UTC - RP302 - Last known good configuration


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Diana.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:25:57, on 23/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Thomson\ST330\service\st330service.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Kontiki\KService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Registration\ToshibaRegistration.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Thomson\ST330\diagnostics\diagnostics.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Say the Time\SayTimeMain.exe
C:\Program Files\Say the Time\SayTimeMain.exe
C:\Users\Diana\Program Files\DNA\btdna.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Say the Time\stttsm.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\MsiExec.exe
C:\Users\Diana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N2PZF8FU\dss[1].exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Diana.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispat...=%s&tbid=60327
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_cu...spx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_cu...spx?TbId=60327
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {4302872A-747C-4675-95D2-60E525474AA5} - C:\Windows\system32\cbxUonKe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Desktop SMS] C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe /auto
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files\Thomson\ST330\diagnostics\diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Say the Time.lnk = C:\Program Files\Say the Time\SayTime.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.techsupportforum.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Unknown owner - C:\Program Files\DU Meter\DUMeterSvc.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson/ST330/service/st330service.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - Unknown owner - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 13770 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
R1 sp_rsdrv2 (Spyware Terminator Driver 2) - \??\c:\windows\system32\drivers\sp_rsdrv2.sys
R3 SASENUM - \??\c:\program files\superantispyware\sasenum.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree(TM)>
R2 sp_rssrv (Spyware Terminator Realtime Shield Service) - "c:\program files\spyware terminator\sp_rsser.exe" <Not Verified; Crawler.com; Crawler Spyware Terminator>
R2 st330service (SpeedTouch 330 Manager) - c:\program files/thomson/st330/service/st330service.exe -service <Not Verified; THOMSON Telecom Belgium; Host Service>
R2 TNaviSrv (TOSHIBA Navi Support Service) - c:\program files\toshiba\toshiba dvd player\tnavisrv.exe <Not Verified; TOSHIBA Corporation; TOSHIBA DVD Player>
R2 TODDSrv (TOSHIBA Optical Disc Drive Service) - c:\windows\system32\toddsrv.exe <Not Verified; TOSHIBA Corporation; TDCSrv Application>

S2 DUMeterSvc (DU Meter Service) - c:\program files\du meter\dumetersvc.exe /startedbyscm:e1f6d4be-40e33354-dumeterservice (file missing)
S2 TOSHIBA Bluetooth Service - c:\program files\toshiba\bluetooth toshiba stack\tosbtsrv.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-03-23 and 2008-04-23 -----------------------------

2008-04-23 06:25:36 0 d-------- C:\Program Files\Trend Micro
2008-04-23 00:18:37 0 d-------- C:\Program Files\Say the Time
2008-04-22 23:27:49 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-04-22 23:27:12 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-22 22:32:56 0 d-------- C:\Users\All Users\Lavasoft
2008-04-22 22:32:56 0 d-------- C:\Program Files\Lavasoft
2008-04-22 22:31:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-22 18:26:40 0 d-a------ C:\Users\All Users\TEMP
2008-04-22 18:26:15 0 d-------- C:\Program Files\Spyware Doctor
2008-04-22 07:05:59 0 d-------- C:\Program Files\Panda Security
2008-04-21 19:38:57 0 d-------- C:\VundoFix Backups
2008-04-19 17:03:16 14997 --ahs---- C:\Windows\system32\eKnoUxbc.ini2
2008-04-07 13:49:31 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-05 15:31:05 0 d-------- C:\Program Files\QuickTime
2008-04-05 15:31:04 0 d-------- C:\Users\All Users\Apple Computer
2008-04-03 18:55:20 0 d-------- C:\Program Files\Windows Resource Kits


-- Find3M Report ---------------------------------------------------------------

2008-04-23 06:21:27 0 d-------- C:\Users\Diana\AppData\Roaming\DNA
2008-04-22 23:27:12 0 d-------- C:\Users\Diana\AppData\Roaming\SUPERAntiSpyware.com
2008-04-22 22:31:26 0 d-------- C:\Program Files\Common Files
2008-04-22 19:57:06 0 d-------- C:\Program Files\Spyware Terminator
2008-04-22 19:55:25 0 d-------- C:\Users\Diana\AppData\Roaming\Spyware Terminator
2008-04-22 18:26:15 0 d-------- C:\Users\Diana\AppData\Roaming\PC Tools
2008-04-21 22:25:04 0 d-------- C:\Users\Diana\AppData\Roaming\BitTorrent
2008-04-18 07:50:06 0 d-------- C:\Users\Diana\AppData\Roaming\DVD Flick
2008-04-10 03:14:45 0 d-------- C:\Program Files\Windows Mail
2008-04-07 13:56:27 0 d-------- C:\Program Files\MSBuild
2008-04-01 17:46:41 0 d-------- C:\Users\Diana\AppData\Roaming\Real
2008-04-01 17:41:59 0 d-------- C:\Program Files\Kontiki
2008-03-31 0033 0 d-------- C:\Users\Diana\AppData\Roaming\dvdcss
2008-03-21 15:40:34 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-21 15:39:20 0 d-------- C:\Program Files\Common Files\Real
2008-03-21 15:30:21 0 d-------- C:\Program Files\Real
2008-03-13 02:54:19 0 d-------- C:\Program Files\Microsoft Works
2008-03-12 21:16:14 0 d-------- C:\Users\Diana\AppData\Roaming\WinRAR
2008-03-09 12:26:32 0 d-------- C:\Program Files\PFConfig
2008-03-08 16:32:48 0 d-------- C:\Program Files\DVD Shrink
2008-03-07 20:46:20 0 d-------- C:\Users\Diana\AppData\Roaming\Vso
2008-03-07 20:46:20 33 --a------ C:\Users\Diana\AppData\Roaming\pcouffin.log
2008-03-07 20:46:19 7887 --a------ C:\Users\Diana\AppData\Roaming\pcouffin.cat
2008-03-07 19:51:12 0 d-------- C:\Program Files\DVD Flick
2008-03-07 19:46:06 668 --a------ C:\Users\Diana\AppData\Roaming\vso_ts_preview.xml
2008-03-02 10:38:17 0 d-------- C:\Users\Diana\AppData\Roaming\vlc
2008-03-02 10:36:34 0 d-------- C:\Program Files\VideoLAN
2008-03-01 19:26:19 737280 --a------ C:\Windows\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-03-01 18:14:38 0 d-------- C:\Program Files\IrfanView
2008-03-01 14:42:04 0 d-------- C:\Program Files\BitTorrent
2008-03-01 14:41:49 0 d-------- C:\Program Files\DNA
2008-02-24 23:32:30 0 d-------- C:\Program Files\Belarc
2008-02-24 19:00:47 0 d-------- C:\Users\Diana\AppData\Roaming\SecondLife
2008-02-24 18:57:57 0 d-------- C:\Users\Diana\AppData\Roaming\Mozilla
2008-01-30 19:21:07 0 --a------ C:\Windows\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4302872A-747C-4675-95D2-60E525474AA5}]
C:\Windows\system32\cbxUonKe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [10/07/2007 14:58]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [03/04/2007 08:37]
"Persistence"="C:\Windows\system32\igfxpers.exe" [03/04/2007 08:37]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [06/11/2006 17:14]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [22/03/2006 21:42]
"topi"="C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe" [02/04/2007 12:48]
"RtHDVCpl"="RtHDVCpl.exe" [13/06/2007 06:11 C:\Windows\RtHDVCpl.exe]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [29/03/2007 10:39]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [07/12/2006 16:49]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [23/05/2007 15:57]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [22/05/2007 16:32]
"Desktop SMS"="C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe" [18/06/2007 10:51]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [10/11/2006 13:35]
"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [10/04/2007 17:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [08/06/2007 03:53]
"Toshiba Registration"="C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe" [19/02/2007 15:00]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [12/02/2007 13:37]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [21/12/2007 09:21]
"diagnostics"="C:\Program Files\Thomson\ST330\diagnostics\diagnostics.exe" [16/01/2008 21:23]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [21/03/2008 15:29]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 07:00]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [01/02/2008 11:55]
"1A:Stardock TrayMonitor"="" []
"Say the Time"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [15/01/2008 12:54]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [27/11/2007 12:58]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [02/11/2006 13:36]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 12:43]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [11/04/2008 08:36]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [29/02/2008 16:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"1A:Stardock TrayMonitor"=

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Say the Time.lnk - C:\Program Files\Say the Time\SayTime.exe [18/05/2007 05:00:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\cbxUonKe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-04-23 06:27:48 ------------
Attached Files
File Type: txt extra.txt (19.7 KB, 0 views)
Last edited by dini : 04-22-2008 at 10:52 PM.
dini is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 04-25-2008, 10:47 AM   #2 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 11
OS: Vista


Re: Virtumonde.FP virus and possibly others
Hi, I have done one or two things, mainly removed Bit torrent and got a new version of Java. Couldn't do much else as I wouldn't know where to start. Done a few more spyware/virus scans and removed anything quarantined. The scans are now coming up clear.
I ran another Dekards SS.
Am I safe?
Thank you.

Deckard's System Scanner v20071014.68
Run by Diana on 2008-04-25 18:37:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Diana.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:37:52, on 25/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Thomson\ST330\service\st330service.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Kontiki\KService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Registration\ToshibaRegistration.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Thomson\ST330\diagnostics\diagnostics.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Say the Time\SayTimeMain.exe
C:\Program Files\Say the Time\SayTimeMain.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Diana\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Diana.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispat...=%s&tbid=60327
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_cu...spx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_cu...spx?TbId=60327
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {4302872A-747C-4675-95D2-60E525474AA5} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Desktop SMS] C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe /auto
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files\Thomson\ST330\diagnostics\diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Say the Time.lnk = C:\Program Files\Say the Time\SayTime.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.techsupportforum.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Unknown owner - C:\Program Files\DU Meter\DUMeterSvc.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson/ST330/service/st330service.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - Unknown owner - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 13784 bytes

-- Files created between 2008-03-25 and 2008-04-25 -----------------------------

2008-04-25 08:12:04 116580 --a------ C:\cc_20080425_0811.reg
2008-04-24 21:24:44 0 d-------- C:\Program Files\Common Files\Java
2008-04-23 06:25:36 0 d-------- C:\Program Files\Trend Micro
2008-04-23 00:18:37 0 d-------- C:\Program Files\Say the Time
2008-04-22 23:27:49 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-04-22 23:27:12 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-22 22:32:56 0 d-------- C:\Users\All Users\Lavasoft
2008-04-22 22:32:56 0 d-------- C:\Program Files\Lavasoft
2008-04-22 22:31:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-22 18:26:40 0 d-a------ C:\Users\All Users\TEMP
2008-04-22 18:26:15 0 d-------- C:\Program Files\Spyware Doctor
2008-04-22 07:05:59 0 d-------- C:\Program Files\Panda Security
2008-04-21 19:38:57 0 d-------- C:\VundoFix Backups
2008-04-19 17:03:16 14997 --ahs---- C:\Windows\system32\eKnoUxbc.ini2
2008-04-07 13:49:31 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-05 15:31:05 0 d-------- C:\Program Files\QuickTime
2008-04-05 15:31:04 0 d-------- C:\Users\All Users\Apple Computer
2008-04-03 18:55:20 0 d-------- C:\Program Files\Windows Resource Kits


-- Find3M Report ---------------------------------------------------------------

2008-04-25 00:00:21 0 d-------- C:\Users\Diana\AppData\Roaming\Spyware Terminator
2008-04-24 21:25:32 0 d-------- C:\Program Files\Java
2008-04-24 21:24:44 0 d-------- C:\Program Files\Common Files
2008-04-24 21:16:21 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-24 19:12:40 0 d-------- C:\Program Files\Spyware Terminator
2008-04-23 23:00:00 0 d-------- C:\Users\Diana\AppData\Roaming\BitTorrent
2008-04-22 23:27:12 0 d-------- C:\Users\Diana\AppData\Roaming\SUPERAntiSpyware.com
2008-04-22 18:26:15 0 d-------- C:\Users\Diana\AppData\Roaming\PC Tools
2008-04-18 07:50:06 0 d-------- C:\Users\Diana\AppData\Roaming\DVD Flick
2008-04-10 03:14:45 0 d-------- C:\Program Files\Windows Mail
2008-04-07 13:56:27 0 d-------- C:\Program Files\MSBuild
2008-04-01 17:46:41 0 d-------- C:\Users\Diana\AppData\Roaming\Real
2008-04-01 17:41:59 0 d-------- C:\Program Files\Kontiki
2008-03-31 0033 0 d-------- C:\Users\Diana\AppData\Roaming\dvdcss
2008-03-21 15:40:34 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-21 15:39:20 0 d-------- C:\Program Files\Common Files\Real
2008-03-21 15:30:21 0 d-------- C:\Program Files\Real
2008-03-13 02:54:19 0 d-------- C:\Program Files\Microsoft Works
2008-03-12 21:16:14 0 d-------- C:\Users\Diana\AppData\Roaming\WinRAR
2008-03-08 16:32:48 0 d-------- C:\Program Files\DVD Shrink
2008-03-07 20:46:20 0 d-------- C:\Users\Diana\AppData\Roaming\Vso
2008-03-07 20:46:20 33 --a------ C:\Users\Diana\AppData\Roaming\pcouffin.log
2008-03-07 20:46:19 7887 --a------ C:\Users\Diana\AppData\Roaming\pcouffin.cat
2008-03-07 19:51:12 0 d-------- C:\Program Files\DVD Flick
2008-03-07 19:46:06 668 --a------ C:\Users\Diana\AppData\Roaming\vso_ts_preview.xml
2008-03-02 10:38:17 0 d-------- C:\Users\Diana\AppData\Roaming\vlc
2008-03-02 10:36:34 0 d-------- C:\Program Files\VideoLAN
2008-03-01 19:26:19 737280 --a------ C:\Windows\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-03-01 18:14:38 0 d-------- C:\Program Files\IrfanView
2008-03-01 14:41:49 0 d-------- C:\Program Files\DNA
2008-01-30 19:21:07 0 --a------ C:\Windows\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4302872A-747C-4675-95D2-60E525474AA5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [10/07/2007 14:58]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [03/04/2007 08:37]
"Persistence"="C:\Windows\system32\igfxpers.exe" [03/04/2007 08:37]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [06/11/2006 17:14]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [22/03/2006 21:42]
"topi"="C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe" [02/04/2007 12:48]
"RtHDVCpl"="RtHDVCpl.exe" [13/06/2007 06:11 C:\Windows\RtHDVCpl.exe]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [29/03/2007 10:39]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [07/12/2006 16:49]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [23/05/2007 15:57]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [22/05/2007 16:32]
"Desktop SMS"="C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe" [18/06/2007 10:51]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [10/11/2006 13:35]
"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [10/04/2007 17:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [08/06/2007 03:53]
"Toshiba Registration"="C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe" [19/02/2007 15:00]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [12/02/2007 13:37]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [21/12/2007 09:21]
"diagnostics"="C:\Program Files\Thomson\ST330\diagnostics\diagnostics.exe" [16/01/2008 21:23]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [21/03/2008 15:29]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 07:00]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [01/02/2008 11:55]
"1A:Stardock TrayMonitor"="" []
"Say the Time"="" []
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [21/04/2008 22:56]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [15/01/2008 12:54]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [27/11/2007 12:58]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [02/11/2006 13:36]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 12:43]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [29/02/2008 16:03]
"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [17/01/2008 10:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"1A:Stardock TrayMonitor"=

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Say the Time.lnk - C:\Program Files\Say the Time\SayTime.exe [18/05/2007 05:00:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\cbxUonKe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-04-25 18:38:34 ------------
dini is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 04-27-2008, 12:33 AM   #3 (permalink)
Security Team (ret.)
 
Pancake's Avatar
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,405
OS: XP Pro SP3


Re: Virtumonde.FP virus and possibly others
Ok.We need to download ComboFix.exe. This will give a better view to the files running and also hidden on your computer.

Please visit this webpage for download links, and instructions for running ComboFix


When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new 'HijackThis' log so that we can continue to do any further cleaning that your system may require.

Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Mal use can cause serious computer problems

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
__________________
An Australian Member of



Eddy
Pancake is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 04-27-2008, 08:45 AM   #4 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 11
OS: Vista


Re: Virtumonde.FP virus and possibly others
Thank you.
I have downloaded Combofix, but my computer came with Vista Pre installed and I dont have a disc. (Toshiba Satellite P200-17C) so I am not able to do a recovery console.

Should I do something else?
dini is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 04-27-2008, 03:35 PM   #5 (permalink)
Security Team (ret.)
 
Pancake's Avatar
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,405
OS: XP Pro SP3


Re: Virtumonde.FP virus and possibly others
I forgot you were running Vista.Microsoft has not yet made a Recovery Console yet so dont worry about it.


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:
http://www.techsupportforum.com/newreply.php?do=newreply&noquote=1&p=1455007
Collect::
C:\Windows\system32\eKnoUxbc.ini2

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4302872A-747C-4675-95D2-60E525474AA5}]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as CFScript.txt




Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
__________________
An Australian Member of



Eddy
Pancake is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 04-27-2008, 10:58 PM   #6 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 11
OS: Vista


Re: Virtumonde.FP virus and possibly others
OK, Combofix log:


ComboFix 08-04-26.5 - Diana 2008-04-28 6:42:15.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.972 [GMT 1:00]
Running from: C:\Users\Diana\Desktop\ComboFix.exe
Command switches used :: C:\Users\Diana\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Diana\AppData\Roaming\inst.exe
C:\Windows\System32\eKnoUxbc.ini
C:\Windows\system32\eKnoUxbc.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 05:50 --------- d-----w C:\ProgramData\Kontiki
2008-04-28 05:49 --------- d---a-w C:\ProgramData\TEMP
2008-04-26 17:09 --------- d-----w C:\Program Files\7digital Locker
2008-04-26 17:02 --------- d-----w C:\Users\Diana\AppData\Roaming\Creative
2008-04-26 16:55 --------- d-----w C:\ProgramData\Creative
2008-04-26 14:27 --------- d-----w C:\Program Files\WMA-MP3.com
2008-04-26 14:25 --------- d-----w C:\Program Files\Apple Software Update
2008-04-26 14:19 --------- d-----w C:\Program Files\Creative
2008-04-26 13:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-26 11:17 --------- d-----w C:\Users\Diana\AppData\Roaming\Malwarebytes
2008-04-26 11:16 --------- d-----w C:\ProgramData\Malwarebytes
2008-04-26 11:16 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 09:52 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-25 07:19 --------- d-----w C:\ProgramData\Spyware Terminator
2008-04-25 07:12 116,580 ----a-w C:\cc_20080425_0811.reg
2008-04-24 23:00 --------- d-----w C:\Users\Diana\AppData\Roaming\Spyware Terminator
2008-04-24 20:25 --------- d-----w C:\Program Files\Java
2008-04-24 20:24 --------- d-----w C:\Program Files\Common Files\Java
2008-04-24 18:12 --------- d-----w C:\Program Files\Spyware Terminator
2008-04-24 08:44 --------- d-----w C:\Program Files\Spyware Doctor
2008-04-23 22:00 --------- d-----w C:\Users\Diana\AppData\Roaming\BitTorrent
2008-04-23 06:55 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-23 05:25 --------- d-----w C:\Program Files\Trend Micro
2008-04-22 23:18 --------- d-----w C:\Program Files\Say the Time
2008-04-22 22:27 --------- d-----w C:\Users\Diana\AppData\Roaming\SUPERAntiSpyware.com
2008-04-22 22:27 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-04-22 22:27 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-22 22:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-22 21:34 --------- d-----w C:\ProgramData\Lavasoft
2008-04-22 21:32 --------- d-----w C:\Program Files\Lavasoft
2008-04-22 17:26 --------- d-----w C:\Users\Diana\AppData\Roaming\PC Tools
2008-04-22 06:06 --------- d-----w C:\Program Files\Panda Security
2008-04-21 21:56 141,312 ----a-w C:\Windows\system32\drivers\sp_rsdrv2.sys
2008-04-18 06:50 --------- d-----w C:\Users\Diana\AppData\Roaming\DVD Flick
2008-04-18 04:46 --------- d-----w C:\ProgramData\DVD Shrink
2008-04-16 22:33 17,920 ----a-w C:\Windows\system32\drivers\lmvac.sys
2008-04-10 02:14 --------- d-----w C:\Program Files\Windows Mail
2008-04-07 12:56 --------- d-----w C:\Program Files\MSBuild
2008-04-07 12:49 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-04-05 14:33 --------- d-----w C:\Program Files\QuickTime
2008-04-05 14:31 --------- d-----w C:\ProgramData\Apple Computer
2008-04-03 17:55 --------- d-----w C:\Program Files\Windows Resource Kits
2008-04-01 16:41 --------- d-----w C:\Program Files\Kontiki
2008-03-30 23:06 --------- d-----w C:\Users\Diana\AppData\Roaming\dvdcss
2008-03-21 14:40 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-21 14:39 --------- d-----w C:\Program Files\Common Files\Real
2008-03-21 14:30 --------- d-----w C:\Program Files\Real
2008-03-13 01:54 --------- d-----w C:\Program Files\Microsoft Works
2008-03-08 15:32 --------- d-----w C:\Program Files\DVD Shrink
2008-03-08 02:14 148,992 ----a-w C:\Windows\system32\drivers\ks.sys
2008-03-07 19:46 47,360 ----a-w C:\Users\Diana\AppData\Roaming\pcouffin.sys
2008-03-07 19:46 --------- d-----w C:\Users\Diana\AppData\Roaming\Vso
2008-03-07 18:51 --------- d-----w C:\Program Files\DVD Flick
2008-03-07 18:28 47,360 ----a-w C:\Windows\system32\drivers\pcouffin.sys
2008-03-02 09:38 --------- d-----w C:\Users\Diana\AppData\Roaming\vlc
2008-03-02 09:36 --------- d-----w C:\Program Files\VideoLAN
2008-03-01 18:26 737,280 ----a-w C:\Windows\iun6002.exe
2008-03-01 17:14 --------- d-----w C:\Program Files\IrfanView
2008-03-01 13:41 --------- d-----w C:\Program Files\DNA
2008-02-29 23:08 --------- d-----w C:\ProgramData\Hagel Technologies
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll
2008-02-14 23:19 944,184 ----a-w C:\Windows\System32\winload.exe
2008-02-13 03:08 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-13 03:04 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-13 03:04 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-13 03:04 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-13 03:04 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-13 03:04 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-13 03:03 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 03:03 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 03:03 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 03:03 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-13 03:03 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 03:03 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 03:03 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-01-15 12:16 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-15 12:54 1232896]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-11-27 12:58 1032376]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 13:36 201728]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [2008-01-17 10:40 816368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-07-10 14:58 1006264]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-04-03 08:37 154392]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-04-03 08:37 133912]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 17:14 34352]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-22 21:42 438272]
"topi"="C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-04-02 12:48 577536]
"RtHDVCpl"="RtHDVCpl.exe" [2007-06-13 06:11 4489216 C:\Windows\RtHDVCpl.exe]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 10:39 411192]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 16:49 55416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-05-23 15:57 509496]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 16:32 538744]
"Desktop SMS"="C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe" [2007-06-18 10:51 1507328]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [2007-04-10 17:40 413696]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-08 03:53 894512]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 13:37 174872]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 09:21 1443072]
"diagnostics"="C:\Program Files\Thomson\ST330\diagnostics\diagnostics.exe" [2008-01-16 21:23 557149]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 11:55 1103240]
"1A:Stardock TrayMonitor"="" []
"Say the Time"="" []
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-04-21 22:56 1809408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"1A:Stardock TrayMonitor"="" []

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4794B3FF-EB04-4E2C-B837-2986EEF4DA25}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{84C16516-F1C0-48F2-A3F0-A5E80BFD948D}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{50BBAB99-0B2B-47F0-A6D7-29C6F7088C1B}"= UDP:F:\STHIWv\stInstall.exe:SpeedTouch Home Install Wizard
"{68AB7341-28B8-4E17-9804-3E99DFAEB47A}"= TCP:F:\STHIWv\stInstall.exe:SpeedTouch Home Install Wizard
"{60817583-092B-4045-8873-071B70279E58}"= UDP:C:\Program Files\Thomson\ST330\service\st330service.exe:ST330 service
"{2259269E-73BF-4147-B151-649F95F4AD91}"= TCP:C:\Program Files\Thomson\ST330\service\st330service.exe:ST330 service
"{18B3E851-232F-4480-94C3-8F7E02CAA427}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{83687A1A-3EF2-4013-A094-4F37AD8841B1}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{2ECA5B43-2626-4DF3-BF0E-413477752A0E}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{C9A410F8-EC3F-46A4-8C08-103C13D86752}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{D98E48FF-A1B1-4EBD-8F1E-2ADFB1116018}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{187C1BB2-2E1B-4699-8304-E64379C0CA20}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{839E9BB6-8EBC-4C79-9089-EA9775B5B25A}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{81960DAB-BD27-4556-9383-B5E08E98EDA7}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{08522ACE-59D3-4F72-B5CF-34E5E565486B}C:\\users\\diana\\program files\\dna\\btdna.exe"= UDP:C:\users\diana\program files\dna\btdna.exe:btdna.exe
"UDP Query User{AA22E0E1-1D25-4E93-A823-2DBE6B2DA179}C:\\users\\diana\\program files\\dna\\btdna.exe"= TCP:C:\users\diana\program files\dna\btdna.exe:btdna.exe
"{BFCBF242-99E9-4E08-823E-69B325EEC1DF}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{0DE72326-39C0-408A-9B7F-034399E46CCB}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{E8BD29DA-9B38-47D1-9B40-8696A286F124}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{C17EAA6F-96DB-41CF-9E1D-C30AF1550580}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{31BD454F-E64A-4E31-BDFD-D9033FD10432}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{B77913C5-FE44-4C51-A0FE-DACADD3427FC}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{963A96F8-FCDA-4526-BAA4-648248260E25}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{C6BEBF02-C40D-46E3-8458-07966B90A2D3}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{89757332-4019-4F13-821D-CB52F9911102}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 CplIR;Embedded IR Driver;C:\Windows\system32\DRIVERS\CplIR.SYS [2007-03-06 15:01]
R0 LPCFilter;LPC Lower Filter Driver;C:\Windows\system32\DRIVERS\LPCFilter.sys [2006-07-28 16:25]
R0 tos_sps32;TOSHIBA tos_sps32 Service;C:\Windows\system32\DRIVERS\tos_sps32.sys [2007-04-27 21:13]
R1 epfwtdir;epfwtdir;C:\Windows\system32\DRIVERS\epfwtdir.sys [2007-12-21 09:21]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\Windows\system32\drivers\sp_rsdrv2.sys [2008-04-21 22:56]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 12:43]
R2 TNaviSrv;TOSHIBA Navi Support Service;C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe [2007-05-17 21:12]
R3 a