Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Resolved HJT Threads: resolved spyware and popup issues.
Old 11-01-2009, 09:17 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 7
OS: Windows xp home edition.SP3


Virus Controlling all Anti Spyware Applications

My OS: Windows XP Media Center Professional, SP3.
My problem and what I did so far: First, Antivirus System Pro got installed. Task Manager and regedit got disabled. I installed Malwarebytes and ran the update. The scan ran for a few minutes and the UI disappeared. When I clicked on the desktop shortcut, it said "Unable to find mbam.exe".
I did research over the internet and found the DOS command "taskkill" and killed a process called "sugpsysguard.exe". Then regedit worked and I deleted two registry keys as instructed in the article I found over the internet. The two keys I deleted were:
HKEY_LOCAL_MACHINE/SOFTWARE/Avg
HKEY_CURRENT_USER/Software/Microsoft/windows/currentversion/run "system tool"
I tried to install Malwarebytes after that (from USB, renaming, etc.) but it didn't work. I ran the ESET online scanner and it found 38 adware items, which I removed. After that, the popups were controlled to an extent and I was able to enable Task Manager by going to group policies. However, every time I clicked on Task Manager, or clicked on Run and typed cmd or regedit, first I would get a popup saying there is an antivirus attacking important files on my computer and I need to run an antivirus. If I left the popup untouched, I was able to use these applications, but if I closed the popup the application would close as well.
After more searching, I downloaded Spydoctor, which scanned and worked well, but it didn't remove any of the viruses because removal is not available with the free edition. On top of it, I got another new virus called "MaCatte". After MaCatte came in, surprisingly, Antivirus System Pro disappeared. The red 'x' on my taskbar disappeared, but now a red 'M' appeared. This program does not appear in Add/Remove Programs (Control Panel) or in C:/Programs, but there is a shortcut on the desktop and a folder in Start/Programs called MaCatte. I found out that by killing a process called mac.exe I was able to control MaCatte to an extent, but it was still affecting my browser. The browser became unstable and all searches I did on anti-spyware would go to some bad websites or be automatically redirected to unrelated websites. The Google image would not appear on the search results page. Also, on some webpages a message appears in a light yellow coloured bar at the top that says "your system might be at risk. Click here to protect with MaCatte."
Then I tried Spybot, but it was the same as Malwarebytes: the software ran for 3 minutes before closing. At this point I honestly don't know what else to do or how to proceed.
I read the instructions for posting on this website and here is what I did so far. I ran DDS and here is the first file. Attached is the zip from DDS and GMER. However, with GMER, it was scanning fine the first time. I saw a lot of red lines of code and I walked away for a few hours because the scan was taking long. When I came back the program had closed itself and there were no logs :( I restarted the scan and I attached the log I got from the second run. The two processes I disabled before I ran DDS and GMER are mac.exe and McShield.exe. I had to end McShield.exe because it was taking a lot of system memory and making the system crawl. I am unable to attach the logs to this message because when I click on Attachments, the virus is redirecting to a different page. Is there any other way I can send the zip file with the other two logs?
Please, please HELP!

Log from DDS:
DDS (Ver_09-10-26.01) - NTFSx86
Run by Deeps at 6:14:27.17 on Sun 11/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.433 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\Explorer.exe
C:\Oracle10\bin\omtsreco.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PIXELA\ImageMixer 3 SE Ver.3\CameraMonitor.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\Documents and Settings\Deeps\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.comcast.net/toolbar2.0/search/
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Comcast
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/
mWinlogon: Shell=Explorer.exe rundll32.exe dckp.suo printer
mWinlogon: userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: WPtectP Class: {60f9f4af-e03d-4784-8d3a-95f5aff5e9ea} - c:\documents and settings\all users\application data\microsoft\media\WPtect.dll
TB: &ESPN: {ae6f2894-af10-4c9c-b16e-1dfc6ff8c0c6} - c:\program files\espn\toolbar\DIGToolBar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [<NO NAME>]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [PopRock] c:\docume~1\deeps\locals~1\temp\a.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TPSMain] TPSMain.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [TFncKy] TFncKy.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [DIGStream] c:\program files\digstream\digstream.exe
mRun: [DIGServices] c:\program files\espnruntime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [wsc] c:\documents and settings\all users\application data\msca\mstdl.exe
mRun: [msc] c:\documents and settings\all users\application data\msca\msc.exe
mRun: [gisazakev] Rundll32.exe "c:\windows\system32\bulilufu.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se ver.3\CameraMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\siebel~1.lnk - c:\program files\siebel\7.8\web client\bin\autosync.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} - hxxp://www.andhrajyothy.com/wfplayer/tdserver.cab
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/41.22/uploader2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {B6E6EEF0-F5AA-4A4D-88EC-FF43FB2029E5} - hxxps://www-den.mytelevox.com/labcalls/cabs/TeleVoxAudioPlayer2.CAB
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {19CF227B-563A-47E5-8CBA-4DDDB34B292E} = 77.74.48.113
TCP: {26F9E0F6-E516-43A4-875C-93D5A5A29260} = 77.74.48.113
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\bulilufu.dll,gezafuje.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: pemaripol - {53deafa8-2544-44bd-81ba-e86a74cc7599} - c:\windows\system32\bulilufu.dll
STS: mujuzedij: {53deafa8-2544-44bd-81ba-e86a74cc7599} - c:\windows\system32\bulilufu.dll
SEH: ShHook Class: {a5949e07-8536-4625-a3d0-2dd83f559990} - c:\windows\system32\ShellHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll
LSA: Notification Packages = scecli c:\windows\system32\dotewawa.dll konazuki.dll

============= SERVICES / DRIVERS ===============

R1 SD;SHUNRA\Cloud WAN Emulator Miniport;c:\windows\system32\drivers\simdrv.sys [2007-12-8 80884]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2006-7-18 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [2004-8-10 47616]
R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [2007-6-4 10951]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-6-28 98816]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-24 24652]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\csvirta.sys --> c:\windows\system32\drivers\CSVirtA.sys [?]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\drivers\ioport.sys --> c:\sysprep\drivers\ioport.sys [?]
S3 isapeep;isapeep;\??\c:\windows\system32\isapeep.sys --> c:\windows\system32\isapeep.sys [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\pedrv.sys --> c:\sysprep\PEDrv.sys [?]

=============== Created Last 30 ================

2009-11-01 05:00:58 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-01 05:00:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-01 04:01:24 440 --sha-r- c:\documents and settings\deeps\ntuser.pol
2009-11-01 04:00:30 0 d--h--w- c:\windows\system32\GroupPolicy
2009-11-01 01:35:52 0 d-----w- C:\42943b1d19112b9d322eb7
2009-11-01 00:11:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 00:11:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-01 00:11:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 05:32:43 0 ----a-w- c:\windows\system32\5705.exe
2009-10-31 05:26:55 0 d-----w- c:\docume~1\alluse~1\applic~1\msca
2009-10-31 02:52:41 0 ----a-w- c:\windows\system32\6334.exe
2009-10-30 15:09:10 0 ----a-w- c:\windows\win32k.sys
2009-10-30 13:14:19 2713 --sh--w- c:\windows\system32\gehotimi.exe
2009-10-30 13:14:15 91648 --sh--w- c:\windows\system32\bulilufu.dll
2009-10-30 02:38:20 0 ----a-w- c:\windows\system32\24464.exe
2009-10-30 02:18:20 0 ----a-w- c:\windows\system32\26962.exe
2009-10-30 01:58:20 0 ----a-w- c:\windows\system32\29358.exe
2009-10-30 01:38:19 0 ----a-w- c:\windows\system32\11478.exe
2009-10-30 01:18:19 0 ----a-w- c:\windows\system32\15724.exe
2009-10-30 01:11:54 53760 ----a-w- c:\windows\system32\dubipoja.dll
2009-10-30 00:58:18 0 ----a-w- c:\windows\system32\19169.exe
2009-10-30 00:38:17 0 ----a-w- c:\windows\system32\26500.exe
2009-10-29 02:41:09 0 ----a-w- c:\windows\system32\18467.exe
2009-10-29 02:01:08 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-29 01:53:46 0 ----a-w- c:\windows\system32\41.exe
2009-10-29 01:53:43 0 ----a-w- c:\windows\system32\AVR09.exe
2009-10-29 01:53:12 0 ----a-w- c:\windows\system32\winhelper.dll
2009-10-29 01:51:47 0 d-----w- c:\program files\cblffb
2009-10-29 01:51:16 27136 ----a-w- c:\windows\system32\dckp.suo
2009-10-16 20:03:01 0 d-----w- c:\program files\Aniosoft iPod Music Smart Backup
2009-10-16 20:02:34 0 d-----w- c:\docume~1\deeps\applic~1\GetRightToGo
2009-10-16 19:55:23 0 d-----w- c:\program files\iDump (Freeware)
2009-10-16 16:22:17 0 d-----w- c:\program files\iPod
2009-10-16 16:22:08 0 d-----w- c:\program files\iTunes
2009-10-16 16:22:08 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}

==================== Find3M ====================

2009-09-16 14:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 04:32:23 157483 ----a-w- c:\windows\hpoins27.dat
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-28 23:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13:08 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:09 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-29 01:54:04 39424 --sha-w- c:\windows\system32\gadataji.dll
2009-07-30 01:23:06 53760 --sha-w- c:\windows\system32\gezafuje.dll
2009-07-30 01:13:18 83968 --sha-w- c:\windows\system32\hazikubu.exe
2009-07-30 13:13:31 39424 --sha-w- c:\windows\system32\jepafuzi.dll
2009-07-30 01:23:06 53760 --sha-w- c:\windows\system32\konazuki.dll
2009-07-30 13:13:31 86016 --sha-w- c:\windows\system32\ligijowe.exe
2009-07-30 01:13:18 39424 --sha-w- c:\windows\system32\mosowisi.dll
2009-07-30 01:13:18 45056 --sha-w- c:\windows\system32\nodoveki.dll
2009-07-30 01:13:19 9216 --sha-w- c:\windows\system32\rojideze.dll
2009-07-29 01:54:04 45056 --sha-w- c:\windows\system32\tinuhagu.dll
2009-07-30 13:13:31 45056 --sha-w- c:\windows\system32\tuzatazo.dll
2009-07-30 01:13:19 9216 --sha-w- c:\windows\system32\volizita.dll
2009-07-30 13:13:32 52224 --sha-w- c:\windows\system32\yavipeje.dll
2009-07-30 01:23:06 53760 --sha-w- c:\windows\system32\zenatosi.dll

============= FINISH: 6:16:55.96 ===============
Skanury is offline  
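As an added example (my own code, not from this thread, from DDS, or from any of the tools mentioned here), the Python below triages the kind of "Pseudo HJT Report" and file-listing lines that appear in the DDS log above. It flags the persistence points a helper reads first: a Winlogon Shell value with anything appended after Explorer.exe, extra executables in Userinit, a populated AppInit_DLLs, non-default LSA notification packages, autoruns launched from temp or profile-data directories or via rundll32 with a random-named DLL, and hidden files or zero-byte numeric .exe droppers in system32. The sample lines are copied from the log above plus two known-good lines; the "eight lowercase letters" name pattern, the staging-directory list and the expected Userinit path are my assumptions, not something DDS defines.

```python
import re

# Constructed sample: lines copied from the DDS log posted above, plus two
# known-good lines (ctfmon.exe and msasn1.dll) so both outcomes are visible.
SAMPLE_DDS_LINES = [
    "mWinlogon: Shell=Explorer.exe rundll32.exe dckp.suo printer",
    "mWinlogon: userinit=c:\\windows\\system32\\userinit.exe,c:\\windows\\system32\\sdra64.exe,",
    "uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe",
    "uRun: [PopRock] c:\\docume~1\\deeps\\locals~1\\temp\\a.exe",
    "mRun: [gisazakev] Rundll32.exe \"c:\\windows\\system32\\bulilufu.dll\",a",
    "AppInit_DLLs: c:\\windows\\system32\\bulilufu.dll,gezafuje.dll",
    "LSA: Notification Packages = scecli c:\\windows\\system32\\dotewawa.dll konazuki.dll",
    "2009-10-30 13:14:15 91648 --sh--w- c:\\windows\\system32\\bulilufu.dll",
    "2009-10-30 02:38:20 0 ----a-w- c:\\windows\\system32\\24464.exe",
    "2009-09-04 21:03:36 58880 ----a-w- c:\\windows\\system32\\msasn1.dll",
]

# Assumptions (mine): the only legitimate Userinit entry on XP, the directories
# a dropper typically stages from, and the random-name pattern seen in this log.
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"
STAGING_DIRS = ("\\temp\\", "\\application data\\")
RANDOM_NAME = re.compile(r"\\[a-z]{8}\.(?:dll|exe)\b", re.IGNORECASE)   # e.g. bulilufu.dll
NUMERIC_EXE = re.compile(r"\\\d+\.exe$", re.IGNORECASE)                  # e.g. 24464.exe
# DDS file line: date time size attrs path
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\d+) (\S{8}) (.+)$")


def triage_line(line):
    """Return the reasons one DDS line deserves a closer look (empty list = nothing noted)."""
    reasons = []
    low = line.lower()

    if low.startswith("mwinlogon: shell="):
        value = line.split("=", 1)[1].strip()
        if value.lower() != "explorer.exe":
            reasons.append("Winlogon Shell should be exactly Explorer.exe; extra command appended")

    elif low.startswith("mwinlogon: userinit="):
        entries = [e.strip().lower() for e in line.split("=", 1)[1].split(",") if e.strip()]
        extras = [e for e in entries if e != EXPECTED_USERINIT]
        if extras:
            reasons.append("Userinit runs extra executables: " + ", ".join(extras))

    elif low.startswith("appinit_dlls:"):
        if line.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs is populated; every GUI process loads these DLLs")

    elif low.startswith("lsa: notification packages"):
        pkgs = line.split("=", 1)[1].split()
        extras = [p for p in pkgs if p.lower() != "scecli"]
        if extras:
            reasons.append("Non-default LSA notification package(s): " + ", ".join(extras))

    elif low.startswith(("urun:", "mrun:")):
        if any(d in low for d in STAGING_DIRS):
            reasons.append("Autorun launches from a temp/profile data directory")
        if "rundll32" in low and RANDOM_NAME.search(line):
            reasons.append("Autorun uses rundll32 to load a random-named DLL")

    else:
        m = FILE_LINE.match(line)
        if m:
            size, attrs, path = int(m.group(1)), m.group(2), m.group(3)
            if "h" in attrs and RANDOM_NAME.search(path):
                reasons.append("Hidden-attribute file with random 8-letter name")
            if size == 0 and NUMERIC_EXE.search(path) and "\\system32\\" in path.lower():
                reasons.append("Zero-byte numeric-named .exe dropped in system32")

    return reasons


def triage(lines):
    """Map each flagged line to its reasons; lines with nothing noted are omitted."""
    result = {}
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            result[line] = reasons
    return result


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_DDS_LINES).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run against the whole DDS log, the script flags eight of the ten sample lines and leaves the two known-good ones alone. The Winlogon, Userinit, AppInit_DLLs and LSA checks need no pattern matching at all: those values have a single legitimate shape on XP, so anything extra is worth explaining before it is trusted.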

Old 11-04-2009, 07:21 PM   #2 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 7
OS: Windows xp home edition.SP3


BUMP PLEASE. Antispyware software not working.

Please help. I tried several anti-spyware programs and several tricks posted on the internet to make mbam work. Nothing works. The laptop won't boot in safe mode.
Thank you in advance.
Skanury is offline  
Old 11-04-2009, 09:04 PM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,945
OS: WinXP and Vista


Re: Virus Controlling all Anti Spyware Applications

Hello Skanury,

You have quite a few nasties on board. It will require more than 1 round to clean the system. Please stay with me until given the 'all clear' even if symptoms seem to abate.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.

To properly disable McAfee, open McAfee Security Centre
  • Under Common Tasks click on Home
  • Click Computer Files
  • Click Configure
  • Make sure the following are disabled by ticking the "Off" button.
    Virus protection
    Spyware protection
    System Guards Protection
    Script Scanning Protection (you may have to scroll down to see it)
  • Next, select never for "When to re-enable real time scanning"
  • and click OK.


====================================================


Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 11-04-2009, 10:36 PM   #4 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 7
OS: Windows xp home edition.SP3


Re: Virus Controlling all Anti Spyware Applications

Hello Ried,
I have been fighting this virus (or viruses) for the past week and I almost reformatted my hard drive. This forum was my last attempt before doing so, so a heartfelt thank you for your time, help and this website :)
I have pasted the ComboFix log at the end of this message. A few things I noticed after ComboFix ran:
1. I saw an error message that CFSServ.exe had encountered a problem and needed to be closed. I hit "Don't Send" when it asked me to report the problem to Microsoft. Is this something I need to be concerned about?
2. The webpages still show the yellow warning bar with the MaCatte text, and it allowed me to log in and access this site after a few tries. So I guess I am not completely rid of all my virus issues yet.
3. The MaCatte popups that I usually see before killing the process 'mac.exe' (I used to do this before running ComboFix to get rid of them) flashed on the screen and went away in 2 seconds. I don't know if this info is important, but I just thought I'd let you know just in case.
Thank you once again :)


ComboFix 09-11-04.02 - Deeps 11/04/2009 23:46.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.588 [GMT -5:00]
Running from: c:\documents and settings\Deeps\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Deeps\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\cblffb
c:\program files\cblffb\sugpsysguard.exe
c:\recycler\S-1-5-21-4028359202-722901303-932418291-500
c:\windows\Install.txt
c:\windows\kb913800.exe
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\29358.exe
c:\windows\system32\41.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\AVR09.exe
c:\windows\system32\bulilufu.dll
c:\windows\system32\dubipoja.dll
c:\windows\system32\FInstall.sys
c:\windows\system32\gadataji.dll
c:\windows\system32\gehotimi.exe
c:\windows\system32\gezafuje.dll
c:\windows\system32\Install.txt
c:\windows\system32\jepafuzi.dll
c:\windows\system32\konazuki.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\mosowisi.dll
c:\windows\system32\nodoveki.dll
c:\windows\system32\rojideze.dll
c:\windows\system32\sdra64.exe
c:\windows\system32\tinuhagu.dll
c:\windows\system32\tuzatazo.dll
c:\windows\system32\volizita.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\yavipeje.dll
c:\windows\system32\zenatosi.dll
c:\windows\TEMP\mta13187.dll
c:\windows\wiaserviv.log
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://81.222.236.97
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_TDSSSERV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_6to4
-------\Service_TDSSserv


((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-01 05:00 . 2009-11-04 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-01 05:00 . 2009-11-04 00:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-01 04:00 . 2009-11-04 00:42 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-11-01 01:35 . 2009-11-04 00:43 -------- d-----w- C:\42943b1d19112b9d322eb7
2009-11-01 00:11 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 00:11 . 2009-11-04 00:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 00:11 . 2009-09-10 19:53 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-31 05:26 . 2009-10-31 05:27 234520 ----a-w- c:\documents and settings\All Users\Application Data\msca\macinstall.exe
2009-10-31 05:26 . 2009-11-05 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\msca
2009-10-31 05:20 . 2009-10-31 19:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-30 21:10 . 2009-10-30 21:10 111616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Media\WPtect.dll
2009-10-30 20:07 . 2009-10-30 20:07 924082 ----a-w- c:\documents and settings\All Users\Application Data\msca\msc.exe
2009-10-30 15:09 . 2009-11-05 04:11 0 ----a-r- c:\windows\win32k.sys
2009-10-30 02:20 . 2009-10-30 02:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-10-30 02:13 . 2009-10-30 02:13 415612 ----a-w- c:\documents and settings\All Users\Application Data\msca\mcull.exe
2009-10-29 02:01 . 2009-10-29 02:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-16 20:03 . 2009-10-16 20:03 -------- d-----w- c:\program files\Aniosoft iPod Music Smart Backup
2009-10-16 20:02 . 2009-10-16 20:02 -------- d-----w- c:\documents and settings\Deeps\Application Data\GetRightToGo
2009-10-16 19:55 . 2009-10-16 20:00 -------- d-----w- c:\program files\iDump (Freeware)
2009-10-16 19:18 . 2009-10-16 19:18 -------- d-----w- c:\documents and settings\Deeps\Local Settings\Application Data\Cranium_Consulting_and_Cu
2009-10-16 16:22 . 2009-10-16 16:22 -------- d-----w- c:\program files\iPod
2009-10-16 16:22 . 2009-10-16 16:23 -------- d-----w- c:\program files\iTunes
2009-10-16 16:22 . 2009-10-16 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-16 16:17 . 2009-10-16 16:18 -------- d-----w- c:\program files\QuickTime
2009-10-16 16:03 . 2009-10-16 16:03 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 05:07 . 2006-11-05 05:18 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream
2009-11-05 04:14 . 2007-05-19 19:00 -------- d-----w- c:\documents and settings\Deeps\Application Data\ComcastToolbar
2009-10-23 13:30 . 2006-07-20 01:54 -------- d-----w- c:\program files\McAfee
2009-10-16 16:25 . 2006-10-26 02:04 -------- d-----w- c:\documents and settings\Deeps\Application Data\Apple Computer
2009-10-16 16:22 . 2008-05-10 05:04 -------- d-----w- c:\program files\Common Files\Apple
2009-09-27 17:03 . 2009-09-25 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-25 20:02 . 2009-09-25 20:02 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-09-23 12:15 . 2006-07-20 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-16 14:22 . 2008-12-29 02:15 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2008-12-29 02:15 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2008-12-29 02:15 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2008-12-29 02:15 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2008-12-29 02:15 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2006-07-19 00:47 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 04:32 . 2009-09-11 02:58 157483 ----a-w- c:\windows\hpoins27.dat
2009-09-11 03:11 . 2009-09-11 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-09-11 03:11 . 2009-09-11 03:11 -------- d-----w- c:\program files\Hewlett-Packard
2009-09-09 03:21 . 2006-07-19 22:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-09 02:22 . 2009-09-09 02:22 -------- d-----w- c:\program files\Cheetah Burner
2009-09-04 21:03 . 2006-07-19 00:47 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2006-07-19 00:48 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2006-07-19 00:47 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2006-07-19 00:46 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-28 23:42 . 2009-08-08 16:47 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 23:42 . 2009-08-08 16:47 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 03:13 . 2006-07-19 22:18 60136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 08:00 . 2006-07-19 00:48 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-14 21:04 . 2009-08-14 21:04 239088 ----a-w- c:\documents and settings\Deeps\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-07-30 01:13 . 2009-07-30 01:13 83968 --sha-w- c:\windows\system32\hazikubu.exe
2009-07-30 13:13 . 2009-07-30 13:13 86016 --sha-w- c:\windows\system32\ligijowe.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60F9F4AF-E03D-4784-8D3A-95F5AFF5E9EA}]
2009-10-30 21:10 111616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Media\WPtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-15 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-02 364544]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-26 299008]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-07-03 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-07-03 700416]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2006-02-10 278528]
"DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2006-07-14 106496]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-23 185896]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"msc"="c:\documents and settings\All Users\Application Data\msca\msc.exe" [2009-10-30 924082]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-08-23 16050688]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2006-03-18 89541]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"TFncKy"="TFncKy.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
ImageMixer 3 SE Camera Monitor Ver.3.lnk - c:\program files\PIXELA\ImageMixer 3 SE Ver.3\CameraMonitor.exe [2009-2-19 253952]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-7-19 155648]
Siebel TrickleSync.lnk - c:\program files\Siebel\7.8\web client\BIN\autosync.exe [2007-1-23 35328]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Siebel\\7.8\\web client\\BIN\\siebel.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Documents and Settings\\Deeps\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Deeps\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\FastNetSrv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SD;SHUNRA\Cloud WAN Emulator Miniport;c:\windows\system32\drivers\simdrv.sys [12/8/2007 6:35 PM 80884]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [7/18/2006 7:47 PM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/10/2004 7:00 AM 46592]
R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [6/4/2007 3:38 PM 10951]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 1:50 PM 98816]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/24/2008 6:02 PM 24652]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\DRIVERS\CSVirtA.sys --> c:\windows\system32\DRIVERS\CSVirtA.sys [?]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?]
S3 isapeep;isapeep;\??\c:\windows\system32\isapeep.sys --> c:\windows\system32\isapeep.sys [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BTWSRV
*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3480214452-740716301-2280870780-1006Core.job
- c:\documents and settings\Deeps\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-28 23:26]

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3480214452-740716301-2280870780-1006UA.job
- c:\documents and settings\Deeps\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-28 23:26]

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-29 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-29 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {19CF227B-563A-47E5-8CBA-4DDDB34B292E} = 77.74.48.113
TCP: {26F9E0F6-E516-43A4-875C-93D5A5A29260} = 77.74.48.113
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{97943856-e5b2-47c0-89f9-cc21310ecb74} - zenatosi.dll
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-wsc - c:\documents and settings\All Users\Application Data\msca\mstdl.exe
HKLM-Run-gisazakev - c:\windows\system32\bulilufu.dll
HKLM-Run-liyimajibu - konazuki.dll
SharedTaskScheduler-{53deafa8-2544-44bd-81ba-e86a74cc7599} - c:\windows\system32\bulilufu.dll
ShellExecuteHooks-{A5949E07-8536-4625-A3D0-2DD83F559990} - c:\windows\system32\ShellHook.dll
SSODL-pemaripol-{53deafa8-2544-44bd-81ba-e86a74cc7599} - c:\windows\system32\bulilufu.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-05 00:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\BtwSrv.dllx 45568 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5564)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\oracle10\bin\omtsreco.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\TODDSrv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSBattM.exe
c:\program files\TOSHIBA\ConfigFree\CFSServ.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\dwwin.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wmdtc.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\lsm32.sys
.
**************************************************************************
.
Completion time: 2009-11-05 0:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-05 05:20

Pre-Run: 42,932,441,088 bytes free
Post-Run: 47,499,350,016 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
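Before trusting this machine again, a responder would pull a few posture findings out of the ComboFix log above: Windows Security Center monitoring of both McAfee products is disabled, the XP firewall's standard profile is off while 3389/TCP is in the globally open ports list, two network interfaces carry a per-adapter DNS server entry, a Browser Helper Object loads WPtect.dll from All Users\Application Data, and catchme reports a hidden BtwSrv.dllx. The script below is an added example, not ComboFix's code and not part of this thread; it parses those sections and lists the findings. SAMPLE_LOG is constructed from lines of the log above (the same paths and values, not the whole log), the `kind` labels are this example's own naming, and the DNS address is only flagged for review, not asserted to be malicious.

```python
"""Flag security-posture findings in a ComboFix log.

Added example for this thread, not ComboFix's own code. It walks the
'Reg Loading Points', 'Supplementary Scan' and catchme sections and reports
entries a responder should review. SAMPLE_LOG is constructed from lines of
the log posted above (same paths and values, not the full log).
"""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60F9F4AF-E03D-4784-8D3A-95F5AFF5E9EA}]
2009-10-30 21:10 111616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Media\WPtect.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

TCP: {19CF227B-563A-47E5-8CBA-4DDDB34B292E} = 77.74.48.113
TCP: {26F9E0F6-E516-43A4-875C-93D5A5A29260} = 77.74.48.113

scanning hidden files ...

c:\windows\system32\BtwSrv.dllx 45568 bytes executable

scan completed successfully
hidden files: 1
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')
DNS_RE = re.compile(r"^TCP:\s*\{[0-9A-Fa-f-]+\}\s*=\s*(?P<ip>[0-9.]+)")
HIDDEN_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+\d+\s+bytes\s+executable$")
FILE_LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$")


def reg_number(val: str) -> int:
    """ComboFix prints REG_DWORD as 'dword:00000001' or '0 (0x0)'; we only
    need zero versus non-zero, so the leading hex digits are enough."""
    m = re.match(r"(?:dword:)?([0-9A-Fa-f]+)", val)
    return int(m.group(1), 16) if m else -1


def audit_combofix(text: str) -> List[Dict[str, str]]:
    """Return findings as {'kind': ..., 'detail': ...} in log order."""
    findings: List[Dict[str, str]] = []
    key_raw, key = "", ""  # registry key of the block we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key_raw = m.group("key")
            key = key_raw.lower()
            continue
        m = DNS_RE.match(line)  # per-interface NameServer override: review the address
        if m:
            findings.append({"kind": "dns_override", "detail": m.group("ip")})
            continue
        m = HIDDEN_RE.match(line)  # catchme: a file hidden from the Win32 API
        if m:
            findings.append({"kind": "hidden_file", "detail": m.group("path")})
            continue
        m = VALUE_RE.match(line)
        if m:
            name, val = m.group("name").lower(), m.group("val").strip()
            leaf = key_raw.rsplit("\\", 1)[-1]  # product or profile name
            if "security center\\monitoring" in key and name == "disablemonitoring" \
                    and reg_number(val) != 0:
                findings.append({"kind": "security_center_monitoring_disabled", "detail": leaf})
            elif "firewallpolicy" in key and name == "enablefirewall" and reg_number(val) == 0:
                findings.append({"kind": "firewall_disabled", "detail": leaf})
            elif key.endswith("globallyopenports\\list"):
                findings.append({"kind": "open_port", "detail": m.group("name")})
            continue
        if "browser helper objects" in key:
            m = FILE_LINE_RE.match(line)  # the file line printed under a BHO CLSID key
            if m:
                findings.append({"kind": "bho", "detail": m.group("path")})
    return findings


def render(findings: List[Dict[str, str]]) -> str:
    """One line per finding, e.g. 'open_port: 3389:TCP'."""
    return "\n".join(f"{f['kind']}: {f['detail']}" for f in findings)


if __name__ == "__main__":
    print(render(audit_combofix(SAMPLE_LOG)))
```

Run it against a full ComboFix log by reading the file and passing its text to `audit_combofix`; each finding maps back to one line of the log, so the output doubles as a checklist of what to re-enable (Security Center monitoring, the firewall), close (3389/TCP), and verify (the DNS entries and the hidden file) after cleanup.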
Old 11-04-2009, 10:52 PM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,945
OS: WinXP and Vista


Re: Virus Controlloing all Anti Spyware Applications

You're welcome, Skanury. This round shall take care of that. ;)

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/427830-virus-controlloing-all-anti-spyware-applications.html#post2426853

Collect::
c:\windows\system32\hazikubu.exe
c:\windows\system32\ligijowe.exe
c:\documents and settings\All Users\Application Data\Microsoft\Media\WPtect.dll
c:\windows\system32\BtwSrv.dllx
c:\windows\system32\lsm32.sys

Folder::
c:\documents and settings\All Users\Application Data\Microsoft\Media
c:\documents and settings\All Users\Application Data\msca

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************

Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
===============================

Try again to run a scan with Malwarebytes. Post the results of the scan if it ran for you. If it still will not run, please describe what happens when you try to run it.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 11-05-2009, 08:53 AM   #6 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 7
OS: Windows xp home edition.SP3


Re: Virus Controlloing all Anti Spyware Applications

Ried, I followed all the steps and got to the point where ComboFix rebooted my laptop. After rebooting, the MaCatte process (mac.exe) became live again and this time the popups stuck around. ComboFix kept preparing the log and in the meantime there was a fake blue screen showing the physical dump, followed by a fake Windows restarting screen. After a minute, I was able to see my desktop with the ComboFix window and all other icons, but shortly after that the laptop stopped responding. Everything froze, including the mouse. So, I shut it down.
I will try this again this evening when I get home, but should I kill mac.exe while ComboFix is trying to generate the log? It says not to run any programs, so I refrained from doing that the last time. Please advise.
Old 11-05-2009, 07:44 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 7
OS: Windows xp home edition.SP3


Re: Virus Controlloing all Anti Spyware Applications

Ried, I took a chance and ran it again. This time it worked without any hiccups. I have attached both the ComboFix and Malwarebytes logs. I don't see the MaCatte icon on the desktop or the yellow bar in IE anymore. PHEW!

COMBOFIX
ComboFix 09-11-04.02 - Deeps 11/05/2009 19:08.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.531 [GMT -5:00]
Running from: c:\documents and settings\Deeps\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Deeps\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

file zipped: c:\documents and settings\All Users\Application Data\Microsoft\Media\WPtect.dll
file zipped: c:\windows\system32\hazikubu.exe
file zipped: c:\windows\system32\ligijowe.exe
file zipped: c:\windows\system32\lsm32.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Media
c:\documents and settings\All Users\Application Data\Microsoft\Media\WPtect.dll
c:\documents and settings\All Users\Application Data\msca
c:\documents and settings\All Users\Application Data\msca\MaCatte.ico
c:\documents and settings\All Users\Application Data\msca\macinstall.exe
c:\documents and settings\All Users\Application Data\msca\mcull.exe
c:\documents and settings\All Users\Application Data\msca\msc.exe
c:\documents and settings\All Users\Application Data\msca\Viruses.dat
c:\windows\Install.txt
c:\windows\system32\hazikubu.exe
c:\windows\system32\Install.txt
c:\windows\system32\ligijowe.exe
c:\windows\system32\lsm32.sys
c:\windows\TEMP\mta13187.dll
c:\windows\TEMP\tmp0_633264260702.bk.old
c:\windows\TEMP\x1c96723.dll
.
---- Previous Run -------
.
c:\windows\system32\Install.txt
c:\windows\TEMP\mta13187.dll
c:\windows\TEMP\tmp0_659907490632.bk.old
c:\windows\TEMP\x1c73042.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

2009-11-01 05:00 . 2009-11-04 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-01 05:00 . 2009-11-04 00:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-01 04:00 . 2009-11-04 00:42 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-11-01 01:35 . 2009-11-04 00:43 -------- d-----w- C:\42943b1d19112b9d322eb7
2009-11-01 00:11 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 00:11 . 2009-11-04 00:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 00:11 . 2009-09-10 19:53 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-31 05:20 . 2009-10-31 19:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-30 15:09 . 2009-11-05 04:11 0 ----a-r- c:\windows\win32k.sys
2009-10-30 02:20 . 2009-10-30 02:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-10-29 02:01 . 2009-10-29 02:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-16 20:03 . 2009-10-16 20:03 -------- d-----w- c:\program files\Aniosoft iPod Music Smart Backup
2009-10-16 20:02 . 2009-10-16 20:02 -------- d-----w- c:\documents and settings\Deeps\Application Data\GetRightToGo
2009-10-16 19:55 . 2009-10-16 20:00 -------- d-----w- c:\program files\iDump (Freeware)
2009-10-16 19:18 . 2009-10-16 19:18 -------- d-----w- c:\documents and settings\Deeps\Local Settings\Application Data\Cranium_Consulting_and_Cu
2009-10-16 16:22 . 2009-10-16 16:22 -------- d-----w- c:\program files\iPod
2009-10-16 16:22 . 2009-10-16 16:23 -------- d-----w- c:\program files\iTunes
2009-10-16 16:22 . 2009-10-16 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-16 16:17 . 2009-10-16 16:18 -------- d-----w- c:\program files\QuickTime
2009-10-16 16:03 . 2009-10-16 16:03 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 00:04 . 2006-11-05 05:18 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream
2009-11-05 04:14 . 2007-05-19 19:00 -------- d-----w- c:\documents and settings\Deeps\Application Data\ComcastToolbar
2009-10-23 13:30 . 2006-07-20 01:54 -------- d-----w- c:\program files\McAfee
2009-10-16 16:25 . 2006-10-26 02:04 -------- d-----w- c:\documents and settings\Deeps\Application Data\Apple Computer
2009-10-16 16:22 . 2008-05-10 05:04 -------- d-----w- c:\program files\Common Files\Apple
2009-09-27 17:03 . 2009-09-25 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-25 20:02 . 2009-09-25 20:02 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-09-23 12:15 . 2006-07-20 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-16 14:22 . 2008-12-29 02:15 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2008-12-29 02:15 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2008-12-29 02:15 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2008-12-29 02:15 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2008-12-29 02:15 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2006-07-19 00:47 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 04:32 . 2009-09-11 02:58 157483 ----a-w- c:\windows\hpoins27.dat
2009-09-11 03:11 . 2009-09-11 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-09-11 03:11 . 2009-09-11 03:11 -------- d-----w- c:\program files\Hewlett-Packard
2009-09-09 03:21 . 2006-07-19 22:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-09 02:22 . 2009-09-09 02:22 -------- d-----w- c:\program files\Cheetah Burner
2009-09-04 21:03 . 2006-07-19 00:47 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2006-07-19 00:48 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2006-07-19 00:47 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2006-07-19 00:46 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-28 23:42 . 2009-08-08 16:47 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 23:42 . 2009-08-08 16:47 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 03:13 . 2006-07-19 22:18 60136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 08:00 . 2006-07-19 00:48 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-14 21:04 . 2009-08-14 21:04 239088 ----a-w- c:\documents and settings\Deeps\Application Data\Mozilla\plugins\npgoogletalk.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-05_05.06.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-06 00:23 . 2009-11-06 00:23 16384 c:\windows\Temp\Perflib_Perfdata_26c.dat
+ 2004-08-10 12:00 . 2004-08-10 12:00 88064 c:\windows\system32\wmdtc.exe
+ 2004-08-10 12:00 . 2004-08-10 12:00 88064 c:\windows\system32\opeia.exe
+ 2004-08-10 12:00 . 2004-08-10 12:00 47616 c:\windows\system32\FastNetSrv.exe
+ 2006-07-19 02:40 . 2009-11-06 00:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-07-19 02:40 . 2009-11-05 04:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-05 14:29 . 2009-11-06 00:04 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-05 14:29 . 2009-05-26 11:40 382840 c:\windows\ie7updates\KB976749-IE7\spuninst\updspapi.dll
+ 2009-11-05 14:29 . 2009-05-26 11:40 231288 c:\windows\ie7updates\KB976749-IE7\spuninst\spuninst.exe
- 2006-07-19 00:47 . 2009-08-29 07:36 3598336 c:\windows\system32\mshtml.dll
+ 2006-07-19 00:47 . 2009-10-21 04:08 3598336 c:\windows\system32\mshtml.dll
+ 2008-04-21 06:44 . 2009-10-21 04:08 3598336 c:\windows\system32\dllcache\mshtml.dll
- 2008-04-21 06:44 . 2009-08-29 07:36 3598336 c:\windows\system32\dllcache\mshtml.dll
+ 2009-11-05 14:29 . 2009-08-29 07:36 3598336 c:\windows\ie7updates\KB976749-IE7\mshtml.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-15 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\documents and settings\Deeps\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-28 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-02 364544]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-26 299008]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-07-03 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-07-03 700416]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2006-02-10 278528]
"DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2006-07-14 106496]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-23 185896]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-08-23 16050688]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2006-03-18 89541]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"TFncKy"="TFncKy.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
ImageMixer 3 SE Camera Monitor Ver.3.lnk - c:\program files\PIXELA\ImageMixer 3 SE Ver.3\CameraMonitor.exe [2009-2-19 253952]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-7-19 155648]
Siebel TrickleSync.lnk - c:\program files\Siebel\7.8\web client\BIN\autosync.exe [2007-1-23 35328]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Siebel\\7.8\\web client\\BIN\\siebel.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Documents and Settings\\Deeps\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Deeps\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\FastNetSrv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SD;SHUNRA\Cloud WAN Emulator Miniport;c:\windows\system32\drivers\simdrv.sys [12/8/2007 6:35 PM 80884]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [7/18/2006 7:47 PM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/10/2004 7:00 AM 47616]
R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [6/4/2007 3:38 PM 10951]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 1:50 PM 98816]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/24/2008 6:02 PM 24652]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\DRIVERS\CSVirtA.sys --> c:\windows\system32\DRIVERS\CSVirtA.sys [?]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?]
S3 isapeep;isapeep;\??\c:\windows\system32\isapeep.sys --> c:\windows\system32\isapeep.sys [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3480214452-740716301-2280870780-1006Core.job
- c:\documents and settings\Deeps\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-28 23:26]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3480214452-740716301-2280870780-1006UA.job
- c:\documents and settings\Deeps\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-28 23:26]

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-29 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-29 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {19CF227B-563A-47E5-8CBA-4DDDB34B292E} = 77.74.48.113
TCP: {26F9E0F6-E516-43A4-875C-93D5A5A29260} = 77.74.48.113
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{60F9F4AF-E03D-4784-8D3A-95F5AFF5E9EA} - c:\documents and settings\All Users\Application Data\Microsoft\Media\WPtect.dll
HKLM-Run-msc - c:\documents and settings\All Users\Application Data\msca\msc.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-05 19:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1768)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\oracle10\bin\omtsreco.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\TODDSrv.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\windows\system32\TPSBattM.exe
c:\program files\TOSHIBA\ConfigFree\CFSServ.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-11-06 19:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-06 00:37
ComboFix2.txt 2009-11-05 05:20

Pre-Run: 47,557,382,144 bytes free
Post-Run: 47,518,830,592 bytes free

MALWARE
Malwarebytes' Anti-Malware 1.41
Database version: 3109
Windows 5.1.2600 Service Pack 3

11/5/2009 8:40:57 PM
mbam-log-2009-11-05 (20-40-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 228414
Time elapsed: 48 minute(s), 30 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 1
Registry Keys Infected: 10
Registry Values Infected: 9
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 64

Memory Processes Infected:
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\system32\opeia.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\BtwSrv.dll (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\btwsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\btwsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c277b942-1f68-486b-8f95-6e486a13f148} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\isapeep (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FASTNETSRV (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{19cf227b-563a-47e5-8cba-4dddb34b292e}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{26f9e0f6-e516-43a4-875c-93d5a5a29260}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{19cf227b-563a-47e5-8cba-4dddb34b292e}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{26f9e0f6-e516-43a4-875c-93d5a5a29260}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{19cf227b-563a-47e5-8cba-4dddb34b292e}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{26f9e0f6-e516-43a4-875c-93d5a5a29260}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opeia.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BtwSrv.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\msca\macinstall.exe.vir (Rogue.GreenAV) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gezafuje.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bulilufu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dubipoja.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gadataji.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jepafuzi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\konazuki.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mosowisi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nodoveki.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rojideze.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tinuhagu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tuzatazo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\volizita.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yavipeje.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zenatosi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\Temp\tmp0_633264260702.bk.old.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\Temp\tmp0_659907490632.bk.old.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060830.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060855.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060856.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060888.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060889.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060891.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060893.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060894.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060895.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060897.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060898.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060899.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060900.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060901.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060903.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060904.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060905.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060906.old (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060907.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060908.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060923.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060924.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060925.old (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060926.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060928.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP437\A0060896.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP438\A0061066.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP438\A0061067.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP438\A0061068.old (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP438\A0061069.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP438\A0061071.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP438\A0061189.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP438\A0061190.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP438\A0061191.old (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP438\A0061192.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP438\A0061193.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP438\A0061290.exe (Rogue.GreenAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP438\A0061448.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP438\A0061449.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dckp.suo (Backdoor.Bredavi) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wmdtc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\MaCatte.lnk (Rogue.MaCatte) -> Quarantined and deleted successfully.
Old 11-05-2009, 08:44 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,576
OS: 2000 Pro; XP Pro; XP Home


Re: Virus Controlloing all Anti Spyware Applications

Hello, Skanury -

Ried will be away from the PC for a time, and has asked me to look in.


Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------


Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

Also let us know how the machine is behaving now.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 11-06-2009, 05:33 PM   #9 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 7
OS: Windows xp home edition.SP3


Re: Virus Controlloing all Anti Spyware Applications

Hi tetonbob,
Thank you for following up. I appreciate the help! Please find the requested logs attached. My laptop is behaving normally. It's back to the pre-virus status. I didn't notice any popups, sluggishness or anything else other than usual.
It used to run a bit slow and get overheated very quickly before the virus, and it does the same now as well. I had a couple of questions:
1. My iPhone was and is on the same wireless network as my laptop was. I feel it's been acting sluggish lately. Is it just my imagination or can my phone have a virus? :(
2. Can I turn McAfee back on again?

Thank you again for your time and help :)

Kaspersky Report
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, November 6, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, November 06, 2009 12:05:43
Records in database: 3156015


Scan settings
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: no

Scan area: My Computer
C:\
D:\

Scan statistics
Objects scanned: 206200
Threats found: 3
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 04:51:07

File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir / Infected: Rootkit.Win32.TDSS.u / 1
C:\Qoobox\Quarantine\[4]-Submit_2009-11-05_19.08.17.zip / Infected: Trojan.Win32.FraudPack.yll / 1
C:\Qoobox\Quarantine\[4]-Submit_2009-11-05_19.08.17.zip / Infected: Trojan.Win32.VB.xzn / 1

Selected area has been scanned.


Add Programs.txt


32 Bit HP CIO Components Installer
Adobe Acrobat 6.0 Professional
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bluetooth Stack for Windows by Toshiba
Bonjour
BufferChm
BUM
Canon Camera Access Library
Canon Camera Support Core Library
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCScore
CD/DVD Drive Acoustic Silencer
Citrix Presentation Server Client - Web Only
CloudServices
Comcast High-Speed Internet Install Wizard
Comcast Toolbar
Copy
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder
Desktop Dialer
Destination Component
DeviceDiscovery
DivX Content Uploader
DivX Web Player
DJ_AIO_03_F2200_ProductContext
DJ_AIO_03_F2200_Software
DJ_AIO_03_F2200_Software_Min
DVD-RAM Driver
ESPN Java Check
ESPN RunTime
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSTOOLS
essvatgt
F2200
F2200_Help
Google Talk (remove only)
Google Talk Plugin
Google Toolbar for Internet Explorer
GPBaseService
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB945060-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Customer Participation Program 10.0
HP Deskjet F2200 All-In-One Driver Software 10.0 Rel .3
HP Imaging Device Functions 10.0
HP Photosmart Essential 2.5
HP Smart Web Printing
HP Solution Center 10.0
HP Update
HPProductAssistant
HPSSupply
ImageMixer 3 SE Ver.3
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
iPod Music Smart Backup 2.1.8
iTunes
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 13
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
KODAK EASYSHARE Gallery Easy Upload, v2.1
KODAK EASYSHARE Gallery Upload ActiveX Control
Kodak EasyShare software
Logitech Harmony Remote Software 7
Malwarebytes' Anti-Malware
MarketResearch
McAfee SecurityCenter
mCore
mDrWiFi
mHelp
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft XML Parser
mIWA
mLogView
mMHouse
MobileMe Control Panel
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mXML
mZConfig
netbrdg
Netflix Movie Viewer
Office 2003 Trial Assistant
OfotoXMI
Oracle Data Provider for .NET Help
Otto
PSSWCORE
QuickTime
RealPlayer
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Remote Control USB Driver
Rhapsody Player Engine
Scan
SD Secure Module
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SFR
SHASTA
Shop for HP Supplies
Siebel Systems Uninstallation Manager
skin0001
SKINXSDK
SmartWebPrintingOC
SolutionCenter
Sonic Encoders
SopCast 3.0.3
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
staticcr
Status
Synaptics Pointing Device Driver
Toolbox
tooltips
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Direct Disc Writer
TOSHIBA Disc Creator
TOSHIBA Game Console
TOSHIBA Hotkey Utility
Toshiba Media Center Game Console
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA Recovery Disc Creator
Toshiba Registration
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Utilities
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Touch and Launch
TrayApp
TVAnts 1.0
TVUPlayer 2.4.5.3
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Veoh Video Compass
Veoh Web Player
VeohTV BETA
VideoLAN VLC media player 0.8.6d
VideoToolkit01
Viewpoint Media Player
VPRINTOL
WebFldrs XP
WebReg
WildTangent Web Driver
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB894553
Windows XP Media Center Edition 2005 KB895678
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
WIRELESS
Yahoo! Messenger
Old 11-06-2009, 05:45 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,576
OS: 2000 Pro; XP Pro; XP Home


Re: Virus Controlling all Anti Spyware Applications

Hi Skanury -

Just to quickly reply to this question

Quote:
2. Can I turn on McAfee back on again?
Yes, please.

Ried or I will review the other questions and logs, and post new instructions as soon as we can.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 11-06-2009, 10:32 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,945
OS: WinXP and Vista


Re: Virus Controlling all Anti Spyware Applications

Hello Skanury, and thank you, tetonbob.

As far as iPhones getting infected, it would be difficult since they are based on MAC OS, not Windows, so the odds are pretty slim. See this link. I did find a reference to a specific infection here -->http://news.softpedia.com/news/iPhon...oo-75534.shtml but as is mentioned in that link, it's through a specific download, not interaction with an infected computer. As a side note, if it were to become infected, there isn't much we could do for you in this venue.

=======================


Outdated Java:

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs)

J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1


These are all outdated, and having them still installed is a security risk. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Java(TM) 6 Update 13 can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

--------------------------------------------------------------------

Kaspersky's findings are backups created during the course of this fix which we shall be clearing now.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /uninstall

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


- Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

- Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.



- Most importantly, Think Prevention

-----------------------------------------------------


**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
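As an added illustration of the outdated-Java point in the post above (example code, not from the thread or from Ried): a small script that parses an Add/Remove Programs list like the one posted earlier, picks out every Sun JRE entry and reports all but the newest as stale. The "Java(TM) 6 Update 13" entry and the other non-Java names are constructed sample input; the regex covers the three JRE naming schemes that appear in the uninstall list.

```python
import re

# Constructed sample: entries as they appear in the thread's uninstall
# list, plus an assumed "Update 13" entry standing in for the current JRE.
INSTALLED_PROGRAMS = [
    "Adobe Reader 8.1.2",
    "J2SE Runtime Environment 5.0 Update 11",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java(TM) 6 Update 3",
    "Java(TM) 6 Update 5",
    "Java(TM) 6 Update 7",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "Java(TM) 6 Update 13",   # assumed: the install to keep and update
    "Spybot - Search & Destroy",
]

# Matches the three display-name schemes Sun used for the JRE in this era.
JRE_RE = re.compile(
    r"^(?:J2SE Runtime Environment|Java\(TM\)(?: SE Runtime Environment)?)"
    r" (\d+)(?:\.0)? Update (\d+)$"
)

def parse_jre(name):
    """Return (major, update) for a JRE entry, or None for anything else."""
    m = JRE_RE.match(name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))

def outdated_jres(programs):
    """Return (stale_entries, newest_entry); stale ones are sorted oldest first.

    Old runtimes stay behind after an update and remain exploitable, so
    every JRE except the single highest (major, update) is reported.
    """
    versions = {}
    for name in programs:
        v = parse_jre(name)
        if v is not None:
            versions[name] = v
    if not versions:
        return [], None
    newest = max(versions, key=versions.get)
    stale = sorted((n for n in versions if n != newest), key=versions.get)
    return stale, newest

if __name__ == "__main__":
    stale, newest = outdated_jres(INSTALLED_PROGRAMS)
    print("keep:  ", newest)
    for name in stale:
        print("remove:", name)
```

Run against the list in the thread, it names the six entries Ried asked to uninstall and keeps only the newest one.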
Old 11-07-2009, 04:24 PM   #12 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 7
OS: Windows xp home edition.SP3


Re: Virus Controlling all Anti Spyware Applications

Ried and Tetonbob, Thank you guys so much for all your assistance. My laptop is back to normal. Please consider this thread resolved. You guys are awesome!
Ried - I have downloaded and deleted outdated programs as per your suggestions. Thank you again
Old 11-07-2009, 09:06 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,945
OS: WinXP and Vista


Re: Virus Controlling all Anti Spyware Applications

You're welcome, Skanury.

Take care.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Copyright 2001 - 2009, Tech Support Forum