-
ComboFix 07-12-21.4 - **** 2007-12-26 10:50:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.106 [GMT -5:00]Running from: C:\Documents and Settings\****\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\rqrpp.dll
.
((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.
2007-12-26 11:14 . 2007-12-26 11:14 388,608 --a------ C:\WINDOWS\system32\cmd .exe
2007-12-24 20:56 . 2007-12-26 11:13 335,360 --a------ C:\WINDOWS\system32\rqrpp.exe
2007-12-24 20:34 . 2007-12-26 11:06 331,776 --------- C:\WINDOWS\system32\rqrpp.dll
2007-12-23 12:53 . 2007-12-23 12:53 <DIR> d-------- C:\WINDOWS\ppqvmpqr
2007-12-22 23:11 . 2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-21 23:45 . 2007-12-21 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-12-20 18:14 . 2007-12-20 18:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2007-12-19 20:48 . 2007-12-19 20:48 <DIR> d-------- C:\WINDOWS\system32\njprckha
2007-12-19 19:45 . 2007-12-22 23:04 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-19 19:43 . 2007-12-24 20:45 94,208 --a------ C:\WINDOWS\MXOALDR .EXE
2007-12-19 19:42 . 2007-12-24 20:44 94,208 --a------ C:\WINDOWS\SM1BG .EXE
2007-12-19 19:41 . 2007-12-22 14:00 339,968 --a------ C:\WINDOWS\system32\hphmon04 .exe
2007-12-19 19:39 . 2007-12-22 13:58 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe
2007-12-19 19:39 . 2007-12-22 13:57 126,976 --a------ C:\WINDOWS\system32\hkcmd .exe
2007-12-17 20:10 . 2007-12-17 21:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-17 20:10 . 2007-12-17 20:10 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect
2007-12-06 17:28 . 2007-12-26 02:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor
2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks
2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 16:13 430,592 ----a-w C:\WINDOWS\SM1BG.EXE
2007-12-26 16:13 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE
2007-12-26 16:13 --------- d-----w C:\Program Files\QuickTime
2007-12-26 16:12 --------- d-----w C:\Program Files\Notebook Maximizer
2007-12-26 16:12 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-26 16:12 --------- d-----w C:\Program Files\ltmoh
2007-12-26 16:12 --------- d-----w C:\Program Files\BitTorrent_DNA
2007-12-23 04:50 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent DNA
2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro
2007-12-20 23:41 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-19 13:53 --------- d-----w C:\Program Files\eMule
2007-12-19 03:47 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent
2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN
2007-11-18 20:14 --------- d-----w C:\Program Files\iNav
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile
2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools
2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent
2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\****\GoToAssist_chat2way__317_en.exe
2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\****\chatlnk.exe
2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE8297E5-2CA0-46EF-BD44-6EFDDA4A96E2}]
2007-12-26 11:06 331776 --------- C:\WINDOWS\system32\rqrpp.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-26 11:12]
"OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [2007-12-26 11:21]
"SpriteService"="" []
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna .exe" [2007-12-26 11:25]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-26 11:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-26 11:12]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2007-12-26 11:12]
"NDSTray.exe"="NDSTray.exe" []
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-12-26 11:12]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-12-26 11:12]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2007-12-26 11:12]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2007-12-26 11:12]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2007-12-26 11:19]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" []
"TFncKy"="TFncKy.exe" []
"TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2007-12-26 11:12]
"Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2007-12-26 11:12]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" []
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" []
"pccguide.exe"="C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe" [2007-12-26 11:13]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2007-12-26 11:13]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-12-26 11:13]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-12-26 11:13]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-12-26 11:13]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-12-26 11:13]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-12-26 11:13]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" []
"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2007-12-26 11:13]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2007-12-26 11:13]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-26 11:21]
C:\Documents and Settings\..............................................................................................................................................................................................................................................\Start Menu\Programs\Startup\
Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34]
PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2006-01-27 05:12 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\rqrpp.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]
2005-10-04 18:09 57344 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]
2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]
2005-10-04 18:10 155757 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}]
\Shell\AutoRun\command - E:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}]
\Shell\AutoRun\command - setupSNK.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 11:17:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\pprqr.ini 493 bytes
C:\WINDOWS\system32\pprqr.ini2 493 bytes
scan completed successfully
hidden files: 2
**************************************************************************
.
Completion time: 2007-12-26 11:33:33 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-24 20:42
C:\ComboFix3.txt ... 2007-12-24 01:34
.
2007-12-21 14:19:06 --- E O F ---
-
Hi
You seem to have file infecting vundo.
I have to ask first that you have CDs/DVDs for these programs?
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-26 11:12]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [2007-12-26 11:21]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna .exe" [2007-12-26 11:25]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-26 11:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-26 11:12]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2007-12-26 11:12]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-12-26 11:12]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-12-26 11:12]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2007-12-26 11:12]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2007-12-26 11:12]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2007-12-26 11:19]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2007-12-26 11:12]
"Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2007-12-26 11:12]
"pccguide.exe"="C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe" [2007-12-26 11:13]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2007-12-26 11:13]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-12-26 11:13]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-12-26 11:13]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-12-26 11:13]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-12-26 11:13]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-12-26 11:13]
"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2007-12-26 11:13]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2007-12-26 11:13]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-26 11:21]
They are all infected and need to be replaced with fresh copies.
-
I'm not even sure what some of those things are. A bunch of them look like programs that came pre-installed with my computer and some of them are programs that I installed myself.
The Scansoft entries are for my scanner so I definitely have the discs.
Retrosoft is for my external USB drive that I use to back up my computer so I definitely have that.
I'm not sure what PCGUIDE is but it appears to be related to my Trend Micro PC-Cillin so I can definitely reinstall that.
What can I do if I don't have discs for some of these or if I have no clue what they are?
-
Hi
Well if you don't have, then you may not be able to use those programs anymore, unfortunately.
We need to do some scans next:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
Please click this link-->Jotti
When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
C:\WINDOWS\system32\ndaTqsVqrX.dll
Repeat step for this:
C:\WINDOWS\system32\ctfmon .exe (note space before .exe)
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
-
Does my Trend Micro anti-virus software need to be disabled before I run either of those programs?
-
-
I couldn't even find C:\WINDOWS\system32\ndaTqsVqrX.dll (I'm 100% sure I'm showing all hidden files including protected operating system files). I even went in through Explorer to look for it and it's definitely not there.
For C:\WINDOWS\system32\ctfmon .exe, all of the results on Jotti said "Found nothing". At the top of the window though it says Bit9 reports: High Threat Detected.
On VirusTotal, FileAdvisor reported "High threat detected". The rest on there just have a "-" under result and the total result says 1/32 (3.13%).
-
Hi
Thanks for info.
This is the next step:
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
You will now be presented with a screen similar to the one below:
http://img.bleepingcomputer.com/tuto...nstall-man.jpg
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
-
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Anapod CopyGear (remove only)
Anapod Explorer (remove only)
ArcSoft Software Suite
BT8010 Control Center version 1.3
CD/DVD Drive Acoustic Silencer
CodeWallet Pro 2006 for Windows Mobile
Cypress USB Mass Storage Driver Installation
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD-RAM Driver
eMule
English skin
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB926239)
HP Photo and Imaging 1.0 - HP Photosmart Printer Series
iGuidance
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless Software
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
iPod for Windows 2006-06-28
iTunes
J2SE Runtime Environment 5.0
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
Maxtor OneTouch
mCore
MediaJoin
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office OneNote 2003
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
mIWA
mIWCA
mLogView
mMHouse
mPfMgr
mPfWiz
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Musicmatch® Jukebox
mXML
mZConfig
Notebook Maximizer
OfotoNow
OneTouch 4.0
PdaNet for Windows Mobile 1.80
PeerGuardian 2.0
Photosmart 130,230,7150,7345,7350,7550 (Remove only)
Picsel File Viewer
Quicken 2005
QuickTime
RealPlayer Basic
Retrospect Express HD 1.1
Roxio Burn Engine
Roxio Easy Media Creator 7
ScanSoft OmniPage Pro 14.0
ScanSoft PaperPort 11
SD Secure Module
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB944653)
SlingPlayer
Sonic DLA
Sonic RecordNow!
SoundMAX
Sprite Backup
Spybot - Search & Destroy
Synaptics Pointing Device Driver
SyncBack
TCPMP
Texas Instruments PCIxx21/x515 drivers.
Time Zone Data Update Tool for Microsoft Office Outlook
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
Toshiba Registration
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
Toshiba Tbiosdrv Driver
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Utilities
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Touch and Launch
Trend Micro PC-cillin Internet Security 2007
Trend Micro PC-cillin Internet Security 2007
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
USB Storage Adapter FX (MXO)
USB Storage Adapter FX (SM1)
Videora iPod Converter 0.91
Viewpoint Media Player
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Media Player 11
Windows Mobile Daylight Saving Time 2007 Updates
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884018
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver
XviD 1.1 final uninstall
-
Hi
Uninstall these:
Intel(R) PROSet/Wireless Software
Maxtor OneTouch
Microsoft ActiveSync
Notebook Maximizer
QuickTime
Retrospect Express HD 1.1
ScanSoft OmniPage Pro 14.0
ScanSoft PaperPort 11
SoundMAX
Trend Micro PC-cillin Internet Security 2007
Viewpoint Media Player
After that, enable Windows own firewall.
Open notepad and copy/paste the text in the quotebox below into it:
Code:
Rootkit::
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
File::
C:\WINDOWS\system32\cmd .exe
C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\MXOALDR .EXE
C:\WINDOWS\SM1BG .EXE
C:\WINDOWS\system32\hphmon04 .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\hkcmd .exe
Folder::
C:\WINDOWS\ppqvmpqr
C:\WINDOWS\system32\njprckha
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"=-
"H/PC Connection Agent"=-
"BitTorrent DNA"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="-
"SynTPEnh"="-
"THotkey"=-
"LtMoh"=-
"SmoothView"=-
"Tvs"=-
"SoundMAXPnP"=-
"SoundMAX"=-
"Pinger"="-
"Notebook Maximizer"=-
"pccguide.exe"=-
"IntelZeroConfig"=-
"IntelWireless"=-
"SSBkgdUpdate"=-
"PaperPort PTD"=-
"IndexSearch"=-
"MXOBG"=-
"RetroExpress"=-
"QuickTime Task"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE8297E5-2CA0-46EF-BD44-6EFDDA4A96E2}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v6...s/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.