Please Help! Virtumonde, MalwareAlarm (SecCenter), etc.

psywzrd

New member
My computer is infected with Virtumonde, MalwareAlarm (SecCenter) and some other stuff as well (my computer has slowed down to an absolute crawl). I can't run a Kaspersky scan because IE keeps shutting down on me. I started to run the scan last night hoping that it would be done when I woke up in the morning, but there was an IE error. I ran several S&D scans in safe mode and I got rid of everything except Virtumonde, which I can't seem to get rid of no matter how many times I scan with S&D (it always says it was fixed, but it continues to show up in my scans). Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:58 PM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\WINDOWS\system32\hkcmd .exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\WINDOWS\system32\igfxtray .exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey .exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh .exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
C:\Program Files\Toshiba\Tvs\TvsTray .exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\dla\tfswctrl .exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
C:\WINDOWS\system32\hphmon04 .exe
C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide .exe
C:\WINDOWS\SM1BG .EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch .exe
C:\WINDOWS\MXOALDR .EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrospect.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tsc.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PccUpdUI.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\pcclient.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\BitTorrent_DNA\dna .exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [zotcridi] rundll32.exe "C:\Program Files\fubszkho\vczmferq.dll",Init
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win1F8E.tmp .exe
O4 - HKLM\..\Run: [lotqzorg] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lotqzorg.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [xwpcpefy] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xwpcpefy.dll"
O4 - HKLM\..\Run: [vilsrcfe] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\vilsrcfe.dll"
O4 - HKLM\..\Run: [xorevota] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xorevota.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

--
End of file - 11755 bytes
 
Hi psywzrd and welcome to Safer Networking Forums :)

Rename HijackThis.exe to psywzrd.exe and post back a fresh HijackThis log, please.
 
I know I wasn't supposed to do this but I posted a thread on another site as well (I really need to get this computer cleaned up and I had no idea when someone was going to reply to my message here). Anyway, I ran Vundofix.exe, Combofix.exe and produced another HijackThis log. Should I post it here or should I just continue on the other site?
 
Hi

If you are getting help from another forum, this thread will be closed.

Posting to multiple forums is a waste of helpers' time.
 
Would it be ok if I continue with getting help here? The other site I posted to doesn't seem to be quite as active as this one and I would really like to get my computer fixed. If that's ok, please let me know and I will post my most recent HJT log from last night. Thank you.
 
Hi

You will have to choose; if you decide to continue here, then you should let the other site know that the topic there can be closed, and vice versa.

So let me know your decision :)
 
Thank you. I'll continue here if that's ok. Here is my latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:04 PM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PccGuide .exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey .exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh .exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
C:\Program Files\Toshiba\Tvs\TvsTray .exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\WINDOWS\SM1BG .EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\MXOALDR .EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress .exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\BitTorrent_DNA\dna .exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna .exe"
O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

--
End of file - 10939 bytes
 
Hi

Rename HijackThis.exe to psywzrd.exe and post back a fresh HijackThis log, Vundofix log and combofix report (C:\ComboFix.txt), please.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:17 PM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey .exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh .exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
C:\Program Files\Toshiba\Tvs\TvsTray .exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\SM1BG .EXE
C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide .exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe
C:\WINDOWS\MXOALDR .EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\psywzrd.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\BitTorrent_DNA\dna.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7596D03A-A6D5-4788-AC7A-063D66D7A28B} - C:\WINDOWS\system32\rqrpp.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna .exe"
O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

--
End of file - 11315 bytes


VundoFix V6.7.7

Checking Java version...

Scan started at 9:01:08 PM 12/22/2007

Listing files found while scanning....

C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon04.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\winsfg32.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\dla\tfswctrl.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hkcmd.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\hphmon04.exe
C:\WINDOWS\system32\hphmon04.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxtray.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\rqrpp.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\winsfg32.dll
C:\WINDOWS\system32\winsfg32.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Scan started at 10:24:56 PM 12/23/2007

Listing files found while scanning....

C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\rqrpp.exe Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Scan started at 11:35:18 AM 12/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\rqrpp.exe Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\pprqr.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.dll Has been deleted!

Performing Repairs to the registry.
Done!
 
ComboFix 07-12-21.4 - **** 2007-12-26 10:50:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.106 [GMT -5:00]
Running from: C:\Documents and Settings\****\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\rqrpp.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.

2007-12-26 11:14 . 2007-12-26 11:14 388,608 --a------ C:\WINDOWS\system32\cmd .exe
2007-12-24 20:56 . 2007-12-26 11:13 335,360 --a------ C:\WINDOWS\system32\rqrpp.exe
2007-12-24 20:34 . 2007-12-26 11:06 331,776 --------- C:\WINDOWS\system32\rqrpp.dll
2007-12-23 12:53 . 2007-12-23 12:53 <DIR> d-------- C:\WINDOWS\ppqvmpqr
2007-12-22 23:11 . 2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-21 23:45 . 2007-12-21 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-12-20 18:14 . 2007-12-20 18:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2007-12-19 20:48 . 2007-12-19 20:48 <DIR> d-------- C:\WINDOWS\system32\njprckha
2007-12-19 19:45 . 2007-12-22 23:04 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-19 19:43 . 2007-12-24 20:45 94,208 --a------ C:\WINDOWS\MXOALDR .EXE
2007-12-19 19:42 . 2007-12-24 20:44 94,208 --a------ C:\WINDOWS\SM1BG .EXE
2007-12-19 19:41 . 2007-12-22 14:00 339,968 --a------ C:\WINDOWS\system32\hphmon04 .exe
2007-12-19 19:39 . 2007-12-22 13:58 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe
2007-12-19 19:39 . 2007-12-22 13:57 126,976 --a------ C:\WINDOWS\system32\hkcmd .exe
2007-12-17 20:10 . 2007-12-17 21:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-17 20:10 . 2007-12-17 20:10 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect
2007-12-06 17:28 . 2007-12-26 02:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor
2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks
2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 16:13 430,592 ----a-w C:\WINDOWS\SM1BG.EXE
2007-12-26 16:13 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE
2007-12-26 16:13 --------- d-----w C:\Program Files\QuickTime
2007-12-26 16:12 --------- d-----w C:\Program Files\Notebook Maximizer
2007-12-26 16:12 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-26 16:12 --------- d-----w C:\Program Files\ltmoh
2007-12-26 16:12 --------- d-----w C:\Program Files\BitTorrent_DNA
2007-12-23 04:50 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent DNA
2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro
2007-12-20 23:41 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-19 13:53 --------- d-----w C:\Program Files\eMule
2007-12-19 03:47 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent
2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN
2007-11-18 20:14 --------- d-----w C:\Program Files\iNav
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile
2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools
2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent
2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\****\GoToAssist_chat2way__317_en.exe
2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\****\chatlnk.exe
2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE8297E5-2CA0-46EF-BD44-6EFDDA4A96E2}]
2007-12-26 11:06 331776 --------- C:\WINDOWS\system32\rqrpp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-26 11:12]
"OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [2007-12-26 11:21]
"SpriteService"="" []
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna .exe" [2007-12-26 11:25]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-26 11:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-26 11:12]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2007-12-26 11:12]
"NDSTray.exe"="NDSTray.exe" []
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-12-26 11:12]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-12-26 11:12]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2007-12-26 11:12]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2007-12-26 11:12]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2007-12-26 11:19]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" []
"TFncKy"="TFncKy.exe" []
"TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2007-12-26 11:12]
"Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2007-12-26 11:12]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" []
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" []
"pccguide.exe"="C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe" [2007-12-26 11:13]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2007-12-26 11:13]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-12-26 11:13]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-12-26 11:13]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-12-26 11:13]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-12-26 11:13]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-12-26 11:13]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" []
"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2007-12-26 11:13]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2007-12-26 11:13]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-26 11:21]

C:\Documents and Settings\..............................................................................................................................................................................................................................................\Start Menu\Programs\Startup\
Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34]
PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2006-01-27 05:12 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\rqrpp.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]
2005-10-04 18:09 57344 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]
2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]
2005-10-04 18:10 155757 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}]
\Shell\AutoRun\command - setupSNK.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 11:17:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\pprqr.ini 493 bytes
C:\WINDOWS\system32\pprqr.ini2 493 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2007-12-26 11:33:33 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-24 20:42
C:\ComboFix3.txt ... 2007-12-24 01:34
.
2007-12-21 14:19:06 --- E O F ---
 
Hi

You seem to have a file-infecting Vundo.

I have to ask first: do you have CDs/DVDs for these programs?

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-26 11:12]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [2007-12-26 11:21]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna .exe" [2007-12-26 11:25]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-26 11:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-26 11:12]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2007-12-26 11:12]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-12-26 11:12]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-12-26 11:12]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2007-12-26 11:12]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2007-12-26 11:12]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2007-12-26 11:19]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2007-12-26 11:12]
"Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2007-12-26 11:12]
"pccguide.exe"="C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe" [2007-12-26 11:13]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2007-12-26 11:13]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-12-26 11:13]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-12-26 11:13]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-12-26 11:13]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-12-26 11:13]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-12-26 11:13]
"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2007-12-26 11:13]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2007-12-26 11:13]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-26 11:21]

They are all infected and need to be replaced with fresh copies.
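A small defender-side check for the two signs this post relies on, written as an added example for this thread (it is not ComboFix's code, nor the helper's): a space inserted before the file extension in a Run value ("wcescomm .exe"), and a group of Run values whose file timestamps all fall on the day the log was taken (2007-12-26, the "Completion time" in the ComboFix output above). The sample lines are copied from the ComboFix "Reg Loading Points" section on this page; the function and constant names are my own.

```python
"""Flag suspicious autorun entries in ComboFix "Reg Loading Points" output.

Added example for this thread, not ComboFix's own code. ComboFix prints
each Run value as  "Name"="Path" [file timestamp]  and, for a bare
executable name, puts the resolved path inside the brackets as well.
"""
import re
from datetime import date, datetime

# Lines copied from the ComboFix log posted in this thread (sample input).
SAMPLE_LINES = [
    r'"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]',
    r'"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [2007-12-26 11:21]',
    r'"SpriteService"="" []',
    r'"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-26 11:12]',
    r'"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]',
    r'"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-26 11:21]',
]

# Day the ComboFix log on this page was taken ("Completion time: 2007-12-26").
INCIDENT_DAY = date(2007, 12, 26)

# "Name"="Path" [anything up to the closing bracket]
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]')
# Leading "YYYY-MM-DD HH:MM" inside the brackets; a resolved path may follow it.
STAMP_RE = re.compile(r'(\d{4}-\d{2}-\d{2} \d{2}:\d{2})')
# Whitespace immediately before a short extension: "wcescomm .exe", "MXOALDR .EXE".
SPACED_EXT_RE = re.compile(r'\s\.[A-Za-z0-9]{1,4}$')


def parse_entry(line):
    """Return (name, path, datetime_or_None), or None if the line is not a Run value."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    when = None
    sm = STAMP_RE.match(m.group("stamp").strip())
    if sm:
        when = datetime.strptime(sm.group(1), "%Y-%m-%d %H:%M")
    return m.group("name"), m.group("path"), when


def has_spaced_extension(path):
    """True when the file name carries a space before its extension."""
    return bool(SPACED_EXT_RE.search(path))


def flag_entries(lines, incident_day):
    """Return [(name, path, [reasons])] for every entry matching a heuristic."""
    flagged = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        name, path, when = parsed
        reasons = []
        if has_spaced_extension(path):
            reasons.append("space before extension")
        if when is not None and when.date() == incident_day:
            reasons.append("file timestamp on incident day")
        if reasons:
            flagged.append((name, path, reasons))
    return flagged


def flag_sample():
    """Run the check over the sample lines; used by the demo below."""
    return flag_entries(SAMPLE_LINES, INCIDENT_DAY)


if __name__ == "__main__":
    for name, path, reasons in flag_sample():
        print(f"{name!r}: {path}  <- {', '.join(reasons)}")
```

The timestamp rule will also catch anything legitimately installed or updated on that day, so treat a hit as a candidate to submit to an online scanner, as the following posts do, rather than as a verdict; the spaced-extension rule is the stronger of the two, since no installer writes a file name like "qttask .exe".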
 
I'm not even sure what some of those things are. A bunch of them look like programs that came pre-installed with my computer and some of them are programs that I installed myself.

The Scansoft entries are for my scanner so I definitely have the discs.

Retrosoft is for my external USB drive that I use to back up my computer so I definitely have that.

I'm not sure what PCGUIDE is but it appears to be related to my Trend Micro PC-Cillin so I can definitely reinstall that.

What can I do if I don't have discs for some of these or if I have no clue what they are?
 
Hi

Well, if you don't have them, then you may not be able to use those programs anymore, unfortunately.

We need to do some scans next:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link --> Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\system32\ndaTqsVqrX.dll

Repeat step for this:

C:\WINDOWS\system32\ctfmon .exe (note space before .exe)

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
 
I couldn't even find C:\WINDOWS\system32\ndaTqsVqrX.dll (I'm 100% sure I'm showing all hidden files including protected operating system files). I even went in through Explorer to look for it and it's definitely not there.

For C:\WINDOWS\system32\ctfmon .exe, all of the results on Jotti said "Found nothing". At the top of the window, though, it says Bit9 reports: High Threat Detected.

On VirusTotal, FileAdvisor reported "High threat detected". The rest on there just have a "-" under result and the total result says 1/32 (3.13%).
 
Hi

Thanks for the info.

This is the next step:

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

[image: uninstall-man.jpg]

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
 
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Anapod CopyGear (remove only)
Anapod Explorer (remove only)
ArcSoft Software Suite
BT8010 Control Center version 1.3
CD/DVD Drive Acoustic Silencer
CodeWallet Pro 2006 for Windows Mobile
Cypress USB Mass Storage Driver Installation
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD-RAM Driver
eMule
English skin
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB926239)
HP Photo and Imaging 1.0 - HP Photosmart Printer Series
iGuidance
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless Software
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
iPod for Windows 2006-06-28
iTunes
J2SE Runtime Environment 5.0
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
Maxtor OneTouch
mCore
MediaJoin
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office OneNote 2003
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
mIWA
mIWCA
mLogView
mMHouse
mPfMgr
mPfWiz
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Musicmatch® Jukebox
mXML
mZConfig
Notebook Maximizer
OfotoNow
OneTouch 4.0
PdaNet for Windows Mobile 1.80
PeerGuardian 2.0
Photosmart 130,230,7150,7345,7350,7550 (Remove only)
Picsel File Viewer
Quicken 2005
QuickTime
RealPlayer Basic
Retrospect Express HD 1.1
Roxio Burn Engine
Roxio Easy Media Creator 7
ScanSoft OmniPage Pro 14.0
ScanSoft PaperPort 11
SD Secure Module
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB944653)
SlingPlayer
Sonic DLA
Sonic RecordNow!
SoundMAX
Sprite Backup
Spybot - Search & Destroy
Synaptics Pointing Device Driver
SyncBack
TCPMP
Texas Instruments PCIxx21/x515 drivers.
Time Zone Data Update Tool for Microsoft Office Outlook
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
Toshiba Registration
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
Toshiba Tbiosdrv Driver
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Utilities
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Touch and Launch
Trend Micro PC-cillin Internet Security 2007
Trend Micro PC-cillin Internet Security 2007
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
USB Storage Adapter FX (MXO)
USB Storage Adapter FX (SM1)
Videora iPod Converter 0.91
Viewpoint Media Player
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Media Player 11
Windows Mobile Daylight Saving Time 2007 Updates
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884018
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver
XviD 1.1 final uninstall
 
Hi

Uninstall these:

Intel(R) PROSet/Wireless Software
Maxtor OneTouch
Microsoft ActiveSync
Notebook Maximizer
QuickTime
Retrospect Express HD 1.1
ScanSoft OmniPage Pro 14.0
ScanSoft PaperPort 11
SoundMAX
Trend Micro PC-cillin Internet Security 2007
Viewpoint Media Player

After that, enable Windows' own firewall.

Open Notepad and copy/paste the text from the code box below into it:

Code:
Rootkit::
C:\WINDOWS\system32\pprqr.ini 
C:\WINDOWS\system32\pprqr.ini2 

File::
C:\WINDOWS\system32\cmd .exe
C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\MXOALDR .EXE
C:\WINDOWS\SM1BG .EXE
C:\WINDOWS\system32\hphmon04 .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\hkcmd .exe

Folder::
C:\WINDOWS\ppqvmpqr
C:\WINDOWS\system32\njprckha

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"=-
"H/PC Connection Agent"=-
"BitTorrent DNA"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"=-
"SynTPEnh"=-
"THotkey"=-
"LtMoh"=-
"SmoothView"=-
"Tvs"=-
"SoundMAXPnP"=-
"SoundMAX"=-
"Pinger"=-
"Notebook Maximizer"=-
"pccguide.exe"=-
"IntelZeroConfig"=-
"IntelWireless"=-
"SSBkgdUpdate"=-
"PaperPort PTD"=-
"IndexSearch"=-
"MXOBG"=-
"RetroExpress"=-
"QuickTime Task"=-

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE8297E5-2CA0-46EF-BD44-6EFDDA4A96E2}]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]


This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happens, let us know, and also which process you had to end.
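As an added example (not part of the original post, and not ComboFix's own code), here is a small Python script that checks two of the artefacts the CFScript above targets. First, file names that carry a space before the extension, such as `hkcmd .exe` or `ctfmon .exe`: these sit next to the legitimate `hkcmd.exe` and `ctfmon.exe` and are easy to overlook in a HijackThis process list, so the script flags them and names the binary they imitate. Second, the hex(7) value the Registry:: section writes to `Authentication Packages`, decoded to confirm it sets the value back to the standard `msv1_0` package. The sample paths are constructed for the example; the hex value is the one from the script above.

```python
import re

# Constructed sample paths, modelled on the "Running processes" block of a
# HijackThis log and on the File:: section of the CFScript in this thread.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\hkcmd .exe",
    r"C:\WINDOWS\system32\hkcmd.exe",
    r"C:\WINDOWS\system32\ctfmon .exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\WINDOWS\system32\cmd .exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\MXOALDR .EXE",
]

# The Lsa value from the Registry:: section of the CFScript above.
AUTH_PACKAGES_HEX7 = "6d,73,76,31,5f,30,00,00"

# A file name whose stem is separated from its extension by whitespace.
SPACE_BEFORE_EXT = re.compile(
    r"^(?P<stem>\S.*?)\s+(?P<ext>\.(?:exe|dll|com|scr))$", re.IGNORECASE
)


def find_lookalikes(paths):
    """Return (path, imitated_name) for each path whose file name has
    whitespace before the extension, e.g. 'hkcmd .exe' -> 'hkcmd.exe'."""
    flagged = []
    for path in paths:
        name = path.rsplit("\\", 1)[-1]
        m = SPACE_BEFORE_EXT.match(name)
        if m:
            flagged.append((path, m.group("stem") + m.group("ext")))
    return flagged


def decode_reg_hex7(value):
    """Decode a .reg-style hex(7) (REG_MULTI_SZ) byte list into its strings.

    The value as written in the post uses one byte per character, with each
    string NUL-terminated and a final NUL closing the list, so splitting on
    NUL and dropping empty parts yields the string list.
    """
    raw = bytes(int(tok, 16) for tok in value.replace(" ", "").split(",") if tok)
    return [part.decode("ascii") for part in raw.split(b"\x00") if part]


if __name__ == "__main__":
    for path, imitated in find_lookalikes(SAMPLE_PATHS):
        print(f"suspicious: {path!r} imitates {imitated}")
    print("Authentication Packages ->", decode_reg_hex7(AUTH_PACKAGES_HEX7))
```

Running the script lists the four space-before-extension names from the sample and prints `['msv1_0']` for the registry value, which is what a clean XP machine carries in `Authentication Packages`.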
 