
Thread: Please Help! Virtumonde, MalwareAlarm (SecCenter), etc.

  1. #11
    Member
    Join Date
    Dec 2007
    Posts
    62

    ComboFix 07-12-21.4 - **** 2007-12-26 10:50:24.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.106 [GMT -5:00]Running from: C:\Documents and Settings\****\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\pprqr.ini
    C:\WINDOWS\system32\pprqr.ini2
    C:\WINDOWS\system32\rqrpp.dll

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
    .

    2007-12-26 11:14 . 2007-12-26 11:14 388,608 --a------ C:\WINDOWS\system32\cmd .exe
    2007-12-24 20:56 . 2007-12-26 11:13 335,360 --a------ C:\WINDOWS\system32\rqrpp.exe
    2007-12-24 20:34 . 2007-12-26 11:06 331,776 --------- C:\WINDOWS\system32\rqrpp.dll
    2007-12-23 12:53 . 2007-12-23 12:53 <DIR> d-------- C:\WINDOWS\ppqvmpqr
    2007-12-22 23:11 . 2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-12-21 23:45 . 2007-12-21 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
    2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
    2007-12-20 18:14 . 2007-12-20 18:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
    2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
    2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
    2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
    2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
    2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
    2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
    2007-12-19 20:48 . 2007-12-19 20:48 <DIR> d-------- C:\WINDOWS\system32\njprckha
    2007-12-19 19:45 . 2007-12-22 23:04 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
    2007-12-19 19:43 . 2007-12-24 20:45 94,208 --a------ C:\WINDOWS\MXOALDR .EXE
    2007-12-19 19:42 . 2007-12-24 20:44 94,208 --a------ C:\WINDOWS\SM1BG .EXE
    2007-12-19 19:41 . 2007-12-22 14:00 339,968 --a------ C:\WINDOWS\system32\hphmon04 .exe
    2007-12-19 19:39 . 2007-12-22 13:58 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe
    2007-12-19 19:39 . 2007-12-22 13:57 126,976 --a------ C:\WINDOWS\system32\hkcmd .exe
    2007-12-17 20:10 . 2007-12-17 21:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-17 20:10 . 2007-12-17 20:10 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect
    2007-12-06 17:28 . 2007-12-26 02:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
    2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor
    2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks
    2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-26 16:13 430,592 ----a-w C:\WINDOWS\SM1BG.EXE
    2007-12-26 16:13 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE
    2007-12-26 16:13 --------- d-----w C:\Program Files\QuickTime
    2007-12-26 16:12 --------- d-----w C:\Program Files\Notebook Maximizer
    2007-12-26 16:12 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2007-12-26 16:12 --------- d-----w C:\Program Files\ltmoh
    2007-12-26 16:12 --------- d-----w C:\Program Files\BitTorrent_DNA
    2007-12-23 04:50 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent DNA
    2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro
    2007-12-20 23:41 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-12-19 13:53 --------- d-----w C:\Program Files\eMule
    2007-12-19 03:47 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent
    2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN
    2007-11-18 20:14 --------- d-----w C:\Program Files\iNav
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile
    2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools
    2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2
    2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent
    2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\****\GoToAssist_chat2way__317_en.exe
    2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\****\chatlnk.exe
    2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE8297E5-2CA0-46EF-BD44-6EFDDA4A96E2}]
    2007-12-26 11:06 331776 --------- C:\WINDOWS\system32\rqrpp.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-26 11:12]
    "OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00]
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [2007-12-26 11:21]
    "SpriteService"="" []
    "BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna .exe" [2007-12-26 11:25]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-26 11:12]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-26 11:12]
    "THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2007-12-26 11:12]
    "NDSTray.exe"="NDSTray.exe" []
    "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-12-26 11:12]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]
    "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-12-26 11:12]
    "Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2007-12-26 11:12]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2007-12-26 11:12]
    "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2007-12-26 11:19]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" []
    "TFncKy"="TFncKy.exe" []
    "TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]
    "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []
    "Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2007-12-26 11:12]
    "Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2007-12-26 11:12]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" []
    "HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" []
    "pccguide.exe"="C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe" [2007-12-26 11:13]
    "SM1BG"="C:\WINDOWS\SM1BG.EXE" [2007-12-26 11:13]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-12-26 11:13]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-12-26 11:13]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-12-26 11:13]
    "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-12-26 11:13]
    "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-12-26 11:13]
    "MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" []
    "MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2007-12-26 11:13]
    "RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2007-12-26 11:13]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-26 11:21]

    C:\Documents and Settings\..............................................................................................................................................................................................................................................\Start Menu\Programs\Startup\
    Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34]
    PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2006-01-27 05:12 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
    "load"=C:\WINDOWS\system32\rqrpp.exe

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
    2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
    2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]
    2005-10-04 18:09 57344 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]
    2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]
    2005-10-04 18:10 155757 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}]
    \Shell\AutoRun\command - E:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}]
    \Shell\AutoRun\command - setupSNK.exe

    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-26 11:17:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\WINDOWS\system32\pprqr.ini 493 bytes
    C:\WINDOWS\system32\pprqr.ini2 493 bytes

    scan completed successfully
    hidden files: 2

    **************************************************************************
    .
    Completion time: 2007-12-26 11:33:33 - machine was rebooted
    C:\ComboFix2.txt ... 2007-12-24 20:42
    C:\ComboFix3.txt ... 2007-12-24 01:34
    .
    2007-12-21 14:19:06 --- E O F ---
    Last edited by Shaba; 2008-04-23 at 20:01.

  2. #12
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi

    You seem to have file-infecting Vundo.

    I have to ask first: do you have CDs/DVDs for these programs?

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-26 11:12]
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [2007-12-26 11:21]
    "BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna .exe" [2007-12-26 11:25]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-26 11:12]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-26 11:12]
    "THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2007-12-26 11:12]
    "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-12-26 11:12]
    "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-12-26 11:12]
    "Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2007-12-26 11:12]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2007-12-26 11:12]
    "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2007-12-26 11:19]
    "Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2007-12-26 11:12]
    "Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2007-12-26 11:12]
    "pccguide.exe"="C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe" [2007-12-26 11:13]
    "SM1BG"="C:\WINDOWS\SM1BG.EXE" [2007-12-26 11:13]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-12-26 11:13]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-12-26 11:13]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-12-26 11:13]
    "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-12-26 11:13]
    "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-12-26 11:13]
    "MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2007-12-26 11:13]
    "RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2007-12-26 11:13]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-26 11:21]

    They are all infected and need to be replaced with fresh copies.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #13
    Member
    Join Date
    Dec 2007
    Posts
    62

    I'm not even sure what some of those things are. A bunch of them look like programs that came pre-installed with my computer and some of them are programs that I installed myself.

    The Scansoft entries are for my scanner so I definitely have the discs.

    Retrosoft is for my external USB drive that I use to back up my computer so I definitely have that.

    I'm not sure what PCGUIDE is but it appears to be related to my Trend Micro PC-Cillin so I can definitely reinstall that.

    What can I do if I don't have discs for some of these or if I have no clue what they are?

  4. #14
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi

    Well, if you don't, then you may not be able to use those programs anymore, unfortunately.

    We need to do some scans next:

    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Please click this link-->Jotti

    When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

    C:\WINDOWS\system32\ndaTqsVqrX.dll

    Repeat step for this:

    C:\WINDOWS\system32\ctfmon .exe (note space before .exe)

    Please post back the results of the scan in your next post.

    If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  5. #15
    Member
    Join Date
    Dec 2007
    Posts
    62

    Does my Trend Micro anti-virus software need to be disabled before I run either of those programs?

  6. #16
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi

    No
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #17
    Member
    Join Date
    Dec 2007
    Posts
    62

    I couldn't even find C:\WINDOWS\system32\ndaTqsVqrX.dll (I'm 100% sure I'm showing all hidden files including protected operating system files). I even went in through Explorer to look for it and it's definitely not there.

    For C:\WINDOWS\system32\ctfmon .exe, all of the results on Jotti said "Found nothing". At the top of the window though it says Bit9 reports: High Threat Detected.

    On VirusTotal, FileAdvisor reported "High threat detected". The rest on there just have a "-" under result and the total result says 1/32 (3.13%).

  8. #18
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi

    Thanks for info.

    This is the next step:

    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.

    You will now be presented with a screen similar to the one below:



    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  9. #19
    Member
    Join Date
    Dec 2007
    Posts
    62

    Ad-Aware SE Personal
    Adobe Acrobat 5.0
    Adobe Flash Player ActiveX
    Anapod CopyGear (remove only)
    Anapod Explorer (remove only)
    ArcSoft Software Suite
    BT8010 Control Center version 1.3
    CD/DVD Drive Acoustic Silencer
    CodeWallet Pro 2006 for Windows Mobile
    Cypress USB Mass Storage Driver Installation
    DivX Codec
    DivX Content Uploader
    DivX Converter
    DivX Player
    DivX Web Player
    DVD-RAM Driver
    eMule
    English skin
    HijackThis 2.0.2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB909394)
    Hotfix for Windows XP (KB926239)
    HP Photo and Imaging 1.0 - HP Photosmart Printer Series
    iGuidance
    Intel(R) Graphics Media Accelerator Driver for Mobile
    Intel(R) PROSet/Wireless Software
    InterVideo WinDVD Creator 2
    InterVideo WinDVD for TOSHIBA
    iPod for Windows 2006-06-28
    iTunes
    J2SE Runtime Environment 5.0
    Kaspersky Online Scanner
    Learn2 Player (Uninstall Only)
    Maxtor OneTouch
    mCore
    MediaJoin
    mHelp
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0
    Microsoft ActiveSync
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office OneNote 2003
    Microsoft Office Standard Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Works
    mIWA
    mIWCA
    mLogView
    mMHouse
    mPfMgr
    mPfWiz
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    Musicmatch® Jukebox
    mXML
    mZConfig
    Notebook Maximizer
    OfotoNow
    OneTouch 4.0
    PdaNet for Windows Mobile 1.80
    PeerGuardian 2.0
    Photosmart 130,230,7150,7345,7350,7550 (Remove only)
    Picsel File Viewer
    Quicken 2005
    QuickTime
    RealPlayer Basic
    Retrospect Express HD 1.1
    Roxio Burn Engine
    Roxio Easy Media Creator 7
    ScanSoft OmniPage Pro 14.0
    ScanSoft PaperPort 11
    SD Secure Module
    Security Update for Microsoft .NET Framework 2.0 (KB928365)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB883939)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB939653)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB942615)
    Security Update for Windows XP (KB944653)
    SlingPlayer
    Sonic DLA
    Sonic RecordNow!
    SoundMAX
    Sprite Backup
    Spybot - Search & Destroy
    Synaptics Pointing Device Driver
    SyncBack
    TCPMP
    Texas Instruments PCIxx21/x515 drivers.
    Time Zone Data Update Tool for Microsoft Office Outlook
    TOSHIBA Assist
    TOSHIBA ConfigFree
    TOSHIBA Controls
    TOSHIBA Hotkey Utility
    TOSHIBA PC Diagnostic Tool
    TOSHIBA Power Saver
    Toshiba Registration
    TOSHIBA SD Memory Card Format
    TOSHIBA Software Modem
    TOSHIBA Software Upgrades
    TOSHIBA Software Upgrades
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    Toshiba Tbiosdrv Driver
    TOSHIBA TouchPad ON/Off Utility
    TOSHIBA Utilities
    TOSHIBA Virtual Sound
    TOSHIBA Zooming Utility
    Touch and Launch
    Trend Micro PC-cillin Internet Security 2007
    Trend Micro PC-cillin Internet Security 2007
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Update for Windows XP (KB946627)
    USB Storage Adapter FX (MXO)
    USB Storage Adapter FX (SM1)
    Videora iPod Converter 0.91
    Viewpoint Media Player
    Windows Genuine Advantage v1.3.0254.0
    Windows Installer 3.1 (KB893803)
    Windows Installer 3.1 (KB893803)
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 10 Hotfix - KB894476
    Windows Media Player 11
    Windows Media Player 11
    Windows Mobile Daylight Saving Time 2007 Updates
    Windows XP Hotfix - KB834707
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB884018
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890923
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893066
    Windows XP Hotfix - KB893086
    WinRAR archiver
    XviD 1.1 final uninstall

  10. #20
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi

    Uninstall these:

    Intel(R) PROSet/Wireless Software
    Maxtor OneTouch
    Microsoft ActiveSync
    Notebook Maximizer
    QuickTime
    Retrospect Express HD 1.1
    ScanSoft OmniPage Pro 14.0
    ScanSoft PaperPort 11
    SoundMAX
    Trend Micro PC-cillin Internet Security 2007
    Viewpoint Media Player

    After that, enable Windows own firewall.

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Rootkit::
    C:\WINDOWS\system32\pprqr.ini 
    C:\WINDOWS\system32\pprqr.ini2 
    
    File::
    C:\WINDOWS\system32\cmd .exe
    C:\WINDOWS\system32\rqrpp.exe
    C:\WINDOWS\system32\rqrpp.dll
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\MXOALDR .EXE
    C:\WINDOWS\SM1BG .EXE
    C:\WINDOWS\system32\hphmon04 .exe
    C:\WINDOWS\system32\igfxtray .exe
    C:\WINDOWS\system32\hkcmd .exe
    
    Folder::
    C:\WINDOWS\ppqvmpqr
    C:\WINDOWS\system32\njprckha
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"=-
    "H/PC Connection Agent"=-
    "BitTorrent DNA"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"=-
    "SynTPEnh"=-
    "THotkey"=-
    "LtMoh"=-
    "SmoothView"=-
    "Tvs"=-
    "SoundMAXPnP"=-
    "SoundMAX"=-
    "Pinger"=-
    "Notebook Maximizer"=-
    "pccguide.exe"=-
    "IntelZeroConfig"=-
    "IntelWireless"=-
    "SSBkgdUpdate"=-
    "PaperPort PTD"=-
    "IndexSearch"=-
    "MXOBG"=-
    "RetroExpress"=-
    "QuickTime Task"=-
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE8297E5-2CA0-46EF-BD44-6EFDDA4A96E2}]
    
    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
    "load"=-
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
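Two of the helper's points above lend themselves to an automated check: the lookalike files with a space before the extension ("ctfmon .exe", as noted in post #14), and the LSA "Authentication Packages" value that the CFScript in post #20 resets to a hex(7) REG_MULTI_SZ holding only msv1_0. The following Python is an added example written for this edit, not code from the thread, ComboFix or its author. It parses a few "Files Created" lines constructed from the log in post #11, pairs each space-before-extension name with the legitimate name it imitates, and decodes a REGEDIT4 hex(7) value so a responder can confirm what the LSA key will contain after the script runs. The log-line format it assumes is the one visible in the thread; the function names are this example's own.

```python
"""Added example (not from the thread): two checks over a ComboFix-style log.

1. Flag file names with whitespace before the extension ("cmd .exe") and
   report the legitimate name each one imitates.
2. Decode a REGEDIT4 hex(7) (REG_MULTI_SZ) value such as the LSA
   "Authentication Packages" line in the CFScript and confirm it holds only
   the expected packages.
Sample lines below are constructed from entries shown in the thread's log.
"""
import re
from typing import List, Tuple

# Constructed sample in ComboFix's "Files Created" format:
#   created . modified size attrs path
SAMPLE_LOG = """\
2007-12-26 11:14 . 2007-12-26 11:14 388,608 --a------ C:\\WINDOWS\\system32\\cmd .exe
2007-12-24 20:56 . 2007-12-26 11:13 335,360 --a------ C:\\WINDOWS\\system32\\rqrpp.exe
2007-12-19 19:45 . 2007-12-22 23:04 15,360 --a------ C:\\WINDOWS\\system32\\ctfmon .exe
2007-12-19 19:43 . 2007-12-24 20:45 94,208 --a------ C:\\WINDOWS\\MXOALDR .EXE
2007-12-17 20:10 . 2007-12-17 20:10 1,409 --a------ C:\\WINDOWS\\QTFont.for
2007-12-23 12:53 . 2007-12-23 12:53 <DIR> d-------- C:\\WINDOWS\\ppqvmpqr
"""

# Value taken from the CFScript in the thread: "msv1_0" followed by the
# double NUL that terminates a REG_MULTI_SZ.
LSA_AUTH_PACKAGES_HEX7 = "6d,73,76,31,5f,30,00,00"

LINE_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (<DIR>|[\d,]+) (\S+) (.+)$")


def parse_log(text: str) -> List[dict]:
    """Turn each 'Files Created' line into a record; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        rows.append({"created": created, "modified": modified,
                     "size": size, "attrs": attrs, "path": path})
    return rows


def space_before_ext(path: str) -> bool:
    """True for 'name .ext': whitespace immediately before the final extension."""
    name = path.rsplit("\\", 1)[-1]
    return re.search(r"\s\.[^.\s]+$", name) is not None


def lookalike_files(rows: List[dict]) -> List[Tuple[str, str]]:
    """Return (suspicious path, name it imitates) for every space-before-extension file."""
    hits = []
    for r in rows:
        if r["size"] != "<DIR>" and space_before_ext(r["path"]):
            imitated = re.sub(r"\s+(\.[^.\s]+)$", r"\1", r["path"])
            hits.append((r["path"], imitated))
    return hits


def decode_hex7(value: str) -> List[str]:
    """Decode a REGEDIT4 hex(7) value (comma-separated bytes) into its strings.

    REGEDIT4 files are ANSI, so each character is one byte; strings are
    NUL-separated and the list is double-NUL terminated.
    """
    raw = bytes(int(b, 16) for b in value.split(","))
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def auth_packages_ok(value: str, expected=("msv1_0",)) -> bool:
    """True when the decoded list holds exactly the expected packages and nothing else."""
    return decode_hex7(value) == list(expected)


if __name__ == "__main__":
    for bad, good in lookalike_files(parse_log(SAMPLE_LOG)):
        print(f"lookalike: {bad}  (imitates {good})")
    print("LSA packages after script:", decode_hex7(LSA_AUTH_PACKAGES_HEX7))
```

The second check matters because the log's "Reg Loading Points" section shows an extra entry appended to msv1_0 under the Lsa key; decoding the replacement value before running the script lets you verify it restores exactly the default package list, and running the same decoder over an exported value afterwards confirms the extra entry is gone.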
