
Thread: Please Help! Virtumonde, MalwareAlarm (SecCenter), etc.

  1. #41
    Member, Join Date: Dec 2007, Posts: 62

    ComboFix 07-12-21.4 - **** 2007-12-28 13:29:57.8 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.207 [GMT -5:00]
    Running from: C:\Documents and Settings\****\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\****\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\Retrospect\Retrospect Express HD 1.1\RetroExpress .exe
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\system32\pprqr.ini
    C:\WINDOWS\system32\pprqr.ini2
    C:\WINDOWS\system32\rqrpp.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\Microsoft ActiveSync\wcescomm .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\Retrospect\Retrospect Express HD 1.1\RetroExpress .exe
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\system32\pprqr.ini
    C:\WINDOWS\system32\pprqr.ini2
    C:\WINDOWS\system32\rqrpp.dll
    C:\WINDOWS\system32\rqrpp.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
    .

    2007-12-28 13:43 . 2007-12-28 13:43 331,776 --------- C:\WINDOWS\system32\rqrpp.dll
    2007-12-28 13:43 . 2007-12-28 13:45 391 --ahs---- C:\WINDOWS\system32\pprqr.ini
    2007-12-27 22:44 . 2007-12-27 23:03 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2007-12-27 22:44 . 2007-12-27 23:03 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2007-12-27 22:42 . 2007-12-27 22:42 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2007-12-27 22:42 . 2007-12-28 13:45 516,128 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-12-27 22:42 . 2007-12-28 13:45 17,696 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-12-27 22:42 . 2007-12-28 13:40 7,916 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2007-12-27 22:42 . 2007-12-28 13:40 2,660 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-12-27 22:39 . 2007-12-27 22:39 <DIR> d-------- C:\KAV
    2007-12-27 16:06 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2007-12-27 16:04 . 2007-12-27 16:04 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-12-27 14:27 . 2007-12-27 14:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-27 14:27 . 2007-12-27 14:27 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-12-26 11:35 . 2007-12-26 13:37 <DIR> d-------- C:\VundoFix Backups
    2007-12-22 23:11 . 2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-12-21 23:45 . 2007-12-28 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
    2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
    2007-12-20 18:14 . 2007-12-27 14:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
    2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
    2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
    2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
    2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
    2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
    2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
    2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect
    2007-12-06 17:28 . 2007-12-27 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
    2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor
    2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks
    2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums
    Last edited by Shaba; 2008-01-26 at 12:22.

  2. #42
    Member, Join Date: Dec 2007, Posts: 62

    continued from above
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-28 18:37 --------- d-----w C:\Program Files\QuickTime
    2007-12-28 18:36 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2007-12-28 17:36 --------- d-----w C:\Program Files\Notebook Maximizer
    2007-12-28 17:36 --------- d-----w C:\Program Files\ltmoh
    2007-12-28 17:35 --------- d-----w C:\Program Files\BitTorrent_DNA
    2007-12-28 04:35 94,208 ----a-w C:\WINDOWS\SM1BG.EXE
    2007-12-27 21:06 --------- d-----w C:\Program Files\Java
    2007-12-27 20:29 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE
    2007-12-27 20:15 --------- d-----w C:\Documents and Settings\****\Application Data\ScanSoft
    2007-12-27 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
    2007-12-27 20:11 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
    2007-12-27 20:01 --------- d-----w C:\Program Files\ScanSoft
    2007-12-27 19:20 --------- d-----w C:\Program Files\Intel
    2007-12-27 19:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\Intel
    2007-12-27 19:19 --------- d-----w C:\Documents and Settings\****\Application Data\Intel
    2007-12-27 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-12-23 04:50 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent DNA
    2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro
    2007-12-19 13:53 --------- d-----w C:\Program Files\eMule
    2007-12-19 03:47 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent
    2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN
    2007-11-18 20:14 --------- d-----w C:\Program Files\iNav
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile
    2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools
    2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2
    2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent
    2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\****\GoToAssist_chat2way__317_en.exe
    2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\****\chatlnk.exe
    2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2007-12-24_20.40.45.99 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2005-04-24 00:42:47 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2007-12-28 03:57:21 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2005-04-24 00:42:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2007-12-28 03:57:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2005-04-24 00:42:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2007-12-28 03:57:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2007-12-22 18:59:54 122,939 ----a-w C:\WINDOWS\system32\dla\tfswctrl .exe
    + 2007-12-28 18:43:26 122,939 ----a-w C:\WINDOWS\system32\dla\tfswctrl .exe
    + 2007-12-28 18:30:29 484,864 ----a-w C:\WINDOWS\system32\dla\tfswctrl.exe
    + 2007-04-28 21:51:02 110,360 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
    + 2007-12-28 04:05:07 194,320 ----a-w C:\WINDOWS\system32\drivers\klif.sys
    + 2007-04-04 19:58:26 24,344 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
    + 2007-06-28 17:50:52 22,457 ----a-w C:\WINDOWS\system32\drivers\klop.dat
    - 2007-04-10 00:33:01 200,936 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2007-12-27 20:22:14 200,144 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    - 2004-11-16 05:04:46 49,245 ----a-w C:\WINDOWS\system32\java.exe
    + 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
    - 2004-11-16 05:04:46 49,247 ----a-w C:\WINDOWS\system32\javaw.exe
    + 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
    - 2004-11-16 05:04:46 127,075 ----a-w C:\WINDOWS\system32\javaws.exe
    + 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
    + 2007-06-28 17:51:48 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
    - 2007-12-22 19:00:29 188,416 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
    + 2007-12-28 18:43:31 188,416 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
    + 2007-12-28 18:44:09 525,824 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABE4F29A-F6DD-43A8-B7CC-B67F71896333}]
    2007-12-28 13:43 331776 --------- C:\WINDOWS\system32\rqrpp.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
    "OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00]
    "SpriteService"="" []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
    "NDSTray.exe"="NDSTray.exe" []
    "AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2007-12-28 13:30]
    "TFncKy"="TFncKy.exe" []
    "TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]
    "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2007-12-28 13:43]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2007-12-28 13:44]
    "HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-12-28 13:44]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]

    C:\Documents and Settings\****\Start Menu\Programs\Startup\
    Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34]
    PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]

    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
    "load"=C:\WINDOWS\system32\rqrpp.exe

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
    2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
    2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]
    C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]
    2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]
    C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe

    R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 02:00]
    R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys [2005-03-08 21:05]
    R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys [2005-03-08 20:54]
    R2 OneTouch 4.0 Monitor;OneTouch 4.0 Monitor;"C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe" [2006-08-28 00:58]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
    R3 pnetmdm;PdaNet Modem;C:\WINDOWS\system32\DRIVERS\pnetmdm.sys [2006-09-28 15:32]
    S3 pgfilter;pgfilter;C:\Program Files\PeerGuardian2\pgfilter.sys [2005-09-18 18:02]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}]
    \Shell\AutoRun\command - E:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}]
    \Shell\AutoRun\command - setupSNK.exe

    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-28 13:45:57
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\WINDOWS\system32\pprqr.ini2 391 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
    -> C:\Program Files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
    -> C:\WINDOWS\system32\rqrpp.dll
    .
    Completion time: 2007-12-28 13:48:39 - machine was rebooted
    C:\ComboFix2.txt ... 2007-12-28 12:59
    C:\ComboFix3.txt ... 2007-12-28 11:00
    .
    2007-12-21 14:19:06 --- E O F ---
    Last edited by Shaba; 2008-01-26 at 12:25.

  3. #43
    Member, Join Date: Dec 2007, Posts: 62

    Code:
    Ran on Fri 12/28/2007 - 13:49:21.17
    
    ----a-w         1,077,301 2007-12-28 18:43:33  C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
    ----a-w           122,939 2007-12-28 18:43:26  C:\WINDOWS\system32\dla\tfswctrl .exe
    ----a-w           188,416 2007-12-28 18:43:31  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
    
     Entries:                3  (3)
     Directories:            0  Files:             3
     Bytes:          1,388,656  Blocks:        2,714



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:51:37 PM, on 12/28/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
    C:\WINDOWS\system32\svchost.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
    C:\WINDOWS\system32\dla\tfswctrl .exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Trend Micro\HijackThis\psywzrd.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
    F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {ABE4F29A-F6DD-43A8-B7CC-B67F71896333} - C:\WINDOWS\system32\rqrpp.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
    O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
    O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
    O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

    --
    End of file - 6793 bytes

  4. #44
    Security Expert: Emeritus, Join Date: Oct 2006, Location: Finland, Posts: 29,374

    Hi

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Rootkit::
    C:\WINDOWS\system32\pprqr.ini2
    
    File::
    C:\WINDOWS\system32\dla\tfswctrl .exe
    C:\WINDOWS\system32\dla\tfswctrl .exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\system32\rqrpp.dll
    C:\WINDOWS\system32\pprqr.ini
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dla"=-
    "PadTouch"=-
    "HPDJ Taskbar Utility"=-
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABE4F29A-F6DD-43A8-B7CC-B67F71896333}]
    
    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
    "load"=-
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time), and end any processes of findstr, find, sed or swreg; then combofix should continue.
    If that happened we want to know, and also what process you had to end.

    Re-run RenV.

    Post:

    - a fresh HijackThis log
    - RenV log
    - combofix report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
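As an added example (not from the thread, and not ComboFix's own code), the Python below decodes and re-creates the REGEDIT4 `hex(7)` encoding used in the `"Authentication Packages"` line of the CFScript above, and runs two checks over a constructed sample made from lines of the ComboFix log in this thread: it flags LSA authentication packages beyond the XP default `msv1_0` and any win.ini `load=` autostart value, and it pairs `name .exe` files (space before the extension) with their `name.exe` siblings. All function names and the sample text are assumptions.

```python
# Added example: helpers around the CFScript in this thread. Not ComboFix code.
import re

EXPECTED_AUTH_PACKAGES = {"msv1_0"}   # Windows XP default for the LSA value


def decode_hex7(value):
    """Decode a REGEDIT4-style REG_MULTI_SZ ('hex(7):6d,73,...') into strings.
    In REGEDIT4 format the bytes are ANSI; each string is NUL-terminated and the
    whole list ends with one extra NUL."""
    if not value.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ hex(7) value")
    raw = bytes(int(b, 16) for b in value[len("hex(7):"):].split(",") if b.strip())
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def encode_hex7(strings):
    """Inverse of decode_hex7: build the hex(7) text for a CFScript/.reg line."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def lsa_restore_line():
    """The Registry:: line that resets Authentication Packages to the default set."""
    return '"Authentication Packages"=' + encode_hex7(sorted(EXPECTED_AUTH_PACKAGES))


def audit_loading_points(log_text):
    """Flag, in a ComboFix 'Reg Loading Points' dump, authentication packages
    outside EXPECTED_AUTH_PACKAGES and any non-empty win.ini 'load=' value."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r"Authentication Packages REG_MULTI_SZ (.*)$", line)
        if m:
            # ComboFix separates the packages with spaces; a path that itself
            # contains spaces would be split into pieces but still surfaces.
            for pkg in m.group(1).split():
                if pkg.lower() not in EXPECTED_AUTH_PACKAGES:
                    findings.append(("lsa_auth_package", pkg))
        m = re.match(r'"load"=(.+)$', line)
        if m:
            findings.append(("winini_load", m.group(1)))
    return findings


# A path ending in 'name .exe' or 'name .dll' (space before the extension).
SPACE_EXT = re.compile(r"([A-Za-z]:\\.*? \.(?:exe|dll))\s*$")


def find_space_before_ext(log_text):
    """Return every path in the log whose file name has a space before its
    extension, the pattern seen in the FILE and snapshot sections above."""
    return [m.group(1) for line in log_text.splitlines()
            if (m := SPACE_EXT.search(line))]


def sibling_name(path):
    """'...\\tfswctrl .exe' -> '...\\tfswctrl.exe', the name of the legitimate file."""
    head, ext = path.rsplit(" .", 1)
    return f"{head}.{ext}"


# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\rqrpp.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp

- 2007-12-22 18:59:54 122,939 ----a-w C:\WINDOWS\system32\dla\tfswctrl .exe
+ 2007-12-28 18:30:29 484,864 ----a-w C:\WINDOWS\system32\dla\tfswctrl.exe
"""

if __name__ == "__main__":
    print("decoded:", decode_hex7("hex(7):6d,73,76,31,5f,30,00,00"))
    for kind, what in audit_loading_points(SAMPLE_LOG):
        print(kind, what)
    for p in find_space_before_ext(SAMPLE_LOG):
        print(p, "->", sibling_name(p))
    print(lsa_restore_line())
```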

  5. #45
    Member, Join Date: Dec 2007, Posts: 62

    Does it matter what order I run these in? I was planning on running ComboFix first, then RenV, then HJT. Is that ok?

  6. #46
    Security Expert: Emeritus, Join Date: Oct 2006, Location: Finland, Posts: 29,374

    Hi

    That order is just fine and the right one.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #47
    Member
    Join Date
    Dec 2007
    Posts
    62

    Default

    ComboFix 07-12-21.4 - **** 2007-12-28 14:18:47.9 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.206 [GMT -5:00]
    Running from: C:\Documents and Settings\****\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\****\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
    C:\WINDOWS\system32\dla\tfswctrl .exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\pprqr.ini
    C:\WINDOWS\system32\rqrpp.dll
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
    C:\WINDOWS\system32\dla\tfswctrl .exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\pprqr.ini
    C:\WINDOWS\system32\pprqr.ini2
    C:\WINDOWS\system32\rqrpp.dll
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
    .

    2007-12-28 14:19 . 2007-12-28 14:19 335,360 --a------ C:\WINDOWS\system32\rqrpp.exe
    2007-12-27 22:44 . 2007-12-27 23:03 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2007-12-27 22:44 . 2007-12-27 23:03 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2007-12-27 22:42 . 2007-12-27 22:42 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2007-12-27 22:42 . 2007-12-28 14:29 546,592 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-12-27 22:42 . 2007-12-28 14:27 20,000 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-12-27 22:42 . 2007-12-28 14:27 8,372 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2007-12-27 22:42 . 2007-12-28 14:27 2,924 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-12-27 22:39 . 2007-12-27 22:39 <DIR> d-------- C:\KAV
    2007-12-27 16:06 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2007-12-27 16:04 . 2007-12-27 16:04 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-12-27 14:27 . 2007-12-27 14:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-27 14:27 . 2007-12-27 14:27 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-12-26 11:35 . 2007-12-26 13:37 <DIR> d-------- C:\VundoFix Backups
    2007-12-22 23:11 . 2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-12-21 23:45 . 2007-12-28 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
    2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
    2007-12-20 18:14 . 2007-12-27 14:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
    2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
    2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
    2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
    2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
    2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
    2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
    2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect
    2007-12-06 17:28 . 2007-12-27 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
    2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor
    2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks
    2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-28 18:37 --------- d-----w C:\Program Files\QuickTime
    2007-12-28 18:36 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2007-12-28 17:36 --------- d-----w C:\Program Files\Notebook Maximizer
    2007-12-28 17:36 --------- d-----w C:\Program Files\ltmoh
    2007-12-28 17:35 --------- d-----w C:\Program Files\BitTorrent_DNA
    2007-12-28 04:35 94,208 ----a-w C:\WINDOWS\SM1BG.EXE
    2007-12-27 21:06 --------- d-----w C:\Program Files\Java
    2007-12-27 20:29 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE
    2007-12-27 20:15 --------- d-----w C:\Documents and Settings\****\Application Data\ScanSoft
    2007-12-27 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
    2007-12-27 20:11 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
    2007-12-27 20:01 --------- d-----w C:\Program Files\ScanSoft
    2007-12-27 19:20 --------- d-----w C:\Program Files\Intel
    2007-12-27 19:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\Intel
    2007-12-27 19:19 --------- d-----w C:\Documents and Settings\****\Application Data\Intel
    2007-12-27 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-12-23 04:50 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent DNA
    2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro
    2007-12-19 13:53 --------- d-----w C:\Program Files\eMule
    2007-12-19 03:47 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent
    2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN
    2007-11-18 20:14 --------- d-----w C:\Program Files\iNav
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile
    2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools
    2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2
    2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent
    2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000
    2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\****\GoToAssist_chat2way__317_en.exe
    2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\****\chatlnk.exe
    2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2007-12-24_20.40.45.99 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2005-04-24 00:42:47 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2007-12-28 03:57:21 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2005-04-24 00:42:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2007-12-28 03:57:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2005-04-24 00:42:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2007-12-28 03:57:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2007-04-28 21:51:02 110,360 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
    + 2007-12-28 04:05:07 194,320 ----a-w C:\WINDOWS\system32\drivers\klif.sys
    + 2007-04-04 19:58:26 24,344 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
    + 2007-06-28 17:50:52 22,457 ----a-w C:\WINDOWS\system32\drivers\klop.dat
    - 2007-04-10 00:33:01 200,936 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2007-12-27 20:22:14 200,144 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    - 2004-11-16 05:04:46 49,245 ----a-w C:\WINDOWS\system32\java.exe
    + 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
    - 2004-11-16 05:04:46 49,247 ----a-w C:\WINDOWS\system32\javaw.exe
    + 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
    - 2004-11-16 05:04:46 127,075 ----a-w C:\WINDOWS\system32\javaws.exe
    + 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
    + 2007-06-28 17:51:48 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD28BF7F-017F-4885-ABBC-406C3096AEEA}]
    2007-12-28 14:30 331776 --a------ C:\WINDOWS\system32\rqrpp.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
    "OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00]
    "SpriteService"="" []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
    "NDSTray.exe"="NDSTray.exe" []
    "AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]
    "TFncKy"="TFncKy.exe" []
    "TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]
    "HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-12-28 14:31]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]

    C:\Documents and Settings\****\Start Menu\Programs\Startup\
    Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34]
    PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]

    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
    "load"=C:\WINDOWS\system32\rqrpp.exe

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
    2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
    2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]
    C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]
    2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]
    C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe

    R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 02:00]
    R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys [2005-03-08 21:05]
    R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys [2005-03-08 20:54]
    R2 OneTouch 4.0 Monitor;OneTouch 4.0 Monitor;"C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe" [2006-08-28 00:58]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
    R3 pnetmdm;PdaNet Modem;C:\WINDOWS\system32\DRIVERS\pnetmdm.sys [2006-09-28 15:32]
    S3 pgfilter;pgfilter;C:\Program Files\PeerGuardian2\pgfilter.sys [2005-09-18 18:02]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}]
    \Shell\AutoRun\command - E:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}]
    \Shell\AutoRun\command - setupSNK.exe

    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-28 14:30:09
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\WINDOWS\system32\pprqr.ini2 319 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    Completion time: 2007-12-28 14:34:42 - machine was rebooted
    C:\ComboFix2.txt ... 2007-12-28 13:48
    C:\ComboFix3.txt ... 2007-12-28 12:59
    .
    2007-12-21 14:19:06 --- E O F ---
    Last edited by Shaba; 2008-01-26 at 12:24.

  8. #48
    Member
    Join Date
    Dec 2007
    Posts
    62

    Default

    Code:
    Ran on Fri 12/28/2007 - 14:35:35.43
    
    ----a-w           132,496 2007-12-28 19:30:23  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
    
     Entries:                1  (1)
     Directories:            0  Files:             1
     Bytes:            132,496  Blocks:          259



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:37:39 PM, on 12/28/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
    C:\WINDOWS\system32\svchost.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
    C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\HijackThis\psywzrd.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
    F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {BD28BF7F-017F-4885-ABBC-406C3096AEEA} - C:\WINDOWS\system32\rqrpp.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
    O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
    O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
    O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

    --
    End of file - 6519 bytes

  9. #49
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Almost there.

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Rootkit::
    C:\WINDOWS\system32\pprqr.ini2
    
    File::
    C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
    C:\WINDOWS\system32\rqrpp.exe
    C:\WINDOWS\system32\rqrpp.dll
    
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
    "load"=-
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD28BF7F-017F-4885-ABBC-406C3096AEEA}]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"=-
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
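
    Both CFScripts in this thread (the one in #44 and the one in #49) do the same three things: reset the LSA "Authentication Packages" value to its default, drop the win.ini "load=" autostart, and remove the unnamed BHO. As an added example (not part of the thread, and not ComboFix's or HijackThis's own code), here is a small Python checker that decodes the hex(7) value from the CFScript to confirm it restores just msv1_0, flags any extra LSA package in a ComboFix "Reg Loading Points" line, and picks out the three HijackThis indicators that mattered here (F3 load=, an O2 BHO with no name, and an executable with a space before its extension). The sample lines are copied from the logs posted above; the function names and the REGEDIT4/ANSI decoding assumption are mine.

```python
import re
from typing import Iterable, List, Tuple

# Windows ships with exactly one LSA authentication package. Anything else in
# this list is loaded into lsass.exe at boot, which is why the CFScript resets it.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def decode_reg_multi_sz(value: str) -> List[str]:
    """Decode a .reg-style hex(7) REG_MULTI_SZ value into its list of strings.

    Assumption: REGEDIT4 (ANSI) encoding, which matches the bytes in the CFScript:
    each string is NUL-terminated and the whole list ends with one extra NUL.
    Line continuations (backslash + newline) used by .reg files are tolerated.
    """
    if not value.startswith("hex(7):"):
        raise ValueError("not a hex(7) REG_MULTI_SZ value")
    cleaned = re.sub(r"[\s\\]", "", value[len("hex(7):"):])
    raw = bytes(int(b, 16) for b in cleaned.split(",") if b)
    parts = raw.decode("latin-1").split("\x00")
    return [p for p in parts if p]  # drop string and list terminators


def cfscript_restores_lsa_default(value: str) -> bool:
    """True if the hex(7) value from a CFScript puts the LSA list back to msv1_0 only."""
    return set(decode_reg_multi_sz(value)) == DEFAULT_AUTH_PACKAGES


def audit_lsa_packages(line: str) -> List[str]:
    """Return the non-default entries from a ComboFix 'Authentication Packages' line.

    ComboFix prints the REG_MULTI_SZ entries space-separated after the type name.
    """
    marker = "REG_MULTI_SZ"
    if marker not in line:
        return []
    packages = line.split(marker, 1)[1].split()
    return [p for p in packages if p.lower() not in DEFAULT_AUTH_PACKAGES]


# Patterns for the HijackThis lines that stood out in this thread.
_F3_LOAD = re.compile(r"^F3 - REG:win\.ini: load=(?P<path>.+)$")
_O2_NONAME = re.compile(r"^O2 - BHO: \(no name\) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# 'jusched .exe' style: a space inserted before the extension so the file no
# longer matches the legitimate name that other tools look for.
_SPACED_EXT = re.compile(r"\S \.(exe|dll|sys)\s*$", re.IGNORECASE)


def audit_hijackthis(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for the suspicious lines in a HijackThis log."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        line = line.strip()
        m = _F3_LOAD.match(line)
        if m:
            findings.append(("win.ini load= autostart", m.group("path")))
            continue
        m = _O2_NONAME.match(line)
        if m:
            findings.append(("unnamed BHO", m.group("path")))
            continue
        if _SPACED_EXT.search(line):
            findings.append(("space before extension", line))
    return findings


# Constructed sample: lines copied from the HijackThis log and CFScript above.
CFSCRIPT_LSA_VALUE = "hex(7):6d,73,76,31,5f,30,00,00"
COMBOFIX_LSA_LINE = r"Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp"
SAMPLE_HJT = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {BD28BF7F-017F-4885-ABBC-406C3096AEEA} - C:\WINDOWS\system32\rqrpp.dll
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
""".strip().splitlines()

if __name__ == "__main__":
    print("CFScript LSA value decodes to:", decode_reg_multi_sz(CFSCRIPT_LSA_VALUE))
    print("Extra LSA packages in ComboFix log:", audit_lsa_packages(COMBOFIX_LSA_LINE))
    for kind, detail in audit_hijackthis(SAMPLE_HJT):
        print(f"{kind}: {detail}")
```

    Run against the sample, the checker reports the extra LSA package C:\WINDOWS\system32\rqrpp, the load= autostart pointing at rqrpp.exe, the unnamed BHO backed by rqrpp.dll, and the renamed jusched .exe, while the legitimate SSVHelper BHO and the quoted jusched.exe Run entry are left alone.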

  10. #50
    Member
    Join Date
    Dec 2007
    Posts
    62

    Default

    ComboFix 07-12-21.4 - **** 2007-12-28 14:52:50.10 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.219 [GMT -5:00]
    Running from: C:\Documents and Settings\****\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\****\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
    C:\WINDOWS\system32\rqrpp.dll
    C:\WINDOWS\system32\rqrpp.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
    C:\WINDOWS\system32\pprqr.ini
    C:\WINDOWS\system32\pprqr.ini2
    C:\WINDOWS\system32\rqrpp.dll
    C:\WINDOWS\system32\rqrpp.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
    .

    2007-12-27 22:44 . 2007-12-27 23:03 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2007-12-27 22:44 . 2007-12-27 23:03 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2007-12-27 22:42 . 2007-12-27 22:42 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2007-12-27 22:42 . 2007-12-28 15:02 571,680 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-12-27 22:42 . 2007-12-28 15:00 22,304 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-12-27 22:42 . 2007-12-28 15:00 8,684 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2007-12-27 22:42 . 2007-12-28 15:00 3,140 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-12-27 22:39 . 2007-12-27 22:39 <DIR> d-------- C:\KAV
    2007-12-27 16:06 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2007-12-27 16:04 . 2007-12-27 16:04 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-12-27 14:27 . 2007-12-27 14:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-27 14:27 . 2007-12-27 14:27 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-12-26 11:35 . 2007-12-26 13:37 <DIR> d-------- C:\VundoFix Backups
    2007-12-22 23:11 . 2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-12-21 23:45 . 2007-12-28 14:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
    2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
    2007-12-20 18:14 . 2007-12-27 14:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
    2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
    2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
    2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
    2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
    2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
    2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
    2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect
    2007-12-06 17:28 . 2007-12-27 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
    2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor
    2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks
    2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-28 18:37 --------- d-----w C:\Program Files\QuickTime
    2007-12-28 18:36 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2007-12-28 17:36 --------- d-----w C:\Program Files\Notebook Maximizer
    2007-12-28 17:36 --------- d-----w C:\Program Files\ltmoh
    2007-12-28 17:35 --------- d-----w C:\Program Files\BitTorrent_DNA
    2007-12-28 04:35 94,208 ----a-w C:\WINDOWS\SM1BG.EXE
    2007-12-27 21:06 --------- d-----w C:\Program Files\Java
    2007-12-27 20:29 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE
    2007-12-27 20:15 --------- d-----w C:\Documents and Settings\****\Application Data\ScanSoft
    2007-12-27 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
    2007-12-27 20:11 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
    2007-12-27 20:01 --------- d-----w C:\Program Files\ScanSoft
    2007-12-27 19:20 --------- d-----w C:\Program Files\Intel
    2007-12-27 19:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\Intel
    2007-12-27 19:19 --------- d-----w C:\Documents and Settings\****\Application Data\Intel
    2007-12-27 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-12-23 04:50 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent DNA
    2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro
    2007-12-19 13:53 --------- d-----w C:\Program Files\eMule
    2007-12-19 03:47 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent
    2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN
    2007-11-18 20:14 --------- d-----w C:\Program Files\iNav
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile
    2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools
    2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2
    2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent
    2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000
    2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\****\GoToAssist_chat2way__317_en.exe
    2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\****\chatlnk.exe
    2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2007-12-24_20.40.45.99 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2005-04-24 00:42:47 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2007-12-28 03:57:21 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2005-04-24 00:42:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2007-12-28 03:57:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2005-04-24 00:42:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2007-12-28 03:57:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2007-04-28 21:51:02 110,360 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
    + 2007-12-28 04:05:07 194,320 ----a-w C:\WINDOWS\system32\drivers\klif.sys
    + 2007-04-04 19:58:26 24,344 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
    + 2007-06-28 17:50:52 22,457 ----a-w C:\WINDOWS\system32\drivers\klop.dat
    - 2007-04-10 00:33:01 200,936 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2007-12-27 20:22:14 200,144 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    - 2004-11-16 05:04:46 49,245 ----a-w C:\WINDOWS\system32\java.exe
    + 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
    - 2004-11-16 05:04:46 49,247 ----a-w C:\WINDOWS\system32\javaw.exe
    + 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
    - 2004-11-16 05:04:46 127,075 ----a-w C:\WINDOWS\system32\javaws.exe
    + 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
    + 2007-06-28 17:51:48 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
    "OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00]
    "SpriteService"="" []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
    "NDSTray.exe"="NDSTray.exe" []
    "AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]
    "TFncKy"="TFncKy.exe" []
    "TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]
    "HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" []
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]

    C:\Documents and Settings\Start Menu\Programs\Startup\
    Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34]
    PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
    2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
    2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]
    C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]
    2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]
    C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe

    R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 02:00]
    R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys [2005-03-08 21:05]
    R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys [2005-03-08 20:54]
    R2 OneTouch 4.0 Monitor;OneTouch 4.0 Monitor;"C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe" [2006-08-28 00:58]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
    R3 pnetmdm;PdaNet Modem;C:\WINDOWS\system32\DRIVERS\pnetmdm.sys [2006-09-28 15:32]
    S3 pgfilter;pgfilter;C:\Program Files\PeerGuardian2\pgfilter.sys [2005-09-18 18:02]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}]
    \Shell\AutoRun\command - E:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}]
    \Shell\AutoRun\command - setupSNK.exe

    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-28 15:03:22
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-28 15:06:18 - machine was rebooted
    C:\ComboFix2.txt ... 2007-12-28 14:34
    C:\ComboFix3.txt ... 2007-12-28 13:48
    .
    2007-12-21 14:19:06 --- E O F ---
    Last edited by Shaba; 2009-11-01 at 18:34.
