"System Integrity Scan Wizard" Malware Problem (Smitfraudfix) output - Part 1

[dsheuman]

"System Integrity Scan Wizard" Malware Problem (Smitfraudfix) output - Part 1

Hi All,

I, too, have the System Integrity Scan Wizard problem going on.

Any ideas of how to proceed would be welcome.

Thanks,
Danny

I've run SmitfraudFix.exe and here is the log file:

-------------------
SmitFraudFix v2.309

Scan done at 13:55:45.03, Mon 03/31/2008
Run from C:\temp\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Shiva\Shiva VPN Client\icsrv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\krdevctl.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Console\Kraidman.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ipmdsxen.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\CPdeSrvU.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Danny Heuman

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Danny Heuman\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DANNYH~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller - Packet Scheduler Miniport
DNS Server Search Order: 172.23.200.6
DNS Server Search Order: 172.23.200.4

HKLM\SYSTEM\CCS\Services\Tcpip\..\{659DFB9C-8072-47FF-A7B6-B983CDF0AFED}: DhcpNameServer=172.23.200.6 172.23.200.4
HKLM\SYSTEM\CS1\Services\Tcpip\..\{659DFB9C-8072-47FF-A7B6-B983CDF0AFED}: DhcpNameServer=172.23.200.6 172.23.200.4
HKLM\SYSTEM\CS3\Services\Tcpip\..\{659DFB9C-8072-47FF-A7B6-B983CDF0AFED}: DhcpNameServer=172.23.200.6 172.23.200.4
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=172.23.200.6 172.23.200.4
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=172.23.200.5 192.168.162.19
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=172.23.200.6 172.23.200.4
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=172.23.200.5 192.168.162.19
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=172.23.200.6 172.23.200.4
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=172.23.200.5 192.168.162.19


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

 

[dsheuman]

"System Integrity Scan Wizard" Malware Problem (ComboFix) output - Part 2

Here's the ComboFix output:

ComboFix 08-03-30.3 - Danny Heuman 2008-03-31 12:35:03.1 - NTFSx86
Running from: C:\temp\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Danny Heuman\Desktopblackbird.jpg
C:\Documents and Settings\Danny Heuman\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Danny Heuman\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Danny Heuman\Desktopfilemanagerclient.exe
C:\Documents and Settings\Danny Heuman\Desktopfkwp1.5.exe
C:\Documents and Settings\Danny Heuman\Desktopfkwp2.0.exe
C:\Documents and Settings\Danny Heuman\Desktopfwebd.exe
C:\Documents and Settings\Danny Heuman\DesktopFWebdEditor.exe
C:\Documents and Settings\Danny Heuman\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\Danny Heuman\Desktopvirii
C:\Documents and Settings\Danny Heuman\err.log
C:\Documents and Settings\Danny Heuman\g2mdlhlpx.exe
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\Installer\{4b35219e-7d58-4d32-b74e-928a811d32fc}\ChkWin.dll
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\norlatmx.exe
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\FTPx.dll
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\prsgrc.dll
C:\WINDOWS\system32akttzn.exe
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32h@tkeysh@@k.dll
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32msvchost.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32Rundl1.exe
C:\WINDOWS\system32smp
C:\WINDOWS\system32smp\msrc.exe
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\Web\def.htm
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-31 12:31 . 2008-03-31 12:31 1,603,483 --a------ C:\temp\ComboFix.exe
2008-03-31 11:33 . 2008-03-31 11:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-31 11:33 . 2008-03-31 11:33 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-31 11:33 . 2008-03-31 11:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-31 10:42 . 2008-03-31 10:42 <DIR> d-------- C:\RBC
2008-03-31 10:19 . 2008-03-31 11:16 <DIR> d-------- C:\temp\backups
2008-03-31 10:16 . 2008-03-31 10:16 1,308,216 --a------ C:\temp\HiJackThis_v2.exe
2008-03-31 09:38 . 2008-03-31 09:38 <DIR> d-------- C:\Program Files\PC-Cleaner
2008-03-29 23:50 . 2008-03-29 23:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-28 09:35 . 2008-03-28 09:37 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-28 09:35 . 2008-03-28 09:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-28 09:35 . 2008-03-28 09:35 <DIR> d-------- C:\Documents and Settings\Danny Heuman\Application Data\SUPERAntiSpyware.com
2008-03-28 09:35 . 2008-03-28 09:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-28 09:07 . 2008-03-28 09:07 98,304 --a------ C:\WINDOWS\system32\ipmdsxen.exe
2008-03-27 16:51 . 2008-03-28 09:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\rwbghiba
2008-03-27 16:51 . 2008-03-27 16:51 90,112 --a------ C:\WINDOWS\system32\rorcdwvc.exe
2008-03-27 16:50 . 2008-03-27 16:50 52 --a------ C:\xmp.bat
2008-03-26 12:21 . 2008-03-26 12:21 97,766 --a------ C:\PCCF2008-01-Unique_Enhanced_Sample.zip
2008-03-26 12:18 . 2008-03-26 12:19 25,600 --a------ C:\Concordance Tables 2008 - Variables.xls
2008-03-26 12:17 . 2008-03-26 12:18 78,848 --a------ C:\PCCF2008-01-Unique_Enhanced_Sample.xls
2008-03-24 14:48 . 2008-03-24 14:48 <DIR> d-------- C:\temp\attachments_2008_03_24
2008-03-24 14:32 . 2008-03-24 14:32 <DIR> d-------- C:\Documents and Settings\Danny Heuman\Downloads
2008-03-24 14:24 . 2008-03-24 14:24 28 --a------ C:\WINDOWS\DustKleen.INI
2008-03-24 14:21 . 2008-03-24 14:21 82 --a------ C:\WINDOWS\SuperUtil.ini
2008-03-20 13:41 . 2008-03-24 08:52 13,922,816 --a------ C:\Cara Update March 24 2008.ppt
2008-03-19 09:08 . 2008-03-31 10:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-19 09:08 . 2008-03-19 09:08 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-18 16:49 . 2008-03-18 16:51 <DIR> d-------- C:\temp\Life Insurance
2008-03-18 11:03 . 2008-03-18 11:03 1,356,800 --a------ C:\DA_DEP2008_Avginc.IND
2008-03-18 11:02 . 2008-03-18 11:03 188 --a------ C:\DA_DEP2008_Avginc.TAB
2008-03-18 11:01 . 2008-03-18 11:02 3,291,648 --a------ C:\DA_DEP2008_Avginc.xls
2008-03-14 16:11 . 2008-03-14 16:11 2,892,962 --a------ C:\temp\Census_CanPost_HH_APT-Comp_With_AllDAs_Including_TotalHHs.zip
2008-03-13 16:53 . 2008-03-13 16:53 <DIR> d-------- C:\Program Files\Spiderweb Software
2008-03-13 16:52 . 2008-03-13 16:52 <DIR> d-------- C:\Documents and Settings\Danny Heuman\Application Data\Downloaded Installations
2008-03-13 15:14 . 2008-03-13 15:14 <DIR> d-------- C:\Program Files\IDM Computer Solutions
2008-03-12 16:58 . 2008-03-12 16:58 10,581 --a------ C:\WINDOWS\SETUP.LST
2008-03-12 12:40 . 2008-03-07 15:03 71,184 --a------ C:\Enhanced PCCF 200801 White Paper.pdf
2008-03-11 15:11 . 2008-03-13 16:29 <DIR> d-------- C:\Downtown Postal Code Boundary
2008-03-07 17:17 . 2008-03-07 17:17 1,143 --a------ C:\Downtown Postal Code Boundary.zip
2008-03-06 16:29 . 2008-03-06 16:29 4,566,755 --a------ C:\GPL Reference Guide.pdf
2008-03-06 16:26 . 2008-03-06 16:26 35,484 --a------ C:\R_PlugIn_Install_Instructions_win.pdf
2008-03-04 12:26 . 2008-03-04 12:19 691,545 --a------ C:\WINDOWS\unins002.exe
2008-03-04 12:26 . 2008-03-04 12:26 2,549 --a------ C:\WINDOWS\unins002.dat
2008-03-03 12:54 . 2008-03-03 12:57 92,569 --a------ C:\SV2004_2007_Prizmne.sav
2008-03-03 12:51 . 2008-03-03 12:51 56,915 --a------ C:\SV2004_Prizmne.sav
2008-03-03 12:48 . 2008-03-03 12:52 52,929 --a------ C:\SV2007_Prizmne.sav
2008-02-20 13:18 . 2008-02-20 13:18 36,352 --a------ C:\NCL-Alaska.doc
2008-02-19 13:33 . 2008-02-19 13:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{E1B5311E-0EB0-46BB-9EBF-25CBF3A20B8A}
2008-02-19 13:30 . 2008-02-19 13:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{FCC22282-EEF1-4A8B-BCD3-AB8861F775DD}
2008-02-15 12:39 . 2008-02-15 12:39 <DIR> d-------- C:\temp\MapInfo_Professional_9.0_Portable
2008-02-15 11:06 . 2008-02-15 11:06 3,701,333 --a------ C:\temp\Portable_eMule_048a.exe
2008-02-12 10:37 . 2008-02-12 10:37 545,241 --a------ C:\temp\Autoruns.zip
2008-02-07 13:01 . 2008-02-07 13:01 <DIR> d-------- C:\WINDOWS\NU_DATA
2008-02-06 17:26 . 2008-02-06 17:26 <DIR> d-------- C:\Program Files\WebEx
2008-02-06 16:31 . 2006-11-13 02:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-02-06 16:31 . 2006-11-13 02:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2008-02-06 16:31 . 2006-11-13 02:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2008-02-01 11:08 . 2008-02-01 10:33 20,660 --a------ C:\Coding_Variables.sps
2008-02-01 00:13 . 2008-02-01 00:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-02-01 00:13 . 2008-02-01 00:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 14:59 --------- d-----w C:\Documents and Settings\Danny Heuman\Application Data\AdobeUM
2008-03-31 13:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-28 18:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-28 17:38 --------- d-----w C:\Documents and Settings\Danny Heuman\Application Data\GrabIt
2008-03-26 15:00 --------- d-----w C:\Program Files\SPSS16
2008-03-24 18:30 --------- d-----w C:\Documents and Settings\Danny Heuman\Application Data\Thinstall
2008-03-14 13:00 --------- d-----w C:\Program Files\UltraEdit
2008-03-13 16:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-13 15:58 0 ----a-w C:\Program Files\temp01
2008-03-04 19:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-04 19:43 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-29 21:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-29 21:01 --------- d--h--w C:\Program Files\Creative Installation Information
2008-02-29 21:01 --------- d-----w C:\Program Files\Creative
2008-02-26 18:55 --------- d-----w C:\Program Files\IrfanView
2008-02-12 14:11 --------- d-----w C:\Program Files\QuickTime
2008-02-12 14:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-08 17:01 183,361 ----a-w C:\WINDOWS\system32\atasnt40.dll
2008-02-05 17:38 --------- d-----w C:\Program Files\Agent
2008-01-31 20:50 --------- d-----w C:\Program Files\Apple Software Update
2008-01-31 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-30 20:43 --------- d-----w C:\Program Files\CardPlayer Poker
2008-01-30 19:41 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-01-30 19:41 --------- d-----w C:\Documents and Settings\Danny Heuman\Application Data\SystemRequirementsLab
2008-01-30 17:05 --------- d-----w C:\Program Files\Java
2008-01-30 16:57 --------- d-----w C:\Program Files\Common Files\Java
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2008-02-08 17:00 34,384 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
2008-02-08 17:00 94,872 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-22 09:13 68856]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-11-23 18:12 851968]
"lnkvkhdr"="C:\WINDOWS\system32\rorcdwvc.exe" [2008-03-27 16:51 90112]
"epggcojz"="C:\WINDOWS\system32\ipmdsxen.exe" [2008-03-28 09:07 98304]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-28 09:37 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2005-03-01 03:43 245760]
"000StTHK"="000StTHK.exe" [2001-06-23 07:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 08:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-07-26 07:41 1519616 C:\WINDOWS\system32\nwiz.exe]
"NVRotateSysTray"="rundll32.exe" [2004-08-04 08:00 33280 C:\WINDOWS\system32\rundll32.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 09:40 196608]
"DpUtil"="C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-06-28 23:11 155648]
"AGRSMMSG"="AGRSMMSG.exe" [2005-07-01 18:58 88201 C:\WINDOWS\agrsmmsg.exe]
"ThpSrv"="c:\WINDOWS\system32\thpsrv /logon" [ ]
"Kraidman"="C:\Program Files\TOSHIBA\TOSHIBA RAID\Console\Kraidman.exe" [2005-07-29 19:26 1126483]
"TFNF5"="TFNF5.exe" [2005-06-29 02:35 507904 C:\WINDOWS\system32\TFNF5.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 19:13 122880]
"TPSMain"="TPSMain.exe" [2005-08-09 22:22 315392 C:\WINDOWS\system32\TPSMain.exe]
"TPSODDCtl"="TPSODDCtl.exe" [2005-07-29 14:12 110592 C:\WINDOWS\system32\TPSODDCtl.exe]
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [2005-01-18 17:18 126976]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [2005-03-18 00:08 81920]
"TOSDCR"="TOSDCR.EXE" [2005-08-04 18:36 57344 C:\WINDOWS\system32\TOSDCR.exe]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 18:07 49152]
"TAudEffect"="C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe" [2005-07-08 17:59 344144]
"TFncKy"="TFncKy.exe" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 08:33 122941]
"OmniPass"="C:\Program Files\Softex\OmniPass\scureapp.exe" [2005-08-02 22:52 1863680]
"NDSTray.exe"="NDSTray.exe" []
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2005-05-18 18:57 188416]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-05-31 23:46 401408]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-06-03 02:31 385024]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-05-31 23:50 356352]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 02:21 90112]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 08:00 143360]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-22 11:50 29744]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]

C:\Documents and Settings\DANNYS3\ASPNET\Start Menu\Programs\Startup\
IEHOME.LNK - C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat [2005-12-21 04:00:34 298]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-03-29 10:52:01 1445904]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-16 09:36:51 124912]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-08-05 17:16:26 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"hbgLUuK7uc"= C:\Documents and Settings\All Users\Application Data\rwbghiba\tqdsdsdm.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"hbgLUuK7uc"= C:\Documents and Settings\All Users\Application Data\rwbghiba\tqdsdsdm.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-05-31 23:46 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2005-08-02 22:36 49152 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Shiva\\Shiva VPN Client\\ICDESK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SPSS16\\spss.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*isabledxpsp2res.dll,-22009

R0 KR10I;KR10I;C:\WINDOWS\system32\drivers\KR10I.sys [2005-06-28 10:35]
R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\WINDOWS\system32\DRIVERS\thpdrv.sys [2004-12-28 02:31]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\WINDOWS\system32\DRIVERS\Thpevm.SYS [2004-11-13 15:24]
R1 ICsrvr;VPN Client Protocol;C:\WINDOWS\system32\DRIVERS\ICsrvr.sys [2003-06-06 18:15]
R1 ICtdi;VPN Client TDI Driver;C:\WINDOWS\system32\DRIVERS\ictdi.sys [2003-06-06 18:14]
R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2004-06-16 14:08]
R2 ICService;Shiva VPN Client;C:\Program Files\Shiva\Shiva VPN Client\icsrv.exe [2003-06-06 18:31]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 08:00]
R3 ICvnic;VPN Client Virtual Adapter;C:\WINDOWS\system32\DRIVERS\ICvnic.sys [2003-06-06 18:14]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-06-10 00:26]
R3 TEchoCan;Toshiba Audio Effect;C:\WINDOWS\system32\DRIVERS\TEchoCan.sys [2005-07-15 00:15]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-22 11:50]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2004-05-17 18:18]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-18 13:09:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-20 01:03:12 C:\WINDOWS\Tasks\dannys differential backup.job"
- C:\WINDOWS\system32\ntbackup.exeRbackup
"2008-03-06 23:25:15 C:\WINDOWS\Tasks\dannys full backup.job"
- C:\WINDOWS\system32\ntbackup.exekbackup
"2008-03-31 16:30:03 C:\WINDOWS\Tasks\NOTEPAD.job"
- C:\WINDOWS\NOTEPAD.EXE
"2005-12-21 07:58:23 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2005-12-21 07:58:24 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 12:38:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-03-31 12:39:05
ComboFix-quarantined-files.txt 2008-03-31 16:38:48
Pre-Run: 8,637,935,616 bytes free
Post-Run: 8,624,447,488 bytes free
.
2008-03-20 13:02:49 --- E O F ---

 

[tashi]

Hello,

I merged your two topics, but I think you missed the stickies.

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)


Do NOT run 'fixes' before helpers have analyzed HJT/KAV scans

You might want to start a new topic with a link back to this one, as helpers look for threads with a zero response.

Best regards.