PowerKord's vundo

Hi

Do you have a desktop image that you don’t want, or do you have one you placed there?

Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp

Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: (no name) - {19ED8902-29FA-4C2E-944D-945198BA0EEA} - C:\Program Files\Common Files\nipyC:\WINDOWS\System32\vt8\tycodllz83122.exe.dll (file missing)
O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\System32\rqrpmmn.dll
O20 - Winlogon Notify: rqrpmmn - C:\WINDOWS\SYSTEM32\rqrpmmn.dll

Close all other browsers/windows, click fix, close HJT.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.
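The three lines oldman asks to fix share one structure: two BHOs with no name, one of them orphaned ("file missing"), and a Winlogon Notify entry loading the same System32 DLL as the second BHO. A DLL registered as a Winlogon notification package is loaded into winlogon.exe as well as into Internet Explorer, which is the classic Vundo/Virtumonde persistence pair. As an added example (not part of oldman's post, and not a HijackThis feature), here is a small Python triage script that applies exactly those checks to HJT lines, plus the keylogger Run entry and the O24 desktop component that come up later in the thread. The sample log is a constructed subset of the entries posted in this thread, written in HJT's own `HKLM\..\Run` syntax; the function names triage_hjt and lines_to_fix are my own.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

# Constructed sample: a subset of the HijackThis entries quoted in this thread,
# in HJT's own syntax (the forum rendering dropped the backslash in HKLM\..\Run).
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {19ED8902-29FA-4C2E-944D-945198BA0EEA} - C:\Program Files\Common Files\nipyC:\WINDOWS\System32\vt8\tycodllz83122.exe.dll (file missing)
O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\System32\rqrpmmn.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe
O20 - Winlogon Notify: rqrpmmn - C:\WINDOWS\SYSTEM32\rqrpmmn.dll
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/VINCEN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
"""

# Entry formats as HJT 2.0 prints them; the O2 path may carry a "(file missing)" suffix.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


def _basename(path):
    """Last path component, lower-cased, so System32 and SYSTEM32 spellings compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def triage_hjt(log_text):
    """Return Findings for the entry types a Vundo/Virtumonde cleanup looks at."""
    findings, bhos, notifies = [], [], []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = O2_RE.match(line)
        if m:
            bhos.append((m, line))
            if m["name"] == "(no name)":
                findings.append(Finding("O2", "unnamed BHO", line))
            if m["missing"]:
                findings.append(Finding("O2", "orphaned BHO (file missing)", line))
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append((m, line))
            continue
        m = O4_RE.match(line)
        if m and "keylogger" in m["name"].lower():
            findings.append(Finding("O4", "keylogger autostart", line))
            continue
        if line.startswith("O24 - "):
            findings.append(Finding("O24", "desktop component; confirm with the user before removing", line))
    # Vundo pattern: the same DLL registered as a BHO and as a Winlogon Notify package,
    # so it is loaded into both Internet Explorer and winlogon.exe.
    bho_dlls = {_basename(m["path"]) for m, _ in bhos}
    for m, line in notifies:
        if _basename(m["path"]) in bho_dlls:
            findings.append(Finding("O20", "Winlogon Notify DLL also registered as a BHO", line))
    return findings


def lines_to_fix(log_text):
    """The O2/O20 lines to tick in HJT before 'Fix checked', in log order, without duplicates."""
    return list(dict.fromkeys(f.line for f in triage_hjt(log_text)
                              if f.section in ("O2", "O20")))


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.section:<4} {f.reason:<55} {f.line}")
    print("\nLines to fix:")
    print("\n".join(lines_to_fix(SAMPLE_HJT_LOG)))
```

Run against the sample, lines_to_fix returns the same three lines oldman lists, in the same order. The pairing check is the one that matters: an unnamed BHO on its own is only a hint, but a DLL that is both a BHO and a Winlogon Notify package has no legitimate reason to exist on a home machine.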

Hi, oldman,

Thanks so much for your help! If you’d be so kind, please respond to each point, below, as necessary:

  1. Below is my newest HJT scan.

  2. Below in two separate posts are the results of my newest ComboFix scan.

  3. I’m not sure why or what you’re asking regarding a desktop image. Are you asking this based on having examined my HJT log? Please be more specific, though I can tell you that presently I have no desktop image set–assuming you mean a standard image like a .jpg or wallpaper. Is this what you refer to?

  4. Why do you suggest I run Cleanup? Just to protect my personal privacy, in view of the fact that I’m posting potentially intimate computing information online here?

  5. The only one of your instructions I have not followed is your recommendation that I run CleanUp.

  6. Why did Avast! Home Edition allow these viruses to enter my system? Does it reveal a weakness in Avast!? Is there a different or competing program that would have detected them, AND prevented them from infecting my system?

  7. BTW, while I’m writing you, would you kindly answer a related question? Why does this line appear in my log:

O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe

Is Ardamax running silently on my system?

Thanks so much, and I await your further instruction. Bear in mind, as well, that as I wrote in my initial posting, my system is apparently also infected with SmitFraud-C.CoreService. I have included that posting for your convenience at the end of this posting; it contains add’l detail regarding my initial efforts to rid myself of both these viruses.

Regards,

vince


ORIGINAL POSTING IN THIS FORUM


Re: Win32:TratBHO Wont go away!..help
« Reply #15 on: Yesterday at 10:27:59 PM »
Hello, oldman,

I also have a problem with WIN32:TratBHO (as well as SmitFraud-C.CoreService).

Upon detection by Avast!, I tried to delete the .dll file from within Avast!; the file name was awvvu.dll. I next got a series of Windows error messages indicating cannot find file, so apparently the file was deleted, though that did not solve the problem.

I ran SpyBot S & D, which did not seem to pick up the virus, but did flag SmitFraud-C.CoreService. Are the two related? I authorized SSD to scan upon boot to remove SmitFraud, but the boot scan took a long time and eventually stopped responding, so I killed it. I still have the SmitFraud.

I then looked for the .dll file itself in System32 but it was not there. What was there, however, was awvvu.exe, which I manually deleted. However, the virus appears to have created a new .dll, because Avast! is now detecting the virus in a different .dll file: iiigd.dll.

(About an hour later Avast! has just flagged another infected file in System32: geefd.dll, and after removing it to the Avast! virus chest, yet another file was flagged: khhgh.dll. These last two files had not yet been flagged, and perhaps did not yet exist, at the time I created my HJT log, below.)

admin - pls delete this post

NEWEST HJT LOG

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=l2test&key=8289fae155a967d95764045ed9e8ff96&ts=3e668bd9&A=0&B=1021273200000&C=1021273200000&D=0&I=6.0B4&L=&M=1021273200000&N=&O=A
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {19ED8902-29FA-4C2E-944D-945198BA0EEA} - C:\Program Files\Common Files\nipyC:\WINDOWS\System32\vt8\tycodllz83122.exe.dll (file missing)
O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\System32\rqrpmmn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [trackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ACDSee] C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip..{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 205.208.227.13 205.208.227.14
O17 - HKLM\System\CCS\Services\Tcpip..{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O20 - Winlogon Notify: rqrpmmn - C:\WINDOWS\SYSTEM32\rqrpmmn.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Nakido - Unknown owner - C:\WINDOWS\System32\nakido.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/VINCEN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg


End of file - 5736 bytes

NEWEST COMBOFIX LOG - PART I

ComboFix 08-01-10.2 - Vincent Christopher 2008-01-10 22:14:23.2 - NTFSx86
Running from: C:\Documents and Settings\Vincent Christopher\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
.

2008-01-10 22:22 . 2008-01-10 22:22 d-------- C:\TEMP\tn3
2008-01-10 22:21 . 2008-01-10 22:21 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-10 20:23 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 04:28 . 2008-01-10 07:00 189 --a------ C:\WINDOWS\wininit.ini
2008-01-09 22:37 . 2008-01-10 07:26 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-09 22:37 . 2008-01-10 07:26 114,688 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-09 22:10 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\vt8
2008-01-09 22:10 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\ob3
2008-01-09 22:10 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\nz0
2008-01-09 22:10 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\che9
2008-01-09 22:10 . 2008-01-09 22:10 86,016 --a------ C:\WINDOWS\system32\drivers\mrxsmbb.sys
2008-01-09 22:09 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\mp2
2008-01-09 22:09 . 2008-01-09 22:09 493,170 --a------ C:\TEMP\liHco0109.exe
2008-01-09 22:01 . 2008-01-09 22:01 d-------- C:\WINDOWS\system32\edcA01
2008-01-09 22:01 . 2008-01-09 22:01 d-------- C:\TEMP\Ryuan1
2007-12-13 15:07 . 2007-12-13 15:07 3,856 --a------ C:\WINDOWS\crmtemp1.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 07:41 --------- d-----w C:\Program Files\NoteTab Pro
2007-12-27 06:48 --------- d-----w C:\Program Files\Yahoo!
2007-12-26 16:17 --------- d-----w C:\Documents and Settings\Vincent Christopher\Application Data\Aim
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-25 08:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-19 17:21 --------- d-----w C:\Program Files\Viewpoint
2007-11-18 05:52 --------- d-----w C:\Program Files\AOD
2007-11-18 05:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-19 07:19 118,784 ----a-w C:\WINDOWS\SeaMonkeyUninstall.exe
2007-10-19 07:19 118,784 ----a-w C:\WINDOWS\GREUninstall.exe
2007-10-10 21:47 58,728 ----a-w C:\Documents and Settings\Vincent Christopher\Application Data\GDIPFONTCACHEV1.DAT
2007-04-01 20:06 0 ----a-w C:\Documents and Settings\Vincent Christopher\us145info.exe
2006-03-20 22:17 1,971,010 ----a-w C:\Documents and Settings\Vincent Christopher\mr_corporation.zip
.

((((((((((((((((((((((((((((( snapshot@2008-01-10_20.41.36.84 )))))))))))))))))))))))))))))))))))))))))
.

+ 2008-01-11 03:21:48 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

NEWEST COMBOFIX LOG - PART II

Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]
"ACDSee"="C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-10 07:26 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-10 07:26 114688]
"LTSMMSG"="LTSMMSG.exe" [2001-08-02 10:28 45056 C:\WINDOWS\LTSMMSG.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe"
"UC_SMB"=""
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2008-01-10 07:26 32835]
"TrackPointSrv"="tp4serv.exe" [2002-12-03 03:09 87552 C:\WINDOWS\system32\tp4serv.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 07:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2008-01-10 07:27 32873]
"Ardamax Keylogger"="C:\Program Files\Ardamax Keylogger Lite\akl.exe"
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-11-26 01:35 94208]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-10-23 18:59:29]
HyperSnap 6.lnk - C:\Program Files\HyperSnap 6\HprSnap6.exe [2007-08-13 04:18:08]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}”= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

R1 CSMBATT;CSMBATT;C:\WINDOWS\System32\drivers\CSMBATT.SYS [2003-02-10 11:39]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2001-07-30 04:05]
R1 mrxsmbb;mrxsmbb;C:\WINDOWS\System32\drivers\mrxsmbb.sys [2008-01-09 22:10]
R1 nbmkmd;nbmkmd;C:\WINDOWS\System32\drivers\nbmkmd.sys [1998-12-30 17:28]
R1 TDOEM;TDOEM;C:\WINDOWS\System32\Drivers\TDOEM.SYS [2003-11-26 01:35]
R2 Nakido;Nakido;C:\WINDOWS\System32\nakido.exe [2004-09-29 23:07]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\System32\drivers\Vch.sys [2002-07-31 09:12]
R3 EPPSCSIx;EPPSCSI Driver;C:\WINDOWS\System32\DRIVERS\EPPSCAN.sys [2002-03-06 13:20]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\System32\DRIVERS\tp4track.sys [2002-12-03 03:09]
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys [2001-08-02 10:28]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\System32\drivers\MA763004.sys
S3 MADFU804;MADFU804;C:\WINDOWS\System32\DRIVERS\MADFU804.sys
S3 NUVision;Georgia USBVision (VD400);C:\WINDOWS\System32\DRIVERS\NUVision.sys [2001-09-16 11:32]
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\System32\drivers\PCDRDRV.sys

.
Contents of the 'Scheduled Tasks' folder
"2006-12-09 08:29:46 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 22:22:42
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
→ C:\Program Files\HyperSnap 6\dxsnap.dll
.
Completion time: 2008-01-10 22:27:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-11 03:27:24
ComboFix2.txt 2008-01-11 01:42:07

  1. Below is my newest HJT scan.

Did you fix the lines as requested? The log looks the same. Did you run it after you ran combofix?

  2. Below in two separate posts are the results of my newest ComboFix scan.

I need the results from the first run also. You can find it at C:\combofix under ComboFix-quarantined-files.txt. It will be Combofix1.txt.

  3. I’m not sure why or what you’re asking regarding a desktop image. Are you asking this based on having examined my HJT log? Please be more specific, though I can tell you that presently I have no desktop image set–assuming you mean a standard image like a .jpg or wallpaper. Is this what you refer to?

It’s the O24 line in your HJT. Some people have images as a desktop component that they put there themselves, so I ask before removing it.

  4. Why do you suggest I run Cleanup? Just to protect my personal privacy, in view of the fact that I’m posting potentially intimate computing information online here?

To clean out the temp folder, places this crud likes to hide.

  5. The only one of your instructions I have not followed is your recommendation that I run CleanUp.

  6. Why did Avast! Home Edition allow these viruses to enter my system? Does it reveal a weakness in Avast!? Is there a different or competing program that would have detected them, AND prevented them from infecting my system?

No AV will catch it all. Some have better detection than others. Right now I’m looking at threads with Norton and McAfee, some with the same problem.

Thanks so much, and I await your further instruction. Bear in mind, as well, that as I wrote in my initial posting, my system is apparently also infected with SmitFraud-C.CoreService. I have included that posting for your convenience at the end of this posting; it contains add’l detail regarding my initial efforts to rid myself of both these viruses.

Yes, I saw that and want to be certain we need smitfraudfix.

Please submit the following files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\System32\DRIVERS\MADFU804.sys
C:\WINDOWS\System32\drivers\mrxsmbb.sys
C:\Documents and Settings\Vincent Christopher\us145info.exe
C:\WINDOWS\crmtemp1.dat

scroll down a bit and click “send file”, wait for the results and post them in your next reply.

Rerun HJT and post the log. The files referenced in HJT are not in the combofix log.

Thanks
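Before pasting paths into an online scanner it is worth checking locally that each file can actually be read and submitted. Two of the four files above have a visible reason to fail: the Find3M report lists us145info.exe at 0 bytes, and mrxsmbb.sys is a running R1 driver, so the kernel may hold its image open. Recording a SHA-256 at the same time lets the scanner's result be matched back to the exact file later. As an added example (not part of oldman's post and not VirusTotal's own tooling), here is a Python script that performs that pre-submission triage. The temp-directory files it creates are constructed stand-ins for three of the posted paths, with made-up contents; the function names triage_file, triage_all and format_report are my own.

```python
import hashlib
import os
import tempfile

# Status values a submission checklist cares about.
MISSING, EMPTY, LOCKED, OK = "missing", "empty", "locked", "ok"


def triage_file(path, chunk_size=64 * 1024):
    """Report whether a file can actually be submitted to an online scanner.

    Returns a dict with keys path, status, size, sha256.  'empty' and 'locked'
    are the two local causes of a scanner answering "0 bytes received":
    the file really is zero bytes, or the OS refused to let us read it
    (for example a driver image held open by the running kernel).
    """
    if not os.path.isfile(path):
        return {"path": path, "status": MISSING, "size": None, "sha256": None}
    size = os.path.getsize(path)
    if size == 0:
        return {"path": path, "status": EMPTY, "size": 0,
                "sha256": hashlib.sha256(b"").hexdigest()}
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                digest.update(chunk)
    except OSError as exc:
        return {"path": path, "status": LOCKED, "size": size,
                "sha256": None, "error": str(exc)}
    return {"path": path, "status": OK, "size": size, "sha256": digest.hexdigest()}


def triage_all(paths):
    """Triage every candidate path, keeping input order so output lines up with the list."""
    return [triage_file(p) for p in paths]


def format_report(results):
    """One line per file, suitable for pasting back into a forum reply."""
    lines = []
    for r in results:
        size = "-" if r["size"] is None else str(r["size"])
        lines.append(f"{r['status']:<8} {size:>10}  {r['sha256'] or '-'}  {r['path']}")
    return "\n".join(lines)


def demo():
    """Build constructed stand-ins for three of the posted paths in a temp dir."""
    tmp = tempfile.mkdtemp(prefix="vt-triage-")
    readable = os.path.join(tmp, "crmtemp1.dat")
    with open(readable, "wb") as fh:
        fh.write(b"abc")                 # constructed content, not the real file
    empty = os.path.join(tmp, "us145info.exe")
    open(empty, "wb").close()            # zero bytes, like the Find3M entry
    missing = os.path.join(tmp, "MADFU804.sys")   # deliberately never created
    return triage_all([readable, empty, missing])


if __name__ == "__main__":
    print(format_report(demo()))
```

A 'locked' result on a driver file means the upload will also come back as 0 bytes from the browser; in that case the file has to be copied from outside the running system (a boot CD, or the copy ComboFix put in its quarantine folder) before it can be submitted.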

Hello oldman,
Can you help me resolve my wind32 bhd kd problem? My forum topic is:
http://forum.avast.com/index.php?topic=32589.0

I would really appreciate your help, thanks.

Hi,

  1. My Avast! icon no longer appears in my system tray! I can’t really tell if the program is running or not. What happened, and what should I do? The program is still listed in Add/Remove Programs.

  2. I don’t seem to be getting the symptom of the infection I was getting before: my browser/Windows kept trying to log on, but that’s not happening anymore with SeaMonkey or FireFox, though I haven’t brought IE up in about 24 hours. Still, the logon attempts were occurring before, even when IE was not open.

Should I launch IE to see what happens?

  3. Re a desktop image, I have none set now, though I have in the past. I don’t know what that clip image refers to.

  4. Re the files to scan with VirusTotal:

C:\WINDOWS\System32\DRIVERS\MADFU804.sys - this file is apparently no longer present on my system.

mrxsmbb.sys - virustotal reports 0 bytes rec’d. Did not scan.

C:\Documents and Settings\Vincent Christopher\us145info.exe - also reports 0 bytes rec’d. Did not scan.

C:\WINDOWS\crmtemp1.dat - Scanned. No problems reported by any scanner.

  5. I did another ComboFix scan, then another HJT scan, in that order. Results below.

You indicated you needed to see my first CF scan. However, there is no path on my system C:\combofix. There is C:\QooBox, and contained there is a .txt file called ComboFix-quarantined-files.txt, printed below. There is no folder with that name, nor is there any document combofix1.txt, only combofix2.txt.

ComboFix-quarantined-files.txt:

2004-08-15 03:12 1074 --a------ C:\Qoobox\Quarantine\C\WINDOWS\inf\ultra.inf.vir
2004-08-15 03:12 143 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Vincent Christopher\Application Data\ultra\uninstall.bat.vir
2007-04-16 09:39 1100654 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Vincent Christopher\Application Data\Install.dat.vir
2007-09-23 20:05 279600 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pac.txt.vir
2008-01-09 00:44 28747 --a------ C:\Qoobox\Quarantine\C\TEMP\1cb\syscheck.log.vir
2008-01-09 22:01 41472 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rqrpmmn.dll.vir
2008-01-09 22:06 41472 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkkjif.dll.vir
2008-01-10 01:33 340480 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\RCX18.tmp.vir
2008-01-10 05:34 410112 --a------ C:\Qoobox\Quarantine\C\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe.vir
2008-01-10 05:34 456192 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\hkcmd.exe.vir
2008-01-10 05:34 497152 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\igfxtray.exe.vir
2008-01-10 05:35 13312 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ctfmon .exe.vir
2008-01-10 05:35 340480 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\RCX19.tmp.vir
2008-01-10 05:35 373248 --a------ C:\Qoobox\Quarantine\C\Program Files\Java\j2re1.4.2_01\bin\jusched.exe.vir
2008-01-10 05:35 373248 --a------ C:\Qoobox\Quarantine\C\Program Files\ThinkPad\Utilities\TpKmapMn.exe.vir
2008-01-10 05:35 446464 --a------ C:\Qoobox\Quarantine\C\Program Files\Alwil Software\Avast4\ashDisp.exe.vir
2008-01-10 07:17 7323 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\uvvwa.ini.vir
2008-01-10 07:17 7323 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\uvvwa.ini2.vir
2008-01-10 07:26 69632 --a------ C:\Qoobox\Quarantine\C\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR .exe.vir
2008-01-10 07:27 79224 --a------ C:\Qoobox\Quarantine\C\Program Files\Alwil Software\Avast4\ashDisp .exe.vir
2008-01-10 20:33 197182 --a------ C:\Qoobox\Quarantine\catchme2008-01-10_203650.86.zip
2008-01-10 20:35 932 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.cache.dsk.vir
2008-01-10 22:19 188 --a------ C:\Qoobox\Quarantine\catchme2008-01-10_222211.94.zip
2008-01-10 22:19 2012 --a------ C:\Qoobox\Quarantine\C\ComboFix\errdbg.dat.vir
2008-01-10 22:19 656 --a------ C:\Qoobox\Quarantine\catchme.log

  6. Before doing any of the above, I performed a CleanUp scan.

Thanks, again. I await your further instruction. We also have yet to address my SmitFraud issue.

Best,

vince

LATEST CF SCAN – 01-11-08

ComboFix 08-01-10.2 - Vincent Christopher 2008-01-11 18:34:59.3 - NTFSx86
Running from: C:\Documents and Settings\Vincent Christopher\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
.

2008-01-11 18:44 . 2008-01-11 18:44 d-------- C:\TEMP\tn3
2008-01-11 18:42 . 2008-01-11 18:42 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-10 20:23 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 04:28 . 2008-01-10 07:00 189 --a------ C:\WINDOWS\wininit.ini
2008-01-09 22:37 . 2008-01-10 07:26 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-09 22:37 . 2008-01-10 07:26 114,688 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-09 22:10 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\vt8
2008-01-09 22:10 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\ob3
2008-01-09 22:10 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\nz0
2008-01-09 22:10 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\che9
2008-01-09 22:10 . 2008-01-09 22:10 86,016 --a------ C:\WINDOWS\system32\drivers\mrxsmbb.sys
2008-01-09 22:09 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\mp2
2008-01-09 22:01 . 2008-01-09 22:01 d-------- C:\WINDOWS\system32\edcA01
2007-12-13 15:07 . 2007-12-13 15:07 3,856 --a------ C:\WINDOWS\crmtemp1.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 07:41 --------- d-----w C:\Program Files\NoteTab Pro
2007-12-27 06:48 --------- d-----w C:\Program Files\Yahoo!
2007-12-26 16:17 --------- d-----w C:\Documents and Settings\Vincent Christopher\Application Data\Aim
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-25 08:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-19 17:21 --------- d-----w C:\Program Files\Viewpoint
2007-11-18 05:52 --------- d-----w C:\Program Files\AOD
2007-11-18 05:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-19 07:19 118,784 ----a-w C:\WINDOWS\SeaMonkeyUninstall.exe
2007-10-19 07:19 118,784 ----a-w C:\WINDOWS\GREUninstall.exe
2007-10-10 21:47 58,728 ----a-w C:\Documents and Settings\Vincent Christopher\Application Data\GDIPFONTCACHEV1.DAT
2007-04-01 20:06 0 ----a-w C:\Documents and Settings\Vincent Christopher\us145info.exe
2006-03-20 22:17 1,971,010 ----a-w C:\Documents and Settings\Vincent Christopher\mr_corporation.zip
.

((((((((((((((((((((((((((((( snapshot@2008-01-10_20.41.36.84 )))))))))))))))))))))))))))))))))))))))))
.

+ 2008-01-11 23:43:25 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]
"ACDSee"="C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-10 07:26 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-10 07:26 114688]
"LTSMMSG"="LTSMMSG.exe" [2001-08-02 10:28 45056 C:\WINDOWS\LTSMMSG.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe"
"UC_SMB"=""
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2008-01-10 07:26 32835]
"TrackPointSrv"="tp4serv.exe" [2002-12-03 03:09 87552 C:\WINDOWS\system32\tp4serv.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 07:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2008-01-10 07:27 32873]
"Ardamax Keylogger"="C:\Program Files\Ardamax Keylogger Lite\akl.exe"
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-11-26 01:35 94208]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-10-23 18:59:29]
HyperSnap 6.lnk - C:\Program Files\HyperSnap 6\HprSnap6.exe [2007-08-13 04:18:08]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}”= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

R1 CSMBATT;CSMBATT;C:\WINDOWS\System32\drivers\CSMBATT.SYS [2003-02-10 11:39]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2001-07-30 04:05]
R1 mrxsmbb;mrxsmbb;C:\WINDOWS\System32\drivers\mrxsmbb.sys [2008-01-09 22:10]
R1 nbmkmd;nbmkmd;C:\WINDOWS\System32\drivers\nbmkmd.sys [1998-12-30 17:28]
R1 TDOEM;TDOEM;C:\WINDOWS\System32\Drivers\TDOEM.SYS [2003-11-26 01:35]
R2 Nakido;Nakido;C:\WINDOWS\System32\nakido.exe [2004-09-29 23:07]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\System32\drivers\Vch.sys [2002-07-31 09:12]
R3 EPPSCSIx;EPPSCSI Driver;C:\WINDOWS\System32\DRIVERS\EPPSCAN.sys [2002-03-06 13:20]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\System32\DRIVERS\tp4track.sys [2002-12-03 03:09]
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys [2001-08-02 10:28]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\System32\drivers\MA763004.sys
S3 MADFU804;MADFU804;C:\WINDOWS\System32\DRIVERS\MADFU804.sys
S3 NUVision;Georgia USBVision (VD400);C:\WINDOWS\System32\DRIVERS\NUVision.sys [2001-09-16 11:32]
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\System32\drivers\PCDRDRV.sys

.
Contents of the 'Scheduled Tasks' folder
"2006-12-09 08:29:46 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 18:44:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
→ C:\Program Files\HyperSnap 6\dxsnap.dll
.
Completion time: 2008-01-11 18:49:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-11 23:49:27
ComboFix2.txt 2008-01-11 03:27:31
ComboFix3.txt 2008-01-11 01:42:07

LATEST HJT SCAN – 01-11-08

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:19 PM, on 1/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\System32\nakido.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Vincent Christopher\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=l2test&key=8289fae155a967d95764045ed9e8ff96&ts=3e668bd9&A=0&B=1021273200000&C=1021273200000&D=0&I=6.0B4&L=&M=1021273200000&N=&O=A
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [trackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ACDSee] C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 205.208.227.13 205.208.227.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Nakido - Unknown owner - C:\WINDOWS\System32\nakido.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/VINCEN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg


End of file - 4969 bytes
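An added triage example (not part of this thread's posts): a small Python pass over lines copied from the HJT log above, flagging the kinds of entries the helper keys on (Run entries that name a bare filename, services with "Unknown owner", name servers to verify, a desktop component loaded from a Temp folder). The flagging rules and the trusted-resolver set are my assumptions, not HijackThis logic.

```python
"""Triage pass over HijackThis (HJT) log lines.

Added example for this thread, not code from the original post or from HJT.
The flagging rules and the trusted resolver list are assumptions of this example.
"""
import re

# Constructed sample: a subset of lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [trackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 205.208.227.13 205.208.227.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Nakido - Unknown owner - C:\WINDOWS\System32\nakido.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/VINCEN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
"""

# Line shapes of the HJT sections this pass looks at.
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?\\Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
DESK_RE = re.compile(r"^O24 - Desktop Component \d+: .* - (?P<url>\S+)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def triage(log_text, trusted_nameservers=frozenset()):
    """Return a list of (section, reason, line) for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            tokens = cmd.split()
            # The first token is what runs; for a RunDll32 host, look at the DLL it loads.
            host = tokens[0].lower().startswith("rundll32") and len(tokens) > 1
            target = tokens[1] if host else tokens[0]
            if "\\" not in target:
                findings.append(("O4", f"[{name}] runs bare filename {target}, located via the search path; confirm which copy runs", line))
            if "keylog" in (name + cmd).lower():
                findings.append(("O4", f"[{name}] is a keylogger autostart; confirm it was installed deliberately", line))
            continue
        m = SVC_RE.match(line)
        if m:
            if m.group("owner") == "Unknown owner":
                findings.append(("O23", f"service {m.group('svc')} has no publisher; verify {m.group('path')}", line))
            continue
        m = DNS_RE.match(line)
        if m:
            for ip in IP_RE.findall(m.group("servers")):
                if ip not in trusted_nameservers:
                    findings.append(("O17", f"DNS server {ip} is not a known resolver; verify with the ISP", line))
            continue
        m = DESK_RE.match(line)
        if m and "/temp/" in m.group("url").lower():
            findings.append(("O24", "desktop component loads from a Temp folder", line))
    return findings


def count_by_section(findings):
    """Tally findings per HJT section code, e.g. {'O4': 3, 'O23': 2}."""
    counts = {}
    for section, _, _ in findings:
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```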

Ok, that’s what I was looking for. BTW, you can attach logs by using the extra options button on the reply page.

According to the logs, avast is running. For now, make a shortcut on your desktop. In Windows Explorer, go to this folder

c:\program files\alwil software\avast4

In the right panel, right click on ashdisp.exe, select Send To, Desktop (create shortcut). You will now have an icon on your desktop; double click it and the “a” icon should appear.

We’ll do this first, then we will look closer at the service I don’t like.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt”. Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

Killall::

File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\TEMP\liHco0109.exe

Folder::
C:\TEMP\tn3
C:\TEMP\Ryuan1

Look::
C:\WINDOWS\system32\vt8

This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Hello, oldman,

Ok, I performed the requested drag and drop. The result is below, in this post.

BTW, I’m wondering why Ardamax Keylogger is running. I installed it a long time ago but recall a problem; could it still be hanging around from my own installation? I’d like to uninstall or remove it.

Here is the CF result:

ComboFix 08-01-10.2 - Vincent Christopher 2008-01-11 22:16:30.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.180 [GMT -5:00]
Running from: C:\Documents and Settings\Vincent Christopher\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Vincent Christopher\Desktop\CFscript.txt

  • Created a new restore point

FILE
C:\TEMP\liHco0109.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))
.

2008-01-11 22:25 . 2008-01-11 22:25 d-------- C:\TEMP\tn3
2008-01-11 22:24 . 2008-01-11 22:24 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-10 20:23 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 04:28 . 2008-01-10 07:00 189 --a------ C:\WINDOWS\wininit.ini
2008-01-09 22:37 . 2008-01-10 07:26 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-09 22:37 . 2008-01-10 07:26 114,688 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-09 22:10 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\vt8
2008-01-09 22:10 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\ob3
2008-01-09 22:10 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\nz0
2008-01-09 22:10 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\che9
2008-01-09 22:10 . 2008-01-09 22:10 86,016 --a------ C:\WINDOWS\system32\drivers\mrxsmbb.sys
2008-01-09 22:09 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\mp2
2008-01-09 22:01 . 2008-01-09 22:01 d-------- C:\WINDOWS\system32\edcA01
2007-12-13 15:07 . 2007-12-13 15:07 3,856 --a------ C:\WINDOWS\crmtemp1.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 07:41 --------- d-----w C:\Program Files\NoteTab Pro
2007-12-27 06:48 --------- d-----w C:\Program Files\Yahoo!
2007-12-26 16:17 --------- d-----w C:\Documents and Settings\Vincent Christopher\Application Data\Aim
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-25 08:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-19 17:21 --------- d-----w C:\Program Files\Viewpoint
2007-11-18 05:52 --------- d-----w C:\Program Files\AOD
2007-11-18 05:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-19 07:19 118,784 ----a-w C:\WINDOWS\SeaMonkeyUninstall.exe
2007-10-19 07:19 118,784 ----a-w C:\WINDOWS\GREUninstall.exe
2007-10-10 21:47 58,728 ----a-w C:\Documents and Settings\Vincent Christopher\Application Data\GDIPFONTCACHEV1.DAT
2007-04-01 20:06 0 ----a-w C:\Documents and Settings\Vincent Christopher\us145info.exe
2006-03-20 22:17 1,971,010 ----a-w C:\Documents and Settings\Vincent Christopher\mr_corporation.zip
.

((((((((((((((((((((((((((((( snapshot@2008-01-10_20.41.36.84 )))))))))))))))))))))))))))))))))))))))))
.

  • 2008-01-11 01:26:42 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000001\NTUSER.DAT
  • 2008-01-12 03:15:57 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000001\NTUSER.DAT
  • 2008-01-11 01:26:42 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000002\UsrClass.dat
  • 2008-01-12 03:15:57 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000002\UsrClass.dat
  • 2008-01-11 01:26:42 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000003\NTUSER.DAT
  • 2008-01-12 03:15:59 6,291,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000003\ntuser.dat
  • 2008-01-11 01:26:42 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000004\UsrClass.dat
  • 2008-01-12 03:15:59 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000004\UsrClass.dat
  • 2008-01-11 01:26:44 6,291,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000005\ntuser.dat
  • 2008-01-12 03:15:59 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000005\NTUSER.DAT
  • 2008-01-11 01:26:44 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000006\UsrClass.dat
  • 2008-01-12 03:16:00 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000006\UsrClass.dat
  • 2008-01-11 01:26:58 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
  • 2008-01-12 03:16:16 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
  • 2008-01-12 03:25:24 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]
"ACDSee"="C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-10 07:26 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-10 07:26 114688]
"LTSMMSG"="LTSMMSG.exe" [2001-08-02 10:28 45056 C:\WINDOWS\LTSMMSG.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe"
"UC_SMB"=""
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2008-01-10 07:26 32835]
"TrackPointSrv"="tp4serv.exe" [2002-12-03 03:09 87552 C:\WINDOWS\system32\tp4serv.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 07:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2008-01-10 07:27 32873]
"Ardamax Keylogger"="C:\Program Files\Ardamax Keylogger Lite\akl.exe"
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-11-26 01:35 94208]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-10-23 18:59:29]
HyperSnap 6.lnk - C:\Program Files\HyperSnap 6\HprSnap6.exe [2007-08-13 04:18:08]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}”= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

R1 CSMBATT;CSMBATT;C:\WINDOWS\System32\drivers\CSMBATT.SYS [2003-02-10 11:39]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2001-07-30 04:05]
R1 mrxsmbb;mrxsmbb;C:\WINDOWS\System32\drivers\mrxsmbb.sys [2008-01-09 22:10]
R1 nbmkmd;nbmkmd;C:\WINDOWS\System32\drivers\nbmkmd.sys [1998-12-30 17:28]
R1 TDOEM;TDOEM;C:\WINDOWS\System32\Drivers\TDOEM.SYS [2003-11-26 01:35]
R2 Nakido;Nakido;C:\WINDOWS\System32\nakido.exe [2004-09-29 23:07]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\System32\drivers\Vch.sys [2002-07-31 09:12]
R3 EPPSCSIx;EPPSCSI Driver;C:\WINDOWS\System32\DRIVERS\EPPSCAN.sys [2002-03-06 13:20]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\System32\DRIVERS\tp4track.sys [2002-12-03 03:09]
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys [2001-08-02 10:28]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\System32\drivers\MA763004.sys
S3 MADFU804;MADFU804;C:\WINDOWS\System32\DRIVERS\MADFU804.sys
S3 NUVision;Georgia USBVision (VD400);C:\WINDOWS\System32\DRIVERS\NUVision.sys [2001-09-16 11:32]
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\System32\drivers\PCDRDRV.sys

.
Contents of the ‘Scheduled Tasks’ folder
“2006-12-09 08:29:46 C:\WINDOWS\Tasks\BMMTask.job”

  • C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 22:26:38
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
→ C:\Program Files\HyperSnap 6\dxsnap.dll
.
Completion time: 2008-01-11 22:31:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-12 03:31:30
ComboFix2.txt 2008-01-11 23:49:35
ComboFix3.txt 2008-01-11 03:27:31
ComboFix4.txt 2008-01-11 01:42:07

Hi PowerKord

How’s it going? I was just replying to you regarding the avast icon and saw your post.

I don’t know why the keylogger is running, go ahead and uninstall it if you wish.

I cannot find the missing file C:\WINDOWS\System32\DRIVERS\MADFU804.sys in the removed files. However, ashdisp was there as infected. I fear you may have also been hit with a nasty vundo variant, which attacks exes. Generally, ComboFix can repair them. If not, a section will appear in the logs and they can be repaired on the next run with the proper command.

Since you ran combofix twice before I saw the log, that option may be gone. But we can try before we search for smitfraud.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt”. Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

RENV::
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe

This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new DSS log.

A little info on the files. Remember, only the exe was removed, not the entire folder, so if you can, you could restore just the exe to the path shown and the program should work.

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

Related to ThinkPad; you might be able to recover it from a disk.

C:\WINDOWS\system32\ctfmon.exe

MS Office XP language bar; only important if you use it. Again, get the exe from the disk.

C:\Program Files\Alwil Software\Avast4\ashDisp.exe

avast icon; a repair of avast should replace it: Add/Remove Programs, Uninstall, scroll down to Repair.

Your choice of doing the comboscript and hoping the info is still there or just replacing the files. Let me know what you are going to do.

Hey, I should have added that the other exes were repaired, so don’t worry about them. ;D

I waited for you to reply in regard to your choice in trying to restore the 3 exe files. As I mentioned, they are easily restored by other means.

The vundo for the most part is gone. The one service may or may not be vundo. We may as well do a search for smitfraud, the service could be related. We’ll see when you post your results.

Please do the following before proceeding. You can post all 3 at the same time.

@echo off
dir "C:\WINDOWS\system32\vt8" >> look.txt
start look.txt

Save it to your desktop, name it look.bat, set the file type as All Files and click OK. You should have a file on your desktop with the icon shown at the bottom of this post.

Double click it; a Notepad window will appear. Save it to your desktop so you can attach it to your next reply.

@echo off
dir "C:\WINDOWS\system32\edcA01" >> look1.txt
start look1.txt

Save it to your desktop, name it look1.bat, set the file type as All Files and click OK. You should have a file on your desktop with the icon shown at the bottom of this post.

Double click it; a Notepad window will appear. Save it to your desktop so you can attach it to your next reply.

Please download SmitfraudFix (by S!Ri) to your Desktop.
Download this tool from: http://siri.urz.free.fr/Fix/SmitfraudFix.exe
Double-click Smitfraudfix.exe
Select option #1 - Search by typing 1 and press “Enter”; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply as an attachment. The report can be found at the root of the system drive, usually at C:\rapport.txt

IMPORTANT: Do NOT run any other options until you are asked to do so!

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a “RiskTool”; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert the user.

Here’s the CF log after plugging in your latest changes:

ComboFix 08-01-10.2 - Vincent Christopher 2008-01-12 1:10:50.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.170 [GMT -5:00]
Running from: C:\Documents and Settings\Vincent Christopher\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Vincent Christopher\Desktop\CFscript.txt

  • Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))
.

2008-01-12 01:19 . 2008-01-12 01:19 d-------- C:\TEMP\tn3
2008-01-11 22:24 . 2008-01-12 01:18 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-10 20:23 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 04:28 . 2008-01-10 07:00 189 --a------ C:\WINDOWS\wininit.ini
2008-01-09 22:37 . 2008-01-10 07:26 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-09 22:37 . 2008-01-10 07:26 114,688 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-09 22:10 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\vt8
2008-01-09 22:10 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\ob3
2008-01-09 22:10 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\nz0
2008-01-09 22:10 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\che9
2008-01-09 22:10 . 2008-01-09 22:10 86,016 --a------ C:\WINDOWS\system32\drivers\mrxsmbb.sys
2008-01-09 22:09 . 2008-01-09 22:10 d-------- C:\WINDOWS\system32\mp2
2008-01-09 22:01 . 2008-01-09 22:01 d-------- C:\WINDOWS\system32\edcA01
2007-12-13 15:07 . 2007-12-13 15:07 3,856 --a------ C:\WINDOWS\crmtemp1.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 05:48 --------- d-----w C:\Program Files\Yahoo!
2008-01-02 07:41 --------- d-----w C:\Program Files\NoteTab Pro
2007-12-26 16:17 --------- d-----w C:\Documents and Settings\Vincent Christopher\Application Data\Aim
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-25 08:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-19 17:21 --------- d-----w C:\Program Files\Viewpoint
2007-11-18 05:52 --------- d-----w C:\Program Files\AOD
2007-11-18 05:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-19 07:19 118,784 ----a-w C:\WINDOWS\SeaMonkeyUninstall.exe
2007-10-19 07:19 118,784 ----a-w C:\WINDOWS\GREUninstall.exe
2007-10-10 21:47 58,728 ----a-w C:\Documents and Settings\Vincent Christopher\Application Data\GDIPFONTCACHEV1.DAT
2007-04-01 20:06 0 ----a-w C:\Documents and Settings\Vincent Christopher\us145info.exe
2006-03-20 22:17 1,971,010 ----a-w C:\Documents and Settings\Vincent Christopher\mr_corporation.zip
.

((((((((((((((((((((((((((((( snapshot@2008-01-10_20.41.36.84 )))))))))))))))))))))))))))))))))))))))))
.

  • 2008-01-11 01:26:42 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000001\NTUSER.DAT
  • 2008-01-12 06:10:41 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000001\NTUSER.DAT
  • 2008-01-11 01:26:42 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000002\UsrClass.dat
  • 2008-01-12 06:10:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000002\UsrClass.dat
  • 2008-01-11 01:26:42 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000003\NTUSER.DAT
  • 2008-01-12 06:10:43 6,291,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000003\ntuser.dat
  • 2008-01-11 01:26:42 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000004\UsrClass.dat
  • 2008-01-12 06:10:43 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000004\UsrClass.dat
  • 2008-01-11 01:26:44 6,291,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000005\ntuser.dat
  • 2008-01-12 06:10:43 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000005\NTUSER.DAT
  • 2008-01-11 01:26:44 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000006\UsrClass.dat
  • 2008-01-12 06:10:43 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000006\UsrClass.dat
  • 2008-01-11 01:26:58 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
  • 2008-01-12 03:16:16 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
  • 2008-01-11 01:36:23 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5d4.dat
  • 2008-01-12 06:19:21 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]
"ACDSee"="C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-10 07:26 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-10 07:26 114688]
"LTSMMSG"="LTSMMSG.exe" [2001-08-02 10:28 45056 C:\WINDOWS\LTSMMSG.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe"
"UC_SMB"=""
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2008-01-10 07:26 32835]
"TrackPointSrv"="tp4serv.exe" [2002-12-03 03:09 87552 C:\WINDOWS\system32\tp4serv.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 07:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2008-01-10 07:27 32873]
"Ardamax Keylogger"="C:\Program Files\Ardamax Keylogger Lite\akl.exe"
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-11-26 01:35 94208]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-10-23 18:59:29]
HyperSnap 6.lnk - C:\Program Files\HyperSnap 6\HprSnap6.exe [2007-08-13 04:18:08]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}”= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

R1 CSMBATT;CSMBATT;C:\WINDOWS\System32\drivers\CSMBATT.SYS [2003-02-10 11:39]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2001-07-30 04:05]
R1 mrxsmbb;mrxsmbb;C:\WINDOWS\System32\drivers\mrxsmbb.sys [2008-01-09 22:10]
R1 nbmkmd;nbmkmd;C:\WINDOWS\System32\drivers\nbmkmd.sys [1998-12-30 17:28]
R1 TDOEM;TDOEM;C:\WINDOWS\System32\Drivers\TDOEM.SYS [2003-11-26 01:35]
R2 Nakido;Nakido;C:\WINDOWS\System32\nakido.exe [2004-09-29 23:07]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\System32\drivers\Vch.sys [2002-07-31 09:12]
R3 EPPSCSIx;EPPSCSI Driver;C:\WINDOWS\System32\DRIVERS\EPPSCAN.sys [2002-03-06 13:20]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\System32\DRIVERS\tp4track.sys [2002-12-03 03:09]
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys [2001-08-02 10:28]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\System32\drivers\MA763004.sys
S3 MADFU804;MADFU804;C:\WINDOWS\System32\DRIVERS\MADFU804.sys
S3 NUVision;Georgia USBVision (VD400);C:\WINDOWS\System32\DRIVERS\NUVision.sys [2001-09-16 11:32]
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\System32\drivers\PCDRDRV.sys

.
Contents of the ‘Scheduled Tasks’ folder
“2006-12-09 08:29:46 C:\WINDOWS\Tasks\BMMTask.job”

  • C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 01:20:11
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
→ C:\Program Files\HyperSnap 6\dxsnap.dll
.
Completion time: 2008-01-12 1:25:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-12 06:25:15
ComboFix2.txt 2008-01-12 03:31:37
ComboFix3.txt 2008-01-11 23:49:35
ComboFix4.txt 2008-01-11 03:27:31
ComboFix5.txt 2008-01-11 01:42:07