Google hijacked virus. plz help

moris
Joined: Nov 23, 2008
Posts: 2

Posted: Sun Nov 23, 2008 9:00 pm    Post subject: Google hijacked virus. plz help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:04:49 PM, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20900)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 6295 bytes



Whenever I do a search in the Google engine and try to click on the thing I am looking for, it sends me to a different site and a brand new tab opens.

It does something like this: http://go.google.com/?id=03ca5b08c4b758a2b307c85336da096a&aid=81&a...said=v3 and ends up at http://www.genialfinder.com/search44.php?keyword=nexon_cash

I have the following: SpywareBlaster, HijackThis, and SmitfraudFix.

I tried to install AVG; it didn't work and gave me errors. I tried to fix them and it still didn't work.

Please help.

greyknight17
Joined: Feb 03, 2003
Posts: 5674
Location: Brooklyn, NY

Posted: Mon Nov 24, 2008 7:32 pm

Welcome to Lockergnome.

Download Malwarebytes' Anti-Malware at http://www.besttechie.net/tools/mbam-setup.exe or http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html and double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


1. Download combofix at http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe or http://download.bleepingcomputer.com/sUBs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

moris
Joined: Nov 23, 2008
Posts: 2

Posted: Tue Dec 02, 2008 1:48 am
ComboFix 08-12-01.01 - moris 2008-12-01 22:54:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1164 [GMT -8:00]
Running from: c:\documents and settings\moris\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\moris\Application Data\.#
c:\documents and settings\moris\Application Data\.#\MBX@458@1483790.###
c:\documents and settings\moris\Application Data\.#\MBX@458@14837A0.###
c:\documents and settings\moris\Application Data\.#\MBX@6A0@1443790.###
c:\documents and settings\moris\Application Data\.#\MBX@6A0@14437A0.###
c:\documents and settings\moris\Application Data\.#\MBX@868@1483790.###
c:\documents and settings\moris\Application Data\.#\MBX@868@14837A0.###
c:\documents and settings\moris\Application Data\.#\MBX@8DC@383790.###
c:\documents and settings\moris\Application Data\.#\MBX@8DC@3837A0.###
c:\documents and settings\moris\Application Data\.#\MBX@B58@383790.###
c:\documents and settings\moris\Application Data\.#\MBX@B58@3837A0.###
c:\windows\system32\av.dat
c:\windows\system32\TDSSosvd.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-12-01 22:07 . 2008-12-01 22:07 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-01 22:07 . 2008-12-01 22:07 <DIR> d-------- c:\documents and settings\moris\Application Data\Malwarebytes
2008-12-01 22:07 . 2008-12-01 22:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-01 22:07 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-01 22:07 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-30 09:53 . 2008-11-30 09:55 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-23 23:15 . 2008-11-24 17:03 <DIR> d-------- C:\Netgame
2008-11-23 22:08 . 2008-11-23 22:08 <DIR> d-------- c:\documents and settings\moris\Application Data\InstallShield
2008-11-23 22:08 . 2008-11-23 22:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
2008-11-23 22:08 . 2007-04-27 11:12 78,784 --a------ c:\windows\system32\ISUSPM.cpl
2008-11-23 17:45 . 2008-11-23 17:45 0 --a------ c:\windows\nsreg.dat
2008-11-23 16:49 . 2008-11-23 16:49 <DIR> d-------- c:\program files\Trend Micro
2008-11-23 16:40 . 2008-11-23 16:42 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-23 16:40 . 2005-08-25 19:18 118,784 --a------ c:\windows\system32\MSSTDFMT.DLL
2008-11-23 12:48 . 2008-11-23 12:48 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-11-23 12:44 . 2008-11-23 12:44 <DIR> d-------- c:\documents and settings\moris\Application Data\AVGTOOLBAR
2008-11-21 16:09 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\2114c03b.dll
2008-11-21 16:09 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\1e87d1ec.dll
2008-11-21 16:09 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\29cbb61a.dll
2008-11-21 16:09 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\1a99748c.dll
2008-11-21 16:08 . 2008-10-04 05:07 3,851,784 --a------ c:\windows\system32\d3dx9_39.dll
2008-11-21 16:05 . 2008-10-04 05:07 3,851,784 --a------ C:\d3dx9_39.dll
2008-11-21 16:05 . 2007-07-19 04:14 3,727,720 --a------ C:\d3dx9_35.dll
2008-11-21 16:05 . 2008-10-31 04:53 39,936 --a------ C:\ca_dll.flt
2008-11-21 16:05 . 2008-08-15 00:56 34,816 --a------ C:\guid-gen.exe
2008-11-21 16:05 . 2008-10-21 02:15 30,208 --a------ C:\guid-tech.dll
2008-11-21 16:05 . 2008-11-14 22:45 19,456 --a------ C:\tgspub.flt
2008-11-21 16:05 . 2008-11-14 17:22 723 --a------ C:\settings.ini
2008-11-21 16:05 . 2008-10-07 21:37 528 --a------ C:\ca.ini
2008-11-21 15:58 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\40acf22.dll
2008-11-21 15:58 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\14c05934.dll
2008-11-21 15:58 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\fc28ba0.dll
2008-11-21 15:58 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\165335a8.dll
2008-11-20 23:10 . 2008-11-20 23:21 <DIR> d-------- C:\NVIDIA
2008-11-20 23:10 . 2008-11-12 13:45 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-11-20 22:51 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\fe42bad.dll
2008-11-20 22:51 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\1246c4c9.dll
2008-11-20 22:51 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\db2bc0.dll
2008-11-20 22:51 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\d93ac6c.dll
2008-11-20 22:48 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\3672b22c.dll
2008-11-20 22:48 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\111309d2.dll
2008-11-20 22:48 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\c107cbc.dll
2008-11-20 22:48 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\54f512d.dll
2008-11-20 18:37 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\4957ae8.dll
2008-11-20 18:37 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\2e7540d0.dll
2008-11-20 18:37 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\ae8f268.dll
2008-11-20 18:37 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\12bdf07e.dll
2008-11-20 18:18 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\68b7df.dll
2008-11-20 18:18 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\3051e882.dll
2008-11-20 18:18 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\b1bdc7e.dll
2008-11-20 18:18 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\213b9e8.dll
2008-11-20 17:58 . 2008-11-20 22:16 <DIR> d-------- C:\Nexon
2008-11-20 17:58 . 2008-11-20 23:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\NexonUS
2008-11-13 15:07 . 2008-11-13 15:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-13 14:58 . 2008-11-13 14:58 <DIR> d-------- c:\program files\Yahoo!
2008-11-12 03:11 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 03:11 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-03 20:33 . 2008-11-22 22:46 <DIR> d-------- c:\program files\Cheat Engine

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 01:26 68,096 --s---r c:\windows\system32\drivers\mszshcrwmwc.sys
2008-11-25 04:07 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-25 03:57 --------- d-----w c:\program files\Folder Lock 6
2008-11-24 06:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-24 06:08 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-27 18:38 95,056 ----a-w C:\DSETUP.dll
2008-10-27 18:37 1,692,496 ----a-w C:\dsetup32.dll
2008-10-27 18:36 526,160 ----a-w C:\DXSETUP.exe
2008-10-26 22:22 --------- d-----w c:\program files\vestgame
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-18 07:36 --------- d--h--w c:\documents and settings\moris\Application Data\ijjigame
2008-10-18 04:31 --------- d-----w c:\program files\Common Files\INCA Shared
2008-10-18 04:30 --------- d-----w c:\program files\NHN USA
2008-10-18 01:16 --------- d-----w c:\documents and settings\moris\Application Data\vlc
2008-10-18 01:13 --------- d-----w c:\program files\Softonic_English
2008-10-18 01:12 --------- d-----w c:\program files\VideoLAN
2008-10-17 12:58 --------- d-----w c:\program files\Windows Mobile Device Handbook
2008-10-17 12:58 --------- d-----w c:\program files\Microsoft ActiveSync
2008-10-16 03:58 --------- d-----w c:\documents and settings\moris\Application Data\AdobeUM
2008-10-16 02:29 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Intel
2008-10-16 02:26 --------- d-----w c:\program files\TOSHIBA
2008-10-16 02:25 --------- d-----w c:\program files\ltmoh
2008-10-16 02:21 --------- d-----w c:\documents and settings\moris\Application Data\Toshiba
2008-10-16 02:15 --------- d-----w c:\program files\Synaptics
2008-10-16 02:11 --------- d-----w c:\program files\Java
2008-10-16 02:10 --------- d-----w c:\program files\Common Files\Java
2008-10-16 01:59 --------- d-----w c:\program files\Sonic
2008-10-16 01:26 --------- d-----w c:\program files\Realtek
2008-10-16 01:23 --------- d-----w c:\program files\InterVideo
2008-10-16 01:22 21,275 ----a-w c:\windows\system32\drivers\AegisP.sys
2008-10-16 01:22 --------- d-----w c:\program files\Intel
2008-10-16 01:22 --------- d-----w c:\documents and settings\moris\Application Data\Intel
2008-10-16 01:22 --------- d-----w c:\documents and settings\All Users\Application Data\Intel
2008-10-16 01:20 --------- d-----w c:\program files\DVD-RAM
2008-10-16 01:18 --------- d-----w c:\program files\EnglishOtto
2008-10-16 01:16 --------- d-----w c:\program files\Atheros
2008-10-16 01:15 --------- d-----w c:\program files\Common Files\Adobe
2008-10-15 13:00 --------- d-----w c:\program files\microsoft frontpage
2008-10-15 12:54 --------- d-----w c:\program files\Windows Media Connect 2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-29 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 36975]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"PINGER"="c:\toshiba\IVP\ISM\pinger.exe" [2005-03-17 151552]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"NDSTray.exe"="NDSTray.exe" [BU]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 c:\windows\RTHDCPL.exe]
"CFSServ.exe"="CFSServ.exe" [BU]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 c:\windows\system32\TDispVol.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2008-10-15 155648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys []
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys []
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys []
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe []
S2 WinFl32;WinFl32;\??\c:\windows\system32\WinFl32.sys []
S2 WinVd32;WinVd32;\??\c:\windows\system32\WinVd32.sys []
S3 URZbMXtQG;URZbMXtQG;\??\c:\docume~1\moris\LOCALS~1\Temp\Rar$EX00.000\KBHM []
.
.
------- Supplementary Scan -------
.

c:\windows\Downloaded Program Files\mglaunch_USAv1002.exe - c:\windows\Downloaded Program Files\mglaunch_USAv1002.dll
O16 -: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE}
hxxp://ares.netgame.com/download/mglaunch_USAv1002.cab
c:\windows\Downloaded Program Files\mglaunch_USAv1002.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 22:57:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\URZbMXtQG]
"ImagePath"="\??\c:\docume~1\moris\LOCALS~1\Temp\Rar$EX00.000\KBHM"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\acs.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\wscntfy.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSBattM.exe
c:\progra~1\MICROS~2\rapimgr.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-12-01 22:59:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-02 06:59:04

Pre-Run: 142,542,417,920 bytes free
Post-Run: 142,604,992,512 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

237 --- E O F --- 2008-11-13 23:17:37

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

12/1/2008 10:41:52 PM
mbam-log-2008-12-01 (22-41-52).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 71287
Time elapsed: 23 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{930f1200-f5f1-4870-bac6-e233ec8e7023} (Adware.HumourCanineToolbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{930f1200-f5f1-4870-bac6-e233ec8e7023} (Adware.HumourCanineToolbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Softonic_English\Softonic_EnglishToolbarHelper.exe (Adware.HumourCanineToolbar) -> Quarantined and deleted successfully.
C:\Program Files\Softonic_English\tbSoft.dll (Adware.HumourCanineToolbar) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\brastk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wini10802.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSbqbx.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSbrsr.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSScfum.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSlxwp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSofxh.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSrhym.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSriqp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSStkdu.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Rootkit.Agent) -> Delete on reboot.
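The ComboFix and MBAM logs above contain the indicators a responder keys on: the URZbMXtQG service whose image lives under a Temp directory, a service whose binary is missing, hidden DLLs with random hex names dropped in system32 in pairs of identical size, Windows Firewall switched off, TDSS-named files and drivers, and a Winlogon\Userinit value that no longer points at userinit.exe. As an added example, not part of the original thread, the Python script below runs those checks over lines copied from the logs posted in this thread. The rule names, the function names and the assumed stock Userinit value (C:\WINDOWS\system32\userinit.exe,) are my own, not something the thread states; this is name-based triage of a text log, not a substitute for a rootkit scan on the live machine.

```python
import re
from collections import Counter

# Sample input: lines copied verbatim from the HijackThis, ComboFix and MBAM
# logs posted in this thread, embedded here so the script runs offline.
SAMPLE_LOG = r"""
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
2008-11-21 16:09 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\2114c03b.dll
2008-11-21 15:58 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\fc28ba0.dll
2008-11-21 16:08 . 2008-10-04 05:07 3,851,784 --a------ c:\windows\system32\d3dx9_39.dll
"EnableFirewall"= 0 (0x0)
S2 WinFl32;WinFl32;\??\c:\windows\system32\WinFl32.sys []
S3 URZbMXtQG;URZbMXtQG;\??\c:\docume~1\moris\LOCALS~1\Temp\Rar$EX00.000\KBHM []
"ImagePath"="\??\c:\docume~1\moris\LOCALS~1\Temp\Rar$EX00.000\KBHM"
-------\Service_TDSSserv.sys
C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
"""

# Assumption (mine, not stated in the thread): the stock Windows XP Userinit
# value is "C:\WINDOWS\system32\userinit.exe," and anything else is tampering.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

_FILE_MISSING = re.compile(r"^O23 - Service: .*\(file missing\)", re.I)
# ComboFix file entry: 9-character attribute field followed by the path.
_HIDDEN_HEX_DLL = re.compile(
    r"\s([-a-z]{9})\s+(c:\\windows\\system32\\[0-9a-f]{6,8}\.dll)$", re.I)
_FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
# ComboFix driver/service list (S0..S4, R0..R4) or a raw ImagePath value.
_TEMP_IMAGE = re.compile(r'^(?:[SR][0-4]\s|"ImagePath"=).*\\Temp\\', re.I)
_TDSS_NAME = re.compile(r"tdss", re.I)
_USERINIT = re.compile(r"Winlogon\\Userinit\b.*?Data:\s*(\S+)", re.I)


def hidden_random_dll(line):
    """Hidden attribute set and a short all-hex file name in system32."""
    m = _HIDDEN_HEX_DLL.search(line)
    return bool(m) and "h" in m.group(1).lower()


def userinit_tampered(line):
    """Winlogon\\Userinit pointing anywhere except the stock userinit.exe."""
    m = _USERINIT.search(line)
    return bool(m) and m.group(1).lower().rstrip(",") != EXPECTED_USERINIT


RULES = [
    ("service binary missing", _FILE_MISSING.search),
    ("hidden random-named DLL in system32", hidden_random_dll),
    ("Windows Firewall disabled", _FIREWALL_OFF.search),
    ("service/driver image under a Temp directory", _TEMP_IMAGE.search),
    ("TDSS-style artefact name", _TDSS_NAME.search),
    ("Winlogon Userinit tampered", userinit_tampered),
]


def triage(log_text):
    """Return (rule, line) pairs for every non-empty line that trips a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, check in RULES:
            if check(line):
                findings.append((name, line))
    return findings


def summarize(findings):
    """Count hits per rule, e.g. {'TDSS-style artefact name': 2, ...}."""
    return dict(Counter(name for name, _ in findings))


if __name__ == "__main__":
    for name, line in triage(SAMPLE_LOG):
        print(f"[{name}] {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run as-is it prints the nine findings from the embedded sample; to reuse it on a saved log, read the file and pass its text to triage(). The benign entries in the sample (the ConfigFree service, d3dx9_39.dll, the WinFl32 driver) trip nothing, which is the point of checking attributes and paths rather than just names.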
greyknight17
Joined: Feb 03, 2003
Posts: 5674
Location: Brooklyn, NY

Posted: Tue Dec 02, 2008 8:18 pm

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote:
Driver::
URZbMXtQG
File::
c:\windows\system32\drivers\mszshcrwmwc.sys
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\URZbMXtQG]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

All times are Eastern Time (US & Canada).