Malware Removal & HijackThis Logs

14-May-2008, 12:30 AM
#1
Solved: Help with AntiSpywareMaster removal

My PC has been infected with this piece of malware. I searched the posts and downloaded HJT and MBAM. First I installed HJT and captured this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:11 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\lotus\notes\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\WINDOWS\system32\ccmsetup\ccmsetup.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\AntiSpywareMaster\asm.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\turnbut\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://tv/tv/search/searchbar.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tv/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://tv
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Toyota Motor Sales, USA, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=tmsproxy.tms.toyota.com:80;https=tmsproxy.tms.toyota.com:80;gopher=tmsproxy.tms.toyota.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*.*;12.31.213.11;63.87.74.*;63.90.86.*;150.45.*.*;161.93.207.*;166.73.169.40;166.73.206.6;166.73.206.25;199.164.215.*;12.31.213.27;*.tms.toyota.com;cims.toyota.com;fleet.toyota.com;iqp.toyota.com;eqp.toyota.com;ist.toyota.com;est.toyota.com;iqp.tmsusa.com;eqp.tmsusa.com;ist.tmsusa.com;est.tmsusa.com;tv.tmsusa.com;ecollaborate.toyota.com;qptv;*.etoyota.com;FleetQA2K.toyota.com;*.tfsb.toyota.com;tfsstonline.toyota.com;tfsqponline.toyota.com;tfx.toyota.com;*.toyota.co.jp;*.Lexussurvey.toyota.com;*.floorplan-solutions.net;*.tmsnet.toyota.com;tis2.toyota.com;techinfo2.toyota.com;inotes.toyota.com;*.tfs.toyota.com;*.tcp.toyota.com;*.dev.toyota.com;*.test.toyota.com;*.qa.toyota.com;*.uat.toyota.com;*.toyotaworkout.com;uma.toyota.com;warranty.toyota.com;*.63.136.168.7;*.63.136.168.8;*.beta.toyota.com;cmms1.rjacmms.com;cmms2.rjacmms.com;12.195.4.22;12.195.4.23;ahs.probusiness.com;ahp.probusiness.com;<local>
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [ThpSrv] C:\WINDOWS\system32\thpsrv /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\system32\nvsysrot.dll,Disable
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
O4 - HKLM\..\Run: [d8414d34] rundll32.exe "C:\WINDOWS\system32\dfpapdre.dll",b
O4 - HKLM\..\Run: [BMdb727ea8] Rundll32.exe "C:\WINDOWS\system32\wueoxscc.dll",s
O4 - .DEFAULT User Startup: WMP 11 Settings.bat (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://tv
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: http://dealer.toyota.com
O15 - Trusted Zone: http://dealerdaily.tms.toyota.com
O15 - Trusted Zone: http://dealerdaily.toyotaworkout.com
O15 - Trusted Zone: http://tms.toyotaworkout.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: http://www.tvdrivethru.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1185304418703
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://investools.webex.com/client/...ex/ieatgpc.cab
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - http://tms.toyotaworkout.com/PortalA...pType=PrintCab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tms.toyota.com
O17 - HKLM\Software\..\Telephony: DomainName = tms.toyota.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tms.toyota.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tms.toyota.com
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\lotus\notes\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: System - Unknown owner - C:\WINDOWS\system32\System.exe (file missing)
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

--
End of file - 13060 bytes

Next I scanned with MBAM and had it remove all items. The log output was:

Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Quick Scan
Objects scanned: 47605
Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 3
Registry Keys Infected: 14
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 15

Memory Processes Infected:
c:\program files\antispywaremaster\asm.exe (Rogue.AntiSpyMaster) -> No action taken.

Memory Modules Infected:
C:\WINDOWS\system32\dfpapdre.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ssqQjIAr.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\awtqPgeb.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95c62477-df1d-430f-8874-223166a3c2c9} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{95c62477-df1d-430f-8874-223166a3c2c9} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\Software\AntiSpywareMaster (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtqpgeb (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiSpywareMaster (Rogue.AntiSpyMaster) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d8414d34 (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMdb727ea8 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ssqqjiar -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ssqqjiar -> No action taken.

Folders Infected:
C:\Program Files\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> No action taken.

Files Infected:
c:\program files\antispywaremaster\asm.exe (Rogue.AntiSpyMaster) -> No action taken.
C:\WINDOWS\system32\dfpapdre.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\erdpapfd.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ssqQjIAr.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\rAIjQqss.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\rAIjQqss.ini2 (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\turnbut\Local Settings\Temp\winvsnet.exe (Rogue.AntiSpyMaster) -> No action taken.
C:\Documents and Settings\turnbut\Local Settings\Temp\yazzsnet.exe (Adware.PurityScan) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\Uninstall AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> No action taken.
C:\WINDOWS\system32\wueoxscc.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\opnKeFxx.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\awtqPgeb.dll (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\turnbut\Desktop\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> No action taken.
C:\Documents and Settings\turnbut\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> No action taken.

More to follow.
14-May-2008, 12:32 AM
#2
Additional Information

Next I rebooted the system and ran MBAM again due to messages on start up about files "not being verified windows images". MBAM found two issues, which were removed, and produced the following log:

Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Quick Scan
Objects scanned: 47163
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ssqQjIAr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtqPgeb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Rebooted the machine, ran HJT, and produced this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:38 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\lotus\notes\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\WINDOWS\system32\ccmsetup\ccmsetup.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Documents and Settings\turnbut\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://tv/tv/search/searchbar.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tv/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://tv
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Toyota Motor Sales, USA, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=tmsproxy.tms.toyota.com:80;https=tmsproxy.tms.toyota.com:80;gopher=tmsproxy.tms.toyota.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*.*;12.31.213.11;63.87.74.*;63.90.86.*;150.45.*.*;161.93.207.*;166.73.169.40;166.73.206.6;166.73.206.25;199.164.215.*;12.31.213.27;*.tms.toyota.com;cims.toyota.com;fleet.toyota.com;iqp.toyota.com;eqp.toyota.com;ist.toyota.com;est.toyota.com;iqp.tmsusa.com;eqp.tmsusa.com;ist.tmsusa.com;est.tmsusa.com;tv.tmsusa.com;ecollaborate.toyota.com;qptv;*.etoyota.com;FleetQA2K.toyota.com;*.tfsb.toyota.com;tfsstonline.toyota.com;tfsqponline.toyota.com;tfx.toyota.com;*.toyota.co.jp;*.Lexussurvey.toyota.com;*.floorplan-solutions.net;*.tmsnet.toyota.com;tis2.toyota.com;techinfo2.toyota.com;inotes.toyota.com;*.tfs.toyota.com;*.tcp.toyota.com;*.dev.toyota.com;*.test.toyota.com;*.qa.toyota.com;*.uat.toyota.com;*.toyotaworkout.com;uma.toyota.com;warranty.toyota.com;*.63.136.168.7;*.63.136.168.8;*.beta.toyota.com;cmms1.rjacmms.com;cmms2.rjacmms.com;12.195.4.22;12.195.4.23;ahs.probusiness.com;ahp.probusiness.com;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: {0905430b-4db8-b8f8-3764-3c2e4390e0da} - {ad0e0934-e2c3-4673-8f8b-8bd4b0345090} - C:\WINDOWS\system32\babbhlvw.dll (file missing)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [ThpSrv] C:\WINDOWS\system32\thpsrv /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\system32\nvsysrot.dll,Disable
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - .DEFAULT User Startup: WMP 11 Settings.bat (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://tv
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: http://dealer.toyota.com
O15 - Trusted Zone: http://dealerdaily.tms.toyota.com
O15 - Trusted Zone: http://dealerdaily.toyotaworkout.com
O15 - Trusted Zone: http://tms.toyotaworkout.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: http://www.tvdrivethru.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1185304418703
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://investools.webex.com/client/...ex/ieatgpc.cab
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - http://tms.toyotaworkout.com/PortalA...pType=PrintCab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tms.toyota.com
O17 - HKLM\Software\..\Telephony: DomainName = tms.toyota.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tms.toyota.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tms.toyota.com
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\lotus\notes\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: System - Unknown owner - C:\WINDOWS\system32\System.exe (file missing)
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

--
End of file - 12961 bytes

Now the system seems to be clean and operating correctly. Can someone verify my conclusion? Thanks for a great forum.