October 12th, 2008, 02:27 AM
#17
Well I'm not sure why it's been run 4 times, but I have had to exit it a few times because it wasn't running properly, so I rebooted and then it ran fine. I came here for help about one whole year ago on a Virtumonde problem, I used ComboFix in the process of removing it.
Anyway, here are the logs:
ComboFix 08-10-11.02 - CHRISTIAN 2008-10-12 16:59:08.5 - NTFSx86
Running from: C:\Documents and Settings\CHRISTIAN\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\CHRISTIAN\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\obmrgpab.exe
C:\WINDOWS\system32\wini104552502.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\vutmtmnk
C:\Program Files\guhaqdc
C:\WINDOWS\system32\obmrgpab.exe
C:\WINDOWS\system32\wini104552502.exe
.
((((((((((((((((((((((((( Files Created from 2008-09-12 to 2008-10-12 )))))))))))))))))))))))))))))))
.
2008-10-11 17:46 . 2008-10-11 17:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-11 17:46 . 2008-10-11 17:46 <DIR> d-------- C:\Documents and Settings\CHRISTIAN\Application Data\Malwarebytes
2008-10-11 17:46 . 2008-10-11 17:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-11 17:46 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-11 17:46 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-11 17:12 . 2004-08-04 16:00 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2008-10-11 17:12 . 2004-08-04 16:00 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2008-09-12 18:54 . 2008-09-12 19:27 22,040 --a------ C:\Documents and Settings\Guest\Application Data\data.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-12 06:13 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-10-11 00:20 --------- d-----w C:\Program Files\SwiftKit
2008-10-10 08:26 --------- d-----w C:\Program Files\Incomplete
2008-10-10 08:15 --------- d-----w C:\Program Files\LimeWire
2008-10-10 07:41 --------- d-----w C:\Program Files\Steam
2008-10-10 07:20 24 ----a-w C:\Documents and Settings\CHRISTIAN\jagex_runescape_preferences.dat
2008-10-03 13:58 22,040 ----a-w C:\Documents and Settings\CHRISTIAN\Application Data\data.dat
2008-09-22 08:20 --------- d-----w C:\Documents and Settings\CHRISTIAN\Application Data\Vidalia
2008-09-22 08:20 --------- d-----w C:\Documents and Settings\CHRISTIAN\Application Data\tor
2008-09-07 09:34 --------- d-----w C:\Documents and Settings\CHRISTIAN\Application Data\IcoFX
2008-09-07 08:15 --------- d-----w C:\Program Files\IcoFX 1.6
2008-09-07 03:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-07 01:48 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2008-09-07 01:48 --------- d-----w C:\Program Files\Microsoft Synchronization Services
2008-09-07 01:48 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-09-07 01:48 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-09-07 01:39 --------- d-----w C:\Program Files\Microsoft SDKs
2008-09-07 01:36 --------- d-----w C:\Program Files\Reference Assemblies
2008-09-07 01:36 --------- d-----w C:\Program Files\MSBuild
2008-08-28 12:02 --------- d-----w C:\Program Files\Vidalia Bundle
2008-08-26 14:30 --------- d-----w C:\Program Files\Devious Codeworks
2008-07-30 12:10 94,923 ----a-w C:\WINDOWS\IRC scanner Uninstaller.exe
2008-07-30 11:13 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-07-29 11:10 73,720 ----a-w C:\WINDOWS\system32\dxva2.dll
2008-07-29 11:10 493,048 ----a-w C:\WINDOWS\system32\evr.dll
2008-07-29 11:10 26,112 ----a-w C:\WINDOWS\system32\TsWpfWrp.exe
2008-07-29 10:35 326,160 ----a-w C:\WINDOWS\system32\PresentationHost.exe
2008-07-29 09:59 781,344 ----a-w C:\WINDOWS\system32\PresentationNative_v0300.dll
2008-07-29 09:59 43,544 ----a-w C:\WINDOWS\system32\PresentationHostProxy.dll
2008-07-29 09:59 161,296 ----a-w C:\WINDOWS\system32\UIAutomationCore.dll
2008-07-29 09:59 105,016 ----a-w C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2008-07-29 09:24 97,800 ----a-w C:\WINDOWS\system32\infocardapi.dll
2008-07-29 09:24 622,080 ----a-w C:\WINDOWS\system32\icardagt.exe
2008-07-29 09:24 11,264 ----a-w C:\WINDOWS\system32\icardres.dll
2008-07-25 01:16 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2008-07-25 01:16 83,968 ----a-w C:\WINDOWS\system32\mscories.dll
2008-07-25 01:16 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2008-07-25 01:16 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 12:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 12:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-04-07 10:14 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-11 14:26 34,665 ----a-w C:\Program Files\rsdeadst7.png
2007-05-20 11:30 652 --sha-w C:\WINDOWS\system32\2 rehctiwS dlroW.dat
2008-02-18 10:02 457 --sh--w C:\WINDOWS\system32\boothide.reg
2008-02-18 10:02 172 --sh--w C:\WINDOWS\system32\bootrun.reg
2007-08-06 07:52 641 --sha-w C:\WINDOWS\system32\vmw2divepacsenur.dat
2007-08-06 08:27 1,499 --sha-w C:\WINDOWS\system32\VMW_setiS_sratS_onroP.dat
2007-08-06 10:45 2,376 --sha-w C:\WINDOWS\system32\VMW_tuO_yaD_giB_seinniV.dat
.
----a-w 7,126,528 2002-05-25 06:17:22 C:\Documents and Settings\CHRISTIAN\My Documents\WHOLE\N64ROM\GBColor (with all pokemon roms) (Works great) .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"winsh"="C:\WINDOWS\system32\obmrgpab.exe" [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="launchapp" [X]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-07 761946]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-12 344064]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]
"DDWMon"="C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-26 299008]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"Toshiba Hotkey Utility"="C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" [2006-05-25 1773568]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-30 180269]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 1544192]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 49152]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-11-18 1115728]
"flockbox"="E:\My Lockbox\flockbox.exe" [N/A]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-09-16 368640]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"NDSTray.exe"="NDSTray.exe" [N/A]
"TPSMain"="TPSMain.exe" [2005-06-01 C:\WINDOWS\system32\TPSMain.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 C:\WINDOWS\agrsmmsg.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-18 C:\WINDOWS\RTHDCPL.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 C:\WINDOWS\system32\bthprops.cpl]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Privoxy.lnk - C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-21 250368]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-05-13 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12193:TCP"= 12193:TCP:BitComet 12193 TCP
"12193:UDP"= 12193:UDP:BitComet 12193 UDP
R0 MPRIFL;MPRIFL;C:\WINDOWS\system32\DRIVERS\MPRIFL.SYS [2007-04-17 17264]
R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys [2005-06-11 5504]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2006-01-13 31872]
R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2005-05-06 7936]
S2 AKEProtect;AKEProtect;C:\Program Files\Anti Keylogger Elite\AKEProtect.sys [ ]
S2 ssoftnt4;ssoftnt4;C:\WINDOWS\system32\Drivers\ssoftnt4.sys [ ]
S3 CV2K1;CommView Network Monitor;C:\WINDOWS\system32\DRIVERS\cv2k1.sys [ ]
S3 tap0801;Smarthide TAP driver;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2008-02-04 55808]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46d389a0-36be-11dd-9379-00163654f04d}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7140118-ec42-11dc-92e2-00173f162b7e}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3362C6F3-CCC8-B7BD-0400-080303050000}]
C:\WINDOWS\system32\scvhost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F61DE146-5ABB-25AE-E095-721261669916}]
C:\Program Files\NetMeeting\cb35.exe s
.
Contents of the 'Scheduled Tasks' folder
2008-10-12 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-12 17:10:44
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\DDWMon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2008-10-12 17:20:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-12 06:20:45
ComboFix2.txt 2008-10-12 03:05:25
Pre-Run: 14,452,826,112 bytes free
Post-Run: 14,414,499,840 bytes free
205 --- E O F --- 2008-10-10 23:04:45
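A triage script for the "Reg Loading Points" section of a ComboFix log, added here as an example; it is not part of the original post and not ComboFix's own code. It parses the key/value lines and flags the indicators a responder would act on first: a Run value whose target has no file metadata (the `[N/A]` on `winsh`), a name one transposition away from `svchost.exe` launched from Active Setup, Security Center notifications and the Windows Firewall switched off, and a cached AutoRun command for a removable volume. The sample log embedded below is constructed from lines in the post; the rule names, the similarity threshold and the list of system binaries are the example's own choices, not anything ComboFix defines.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Example code, not part of the forum post or of ComboFix. Rule names,
thresholds and the system-binary list are this example's assumptions.
"""
import re

# Constructed sample: lines copied from the post's log as a raw string.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"winsh"="C:\WINDOWS\system32\obmrgpab.exe" [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46d389a0-36be-11dd-9379-00163654f04d}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3362C6F3-CCC8-B7BD-0400-080303050000}]
C:\WINDOWS\system32\scvhost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F61DE146-5ABB-25AE-E095-721261669916}]
C:\Program Files\NetMeeting\cb35.exe s
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")

# Core Windows process names that malware commonly imitates (example list).
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'scvhost.exe' vs 'svchost.exe' scores 1 rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def basename(command: str) -> str:
    """Lower-cased file name of the first token in a command line.
    Limitation: an unquoted file name containing spaces is cut at the space."""
    parts = command.strip().split("\\")[-1].split()
    return parts[0].lower() if parts else ""


def lookalike(name: str):
    """Return the system binary `name` imitates, or None. Threshold 2 is a
    tuning choice; exact system names are never reported."""
    if name in SYSTEM_BINARIES:
        return None
    for target in SYSTEM_BINARIES:
        if osa_distance(name, target) <= 2:
            return target
    return None


def _check_lookalike(findings, key, command):
    name = basename(command)
    target = lookalike(name)
    if target:
        findings.append(("lookalike-binary", key, f"{name} resembles {target}"))


def triage(log_text: str) -> list:
    """Return (rule, registry key, detail) tuples for every flagged line."""
    findings, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group(1).lower()        # section header: remember the key
        elif m := RUN_RE.match(line):
            if m["info"].strip().upper() == "N/A":   # ComboFix found no file to stat
                findings.append(("orphaned-autorun", key,
                                 f'{m["name"]} -> {m["data"]} (target absent at scan time)'))
            _check_lookalike(findings, key, m["data"])
        elif m := DWORD_RE.match(line):
            if "security center" in key and m["name"].endswith("DisableNotify") \
                    and int(m["hex"], 16) == 1:
                findings.append(("security-center-notify-disabled", key, m["name"]))
        elif m := FIREWALL_RE.match(line):
            if int(m["val"]) == 0:
                findings.append(("firewall-disabled", key, line))
        elif m := AUTORUN_RE.match(line):
            if "mountpoints2" in key:   # Explorer's cached AutoRun handler for a volume
                findings.append(("removable-autorun", key, m["cmd"]))
        elif "active setup\\installed components" in key:
            # Active Setup stubs run once per user profile at logon; ComboFix
            # already hides default entries, so anything listed needs review.
            findings.append(("active-setup-stub", key, line))
            _check_lookalike(findings, key, line)
    return findings


if __name__ == "__main__":
    for rule, key, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}\n    at {key}")
```

Run against the full log the script would also pick up `flockbox` (another `[N/A]` Run value, on the removable E: drive) and the second `mountpoints2` AutoRun entry; the remaining entries in the post (drivers, Toshiba utilities, the BitDefender and Comodo agents) produce no findings, which is the point of scoping the rules to metadata ComboFix already surfaces rather than to file names alone.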