Nasty Problems



#1
snatex


    Member

  • Member
  • 14 posts
I have been battling some nasty problems.

Symptoms:

- Popups including winantiviruspro2006

- Spybot repeatedly detecting stuff such as:

Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

- loss of internet access

- something repeatedly trying to access the internet

- hijack this closing in error after running

- this one is weird - every time I tried to save my HijackThis logfile onto a jump drive it would come up corrupted on my other computer. I tried copying and pasting it into Word and Excel. No luck. Finally I just dumped my clipboard onto the jump drive and it worked.

- VundoFix found one problem and fixed it (see log below), but I am still infected. I have also run AVG Anti-Virus, VirtumundoBeGone, ComboFix, Ad-Aware, Spybot and CWShredder.

______________________________________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 12:50:01 PM, on 10/2/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\runservice.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\TpKmpSVC.exe
C:\WINNT\system\winlogon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINNT\system32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINNT\runservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: QCONSVC - Lenovo - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINNT\system\winlogon.exe


___________________________________________________________________________

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.5

Scan started at 10:52:00 AM 10/2/2006

Listing files found while scanning....

C:\WINNT\system32\ggfbgojf.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\ggfbgojf.dll
C:\WINNT\system32\ggfbgojf.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.5

Scan started at 11:03:57 AM 10/2/2006

Listing files found while scanning....

C:\WINNT\system32\ggfbgojf.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\ggfbgojf.dll
C:\WINNT\system32\ggfbgojf.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.5

Scan started at 11:13:23 AM 10/2/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.5

Scan started at 11:20:47 AM 10/2/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.5

Scan started at 11:57:07 AM 10/2/2006

Listing files found while scanning....

No infected files were found.
________________________________________________________


[10/02/2006, 14:35:10] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator\Desktop\VirtumundoBeGone.exe" )
[10/02/2006, 14:35:17] - Detected System Information:
[10/02/2006, 14:35:17] - Windows Version: 5.0.2195, Service Pack 4
[10/02/2006, 14:35:17] - Current Username: Administrator (Admin)
[10/02/2006, 14:35:17] - Windows is in NORMAL mode.
[10/02/2006, 14:35:17] - Searching for Browser Helper Objects:
[10/02/2006, 14:35:17] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/02/2006, 14:35:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:17] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/02/2006, 14:35:17] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/02/2006, 14:35:17] - BHO 2: {68676EFE-9B30-4EBD-B842-7ED9B3460C53} ()
[10/02/2006, 14:35:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:17] - Checking for HKLM\...\Winlogon\Notify\rqrqpqp
[10/02/2006, 14:35:17] - Found: HKLM\...\Winlogon\Notify\rqrqpqp - This is probably Virtumundo.
[10/02/2006, 14:35:17] - Assigning {68676EFE-9B30-4EBD-B842-7ED9B3460C53} MSEvents Object
[10/02/2006, 14:35:17] - BHO list has been changed! Starting over...
[10/02/2006, 14:35:17] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/02/2006, 14:35:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:17] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/02/2006, 14:35:17] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/02/2006, 14:35:17] - BHO 2: {68676EFE-9B30-4EBD-B842-7ED9B3460C53} (MSEvents Object)
[10/02/2006, 14:35:17] - ALERT: Found MSEvents Object!
[10/02/2006, 14:35:18] - BHO 3: {9C5C49A1-CDFF-44C4-9778-406598686987} ()
[10/02/2006, 14:35:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:18] - Checking for HKLM\...\Winlogon\Notify\cbxxw
[10/02/2006, 14:35:18] - Found: HKLM\...\Winlogon\Notify\cbxxw - This is probably Virtumundo.
[10/02/2006, 14:35:18] - Assigning {9C5C49A1-CDFF-44C4-9778-406598686987} MSEvents Object
[10/02/2006, 14:35:18] - BHO list has been changed! Starting over...
[10/02/2006, 14:35:18] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/02/2006, 14:35:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:18] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/02/2006, 14:35:18] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/02/2006, 14:35:18] - BHO 2: {68676EFE-9B30-4EBD-B842-7ED9B3460C53} (MSEvents Object)
[10/02/2006, 14:35:18] - ALERT: Found MSEvents Object!
[10/02/2006, 14:35:18] - BHO 3: {9C5C49A1-CDFF-44C4-9778-406598686987} (MSEvents Object)
[10/02/2006, 14:35:18] - ALERT: Found MSEvents Object!
[10/02/2006, 14:35:18] - BHO 4: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[10/02/2006, 14:35:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:18] - Checking for HKLM\...\Winlogon\Notify\ggfbgojf
[10/02/2006, 14:35:18] - Key not found: HKLM\...\Winlogon\Notify\ggfbgojf, continuing.
[10/02/2006, 14:35:18] - Finished Searching Browser Helper Objects
[10/02/2006, 14:35:18] - *** Detected MSEvents Object
[10/02/2006, 14:35:18] - Trying to remove MSEvents Object...
[10/02/2006, 14:35:19] - Terminating Process: IEXPLORE.EXE
[10/02/2006, 14:35:19] - Terminating Process: RUNDLL32.EXE
[10/02/2006, 14:35:19] - Disabling Automatic Shell Restart
[10/02/2006, 14:35:19] - Terminating Process: EXPLORER.EXE
[10/02/2006, 14:35:20] - Suspending the NT Session Manager System Service
[10/02/2006, 14:35:20] - Terminating Windows NT Logon/Logoff Manager
[10/02/2006, 14:35:20] - Re-enabling Automatic Shell Restart
[10/02/2006, 14:35:20] - File to disable: C:\WINNT\system32\rqrqpqp.dll
[10/02/2006, 14:35:20] - Renaming C:\WINNT\system32\rqrqpqp.dll -> C:\WINNT\system32\rqrqpqp.dll.vir
[10/02/2006, 14:35:20] - ! File rename was unsucessful.
[10/02/2006, 14:35:20] - Attempting to Deny Access to C:\WINNT\system32\rqrqpqp.dll
[10/02/2006, 14:35:20] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[10/02/2006, 14:35:20] - processed file: C:\WINNT\system32\rqrqpqp.dll

[10/02/2006, 14:35:20] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[10/02/2006, 14:35:21] - Removing HKLM\...\Browser Helper Objects\{68676EFE-9B30-4EBD-B842-7ED9B3460C53}
[10/02/2006, 14:35:21] - Removing HKCR\CLSID\{68676EFE-9B30-4EBD-B842-7ED9B3460C53}
[10/02/2006, 14:35:21] - Adding Kill Bit for ActiveX for GUID: {68676EFE-9B30-4EBD-B842-7ED9B3460C53}
[10/02/2006, 14:35:21] - Deleting ATLEvents/MSEvents Registry entries
[10/02/2006, 14:35:21] - Removing HKLM\...\Winlogon\Notify\rqrqpqp
[10/02/2006, 14:35:21] - Searching for Browser Helper Objects:
[10/02/2006, 14:35:21] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/02/2006, 14:35:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:21] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/02/2006, 14:35:21] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/02/2006, 14:35:21] - BHO 2: {9C5C49A1-CDFF-44C4-9778-406598686987} (MSEvents Object)
[10/02/2006, 14:35:21] - ALERT: Found MSEvents Object!
[10/02/2006, 14:35:21] - BHO 3: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[10/02/2006, 14:35:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:21] - Checking for HKLM\...\Winlogon\Notify\ggfbgojf
[10/02/2006, 14:35:21] - Key not found: HKLM\...\Winlogon\Notify\ggfbgojf, continuing.
[10/02/2006, 14:35:21] - Finished Searching Browser Helper Objects
[10/02/2006, 14:35:21] - *** Detected MSEvents Object
[10/02/2006, 14:35:21] - Trying to remove MSEvents Object...
[10/02/2006, 14:35:22] - Terminating Process: IEXPLORE.EXE
[10/02/2006, 14:35:22] - Terminating Process: RUNDLL32.EXE
[10/02/2006, 14:35:22] - Disabling Automatic Shell Restart
[10/02/2006, 14:35:22] - Terminating Process: EXPLORER.EXE
[10/02/2006, 14:35:22] - Suspending the NT Session Manager System Service
[10/02/2006, 14:35:22] - Terminating Windows NT Logon/Logoff Manager
[10/02/2006, 14:35:22] - Re-enabling Automatic Shell Restart
[10/02/2006, 14:35:22] - File to disable: C:\WINNT\system32\cbxxw.dll
[10/02/2006, 14:35:22] - Renaming C:\WINNT\system32\cbxxw.dll -> C:\WINNT\system32\cbxxw.dll.vir
[10/02/2006, 14:35:22] - ! File rename was unsucessful.
[10/02/2006, 14:35:22] - Attempting to Deny Access to C:\WINNT\system32\cbxxw.dll
[10/02/2006, 14:35:22] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[10/02/2006, 14:35:22] - ERROR: The system cannot find the file specified.

[10/02/2006, 14:35:22] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[10/02/2006, 14:35:22] - Removing HKLM\...\Browser Helper Objects\{9C5C49A1-CDFF-44C4-9778-406598686987}
[10/02/2006, 14:35:22] - Removing HKCR\CLSID\{9C5C49A1-CDFF-44C4-9778-406598686987}
[10/02/2006, 14:35:23] - Adding Kill Bit for ActiveX for GUID: {9C5C49A1-CDFF-44C4-9778-406598686987}
[10/02/2006, 14:35:23] - Deleting ATLEvents/MSEvents Registry entries
[10/02/2006, 14:35:23] - Removing HKLM\...\Winlogon\Notify\cbxxw
[10/02/2006, 14:35:23] - Searching for Browser Helper Objects:
[10/02/2006, 14:35:23] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/02/2006, 14:35:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:23] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/02/2006, 14:35:23] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/02/2006, 14:35:23] - BHO 2: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[10/02/2006, 14:35:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:23] - Checking for HKLM\...\Winlogon\Notify\ggfbgojf
[10/02/2006, 14:35:23] - Key not found: HKLM\...\Winlogon\Notify\ggfbgojf, continuing.
[10/02/2006, 14:35:23] - Finished Searching Browser Helper Objects
[10/02/2006, 14:35:23] - Finishing up...
[10/02/2006, 14:35:23] - A restart is needed.
[10/02/2006, 14:35:32] - Attempting to Restart via STOP error (Blue Screen!)

[10/02/2006, 14:40:19] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator\Desktop\VirtumundoBeGone.exe" )
[10/02/2006, 14:40:24] - Detected System Information:
[10/02/2006, 14:40:24] - Windows Version: 5.0.2195, Service Pack 4
[10/02/2006, 14:40:24] - Current Username: Administrator (Admin)
[10/02/2006, 14:40:24] - Windows is in NORMAL mode.
[10/02/2006, 14:40:24] - Searching for Browser Helper Objects:
[10/02/2006, 14:40:24] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/02/2006, 14:40:24] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:40:24] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/02/2006, 14:40:24] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/02/2006, 14:40:24] - BHO 2: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[10/02/2006, 14:40:24] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:40:24] - Checking for HKLM\...\Winlogon\Notify\ggfbgojf
[10/02/2006, 14:40:24] - Key not found: HKLM\...\Winlogon\Notify\ggfbgojf, continuing.
[10/02/2006, 14:40:24] - Finished Searching Browser Helper Objects
[10/02/2006, 14:40:24] - Finishing up...
[10/02/2006, 14:40:24] - Nothing found! Exiting...

______________________________________________________________________________

Administrator - Mon 10/02/2006 16:56:45.33 Service Pack 4
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-02 to 2006-10-02 ))))))))))))))))))))))))))))))))))


2006-10-02 12:55 778,656 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-10-02 12:55 4,288 --a------ C:\WINNT\system32\drivers\avg7rsw.sys
2006-10-02 12:55 27,904 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2006-10-02 12:55 26,912 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2006-10-02 12:55 23,104 --a------ C:\WINNT\system32\drivers\avgmfrs.sys
2006-10-02 11:09 9,216 --a------ C:\WINNT\system32\VundoFixSVC.exe
2006-10-01 12:53 929,792 --a------ C:\WINNT\system32\AegisE5.dll
2006-10-01 12:53 651,264 --a------ C:\WINNT\system32\libeay32.dll
2006-10-01 12:53 61,440 --a------ C:\WINNT\system32\W32N50.dll
2006-10-01 12:53 379,488 --a------ C:\WINNT\system32\drivers\wg111nd5.sys
2006-10-01 12:53 16,292 --a------ C:\WINNT\system32\PCANDIS5.SYS
2006-10-01 12:53 15,781 --a------ C:\WINNT\system32\drivers\mdc8021x.sys
2006-10-01 12:53 147,456 --a------ C:\WINNT\system32\ssleay32.dll
2006-09-30 07:48 850,379 ---hs---- C:\WINNT\system32\wxxbc.bak2
2006-09-29 22:01 40,973 ---hs---- C:\WINNT\system32\awtsrqn.dll
2006-09-29 21:39 40,973 ---hs---- C:\WINNT\system32\xxyxyvw.dll
2006-09-29 21:20 40,973 ---hs---- C:\WINNT\system32\byxxywt.dll
2006-09-29 21:19 40,973 ---hs---- C:\WINNT\system32\vturrom.dll
2006-09-29 20:57 40,973 ---hs---- C:\WINNT\system32\awtuvvt.dll
2006-09-29 10:51 40,973 ---hs---- C:\WINNT\system32\urqqnon.dll
2006-09-29 09:58 40,973 ---hs---- C:\WINNT\system32\fccbbyy.dll
2006-09-29 08:31 40,973 ---hs---- C:\WINNT\system32\xxyxxxw.dll
2006-09-29 08:25 40,973 ---hs---- C:\WINNT\system32\byxxvsq.dll
2006-09-29 08:22 40,973 ---hs---- C:\WINNT\system32\nnnnono.dll
2006-09-29 08:20 40,973 ---hs---- C:\WINNT\system32\vtutsqr.dll
2006-09-29 08:17 40,973 ---hs---- C:\WINNT\system32\mljigeb.dll
2006-09-29 08:01 40,973 ---hs---- C:\WINNT\system32\jkklkji.dll
2006-09-29 07:58 40,973 ---hs---- C:\WINNT\system32\tuvvwxu.dll
2006-09-29 07:51 40,973 --ahs---- C:\WINNT\system32\rqrqpqp.dll
2006-09-28 23:52 839,801 ---hs---- C:\WINNT\system32\wxxbc.bak1
2006-09-28 23:52 45,525 --a------ C:\WINNT\system32\ecyttwsc.dll
2006-09-28 23:52 143,380 --a------ C:\WINNT\system32\nlsnqxhw.exe
2006-09-28 23:51 577,588 --ahs---- C:\WINNT\system32\cbxxw.dll.vir
2006-09-28 23:45 40,973 ---hs---- C:\WINNT\system32\yayayab.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-02 16:30 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-02 16:21 1225 --ahs---- C:\WINNT\system32\mmf.sys
2006-10-02 12:55 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2006-10-01 12:53 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-01 12:53 -------- d-------- C:\Program Files\NETGEAR
2006-09-29 21:54 -------- d-------- C:\Program Files\ProjectionsDominator
2006-09-29 21:53 -------- d-------- C:\Program Files\DraftDominator
2006-09-29 21:50 -------- d-------- C:\Program Files\pcDrafter
2006-09-29 10:53 -------- d-------- C:\Program Files\Grisoft
2006-09-29 10:43 44288 --a------ C:\WINNT\system32\drivers\cdr4_2K.sys
2006-09-29 10:11 -------- d-------- C:\Program Files\SpywareBlaster
2006-09-18 20:41 -------- d-------- C:\Program Files\Sling Media
2006-08-22 14:10 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-08-21 19:08 796672 --a------ C:\WINNT\GPInstall.exe
2006-08-07 21:21 -------- d-------- C:\Program Files\Windows Media Player
2006-08-07 21:20 -------- d-------- C:\Program Files\Last.fm


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe"
"Synchronization Manager"="mobsync.exe /logon"
"ATIModeChange"="Ati2mdxx.exe"
"LTWinModem1"="ltmsg.exe 9"
"PRONoMgr.exe"="C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe"
"TPHOTKEY"="C:\\PROGRA~1\\Lenovo\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"TP4EX"="tp4ex.exe"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"TPKMAPHELPER"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"QCTRAY"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCTRAY.EXE"
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"BMMGAG"="RunDll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\pwrmonit.dll,StartPwrMonitor"
"BMMLREF"="C:\\Program Files\\ThinkPad\\Utilities\\BMMLREF.EXE"
"BMMMONWND"="rundll32.exe C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatInfEx.dll,BMMAutonomicMonitor"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00002002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,c0
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{68676EFE-9B30-4EBD-B842-7ED9B3460C53}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CLSID
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CLSID\{68676EFE-9B30-4EBD-B842-7ED9B3460C53}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CLSID\{68676EFE-9B30-4EBD-B842-7ED9B3460C53}\InprocServer32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\BMMTask.job

Completion time: Mon 2006-10-02 16:59:22.88
ComboFix.txt

Edited by snatex, 02 October 2006 - 03:59 PM.

  • 0
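A small log-triage helper, added here as an example; it is not part of snatex's post and not code from ComboFix, VundoFix or any other tool named in the thread. It parses lines in the ComboFix "Files Created" / "Find3M" layout shown above, flags files marked hidden+system that sit directly in system32 (the attribute pattern the post's randomly named DLLs carry), and groups the flagged files by identical byte size, since the log above shows a run of 40,973-byte DLLs that only differ in name. The sample lines are constructed in the same layout as the post's log, and the system directory `C:\WINNT` is an assumption matching the Windows 2000 install in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One ComboFix file-listing line:
#   <date> <time> <size-or-dashes> <9-char attribute field> <path>
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)

# Constructed sample in the same layout as the post's ComboFix output.
SAMPLE_LOG = r"""
2006-10-02 12:55 778,656 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-10-02 11:09 9,216 --a------ C:\WINNT\system32\VundoFixSVC.exe
2006-09-30 07:48 850,379 ---hs---- C:\WINNT\system32\wxxbc.bak2
2006-09-29 22:01 40,973 ---hs---- C:\WINNT\system32\awtsrqn.dll
2006-09-29 21:39 40,973 ---hs---- C:\WINNT\system32\xxyxyvw.dll
2006-09-29 07:51 40,973 --ahs---- C:\WINNT\system32\rqrqpqp.dll
2006-09-28 23:52 45,525 --a------ C:\WINNT\system32\ecyttwsc.dll
2006-08-21 19:08 796672 --a------ C:\WINNT\GPInstall.exe
2006-10-01 12:53 -------- d-------- C:\Program Files\NETGEAR
"""


@dataclass
class FileEntry:
    date: str
    time: str
    size: Optional[int]  # None for directories, whose size prints as dashes
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def folder(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()


def parse_combofix(text: str) -> List[FileEntry]:
    """Parse every line matching the ComboFix listing layout; section headers are skipped."""
    entries: List[FileEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size_field = m["size"]
        size = None if set(size_field) == {"-"} else int(size_field.replace(",", ""))
        entries.append(FileEntry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def suspicious(entries: List[FileEntry], system_dir: str = r"C:\WINNT") -> List[FileEntry]:
    """Files (not directories) flagged hidden+system that live directly in system32.

    Windows' own system32 files are not normally hidden+system; in the post's log
    that combination appears only on the randomly named Vundo-family DLLs.
    system_dir is an assumption (Windows 2000 uses C:\WINNT).
    """
    target = system_dir.lower() + r"\system32"
    return [e for e in entries if not e.is_dir and e.hidden_system and e.folder == target]


def size_clusters(entries: List[FileEntry], min_count: int = 2) -> Dict[int, List[str]]:
    """Group entries by exact byte size; several differently named files of one
    identical size (40,973 bytes repeats in the post) point at a single dropper."""
    by_size: Dict[int, List[str]] = {}
    for e in entries:
        if e.size is not None:
            by_size.setdefault(e.size, []).append(e.name)
    return {s: names for s, names in by_size.items() if len(names) >= min_count}


def report(text: str, system_dir: str = r"C:\WINNT") -> List[str]:
    """Human-readable triage lines for a pasted ComboFix log."""
    flagged = suspicious(parse_combofix(text), system_dir)
    lines = [
        f"hidden+system in system32: {e.path} ({e.size} bytes, {e.date} {e.time})"
        for e in flagged
    ]
    for size, names in size_clusters(flagged).items():
        lines.append(f"same size {size}: " + ", ".join(names))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The two checks are heuristics for reading a log, not a cleaner: a hidden+system file in system32 is worth a second look, and a cluster of same-sized files with meaningless names is the pattern the post's VundoFix and VirtumundoBeGone runs were chasing. Legitimate hidden+system files do exist elsewhere on the drive, which is why the check is limited to the system32 folder itself.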



#2
loophole


    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

Right click Hijackthis.exe and rename it to HJT.exe


Re run combofix and post a new combofix log and a hijack log

Thanks
  • 0

#3
snatex


    Member

  • Topic Starter
  • Member
  • 14 posts
Here you go - updated logs.

I think in trying to remedy the problem yesterday I messed up whatever reads the battery power. It is just reading error now. Not a huge deal but annoying.
----------------------------------------------------------------------------------------------------------------------------
Administrator - Tue 10/03/2006 20:40:34.24 Service Pack 4
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-03 to 2006-10-03 ))))))))))))))))))))))))))))))))))


2006-10-02 12:55 778,656 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-10-02 12:55 4,288 --a------ C:\WINNT\system32\drivers\avg7rsw.sys
2006-10-02 12:55 27,904 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2006-10-02 12:55 26,912 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2006-10-02 12:55 23,104 --a------ C:\WINNT\system32\drivers\avgmfrs.sys
2006-10-02 11:09 9,216 --a------ C:\WINNT\system32\VundoFixSVC.exe
2006-10-01 12:53 929,792 --a------ C:\WINNT\system32\AegisE5.dll
2006-10-01 12:53 651,264 --a------ C:\WINNT\system32\libeay32.dll
2006-10-01 12:53 61,440 --a------ C:\WINNT\system32\W32N50.dll
2006-10-01 12:53 379,488 --a------ C:\WINNT\system32\drivers\wg111nd5.sys
2006-10-01 12:53 16,292 --a------ C:\WINNT\system32\PCANDIS5.SYS
2006-10-01 12:53 15,781 --a------ C:\WINNT\system32\drivers\mdc8021x.sys
2006-10-01 12:53 147,456 --a------ C:\WINNT\system32\ssleay32.dll
2006-09-30 07:48 850,379 ---hs---- C:\WINNT\system32\wxxbc.bak2
2006-09-29 22:01 40,973 ---hs---- C:\WINNT\system32\awtsrqn.dll
2006-09-29 21:39 40,973 ---hs---- C:\WINNT\system32\xxyxyvw.dll
2006-09-29 21:20 40,973 ---hs---- C:\WINNT\system32\byxxywt.dll
2006-09-29 21:19 40,973 ---hs---- C:\WINNT\system32\vturrom.dll
2006-09-29 20:57 40,973 ---hs---- C:\WINNT\system32\awtuvvt.dll
2006-09-29 10:51 40,973 ---hs---- C:\WINNT\system32\urqqnon.dll
2006-09-29 09:58 40,973 ---hs---- C:\WINNT\system32\fccbbyy.dll
2006-09-29 08:31 40,973 ---hs---- C:\WINNT\system32\xxyxxxw.dll
2006-09-29 08:25 40,973 ---hs---- C:\WINNT\system32\byxxvsq.dll
2006-09-29 08:22 40,973 ---hs---- C:\WINNT\system32\nnnnono.dll
2006-09-29 08:20 40,973 ---hs---- C:\WINNT\system32\vtutsqr.dll
2006-09-29 08:17 40,973 ---hs---- C:\WINNT\system32\mljigeb.dll
2006-09-29 08:01 40,973 ---hs---- C:\WINNT\system32\jkklkji.dll
2006-09-29 07:58 40,973 ---hs---- C:\WINNT\system32\tuvvwxu.dll
2006-09-29 07:51 40,973 --ahs---- C:\WINNT\system32\rqrqpqp.dll
2006-09-28 23:52 839,801 ---hs---- C:\WINNT\system32\wxxbc.bak1
2006-09-28 23:52 45,525 --a------ C:\WINNT\system32\ecyttwsc.dll
2006-09-28 23:52 143,380 --a------ C:\WINNT\system32\nlsnqxhw.exe
2006-09-28 23:51 577,588 --ahs---- C:\WINNT\system32\cbxxw.dll.vir
2006-09-28 23:45 40,973 ---hs---- C:\WINNT\system32\yayayab.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-02 16:30 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-02 16:21 1225 --ahs---- C:\WINNT\system32\mmf.sys
2006-10-02 12:55 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2006-10-01 12:53 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-01 12:53 -------- d-------- C:\Program Files\NETGEAR
2006-09-29 21:54 -------- d-------- C:\Program Files\ProjectionsDominator
2006-09-29 21:53 -------- d-------- C:\Program Files\DraftDominator
2006-09-29 21:50 -------- d-------- C:\Program Files\pcDrafter
2006-09-29 10:53 -------- d-------- C:\Program Files\Grisoft
2006-09-29 10:43 44288 --a------ C:\WINNT\system32\drivers\cdr4_2K.sys
2006-09-29 10:11 -------- d-------- C:\Program Files\SpywareBlaster
2006-09-18 20:41 -------- d-------- C:\Program Files\Sling Media
2006-08-22 14:10 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-08-21 19:08 796672 --a------ C:\WINNT\GPInstall.exe
2006-08-07 21:21 -------- d-------- C:\Program Files\Windows Media Player
2006-08-07 21:20 -------- d-------- C:\Program Files\Last.fm


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe"
"Synchronization Manager"="mobsync.exe /logon"
"ATIModeChange"="Ati2mdxx.exe"
"LTWinModem1"="ltmsg.exe 9"
"PRONoMgr.exe"="C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe"
"TPHOTKEY"="C:\\PROGRA~1\\Lenovo\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"TP4EX"="tp4ex.exe"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"TPKMAPHELPER"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"QCTRAY"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCTRAY.EXE"
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"BMMGAG"="RunDll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\pwrmonit.dll,StartPwrMonitor"
"BMMLREF"="C:\\Program Files\\ThinkPad\\Utilities\\BMMLREF.EXE"
"BMMMONWND"="rundll32.exe C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatInfEx.dll,BMMAutonomicMonitor"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00002002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,c0
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{68676EFE-9B30-4EBD-B842-7ED9B3460C53}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CLSID
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CLSID\{68676EFE-9B30-4EBD-B842-7ED9B3460C53}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CLSID\{68676EFE-9B30-4EBD-B842-7ED9B3460C53}\InprocServer32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\BMMTask.job

Completion time: Tue 2006-10-03 20:41:54.87
ComboFix.txt
ComboFix2.txt
_________________________________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 8:36:23 PM, on 10/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\runservice.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\TpKmpSVC.exe
C:\WINNT\system\winlogon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINNT\system32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINNT\system32\ggfbgojf.dll (file missing)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: CLSID - C:\WINNT\
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINNT\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINNT\SYSTEM32\tphklock.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINNT\runservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: QCONSVC - Lenovo - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINNT\system\winlogon.exe
  • 0

#4
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\wxxbc.bak2
    C:\WINNT\system32\awtsrqn.dll
    C:\WINNT\system32\xxyxyvw.dll
    C:\WINNT\system32\byxxywt.dll
    C:\WINNT\system32\vturrom.dll
    C:\WINNT\system32\awtuvvt.dll
    C:\WINNT\system32\urqqnon.dll
    C:\WINNT\system32\fccbbyy.dll
    C:\WINNT\system32\xxyxxxw.dll
    C:\WINNT\system32\byxxvsq.dll
    C:\WINNT\system32\nnnnono.dll
    C:\WINNT\system32\vtutsqr.dll
    C:\WINNT\system32\mljigeb.dll
    C:\WINNT\system32\jkklkji.dll
    C:\WINNT\system32\tuvvwxu.dll
    C:\WINNT\system32\rqrqpqp.dll
    C:\WINNT\system32\wxxbc.bak1
    C:\WINNT\system32\ecyttwsc.dll
    C:\WINNT\system32\nlsnqxhw.exe
    C:\WINNT\system32\cbxxw.dll.vir
    C:\WINNT\system32\yayayab.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Please post a new HijackThis log when done and let me know how the computer is running.
  • 0

#5
snatex

snatex

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Internet connectivity seems to be restored. I will post a new log later today.
  • 0

#6
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
OK, please do :whistling:
  • 0

#7
snatex

snatex

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Logfile of HijackThis v1.99.1
Scan saved at 6:27:24 PM, on 10/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\runservice.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\TpKmpSVC.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINNT\system32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\sn326.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\Administrator\Desktop\hjt\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINNT\system32\ggfbgojf.dll (file missing)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WINDO23] C:\sn326.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: CLSID - C:\WINNT\
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINNT\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINNT\SYSTEM32\tphklock.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINNT\runservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: QCONSVC - Lenovo - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINNT\system\winlogon.exe
  • 0

#8
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

Please run a scan with HijackThis and check the following lines for removal:

O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINNT\system32\ggfbgojf.dll (file missing)
O4 - HKLM\..\Run: [WINDO23] C:\sn326.exe
O20 - Winlogon Notify: CLSID - C:\WINNT\


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.


Killbox
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\sn326.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

After reboot

Clean out your Temporary Internet files. Proceed as follows:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

Edited by loophole, 08 October 2006 - 04:34 PM.

  • 0
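The three lines loophole picks out of the 10/7/2006 log follow a pattern a defender can check mechanically: an O2 BHO whose DLL is already gone, an O4 Run entry launching an executable straight from the root of C:\, and an O20 Winlogon Notify package that points at a bare directory instead of a DLL. The script below is an added example for this thread, not part of HijackThis, Killbox or any other tool mentioned here. It parses HijackThis v1.99-style lines and applies those three checks, and it goes one step beyond the post by also flagging the O23 "WINLOGON" service line from the same log, on the assumption (labelled in the code) that on this Windows 2000 machine the genuine winlogon.exe lives in C:\WINNT\system32 and is never registered as a service. The function names (`triage`, `triage_line`) and the `SAMPLE_LOG` block are my own; the sample lines are copied from the logs posted above.

```python
"""Triage helper for HijackThis (v1.99) log lines.

Added example for this thread; not part of HijackThis, Killbox or any tool
named in the thread. Checks each O2/O4/O20/O23 line for the tell-tale signs
the helper used when choosing lines to "Fix checked".
"""
import re
from dataclasses import dataclass

# Constructed sample input: eight lines copied from the 10/7/2006 HijackThis
# log in this thread (four the helper asked to remove, four benign ones).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINNT\system32\ggfbgojf.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WINDO23] C:\sn326.exe
O20 - Winlogon Notify: CLSID - C:\WINNT\
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O23 - Service: QCONSVC - Lenovo - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINNT\system\winlogon.exe
"""

# "O2 - body", "O4 - body", ... ; R-sections are parsed too but never flagged here.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# An executable sitting directly in the root of a drive, e.g. C:\sn326.exe
ROOT_EXE = re.compile(r'^"?[A-Za-z]:\\[^\\]+\.exe"?(\s|$)', re.IGNORECASE)
FILE_MISSING = " (file missing)"
# Assumption for this thread's machine (Windows 2000, system root C:\WINNT):
# the real winlogon.exe lives here and is started by smss.exe, not as a service.
EXPECTED_WINLOGON = r"c:\winnt\system32\winlogon.exe"


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def _last_field(body: str) -> str:
    """HijackThis separates fields with ' - ' and puts the file path last."""
    return body.replace(FILE_MISSING, "").rsplit(" - ", 1)[-1].strip()


def _o4_command(body: str) -> str:
    """O4 bodies look like 'HKLM\\..\\Run: [name] command'; return the command."""
    return body.split("] ", 1)[1].strip() if "] " in body else ""


def triage_line(line: str):
    """Return a Finding for a suspicious HijackThis line, or None if it looks benign."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    reasons = []
    if FILE_MISSING in body:
        reasons.append("loading point references a file that is no longer on disk")
    if section == "O20" and _last_field(body).endswith("\\"):
        reasons.append("Winlogon Notify package points at a directory instead of a DLL")
    if section == "O4" and ROOT_EXE.match(_o4_command(body)):
        reasons.append("autostart runs an executable dropped in the root of the drive")
    if section == "O23":
        path = _last_field(body).lower()
        if path.endswith("winlogon.exe") and path != EXPECTED_WINLOGON:
            reasons.append("service named after winlogon.exe runs from an unexpected path; "
                           "the real winlogon is started by smss.exe, not as a service")
    return Finding(section, line.strip(), reasons) if reasons else None


def triage(log_text: str):
    """Run triage_line over every line of a pasted log and keep the hits, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, "|", f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run against the sample it reports exactly the three lines the helper listed plus the WINLOGON service, and stays silent on the Spybot BHO, the AVG autostart, the Lenovo Notify package and the QCONSVC service. The checks are deliberately narrow (a missing file, a directory where a DLL belongs, a root-of-drive executable, a misplaced winlogon.exe) so that the script never guesses from file names alone; a random-looking DLL name such as the Virtumonde ones in post #4 is only flagged once the file is gone or mislocated.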

#9
snatex

snatex

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Loophole - I think you forgot to list the files to be deleted with Killbox.
  • 0

#10
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
:whistling: Sure did, one of those days :blink: give me a minute
  • 0

#11
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Ok above post edited :whistling:
  • 0

#12
snatex

snatex

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Logfile of HijackThis v1.99.1
Scan saved at 9:31:27 PM, on 10/8/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\runservice.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\TpKmpSVC.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINNT\system32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\Administrator\Desktop\Utilities\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINNT\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINNT\SYSTEM32\tphklock.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINNT\runservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: QCONSVC - Lenovo - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINNT\system\winlogon.exe (file missing)


__________________________________________________________________

Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\awtsrqn.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\awtuvvt.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\byxxvsq.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\byxxywt.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\fccbbyy.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\jkklkji.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\mljigeb.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\nnnnono.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\tuvvwxu.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\urqqnon.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\vturrom.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\vtutsqr.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\xxyxxxw.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\xxyxyvw.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\yayayab.dll
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.go.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.zedo.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.com.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.statcounter.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.burstnet.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.realmedia.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.casalemedia.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.247realmedia.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.2o7.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.adrevolver.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.adtech.de/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.atwola.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.belnk.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.maxserving.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.qksrv.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.target.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[server.iad.liveperson.net/hc/43355559]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fmow5blk.Default User\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[.com.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[.go.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[.target.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[server.iad.liveperson.net/hc/4978972]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udb7jlgs.default\cookies.txt[www.burstbeacon.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\Utilities\VirtumundoBeGone.exe[²ƒÇ]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GDI7SXIB\is[1].exe
Adware:Adware/WebSearch Not disinfected C:\VundoFix Backups\ggfbgojf.dll.bad
  • 0

#13
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

Almost done :whistling:

Delete these folders:
C:\!KillBox
C:\VundoFix Backups

Delete your Firefox cookies:
  • Click Tools then Options.
  • Click Privacy.
  • Click Clear across from the Cookies option.
  • Click Ok to return to the browser main page.
  • Exit and relaunch the browser.
Go to Start > Run and type Services.msc then hit Ok
Scroll down and find the below service:

Windows NT Logon Application (WINLOGON)

When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.

Open HiJackThis, click on None of the above, just start the program. Now, click on the Config button (bottom right), click on Misc Tools, then click on Delete an NT Service. A window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

WINLOGON

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.

Post a final HijackThis log and let me know how the system is running :blink:
  • 0

#14
snatex

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I did everything you told me to, but I still see winlogon below. Uh-oh. The system seems to be running OK though.

Logfile of HijackThis v1.99.1
Scan saved at 12:29:47 AM, on 10/9/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\runservice.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\TpKmpSVC.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINNT\system32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\Administrator\Desktop\Utilities\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINNT\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINNT\SYSTEM32\tphklock.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINNT\runservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: QCONSVC - Lenovo - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
  • 0

#15
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
The one you see running is fine; it's the one at the bottom of your previous HijackThis log we were removing :whistling:

Let's clean your restore points and set a new one:

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use: and a good antivirus (these are also free for personal use):

It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!
  • 0
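Post #13 removed a service registered as "Windows NT Logon Application (WINLOGON)", and post #15 explains that the winlogon.exe in the running-processes list is the genuine system process, while the impostor was the O23 service entry at the bottom of the earlier log. As an added example that is not from the thread or from HijackThis itself, the Python below parses O23 lines from a HijackThis log and flags services whose short name or binary file borrows the name of a core Windows process (which is never registered as a service); the impostor line in the sample log and its binary path are constructed, not taken from the thread.

```python
import re
from pathlib import PureWindowsPath

# Core Windows processes started by the system itself; none of them is ever
# registered as a service, so a service borrowing one of these names is a
# masquerade candidate (the pattern the thread was removing).
CORE_PROCESS_NAMES = {"winlogon", "lsass", "smss", "csrss", "services"}

# HijackThis O23 line: "O23 - Service: <display> (<short>) - <owner> - <path>".
# The "(<short>)" part is absent when display and short name are identical.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$"
)

# Constructed sample: the first three O23 lines are copied from the log in the
# thread; the last one is a constructed impostor modelled on the service name in
# the removal instructions, with a placeholder binary path.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINNT\system32\EXAMPLE_IMPOSTOR.exe
"""

def parse_o23(line):
    """Split one O23 line into display, short, owner and path; None for other lines."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    svc = m.groupdict()
    svc["short"] = svc["short"] or svc["display"]
    return svc

def suspicious_services(log_text):
    """Return (short name, path, matched names) for O23 services that borrow a core process name."""
    findings = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        # Check both the short name and the binary's file stem, so "WINLOGON" as a
        # service name and "winlogon.exe" as a service binary are both caught.
        names = {svc["short"].lower(), PureWindowsPath(svc["path"]).stem.lower()}
        hits = sorted(names & CORE_PROCESS_NAMES)
        if hits:
            findings.append((svc["short"], svc["path"], hits))
    return findings
```

Running `suspicious_services(SAMPLE_LOG)` returns only the constructed WINLOGON entry; the genuine winlogon.exe process line from the "Running processes" section is not an O23 entry and is never considered.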