
Infected need help removing geedc.dll [RESOLVED]



#1
argarza (New Member, 7 posts)
I've searched all over the web but can't seem to get rid of this virus. I tried manually deleting the file but I got an error message saying that another program was using the file or that I didn't have access to it. I also tried unregistering it using the command prompt but I got the same error message. I downloaded countless removal tools/programs but most of them can't detect it and the few that do can't remove it. I had someone try to help me but it didn't go so well... the pop-ups went away but as time goes on the PC is slower and slower. The windows freeze quite often and it takes a long time to start up and log in.

Can someone please help?

Here is a fresh log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:02, on 2008-04-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\WZB322.EXE
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\PROGRA~1\CENTRA~1\bin\centraSystray.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\internet explorer\iexplore.exe
\nap-svr-dc\Users\argarza\Desktop\Andrea\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insideab.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insideab.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.insideab.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4AE72536-E807-4ACC-8B07-72275B05B5A5} - \C:\WINDOWS\system32\c4\np89104.exe.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {969B4F66-7D6E-4D8C-9552-137FBAFDF5CA} - C:\WINDOWS\system32\geedc.dll
O2 - BHO: (no name) - {CC2EE6CC-112D-456D-86D5-AF73FDDCD6E1} - \C:\WINDOWS\system32\c4\np89104.exe.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Centra Launcher] C:\PROGRA~1\CENTRA~1\bin\centraSystray.exe /startup
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\Speeditup Free\SpeedItUp.exe -MINI
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Logitech Desktop Messenger.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insideab.com
O15 - Trusted Zone: www.choicepoint.com
O15 - Trusted Zone: www.citrix.com
O15 - Trusted Zone: www.greatsecurityjobs.com
O15 - Trusted Zone: mymail.inisideab.com
O15 - Trusted Zone: www.java.com
O15 - Trusted Zone: www.officedepot.com
O15 - Trusted Zone: www.salesforce.com
O15 - Trusted Zone: www.stapleslink.com
O15 - Trusted Zone: http://mypassword.insideab.com (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://centra.inside...aDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alliedsecurity.com
O17 - HKLM\Software\..\Telephony: DomainName = alliedsecurity.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alliedsecurity.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = alliedsecurity.com
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (file missing)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: nnnnkij - nnnnkij.dll (file missing)
O23 - Service: Access Utility Service - SprintNextel - C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
O23 - Service: ACMService - Zemerick Software Inc. - C:\Program Files\Removal Tool\ACMService.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 8797 bytes


#2
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#3
argarza (Topic Starter, New Member, 7 posts)
Thanks!

Here is the ComboFix log:

ComboFix 08-04-04.1 - argarza 2008-04-05 16:34:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.521 [GMT -5:00]
Running from: \\nap-svr-dc\Users\argarza\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\argarza\Start Menu\Programs\MalwareAlarm
C:\Documents and Settings\argarza\Start Menu\Programs\MalwareAlarm\MalwareAlarm.lnk
C:\Documents and Settings\argarza\Start Menu\Programs\MalwareAlarm\Uninstall.lnk
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-05 to 2008-04-05 )))))))))))))))))))))))))))))))
.

2008-04-05 09:49 . 2008-04-05 09:49 <DIR> d-------- C:\Program Files\WinUndelete
2008-04-04 23:49 . 2008-04-04 23:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-04 23:49 . 2008-04-04 23:49 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-30 14:07 . 2008-03-30 14:35 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\sacache
2008-03-30 14:07 . 2008-03-30 14:07 145 --a------ C:\WINDOWS\spysplash.dat
2008-03-30 14:07 . 2008-03-30 14:07 19 --a------ C:\Documents and Settings\All Users\Application Data\ksaf.dat
2008-03-30 14:01 . 2008-03-30 14:01 <DIR> d-------- C:\WINDOWS\Speeditup Free
2008-03-30 14:01 . 2008-03-30 14:11 <DIR> d-------- C:\Program Files\Speeditup Free
2008-03-30 13:38 . 2008-04-05 09:47 <DIR> d-------- C:\Program Files\Removal Tool
2008-03-28 14:46 . 2008-03-28 15:49 <DIR> d-------- C:\Program Files\MalwareAlarm
2008-03-16 15:13 . 2008-03-16 15:13 15 --a------ C:\WINDOWS\system32\0877c22e
2008-03-09 23:38 . 2008-04-05 16:19 <DIR> d-------- C:\Program Files\Startup Inspector for Windows

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
d-s---w 0 2008-02-28 22:33:44 \\nap-svr-dc\Users\argarza\Application Data\Microsoft
d-----w 0 2008-04-05 05:04:51 \\nap-svr-dc\Users\argarza\Application Data\Uniblue
d-----w 0 2008-03-19 00:44:41 \\nap-svr-dc\Users\argarza\Application Data\Apple Computer
d-----w 0 2008-03-10 04:42:31 \\nap-svr-dc\Users\argarza\Application Data\wsInspector
d-----w 0 2008-03-05 14:56:35 \\nap-svr-dc\Users\argarza\Application Data\gtk-2.0
d-----w 0 2008-03-05 14:56:26 \\nap-svr-dc\Users\argarza\Application Data\ICAClient
2008-04-05 14:47 52 ----a-w C:\Documents and Settings\All Users\Application Data\yup.dat
2008-03-03 05:17 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-03 00:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-02 19:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-01 19:56 --------- d-----w C:\Program Files\Sprint
2008-03-01 19:56 --------- d-----w C:\Program Files\Common Files\Research in Motion
2008-03-01 19:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sprint
2008-02-29 18:38 --------- d-----w C:\Program Files\Sierra Wireless
2008-02-25 19:04 --------- d-----w C:\Program Files\CentraOne
2008-02-14 15:41 3,980,800 ----a-w C:\WINDOWS\Chicago Dusk to Dark.scr
2008-02-14 15:41 --------- d-----w C:\Program Files\Chicago Dusk to Dark
2008-02-11 17:31 --------- d-----w C:\Program Files\QuickTime
2008-02-11 17:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-28 15:14 127,034 ------r C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 39,792 2007-10-11 01:51:55 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

----a-w 1,015,808 2007-04-09 20:23:56 C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe

-c--a-w 839,680 2007-04-03 23:55:08 C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe

-c--a-w 81,920 2004-07-27 20:50:18 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

-c--a-w 221,184 2004-07-27 20:50:42 C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

----a-w 540,672 2007-07-10 20:16:10 C:\Program Files\Common Files\Lenovo\Scheduler\bak\scheduler_proxy.exe

-c--a-w 132,496 2007-07-12 08:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe

-c--a-w 91,688 2006-11-07 23:51:40 C:\Program Files\Lenovo\AwayTask\bak\AwaySch.EXE

-c--a-w 66,176 2007-03-09 18:49:42 C:\Program Files\Lenovo\HOTKEY\bak\TPOSDSVC.exe

-c--a-w 58,416 2007-04-10 07:03:00 C:\Program Files\Lenovo\NPDIRECT\bak\TPFNF7SP.exe

----a-w 385,024 2008-01-25 18:55:37 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 385,024 2008-02-01 05:13:08 C:\Program Files\QuickTime\QTTask.exe

-c--a-w 512,000 2007-08-10 22:30:12 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe

-c--a-w 110,592 2007-08-10 22:30:40 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe

----a-w 413,696 2007-07-05 18:58:40 C:\Program Files\ThinkPad\ConnectUtilities\bak\ACTray.exe

----a-w 126,976 2007-07-05 18:51:48 C:\Program Files\ThinkPad\ConnectUtilities\bak\ACWLIcon.exe

-c--a-w 243,248 2007-04-27 06:33:00 C:\Program Files\ThinkPad\Utilities\bak\EzEjMnAp.Exe

-c--a-w 155,857 2006-08-23 21:26:18 C:\Program Files\UniPrint\Client\bak\SetDfltSettings.exe

----a-w 162,328 2007-08-15 19:07:32 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 137,752 2007-08-15 19:07:40 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 141,848 2007-08-15 19:07:48 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 122,940 2006-02-02 09:20:00 C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2406F5BF-CE7E-443E-A825-5674078ADB08}]
2008-03-02 14:42 291328 --a------ C:\WINDOWS\system32\geedc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AE72536-E807-4ACC-8B07-72275B05B5A5}]
\C:\WINDOWS\system32\c4\np89104.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC2EE6CC-112D-456D-86D5-AF73FDDCD6E1}]
\C:\WINDOWS\system32\c4\np89104.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Centra Launcher"="C:\PROGRA~1\CENTRA~1\bin\centraSystray.exe" [2004-04-27 13:49 233472]
"SpeedItUpEX"="C:\Program Files\Speeditup Free\SpeedItUp.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 16:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-02-07 15:16 356352]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2006-02-28 07:00 143360]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-01-28 10:14:08 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-28 10:11:51 692224]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoMovingBands"= 1 (0x1)
"NoPropertiesMyComputer"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoCloseDragDropBands"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoNetworkConnections"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSetTaskbar"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll 2007-07-05 13:52 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnkij]
nnnnkij.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\WINDOWS\system32\psqlpwd.dll 2007-03-08 17:08 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 15:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 10:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geedc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3043167079-704927677-1773674988-45637\Scripts\Logon\0\0]
"Script"=\\alliedsecurity.com\SysVol\alliedsecurity.com\scripts\Wintm.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3043167079-704927677-1773674988-500\Scripts\Logon\0\0]
"Script"=\\alliedsecurity.com\SysVol\alliedsecurity.com\scripts\Wintm.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 08:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 10:24]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-08-30 00:17]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-03-08 17:01]
R2 XAudio;XAudio;C:\WINDOWS\system32\DRIVERS\xaudio.sys [2006-11-28 15:44]
R3 LenovoRd;LenovoRd;C:\WINDOWS\system32\Drivers\LenovoRd.sys [2007-06-08 08:36]
R3 swmsflt;swmsflt;C:\WINDOWS\system32\drivers\swmsflt.sys [2007-08-10 12:08]
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2007-03-08 16:41]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-05-14 11:21]
S3 tpflhlp;tpflhlp;C:\Program Files\Lenovo\System Update\session\7luj08us\tpflhlp.sys [2007-07-24 16:14]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 21:55:15 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 16:55:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\geedc.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\TEMP\XPFF2.EXE
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
.
**************************************************************************
.
Completion time: 2008-04-05 17:13:36 - machine was rebooted [argarza]
ComboFix-quarantined-files.txt 2008-04-05 22:13:30
Pre-Run: 68,900,716,544 bytes free
Post-Run: 68,866,793,472 bytes free
.
2008-02-26 20:09:42 --- E O F ---


And a new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:27, on 2008-04-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\TEMP\XPFF2.EXE
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
\nap-svr-dc\Users\argarza\Desktop\Andrea\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insideab.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.insideab.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2406F5BF-CE7E-443E-A825-5674078ADB08} - C:\WINDOWS\system32\geedc.dll
O2 - BHO: (no name) - {4AE72536-E807-4ACC-8B07-72275B05B5A5} - \C:\WINDOWS\system32\c4\np89104.exe.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {CC2EE6CC-112D-456D-86D5-AF73FDDCD6E1} - \C:\WINDOWS\system32\c4\np89104.exe.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Centra Launcher] C:\PROGRA~1\CENTRA~1\bin\centraSystray.exe /startup
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\Speeditup Free\SpeedItUp.exe -MINI
O4 - Global Startup: Logitech Desktop Messenger.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insideab.com
O15 - Trusted Zone: www.choicepoint.com
O15 - Trusted Zone: www.citrix.com
O15 - Trusted Zone: www.greatsecurityjobs.com
O15 - Trusted Zone: mymail.inisideab.com
O15 - Trusted Zone: www.java.com
O15 - Trusted Zone: www.officedepot.com
O15 - Trusted Zone: www.salesforce.com
O15 - Trusted Zone: www.stapleslink.com
O15 - Trusted Zone: http://mypassword.insideab.com (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://centra.inside...aDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alliedsecurity.com
O17 - HKLM\Software\..\Telephony: DomainName = alliedsecurity.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alliedsecurity.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = alliedsecurity.com
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (file missing)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: nnnnkij - nnnnkij.dll (file missing)
O23 - Service: Access Utility Service - SprintNextel - C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
O23 - Service: ACMService - Unknown owner - C:\Program Files\Removal Tool\ACMService.exe (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 8598 bytes

#4 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\spysplash.dat
C:\Documents and Settings\All Users\Application Data\ksaf.dat
C:\WINDOWS\system32\geedc.dll

Folder::
C:\Program Files\MalwareAlarm
C:\Documents and Settings\All Users\Application Data\Rabio

AWF::
C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe
C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
C:\Program Files\Common Files\Lenovo\Scheduler\bak\scheduler_proxy.exe
C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
C:\Program Files\Lenovo\AwayTask\bak\AwaySch.EXE
C:\Program Files\Lenovo\HOTKEY\bak\TPOSDSVC.exe
C:\Program Files\Lenovo\NPDIRECT\bak\TPFNF7SP.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe
C:\Program Files\ThinkPad\ConnectUtilities\bak\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\bak\ACWLIcon.exe
C:\Program Files\ThinkPad\Utilities\bak\EzEjMnAp.Exe
C:\Program Files\UniPrint\Client\bak\SetDfltSettings.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\igfxpers.exe
C:\WINDOWS\system32\bak\igfxtray.exe
C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\WINDOWS\system32\0877c22e

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.
Reboot and post a new HijackThis log

#5 argarza (New Member, Topic Starter, 7 posts)

I know there's probably a few more steps to go, but thank you very much; I see a big improvement already :)

Here is the ComboFix Log:

ComboFix 08-04-04.1 - argarza 2008-04-05 21:51:20.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.526 [GMT -5:00]
Running from: \\nap-svr-dc\Users\argarza\Desktop\ComboFix.exe
Command switches used :: \\nap-svr-dc\Users\argarza\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\ksaf.dat
C:\WINDOWS\spysplash.dat
C:\WINDOWS\system32\geedc.dll
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\geedc.dll
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\ksaf.dat
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Program Files\MalwareAlarm
C:\Program Files\MalwareAlarm\diagnosis.dat
C:\Program Files\MalwareAlarm\MalwareAlarm.exe
C:\Program Files\MalwareAlarm\MalwareAlarm.lic
C:\Program Files\MalwareAlarm\MalwareAlarm0.ma
C:\Program Files\MalwareAlarm\MalwareAlarm1.ma
C:\Program Files\MalwareAlarm\mfc71.dll
C:\Program Files\MalwareAlarm\msvcp71.dll
C:\Program Files\MalwareAlarm\msvcr71.dll
C:\Program Files\MalwareAlarm\pv.dat
C:\Program Files\MalwareAlarm\pv.exe
C:\Program Files\MalwareAlarm\Uninstall.exe
C:\Program Files\MalwareAlarm\up.dat
C:\WINDOWS\spysplash.dat

.
((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
.

2008-04-05 21:59 . 0 C:\WINDOWS\system32\tmsock.tmp
2008-04-05 09:49 . 2008-04-05 09:49 <DIR> d-------- C:\Program Files\WinUndelete
2008-04-04 23:49 . 2008-04-04 23:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-04 23:49 . 2008-04-04 23:49 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-30 14:07 . 2008-03-30 14:35 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\sacache
2008-03-30 14:01 . 2008-03-30 14:01 <DIR> d-------- C:\WINDOWS\Speeditup Free
2008-03-30 14:01 . 2008-03-30 14:11 <DIR> d-------- C:\Program Files\Speeditup Free
2008-03-30 13:38 . 2008-04-05 09:47 <DIR> d-------- C:\Program Files\Removal Tool
2008-03-16 15:13 . 2008-03-16 15:13 15 --a------ C:\WINDOWS\system32\0877c22e
2008-03-09 23:38 . 2008-04-05 16:19 <DIR> d-------- C:\Program Files\Startup Inspector for Windows

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
d-s---w 0 2008-02-28 22:33:44 \\nap-svr-dc\Users\argarza\Application Data\Microsoft
d-----w 0 2008-04-05 05:04:51 \\nap-svr-dc\Users\argarza\Application Data\Uniblue
d-----w 0 2008-03-19 00:44:41 \\nap-svr-dc\Users\argarza\Application Data\Apple Computer
d-----w 0 2008-03-10 04:42:31 \\nap-svr-dc\Users\argarza\Application Data\wsInspector
d-----w 0 2008-03-05 14:56:35 \\nap-svr-dc\Users\argarza\Application Data\gtk-2.0
d-----w 0 2008-03-05 14:56:26 \\nap-svr-dc\Users\argarza\Application Data\ICAClient
2008-04-06 02:58 --------- d-----w C:\Program Files\QuickTime
2008-04-05 14:47 52 ----a-w C:\Documents and Settings\All Users\Application Data\yup.dat
2008-03-03 05:17 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-03 00:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-01 19:56 --------- d-----w C:\Program Files\Sprint
2008-03-01 19:56 --------- d-----w C:\Program Files\Common Files\Research in Motion
2008-03-01 19:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sprint
2008-02-29 18:38 --------- d-----w C:\Program Files\Sierra Wireless
2008-02-25 19:04 --------- d-----w C:\Program Files\CentraOne
2008-02-14 15:41 3,980,800 ----a-w C:\WINDOWS\Chicago Dusk to Dark.scr
2008-02-14 15:41 --------- d-----w C:\Program Files\Chicago Dusk to Dark
2008-02-11 17:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-28 15:14 127,034 ------r C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AE72536-E807-4ACC-8B07-72275B05B5A5}]
\C:\WINDOWS\system32\c4\np89104.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC2EE6CC-112D-456D-86D5-AF73FDDCD6E1}]
\C:\WINDOWS\system32\c4\np89104.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Centra Launcher"="C:\PROGRA~1\CENTRA~1\bin\centraSystray.exe" [2004-04-27 13:49 233472]
"SpeedItUpEX"="C:\Program Files\Speeditup Free\SpeedItUp.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-25 13:55 385024]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 16:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-02-07 15:16 356352]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2006-02-28 07:00 143360]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-01-28 10:14:08 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-28 10:11:51 692224]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoMovingBands"= 1 (0x1)
"NoPropertiesMyComputer"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoCloseDragDropBands"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoNetworkConnections"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSetTaskbar"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll 2007-07-05 13:52 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnkij]
nnnnkij.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\WINDOWS\system32\psqlpwd.dll 2007-03-08 17:08 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 15:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 10:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3043167079-704927677-1773674988-45637\Scripts\Logon\0\0]
"Script"=\\alliedsecurity.com\SysVol\alliedsecurity.com\scripts\Wintm.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3043167079-704927677-1773674988-500\Scripts\Logon\0\0]
"Script"=\\alliedsecurity.com\SysVol\alliedsecurity.com\scripts\Wintm.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 08:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 10:24]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-08-30 00:17]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-03-08 17:01]
R2 XAudio;XAudio;C:\WINDOWS\system32\DRIVERS\xaudio.sys [2006-11-28 15:44]
R3 LenovoRd;LenovoRd;C:\WINDOWS\system32\Drivers\LenovoRd.sys [2007-06-08 08:36]
R3 swmsflt;swmsflt;C:\WINDOWS\system32\drivers\swmsflt.sys [2007-08-10 12:08]
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2007-03-08 16:41]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-05-14 11:21]
S3 tpflhlp;tpflhlp;C:\Program Files\Lenovo\System Update\session\7luj08us\tpflhlp.sys [2007-07-24 16:14]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 22:18:46 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 21:59:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\XWC6E8.EXE
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-04-05 22:12:24 - machine was rebooted [argarza]
ComboFix-quarantined-files.txt 2008-04-06 03:12:19
ComboFix2.txt 2008-04-05 22:13:37
Pre-Run: 69,177,339,904 bytes free
Post-Run: 69,182,849,024 bytes free
.
2008-02-26 20:09:42 --- E O F ---

The VirusTotal results:

File 0877c22e received on 04.06.2008 05:16:08 (CET)


Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.4.4.1 2008.04.04 -
AntiVir 7.6.0.81 2008.04.05 -
Authentium 4.93.8 2008.04.05 -
Avast 4.7.1098.0 2008.04.06 -
AVG 7.5.0.516 2008.04.05 -
BitDefender 7.2 2008.04.06 -
CAT-QuickHeal 9.50 2008.04.05 -
ClamAV 0.92.1 2008.04.06 -
DrWeb 4.44.0.09170 2008.04.05 -
eSafe 7.0.15.0 2008.04.01 -
eTrust-Vet 31.3.5672 2008.04.04 -
Ewido 4.0 2008.04.05 -
F-Prot 4.4.2.54 2008.04.05 -
F-Secure 6.70.13260.0 2008.04.05 -
FileAdvisor 1 2008.04.06 -
Fortinet 3.14.0.0 2008.04.05 -
Ikarus T3.1.1.20 2008.04.06 -
Kaspersky 7.0.0.125 2008.04.06 -
McAfee 5267 2008.04.04 -
Microsoft 1.3408 2008.04.05 -
NOD32v2 3005 2008.04.06 -
Norman 5.80.02 2008.04.04 -
Panda 9.0.0.4 2008.04.05 -
Prevx1 V2 2008.04.06 -
Rising 20.38.60.00 2008.04.03 -
Sophos 4.28.0 2008.04.06 -
Sunbelt 3.0.1032.0 2008.04.05 -
Symantec 10 2008.04.06 -
TheHacker 6.2.92.266 2008.04.05 -
VBA32 3.12.6.4 2008.04.05 -
VirusBuster 4.3.26:9 2008.04.05 -
Webwasher-Gateway 6.6.2 2008.04.05 -
Additional information
File size: 15 bytes
MD5...: 3d68e693d476bd4df0d1ab72e79c13fa
SHA1..: 30b0179c8fe97e37b9835ddcb56d5ee70cf1ec23
SHA256: 2ff15e328f5bc21cffc72bc9285dc3a98cdcd697d71178977c844e511ed439fd
SHA512: 26169eca55610b246521c0a47a11a78e5700b887bc81a11c6a4ffca516f1f970
8fa9ff85536a6c5fe711060fd846e71d1f24c74c4fe9fd1c18cb1b4d5adf383e
PEiD..: -
PEInfo: -
The HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:28, on 2008-04-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\ZT2242.EXE
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\PROGRA~1\CENTRA~1\bin\centraSystray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
\nap-svr-dc\Users\argarza\Desktop\Andrea\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insideab.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.insideab.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4AE72536-E807-4ACC-8B07-72275B05B5A5} - \C:\WINDOWS\system32\c4\np89104.exe.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {CC2EE6CC-112D-456D-86D5-AF73FDDCD6E1} - \C:\WINDOWS\system32\c4\np89104.exe.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Centra Launcher] C:\PROGRA~1\CENTRA~1\bin\centraSystray.exe /startup
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\Speeditup Free\SpeedItUp.exe -MINI
O4 - Global Startup: Logitech Desktop Messenger.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insideab.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://centra.inside...aDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alliedsecurity.com
O17 - HKLM\Software\..\Telephony: DomainName = alliedsecurity.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alliedsecurity.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = alliedsecurity.com
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (file missing)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: nnnnkij - nnnnkij.dll (file missing)
O23 - Service: Access Utility Service - SprintNextel - C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
O23 - Service: ACMService - Unknown owner - C:\Program Files\Removal Tool\ACMService.exe (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 8417 bytes

#6 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Hello

1. Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - {4AE72536-E807-4ACC-8B07-72275B05B5A5} - \C:\WINDOWS\system32\c4\np89104.exe.dll (file missing)
O2 - BHO: (no name) - {CC2EE6CC-112D-456D-86D5-AF73FDDCD6E1} - \C:\WINDOWS\system32\c4\np89104.exe.dll (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (file missing)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: nnnnkij - nnnnkij.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Reboot and post a new HijackThis log

#7 argarza (New Member, Topic Starter, 7 posts)

The Kaspersky log:
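The entries picked out in step 1 above share a few traits that a helper looks for when reading a HijackThis log: the referenced file is reported missing (an orphaned registry entry), an O2 browser helper object has no name, an O16 entry is an ActiveX control pulled from the web, or an O20 Winlogon Notify DLL is given only by a bare filename rather than a full path. The script below is an added example, not part of this thread and not HijackThis's own code; it applies those same checks to HijackThis log lines. The sample lines are copied from the logs above (abbreviated), and the function names are assumptions of the example.

```python
"""Triage HijackThis log lines for orphaned and unnamed autostart entries.

Added example, not HijackThis's own code. It flags the kinds of entries a
malware-removal helper typically asks to have fixed and reports why.
"""
import re

# A HijackThis entry line looks like "O20 - Winlogon Notify: nnnnkij - nnnnkij.dll (file missing)"
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

# Constructed sample: lines copied from the thread's own HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4AE72536-E807-4ACC-8B07-72275B05B5A5} - \C:\WINDOWS\system32\c4\np89104.exe.dll (file missing)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: nnnnkij - nnnnkij.dll (file missing)
O23 - Service: ACMService - Unknown owner - C:\Program Files\Removal Tool\ACMService.exe (file missing)
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
"""


def parse_entry(line):
    """Return (section, body) for a HijackThis entry line, or None for
    headers, process lists and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def triage_reasons(section, body):
    """Return the list of reasons this entry deserves a second look
    (empty for entries that pass every check)."""
    reasons = []
    if body.endswith("(file missing)"):
        reasons.append("referenced file is missing (orphaned registry entry)")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object registered without a name")
    if section == "O16":
        reasons.append("ActiveX control downloaded from the web (DPF)")
    if section == "O20" and body.startswith("Winlogon Notify:"):
        # Winlogon Notify DLLs are loaded into winlogon.exe at logon. A bare
        # filename (no directory) means HijackThis could not resolve a path.
        parts = body[len("Winlogon Notify:"):].split(" - ", 1)
        if len(parts) == 2:
            target = parts[1].replace("(file missing)", "").strip()
            if "\\" not in target:
                reasons.append("Winlogon Notify DLL given by bare name, not full path")
    return reasons


def triage_log(text):
    """Return [(section, body, reasons)] for every flagged entry in a log."""
    flagged = []
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, body = parsed
        reasons = triage_reasons(section, body)
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


if __name__ == "__main__":
    for section, body, reasons in triage_log(SAMPLE_LOG):
        print(f"{section} - {body}")
        for reason in reasons:
            print(f"    -> {reason}")
```

Run against the sample, it flags four of the seven lines (the unnamed BHO, the DPF download, the nnnnkij Winlogon Notify entry and the missing ACMService binary) and leaves the Adobe, Logitech and Atheros entries alone, which is the same split the helper made in step 1. The checks are only a first pass: a missing file can also be a leftover from an uninstalled legitimate product, so the output is a list to review, not a list to delete blindly.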

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-04-06 19:07
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/04/2008
Kaspersky Anti-Virus database records: 686975
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 599869
Number of viruses found: 12
Number of infected objects: 37
Number of suspicious objects: 0
Duration of the scan process: 03:06:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\argarza\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\argarza\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\argarza\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\argarza\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\argarza\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\argarza\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\argarza\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\chandir.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\chandir.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\chn.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\chn.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\inuse.txt Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\L0000005.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\main.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\prs.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\prs.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\prs_die.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\prs_die.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\storydb.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\argarza\Data\storydb.idx Object is locked skipped
C:\Program Files\Trend Micro\OfficeScan Client\ConnLog\Conn_20080405.log Object is locked skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\catchme.zip.a03744/geedc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\catchme.zip.a03744 ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\catchme.zip.a03744 CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\catchme.zip_844.VIR/geedc.dll.1 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\catchme.zip_844.VIR ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\catchme.zip_844.VIR CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\geedc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\np89104.exe.VIR/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\np89104.exe.VIR NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\np89104.exe.VIR CryptFF.b: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MalwareAlarm\MalwareAlarm.exe.vir Infected: not-a-virus:FraudTool.Win32.DrAntispy.bo skipped
C:\QooBox\Quarantine\C\Program Files\MalwareAlarm\pv.exe.vir Infected: not-a-virus:FraudTool.Win32.DrAntispy.bp skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\QooBox\Quarantine\C\Program Files\RABCO\RABCO.dll.vir Infected: not-a-virus:AdWare.Win32.Rabio.h skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M0611NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6CE17831-742A-48DF-935A-31C2D23F4A44}\RP41\A0018995.exe Infected: not-virus:Hoax.Win32.Renos.bej skipped
C:\System Volume Information\_restore{6CE17831-742A-48DF-935A-31C2D23F4A44}\RP41\A0019078.DLL Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{6CE17831-742A-48DF-935A-31C2D23F4A44}\RP41\A0019122.exe/data0002 Infected: not-a-virus:Monitor.Win32.AdvancedCompMonitor.a skipped
C:\System Volume Information\_restore{6CE17831-742A-48DF-935A-31C2D23F4A44}\RP41\A0019122.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{6CE17831-742A-48DF-935A-31C2D23F4A44}\RP45\A0019331.exe Infected: not-a-virus:FraudTool.Win32.DrAntispy.bo skipped
C:\System Volume Information\_restore{6CE17831-742A-48DF-935A-31C2D23F4A44}\RP45\A0019336.exe Infected: not-a-virus:FraudTool.Win32.DrAntispy.bp skipped
C:\System Volume Information\_restore{6CE17831-742A-48DF-935A-31C2D23F4A44}\RP46\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\CSC\00000002 Object is locked skipped
C:\WINDOWS\CSC\00000003 Object is locked skipped
C:\WINDOWS\CSC\d1\00000050 Object is locked skipped
C:\WINDOWS\CSC\d2\000000C9 Object is locked skipped
C:\WINDOWS\CSC\d2\000016C1 Object is locked skipped
C:\WINDOWS\CSC\d3\000021BA Object is locked skipped
C:\WINDOWS\CSC\d4\00000013 Object is locked skipped
C:\WINDOWS\CSC\d4\000000A3 Object is locked skipped
C:\WINDOWS\CSC\d5\00000014 Object is locked skipped
C:\WINDOWS\CSC\d8\0000004F Object is locked skipped
C:\WINDOWS\CSC\d8\000022FF Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\kimg.dll Infected: not-a-virus:Monitor.Win32.SpyAgent.60006 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\TmEncryptTemp.000 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\TmEncryptTemp.001 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\TmEncryptTemp.002 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\TmEncryptTemp.003 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\TmEncryptTemp.004 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\TmEncryptTemp.005 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\TmEncryptTemp.006 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\TmEncryptTemp.007 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\TmEncryptTemp.008 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\TmEncryptTemp.009 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\TmEncryptTemp.010 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


The HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:15, on 2008-04-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\DQ8734.EXE
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\PROGRA~1\CENTRA~1\bin\centraSystray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
\nap-svr-dc\Users\argarza\Desktop\Andrea\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insideab.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.insideab.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Centra Launcher] C:\PROGRA~1\CENTRA~1\bin\centraSystray.exe /startup
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\Speeditup Free\SpeedItUp.exe -MINI
O4 - Global Startup: Logitech Desktop Messenger.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insideab.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://centra.inside...aDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alliedsecurity.com
O17 - HKLM\Software\..\Telephony: DomainName = alliedsecurity.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alliedsecurity.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = alliedsecurity.com
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Access Utility Service - SprintNextel - C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
O23 - Service: ACMService - Unknown owner - C:\Program Files\Removal Tool\ACMService.exe (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 7899 bytes
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\kimg.dll
    C:\WINDOWS\system32\TmEncryptTemp.000 
    C:\WINDOWS\system32\TmEncryptTemp.001
    C:\WINDOWS\system32\TmEncryptTemp.002 
    C:\WINDOWS\system32\TmEncryptTemp.003 
    C:\WINDOWS\system32\TmEncryptTemp.004 
    C:\WINDOWS\system32\TmEncryptTemp.005 
    C:\WINDOWS\system32\TmEncryptTemp.006 
    C:\WINDOWS\system32\TmEncryptTemp.007 
    C:\WINDOWS\system32\TmEncryptTemp.008 
    C:\WINDOWS\system32\TmEncryptTemp.009 
    C:\WINDOWS\system32\TmEncryptTemp.010 
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and tell me how your PC is running
  • 0

#9
argarza

argarza

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I installed the program, ran it and tried to move the files, but it gave me error messages. The first was error creating log file; the second was unable to error creating restore file. It asked me to reboot, I clicked yes, but when it started up it listed the code you gave and said it was unsuccessful. When it rebooted it also said it couldn't locate the logfile \\n_OTMoveIt\MovedFiles\04062008_200738.log
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Ok can you manually delete these files if present

C:\WINDOWS\kimg.dll
C:\WINDOWS\system32\TmEncryptTemp.000
C:\WINDOWS\system32\TmEncryptTemp.001
C:\WINDOWS\system32\TmEncryptTemp.002
C:\WINDOWS\system32\TmEncryptTemp.003
C:\WINDOWS\system32\TmEncryptTemp.004
C:\WINDOWS\system32\TmEncryptTemp.005
C:\WINDOWS\system32\TmEncryptTemp.006
C:\WINDOWS\system32\TmEncryptTemp.007
C:\WINDOWS\system32\TmEncryptTemp.008
C:\WINDOWS\system32\TmEncryptTemp.009
C:\WINDOWS\system32\TmEncryptTemp.010

Let me know how that goes
  • 0

#11
argarza

argarza

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Went through and deleted all but the kimg.dll which wasn't found.

The computer is running great, still a little slow on startup but nothing compared to how it was before. OfficeScan isn't detecting the virus anymore and IE is much, much faster.

Thank you very much! :)
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean! We need to do a few things.

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0
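The "Make Internet Explorer more secure" steps in the reply above change three Internet Zone values through the Inetcpl.cpl dialog. As an added example (not from this thread or from any of the tools it uses), this PowerShell script reads those values from the registry and reports which ones differ from the recommended Prompt / Prompt / Disable, with an optional -Fix switch to set them; the function names are my own, and it assumes the per-user (HKCU) zone settings are the ones in effect rather than an HKLM-only zone policy.

```powershell
# Added example: audit (and optionally set) the Internet Explorer Internet Zone
# ActiveX settings that the Inetcpl.cpl steps above change through the GUI.
# Function names are mine; the registry path and value names are Microsoft's
# documented Internet Explorer zone settings (Zone 3 = Internet Zone):
#   1001 = Download signed ActiveX controls
#   1004 = Download unsigned ActiveX controls
#   1201 = Initialize and script ActiveX controls not marked as safe
# Value data: 0 = Enable, 1 = Prompt, 3 = Disable.
# Assumes per-user zone settings apply (no HKLM-only zone policy in force).

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values from the steps above: Prompt, Prompt, Disable.
$ActiveXSettings = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 }
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 1 }
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
)

$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneLabel([object]$Value) {
    # Translate raw DWORD data into the wording shown in the Security tab.
    if ($null -eq $Value) { return 'not set (zone default)' }
    if ($Labels.ContainsKey([int]$Value)) { return $Labels[[int]$Value] }
    return "unknown ($Value)"
}

function Test-InternetZoneActiveX {
    [CmdletBinding()]
    param([switch]$Fix)

    if (-not (Test-Path $ZonePath)) {
        throw "Internet Zone key not found at $ZonePath"
    }
    $zone = Get-ItemProperty -Path $ZonePath

    foreach ($s in $ActiveXSettings) {
        $actual    = $zone.($s.Id)          # $null when the value is absent
        $compliant = ($null -ne $actual) -and ([int]$actual -eq $s.Want)

        if (-not $compliant -and $Fix) {
            # Only HKCU is written, so no elevation is needed for the current user.
            Set-ItemProperty -Path $ZonePath -Name $s.Id -Value $s.Want -Type DWord
            $actual    = $s.Want
            $compliant = $true
        }

        [pscustomobject]@{
            Setting   = $s.Name
            Value     = $s.Id
            Current   = Get-ZoneLabel $actual
            Expected  = $Labels[$s.Want]
            Compliant = $compliant
        }
    }
}

# Report the current state; add -Fix to apply the recommended values.
Test-InternetZoneActiveX | Format-Table -AutoSize
```

Run it as the user whose Internet Explorer settings you are checking, since the values live under that user's HKCU hive.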

#13
argarza

argarza

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thank you for all your help. I was about ready to throw this thing out the window a few days ago. I will definitely be making a donation on payday this week.

I uninstalled ComboFix but again had an error message pop up with OTMoveIt
Can I manually delete these other programs?
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Yes, go ahead and manually delete them; that's all OTMoveIt was going to do.

Let me know if you have any questions
  • 0

#15
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





