Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Virtumonde infection [RESOLVED]


  • This topic is locked This topic is locked

#1
rallen295

rallen295

    Member

  • Member
  • PipPip
  • 24 posts
There maybe other problems as well...I am not very good at this....symptoms are ; computer freezing...crashing..running real slow. this is a computer of my gf that she asked me to help her with. It was compelety unusable when i started. I have installed symantec antivirus, and cyber armor firewall. I ran all the sugested tools in the guide above. It has helped but the computer is still running very slow. Several of the programs found some Vundu trojans, but i dont think any deleted them. Now i cannot even run a complete scan with symantic...it just locks up. I cannot start the computer in safe mode, it says the username/pw is wrong. I am running XP.

logs :

;*******************************************************************************
********************************************************************************
*
*******************
ANALYSIS: 2008-06-02 00:14:10
PROTECTIONS: 1
MALWARE: 1
SUSPECTS: 0
;*******************************************************************************
********************************************************************************
*
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
================================================================================
=
===================
Symantec Endpoint Protection 11.0.1000.1112 No Yes
;===============================================================================
================================================================================
=
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
================================================================================
=
===================
00041904 adware/sidesearch Adware No 0 Yes No hkey_classes_root\sep.av.scandlgs
00041904 adware/sidesearch Adware No 0 Yes No hkey_local_machine\software\classes\sep.av.scandlgs
;===============================================================================
================================================================================
=
===================
SUSPECTS
Sent Location
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================
VULNERABILITIES
Id Severity Description
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================






Malwarebytes' Anti-Malware 1.14
Database version: 807

3:10:05 PM 5/31/2008
mbam-log-5-31-2008 (15-10-05).txt

Scan type: Quick Scan
Objects scanned: 39554
Time elapsed: 7 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\__c009B35E.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXRjihi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.





[05/30/2008, 23:32:04] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\rcarabal\Desktop\VirtumundoBeGone.exe" )
[05/30/2008, 23:32:10] - Detected System Information:
[05/30/2008, 23:32:10] - Windows Version: 5.1.2600, Service Pack 2
[05/30/2008, 23:32:10] - Current Username: rcarabal (Admin)
[05/30/2008, 23:32:10] - Windows is in NORMAL mode.
[05/30/2008, 23:32:10] - Searching for Browser Helper Objects:
[05/30/2008, 23:32:10] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/30/2008, 23:32:10] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[05/30/2008, 23:32:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/30/2008, 23:32:11] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[05/30/2008, 23:32:11] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[05/30/2008, 23:32:11] - BHO 3: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} ()
[05/30/2008, 23:32:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/30/2008, 23:32:11] - No filename found. Continuing.
[05/30/2008, 23:32:11] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/30/2008, 23:32:11] - BHO 5: {D54845D6-0B6A-468A-A581-7E8805FB9C77} ()
[05/30/2008, 23:32:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/30/2008, 23:32:11] - Checking for HKLM\...\Winlogon\Notify\byXRjihi
[05/30/2008, 23:32:11] - Key not found: HKLM\...\Winlogon\Notify\byXRjihi, continuing.
[05/30/2008, 23:32:11] - BHO 6: {ec6b8e40-4f64-4b0b-a72b-877886ba0405} ()
[05/30/2008, 23:32:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/30/2008, 23:32:11] - Checking for HKLM\...\Winlogon\Notify\bigcvilm
[05/30/2008, 23:32:11] - Key not found: HKLM\...\Winlogon\Notify\bigcvilm, continuing.
[05/30/2008, 23:32:11] - Finished Searching Browser Helper Objects
[05/30/2008, 23:32:11] - Finishing up...
[05/30/2008, 23:32:11] - Nothing found! Exiting...

[05/31/2008, 14:43:27] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\rcarabal\Desktop\VirtumundoBeGone.exe" )
[05/31/2008, 14:43:31] - Detected System Information:
[05/31/2008, 14:43:31] - Windows Version: 5.1.2600, Service Pack 2
[05/31/2008, 14:43:31] - Current Username: rcarabal (Admin)
[05/31/2008, 14:43:31] - Windows is in NORMAL mode.
[05/31/2008, 14:43:31] - Searching for Browser Helper Objects:
[05/31/2008, 14:43:31] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/31/2008, 14:43:31] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[05/31/2008, 14:43:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/31/2008, 14:43:31] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[05/31/2008, 14:43:31] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[05/31/2008, 14:43:31] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/31/2008, 14:43:31] - Finished Searching Browser Helper Objects
[05/31/2008, 14:43:31] - Finishing up...
[05/31/2008, 14:43:31] - Nothing found! Exiting...




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:31 AM, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberArmor\casvc.exe
C:\PROGRA~1\CYBERA~1\pcs.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\PROGRA~1\CYBERA~1\pcshelp.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberArmor\pcshelp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://inside.openwave.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [UC_Start] "C:\Program Files\IBM\Updater\\ucstartup.exe"
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE"
O4 - HKLM\..\Run: [BMMMONWND] "rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] "rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [frymxins] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" -helper
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [ACTray] "C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe"
O4 - HKLM\..\Run: [ACWLIcon] "C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe"
O4 - HKLM\..\Run: [PRONoMgrWired] "C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CyberArmorHelper] "C:\Program Files\CyberArmor\pcshelp.exe" -check
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00FB4A3C2.exe] C:\DOCUME~1\rcarabal\LOCALS~1\Temp\_A00FB4A3C2.exe
O4 - HKCU\..\Run: [A00F246E75.exe] C:\DOCUME~1\rcarabal\LOCALS~1\Temp\_A00F246E75.exe
O4 - HKCU\..\Run: [A00F3FD1DE.exe] C:\DOCUME~1\rcarabal\LOCALS~1\Temp\_A00F3FD1DE.exe
O4 - HKCU\..\Run: [WinAntivirusPro] C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\PkgMgr.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.myopwv.com
O15 - Trusted Zone: *.netscaler.com
O15 - Trusted Zone: *.openwave.com
O15 - Trusted Zone: *.peopleclick.com
O15 - Trusted Zone: *.myopwv.com (HKLM)
O15 - Trusted Zone: *.netscaler.com (HKLM)
O15 - Trusted Zone: *.openwave.com (HKLM)
O15 - Trusted Zone: *.peopleclick.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119451976022
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://rwc-a1159-prd...tor/oajinit.exe
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigne...p/view22rte.cab
O16 - DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} (Nsload Control) - https://sidedoor.ope...ipts/nsload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = myopwv.com
O17 - HKLM\Software\..\Telephony: DomainName = myopwv.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = myopwv.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = myopwv.com
O20 - AppInit_DLLs: cahooknt.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: geBtQgDt - geBtQgDt.dll (file missing)
O20 - Winlogon Notify: hgghihg - hgghihg.dll (file missing)
O20 - Winlogon Notify: __c003C10E - C:\WINDOWS\system32\__c003C10E.dat (file missing)
O20 - Winlogon Notify: __c00C3050 - C:\WINDOWS\system32\__c00C3050.dat (file missing)
O20 - Winlogon Notify: __c00C5269 - C:\WINDOWS\system32\__c00C5269.dat (file missing)
O20 - Winlogon Notify: __c00D5284 - C:\WINDOWS\system32\__c00D5284.dat (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - InfoExpress - C:\Program Files\CyberArmor\casvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 12465 bytes





Access IBM
Adobe Flash Player ActiveX
Adobe Reader 6.0
Agere Systems AC'97 Modem
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Bonjour
CleanUp!
CyberArmor
Fiberlink Global Remote
FIRE GL driver for 3D Studio MAX/VIZ
HijackThis 2.0.2
IBM ThinkPad Battery MaxiMiser and Power Management Features
IBM Update Connector
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Intel® PROSet/Wireless Software
Intel® Sebring API
InterVideo WinDVD
iTunes
Java 2 Runtime Environment Standard Edition v1.3.1_04
Java™ SE Runtime Environment 6 Update 1
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes' Anti-Malware
mCore
mDriver
Microsoft Office Professional Edition 2003
Microsoft Organization Chart 2.0
mMHouse
Mozilla Firefox (2.0.0.14)
mPfMgr
mProSafe
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
mWlsSafe
mXML
OLYMPUS CAMEDIA Master 4.1
Oracle JInitiator 1.1.8.16
Panda ActiveScan 2.0
PC-Doctor for Windows
QuickTime
Scroll Lock Indicator Utility
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Series 65 Databank
Software Installer
Sonic RecordNow!
Sonic Update Manager
SoundMAX
Sprint PCS Connection Manager
Spy Sweeper
Spybot - Search & Destroy 1.5.2.20
SUPERAntiSpyware Free Edition
Symantec Endpoint Protection
System Migration Assistant 5.0
ThinkPad Configuration
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Integrated 56K Modem
ThinkPad Keyboard Customizer Utility
ThinkPad Power Management Driver
ThinkPad Presentation Director
ThinkPad UltraNav Driver
ThinkPad UltraNav Wizard
ThinkVantage Access Connections
ThinkVantage Active Protection System
TrackPoint Accessibility Features
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
V620 Driver Setup
VanDyke Software SecureCRT 4.0
VideoLAN VLC media player 0.8.6f
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Messenger 5.1
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WinZip

Edited by rallen295, 03 June 2008 - 09:23 AM.

  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.




Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#3
rallen295

rallen295

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
here are the logs. I cannot access the internet with that computer from work. Can we proceed without doing the online scan ?

thank you for your help.

ComboFix 08-06-10.5 - rcarabal 2008-06-11 11:05:53.1 - NTFSx86
Running from: C:\Documents and Settings\rcarabal\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM6b785091.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\anmulrvg.ini
C:\WINDOWS\system32\aqkmkxci.ini
C:\WINDOWS\system32\brpctchp.ini
C:\WINDOWS\system32\ccefOXyb.ini
C:\WINDOWS\system32\ccefOXyb.ini2
C:\WINDOWS\system32\csuefjlo.ini
C:\WINDOWS\system32\dptgacvk.ini
C:\WINDOWS\system32\eaxyhwlu.ini
C:\WINDOWS\system32\eecvwewb.ini
C:\WINDOWS\system32\FghgQqru.ini
C:\WINDOWS\system32\fifcanok.ini
C:\WINDOWS\system32\fksuatim.ini
C:\WINDOWS\system32\gbnqysln.ini
C:\WINDOWS\system32\GjPrBcfe.ini
C:\WINDOWS\system32\GjPrBcfe.ini2
C:\WINDOWS\system32\ihijRXyb.ini
C:\WINDOWS\system32\ihijRXyb.ini2
C:\WINDOWS\system32\jdrjriyb.ini
C:\WINDOWS\system32\jilvotps.ini
C:\WINDOWS\system32\jnxmmpko.ini
C:\WINDOWS\system32\jxgrfike.ini
C:\WINDOWS\system32\knrtperp.ini
C:\WINDOWS\system32\kujujvxc.ini
C:\WINDOWS\system32\kyliyofs.ini
C:\WINDOWS\system32\ldagebvl.ini
C:\WINDOWS\system32\lrbvgqrp.ini
C:\WINDOWS\system32\lsjcmqnw.ini
C:\WINDOWS\system32\lyuxnecf.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlnllqyy.ini
C:\WINDOWS\system32\mmncbncs.ini
C:\WINDOWS\system32\ndtgrwdt.ini
C:\WINDOWS\system32\nnkrjpix.ini
C:\WINDOWS\system32\ntpsglco.ini
C:\WINDOWS\system32\oiphcuqm.ini
C:\WINDOWS\system32\ovlxmixs.ini
C:\WINDOWS\system32\reenofkh.ini
C:\WINDOWS\system32\rlxrpquj.ini
C:\WINDOWS\system32\rokeavfc.ini
C:\WINDOWS\system32\saeejuey.ini
C:\WINDOWS\system32\shbibmvi.ini
C:\WINDOWS\system32\twfsifvn.ini
C:\WINDOWS\system32\UwaGOqss.ini
C:\WINDOWS\system32\UwaGOqss.ini2
C:\WINDOWS\system32\vyyxx.bak1
C:\WINDOWS\system32\vyyxx.bak2
C:\WINDOWS\system32\vyyxx.ini
C:\WINDOWS\system32\xfooqdsj.ini
C:\WINDOWS\system32\xopokqgm.ini
C:\WINDOWS\system32\xwlpbyio.ini
C:\WINDOWS\system32\xxfkmvne.ini
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-03 07:16 . 2008-06-03 07:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-03 07:15 . 2008-06-03 07:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-02 00:59 . 2008-06-02 00:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-31 18:50 . 2008-05-31 18:52 <DIR> d-------- C:\Program Files\Panda Security
2008-05-31 18:41 . 2008-05-31 18:41 <DIR> d-------- C:\Webroot
2008-05-30 23:46 . 2008-05-30 23:46 <DIR> d-------- C:\Documents and Settings\rcarabal\Application Data\Malwarebytes
2008-05-30 23:40 . 2008-05-30 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-30 23:40 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-30 23:39 . 2008-05-30 23:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-30 23:39 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-30 23:37 . 2008-05-30 23:37 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-30 22:42 . 2008-05-30 22:42 <DIR> d-------- C:\VundoFix Backups
2008-05-30 22:28 . 2008-05-30 22:26 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-30 22:28 . 2008-05-30 22:28 2,553 --a------ C:\WINDOWS\unins000.dat
2008-05-30 16:19 . 2008-05-30 16:19 0 --a------ C:\WINDOWS\system32\TP4EX
2008-05-30 16:18 . 2008-05-30 16:18 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2008-05-30 16:06 . 2008-05-30 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-30 16:05 . 2008-06-04 14:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-30 16:05 . 2008-06-04 14:54 <DIR> d-------- C:\Documents and Settings\rcarabal\Application Data\SUPERAntiSpyware.com
2008-05-30 16:01 . 2008-05-30 16:01 <DIR> d-------- C:\Program Files\Webroot
2008-05-30 11:17 . 2007-12-18 19:06 91,008 --a------ C:\WINDOWS\system32\drivers\SysPlant.sys
2008-05-30 11:14 . 2008-05-30 11:17 136,496 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-30 11:14 . 2008-05-30 11:17 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-30 11:14 . 2008-05-30 11:17 10,652 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-30 11:14 . 2008-05-30 11:17 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-30 11:08 . 2008-05-30 11:17 <DIR> d-------- C:\Program Files\Symantec
2008-05-30 11:08 . 2008-05-30 21:34 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-30 11:08 . 2008-05-30 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-30 00:43 . 2008-05-30 00:43 <DIR> d-------- C:\Program Files\CleanUp!
2008-05-30 00:42 . 2008-05-30 22:26 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-30 00:42 . 2008-05-30 15:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-30 00:27 . 2008-06-11 11:13 <DIR> d-------- C:\Program Files\CyberArmor
2008-05-30 00:27 . 2005-11-09 20:45 257,087 --a------ C:\WINDOWS\system32\drivers\viexpf2k.sys
2008-05-30 00:27 . 2005-11-09 20:36 143,360 --a------ C:\WINDOWS\system32\cahookd.dll
2008-05-30 00:27 . 2005-11-09 20:36 131,072 --a------ C:\WINDOWS\system32\cahooknt.dll
2008-05-30 00:27 . 2005-11-09 20:42 53,248 --a------ C:\WINDOWS\system32\pcsldr.exe
2008-05-30 00:27 . 2005-11-09 16:33 36,864 --a------ C:\WINDOWS\system32\vsctool.dll
2008-05-29 23:53 . 2008-05-29 23:53 <DIR> d-------- C:\Documents and Settings\rcarabal\Application Data\Lavasoft
2008-05-28 04:08 . 2008-05-28 04:08 318,936 --a------ C:\13.tmp
2008-05-28 04:08 . 2008-05-28 04:08 0 --a------ C:\16.tmp
2008-05-28 04:08 . 2008-05-28 04:08 0 --a------ C:\15.tmp
2008-05-28 04:08 . 2008-05-28 04:08 0 --a------ C:\14.tmp
2008-05-18 17:01 . 2008-05-18 17:01 48 --a------ C:\WINDOWS\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 22:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-04 19:54 --------- d-----w C:\Program Files\Databank
2008-06-04 19:51 --------- d-----w C:\Program Files\ThinkPad
2008-06-04 18:35 --------- d-----w C:\Program Files\Oracle
2008-06-04 18:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-31 20:36 --------- d-----w C:\Program Files\LimeWire
2008-05-30 20:19 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-05-30 20:18 --------- d-----w C:\Program Files\NetWaiting
2008-05-17 15:49 --------- d-----w C:\Documents and Settings\rcarabal\Application Data\LimeWire
2008-05-01 18:57 --------- d-----w C:\Program Files\iTunes
2008-05-01 18:56 --------- d-----w C:\Program Files\iPod
2008-05-01 18:42 --------- d-----w C:\Program Files\QuickTime
2008-05-01 18:06 --------- d-----w C:\Program Files\Apple Software Update
2008-04-17 02:09 --------- d-----w C:\Documents and Settings\rcarabal\Application Data\vlc
2008-04-17 01:52 --------- d-----w C:\Program Files\VideoLAN
2006-01-11 16:40 221,184 ----a-w C:\Documents and Settings\VCS GUI\setup.exe
2006-01-11 16:40 1,822,520 ----a-w C:\Documents and Settings\VCS GUI\instmsiw.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 17:57 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 17:57 512000]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 18:15 94208]
"BluetoothAuthenticationAgent"="rundll32.exe" [2004-08-04 04:56 33280 C:\WINDOWS\system32\rundll32.exe]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2004-07-14 20:34 36864]
"TpShocks"="TpShocks.exe" [2005-08-22 23:29 86016 C:\WINDOWS\system32\TpShocks.exe]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 04:38 110592]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 04:38 20480]
"BMMMONWND"="rundll32.exe" [2004-08-04 04:56 33280 C:\WINDOWS\system32\rundll32.exe]
"BLOG"="rundll32.exe" [2004-08-04 04:56 33280 C:\WINDOWS\system32\rundll32.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-26 01:00 344064]
"frymxins"="C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" [ ]
"TP4EX"="tp4ex.exe" [2005-10-17 04:11 65536 C:\WINDOWS\system32\TP4EX.exe]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 19:08 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"CyberArmorHelper"="C:\Program Files\CyberArmor\pcshelp.exe" [2005-11-09 20:42 69632]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-11-09 15:15 115560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtQgDt]
geBtQgDt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghihg]
hgghihg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 2005-07-06 03:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-06-17 02:23 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c003C10E]
C:\WINDOWS\system32\__c003C10E.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00C3050]
C:\WINDOWS\system32\__c00C3050.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00C5269]
C:\WINDOWS\system32\__c00C5269.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00D5284]
C:\WINDOWS\system32\__c00D5284.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= cahooknt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1482476501-682003330-1801674531-43809\Scripts\Logon\0\0]
"Script"=ITCSAdmins.wsf

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-11-16 05:30 1611480 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-06-06 15:59]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-06 15:59]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 04:38]
R2 CyberArmorRunService;CyberArmor Run Service;C:\Program Files\CyberArmor\casvc.exe [2005-11-09 20:36]
R2 PMEMNT.SYS;PMEMNT.SYS;C:\WINDOWS\system32\drivers\PMEMNT.SYS [2005-01-03 12:24]
R2 Viexpf2k;CyberArmor W2KDriver;C:\WINDOWS\system32\drivers\viexpf2k.sys [2005-11-09 20:45]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-05-29 13:55]
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []
S3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-10 18:19:54 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2005-06-22 20:35:47 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 11:29:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\CYBERA~1\pcs.exe
C:\PROGRA~1\CYBERA~1\pcshelp.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\DoScan.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\PROGRA~1\CYBERA~1\pcshelp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-11 11:39:16 - machine was rebooted [rcarabal]
ComboFix-quarantined-files.txt 2008-06-11 15:38:46

Pre-Run: 11,491,966,976 bytes free
Post-Run: 11,425,505,280 bytes free

266 --- E O F --- 2008-04-15 06:04:02







Hijackthis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46, on 2008-06-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\CyberArmor\casvc.exe
C:\PROGRA~1\CYBERA~1\pcs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberArmor\pcshelp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\CYBERA~1\pcshelp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://inside.openwave.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [UC_Start] "C:\Program Files\IBM\Updater\\ucstartup.exe"
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE"
O4 - HKLM\..\Run: [BMMMONWND] "rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] "rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [frymxins] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PRONoMgrWired] "C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CyberArmorHelper] "C:\Program Files\CyberArmor\pcshelp.exe" -check
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\PkgMgr.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.myopwv.com
O15 - Trusted Zone: *.netscaler.com
O15 - Trusted Zone: *.openwave.com
O15 - Trusted Zone: *.peopleclick.com
O15 - Trusted Zone: *.myopwv.com (HKLM)
O15 - Trusted Zone: *.netscaler.com (HKLM)
O15 - Trusted Zone: *.openwave.com (HKLM)
O15 - Trusted Zone: *.peopleclick.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119451976022
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} - http://rwc-a1159-prd...tor/oajinit.exe
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigne...p/view22rte.cab
O16 - DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} (Nsload Control) - https://sidedoor.ope...ipts/nsload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = myopwv.com
O17 - HKLM\Software\..\Telephony: DomainName = myopwv.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = myopwv.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = myopwv.com
O20 - AppInit_DLLs: cahooknt.dll
O20 - Winlogon Notify: geBtQgDt - geBtQgDt.dll (file missing)
O20 - Winlogon Notify: hgghihg - hgghihg.dll (file missing)
O20 - Winlogon Notify: __c003C10E - C:\WINDOWS\system32\__c003C10E.dat (file missing)
O20 - Winlogon Notify: __c00C3050 - C:\WINDOWS\system32\__c00C3050.dat (file missing)
O20 - Winlogon Notify: __c00C5269 - C:\WINDOWS\system32\__c00C5269.dat (file missing)
O20 - Winlogon Notify: __c00D5284 - C:\WINDOWS\system32\__c00D5284.dat (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - InfoExpress - C:\Program Files\CyberArmor\casvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE

--
End of file - 8989 bytes
  • 0

#4
rallen295

rallen295

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
I just noticed that warning...i thought I installed the recovery console... ! ( i followed the instructions)

Edited by rallen295, 11 June 2008 - 09:49 AM.

  • 0

#5
rallen295

rallen295

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
I reinstalled, and it looks like I did it correct this time. Here are the logs

ComboFix 08-06-10.5 - rcarabal 2008-06-11 11:54:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.129 [GMT -4:00]
Running from: C:\Documents and Settings\rcarabal\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\rcarabal\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\CMMGR32.EXE

.
((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-03 07:16 . 2008-06-03 07:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-03 07:15 . 2008-06-03 07:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-02 00:59 . 2008-06-02 00:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-31 18:50 . 2008-05-31 18:52 <DIR> d-------- C:\Program Files\Panda Security
2008-05-31 18:41 . 2008-05-31 18:41 <DIR> d-------- C:\Webroot
2008-05-30 23:46 . 2008-05-30 23:46 <DIR> d-------- C:\Documents and Settings\rcarabal\Application Data\Malwarebytes
2008-05-30 23:40 . 2008-05-30 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-30 23:40 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-30 23:39 . 2008-05-30 23:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-30 23:39 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-30 23:37 . 2008-05-30 23:37 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-30 22:42 . 2008-05-30 22:42 <DIR> d-------- C:\VundoFix Backups
2008-05-30 22:28 . 2008-05-30 22:26 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-30 22:28 . 2008-05-30 22:28 2,553 --a------ C:\WINDOWS\unins000.dat
2008-05-30 16:19 . 2008-05-30 16:19 0 --a------ C:\WINDOWS\system32\TP4EX
2008-05-30 16:06 . 2008-05-30 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-30 16:05 . 2008-06-04 14:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-30 16:05 . 2008-06-04 14:54 <DIR> d-------- C:\Documents and Settings\rcarabal\Application Data\SUPERAntiSpyware.com
2008-05-30 16:01 . 2008-05-30 16:01 <DIR> d-------- C:\Program Files\Webroot
2008-05-30 11:17 . 2007-12-18 19:06 91,008 --a------ C:\WINDOWS\system32\drivers\SysPlant.sys
2008-05-30 11:14 . 2008-05-30 11:17 136,496 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-30 11:14 . 2008-05-30 11:17 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-30 11:14 . 2008-05-30 11:17 10,652 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-30 11:14 . 2008-05-30 11:17 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-30 11:08 . 2008-05-30 11:17 <DIR> d-------- C:\Program Files\Symantec
2008-05-30 11:08 . 2008-05-30 21:34 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-30 11:08 . 2008-05-30 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-30 00:43 . 2008-05-30 00:43 <DIR> d-------- C:\Program Files\CleanUp!
2008-05-30 00:42 . 2008-05-30 22:26 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-30 00:42 . 2008-05-30 15:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-30 00:27 . 2008-06-11 11:13 <DIR> d-------- C:\Program Files\CyberArmor
2008-05-30 00:27 . 2005-11-09 20:45 257,087 --a------ C:\WINDOWS\system32\drivers\viexpf2k.sys
2008-05-30 00:27 . 2005-11-09 20:36 143,360 --a------ C:\WINDOWS\system32\cahookd.dll
2008-05-30 00:27 . 2005-11-09 20:36 131,072 --a------ C:\WINDOWS\system32\cahooknt.dll
2008-05-30 00:27 . 2005-11-09 20:42 53,248 --a------ C:\WINDOWS\system32\pcsldr.exe
2008-05-30 00:27 . 2005-11-09 16:33 36,864 --a------ C:\WINDOWS\system32\vsctool.dll
2008-05-29 23:53 . 2008-05-29 23:53 <DIR> d-------- C:\Documents and Settings\rcarabal\Application Data\Lavasoft
2008-05-28 04:08 . 2008-05-28 04:08 318,936 --a------ C:\13.tmp
2008-05-28 04:08 . 2008-05-28 04:08 0 --a------ C:\16.tmp
2008-05-28 04:08 . 2008-05-28 04:08 0 --a------ C:\15.tmp
2008-05-28 04:08 . 2008-05-28 04:08 0 --a------ C:\14.tmp
2008-05-18 17:01 . 2008-05-18 17:01 48 --a------ C:\WINDOWS\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 22:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-04 19:54 --------- d-----w C:\Program Files\Databank
2008-06-04 19:51 --------- d-----w C:\Program Files\ThinkPad
2008-06-04 18:35 --------- d-----w C:\Program Files\Oracle
2008-06-04 18:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-31 20:36 --------- d-----w C:\Program Files\LimeWire
2008-05-30 20:19 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-05-30 20:18 --------- d-----w C:\Program Files\NetWaiting
2008-05-17 15:49 --------- d-----w C:\Documents and Settings\rcarabal\Application Data\LimeWire
2008-05-01 18:57 --------- d-----w C:\Program Files\iTunes
2008-05-01 18:56 --------- d-----w C:\Program Files\iPod
2008-05-01 18:42 --------- d-----w C:\Program Files\QuickTime
2008-05-01 18:06 --------- d-----w C:\Program Files\Apple Software Update
2008-04-17 02:09 --------- d-----w C:\Documents and Settings\rcarabal\Application Data\vlc
2008-04-17 01:52 --------- d-----w C:\Program Files\VideoLAN
2008-04-15 05:51 128,968 ----a-w C:\WINDOWS\system32\mLEtropQ.dll
2008-04-13 21:16 3,521 ----a-w C:\WINDOWS\system32\vbgxvoxx.dll
2008-04-13 21:13 3,520 ----a-w C:\WINDOWS\system32\nsnxtgqh.dll
2008-04-13 21:13 3,517 ----a-w C:\WINDOWS\system32\jnypvumw.dll
2008-04-13 21:10 3,517 ----a-w C:\WINDOWS\system32\inhtnaas.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2006-01-11 16:40 221,184 ----a-w C:\Documents and Settings\VCS GUI\setup.exe
2006-01-11 16:40 1,822,520 ----a-w C:\Documents and Settings\VCS GUI\instmsiw.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 17:57 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 17:57 512000]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 18:15 94208]
"BluetoothAuthenticationAgent"="rundll32.exe" [2004-08-04 04:56 33280 C:\WINDOWS\system32\rundll32.exe]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2004-07-14 20:34 36864]
"TpShocks"="TpShocks.exe" [2005-08-22 23:29 86016 C:\WINDOWS\system32\TpShocks.exe]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 04:38 110592]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 04:38 20480]
"BMMMONWND"="rundll32.exe" [2004-08-04 04:56 33280 C:\WINDOWS\system32\rundll32.exe]
"BLOG"="rundll32.exe" [2004-08-04 04:56 33280 C:\WINDOWS\system32\rundll32.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-26 01:00 344064]
"frymxins"="C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" [ ]
"TP4EX"="tp4ex.exe" [2005-10-17 04:11 65536 C:\WINDOWS\system32\TP4EX.exe]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 19:08 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"CyberArmorHelper"="C:\Program Files\CyberArmor\pcshelp.exe" [2005-11-09 20:42 69632]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-11-09 15:15 115560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtQgDt]
geBtQgDt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghihg]
hgghihg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 2005-07-06 03:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-06-17 02:23 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c003C10E]
C:\WINDOWS\system32\__c003C10E.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00C3050]
C:\WINDOWS\system32\__c00C3050.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00C5269]
C:\WINDOWS\system32\__c00C5269.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00D5284]
C:\WINDOWS\system32\__c00D5284.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= cahooknt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1482476501-682003330-1801674531-43809\Scripts\Logon\0\0]
"Script"=ITCSAdmins.wsf

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-11-16 05:30 1611480 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-06-06 15:59]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-06 15:59]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 04:38]
R2 CyberArmorRunService;CyberArmor Run Service;C:\Program Files\CyberArmor\casvc.exe [2005-11-09 20:36]
R2 PMEMNT.SYS;PMEMNT.SYS;C:\WINDOWS\system32\drivers\PMEMNT.SYS [2005-01-03 12:24]
R2 Viexpf2k;CyberArmor W2KDriver;C:\WINDOWS\system32\drivers\viexpf2k.sys [2005-11-09 20:45]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-05-29 13:55]
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []
S3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-10 18:19:54 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2005-06-22 20:35:47 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 11:56:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2008-06-11 11:58:14
ComboFix-quarantined-files.txt 2008-06-11 15:58:00
ComboFix2.txt 2008-06-11 15:39:17

Pre-Run: 11,397,373,952 bytes free
Post-Run: 11,367,337,984 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

202 --- E O F --- 2008-04-15 06:04:02



Hijack this



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23, on 2008-06-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\CyberArmor\casvc.exe
C:\PROGRA~1\CYBERA~1\pcs.exe
C:\PROGRA~1\CYBERA~1\pcshelp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\DoScan.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberArmor\pcshelp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://inside.openwave.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [UC_Start] "C:\Program Files\IBM\Updater\\ucstartup.exe"
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE"
O4 - HKLM\..\Run: [BMMMONWND] "rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] "rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [frymxins] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PRONoMgrWired] "C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CyberArmorHelper] "C:\Program Files\CyberArmor\pcshelp.exe" -check
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\PkgMgr.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.myopwv.com
O15 - Trusted Zone: *.netscaler.com
O15 - Trusted Zone: *.openwave.com
O15 - Trusted Zone: *.peopleclick.com
O15 - Trusted Zone: *.myopwv.com (HKLM)
O15 - Trusted Zone: *.netscaler.com (HKLM)
O15 - Trusted Zone: *.openwave.com (HKLM)
O15 - Trusted Zone: *.peopleclick.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119451976022
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} - http://rwc-a1159-prd...tor/oajinit.exe
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigne...p/view22rte.cab
O16 - DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} (Nsload Control) - https://sidedoor.ope...ipts/nsload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = myopwv.com
O17 - HKLM\Software\..\Telephony: DomainName = myopwv.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = myopwv.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = myopwv.com
O20 - AppInit_DLLs: cahooknt.dll
O20 - Winlogon Notify: geBtQgDt - geBtQgDt.dll (file missing)
O20 - Winlogon Notify: hgghihg - hgghihg.dll (file missing)
O20 - Winlogon Notify: __c003C10E - C:\WINDOWS\system32\__c003C10E.dat (file missing)
O20 - Winlogon Notify: __c00C3050 - C:\WINDOWS\system32\__c00C3050.dat (file missing)
O20 - Winlogon Notify: __c00C5269 - C:\WINDOWS\system32\__c00C5269.dat (file missing)
O20 - Winlogon Notify: __c00D5284 - C:\WINDOWS\system32\__c00D5284.dat (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - InfoExpress - C:\Program Files\CyberArmor\casvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE

--
End of file - 9155 bytes
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\13.tmp
C:\16.tmp
C:\15.tmp
C:\14.tmp
C:\WINDOWS\system32\mLEtropQ.dll
C:\WINDOWS\system32\vbgxvoxx.dll
C:\WINDOWS\system32\nsnxtgqh.dll
C:\WINDOWS\system32\jnypvumw.dll
C:\WINDOWS\system32\inhtnaas.dll

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Also post a new HijackThis log
  • 0

#7
rallen295

rallen295

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
here you go...thanks again

ComboFix 08-06-10.5 - rcarabal 2008-06-11 15:12:00.3 - NTFSx86
Running from: C:\Documents and Settings\rcarabal\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\rcarabal\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\13.tmp
C:\14.tmp
C:\15.tmp
C:\16.tmp
C:\WINDOWS\system32\inhtnaas.dll
C:\WINDOWS\system32\jnypvumw.dll
C:\WINDOWS\system32\mLEtropQ.dll
C:\WINDOWS\system32\nsnxtgqh.dll
C:\WINDOWS\system32\vbgxvoxx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\13.tmp
C:\14.tmp
C:\15.tmp
C:\16.tmp
C:\WINDOWS\system32\inhtnaas.dll
C:\WINDOWS\system32\jnypvumw.dll
C:\WINDOWS\system32\mLEtropQ.dll
C:\WINDOWS\system32\nsnxtgqh.dll
C:\WINDOWS\system32\vbgxvoxx.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-03 07:16 . 2008-06-03 07:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-03 07:15 . 2008-06-03 07:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-02 00:59 . 2008-06-02 00:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-31 18:50 . 2008-05-31 18:52 <DIR> d-------- C:\Program Files\Panda Security
2008-05-31 18:41 . 2008-05-31 18:41 <DIR> d-------- C:\Webroot
2008-05-30 23:46 . 2008-05-30 23:46 <DIR> d-------- C:\Documents and Settings\rcarabal\Application Data\Malwarebytes
2008-05-30 23:40 . 2008-05-30 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-30 23:40 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-30 23:39 . 2008-05-30 23:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-30 23:39 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-30 23:37 . 2008-05-30 23:37 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-30 22:42 . 2008-05-30 22:42 <DIR> d-------- C:\VundoFix Backups
2008-05-30 22:28 . 2008-05-30 22:26 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-30 22:28 . 2008-05-30 22:28 2,553 --a------ C:\WINDOWS\unins000.dat
2008-05-30 16:19 . 2008-05-30 16:19 0 --a------ C:\WINDOWS\system32\TP4EX
2008-05-30 16:06 . 2008-05-30 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-30 16:05 . 2008-06-04 14:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-30 16:05 . 2008-06-04 14:54 <DIR> d-------- C:\Documents and Settings\rcarabal\Application Data\SUPERAntiSpyware.com
2008-05-30 16:01 . 2008-05-30 16:01 <DIR> d-------- C:\Program Files\Webroot
2008-05-30 11:17 . 2007-12-18 19:06 91,008 --a------ C:\WINDOWS\system32\drivers\SysPlant.sys
2008-05-30 11:14 . 2008-05-30 11:17 136,496 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-30 11:14 . 2008-05-30 11:17 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-30 11:14 . 2008-05-30 11:17 10,652 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-30 11:14 . 2008-05-30 11:17 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-30 11:08 . 2008-05-30 11:17 <DIR> d-------- C:\Program Files\Symantec
2008-05-30 11:08 . 2008-05-30 21:34 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-30 11:08 . 2008-05-30 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-30 00:43 . 2008-05-30 00:43 <DIR> d-------- C:\Program Files\CleanUp!
2008-05-30 00:42 . 2008-05-30 22:26 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-30 00:42 . 2008-05-30 15:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-30 00:27 . 2008-06-11 12:18 <DIR> d-------- C:\Program Files\CyberArmor
2008-05-30 00:27 . 2005-11-09 20:45 257,087 --a------ C:\WINDOWS\system32\drivers\viexpf2k.sys
2008-05-30 00:27 . 2005-11-09 20:36 143,360 --a------ C:\WINDOWS\system32\cahookd.dll
2008-05-30 00:27 . 2005-11-09 20:36 131,072 --a------ C:\WINDOWS\system32\cahooknt.dll
2008-05-30 00:27 . 2005-11-09 20:42 53,248 --a------ C:\WINDOWS\system32\pcsldr.exe
2008-05-30 00:27 . 2005-11-09 16:33 36,864 --a------ C:\WINDOWS\system32\vsctool.dll
2008-05-29 23:53 . 2008-05-29 23:53 <DIR> d-------- C:\Documents and Settings\rcarabal\Application Data\Lavasoft
2008-05-18 17:01 . 2008-05-18 17:01 48 --a------ C:\WINDOWS\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 22:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-04 19:54 --------- d-----w C:\Program Files\Databank
2008-06-04 19:51 --------- d-----w C:\Program Files\ThinkPad
2008-06-04 18:35 --------- d-----w C:\Program Files\Oracle
2008-06-04 18:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-31 20:36 --------- d-----w C:\Program Files\LimeWire
2008-05-30 20:19 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-05-30 20:18 --------- d-----w C:\Program Files\NetWaiting
2008-05-17 15:49 --------- d-----w C:\Documents and Settings\rcarabal\Application Data\LimeWire
2008-05-01 18:57 --------- d-----w C:\Program Files\iTunes
2008-05-01 18:56 --------- d-----w C:\Program Files\iPod
2008-05-01 18:42 --------- d-----w C:\Program Files\QuickTime
2008-05-01 18:06 --------- d-----w C:\Program Files\Apple Software Update
2008-04-17 02:09 --------- d-----w C:\Documents and Settings\rcarabal\Application Data\vlc
2008-04-17 01:52 --------- d-----w C:\Program Files\VideoLAN
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2006-01-11 16:40 221,184 ----a-w C:\Documents and Settings\VCS GUI\setup.exe
2006-01-11 16:40 1,822,520 ----a-w C:\Documents and Settings\VCS GUI\instmsiw.exe
.

((((((((((((((((((((((((((((( [email protected]_11.38.11.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-11 15:12:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-11 16:17:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-11 16:18:45 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_774.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 17:57 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 17:57 512000]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 18:15 94208]
"BluetoothAuthenticationAgent"="rundll32.exe" [2004-08-04 04:56 33280 C:\WINDOWS\system32\rundll32.exe]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2004-07-14 20:34 36864]
"TpShocks"="TpShocks.exe" [2005-08-22 23:29 86016 C:\WINDOWS\system32\TpShocks.exe]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 04:38 110592]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 04:38 20480]
"BMMMONWND"="rundll32.exe" [2004-08-04 04:56 33280 C:\WINDOWS\system32\rundll32.exe]
"BLOG"="rundll32.exe" [2004-08-04 04:56 33280 C:\WINDOWS\system32\rundll32.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-26 01:00 344064]
"frymxins"="C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" [ ]
"TP4EX"="tp4ex.exe" [2005-10-17 04:11 65536 C:\WINDOWS\system32\TP4EX.exe]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 19:08 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"CyberArmorHelper"="C:\Program Files\CyberArmor\pcshelp.exe" [2005-11-09 20:42 69632]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-11-09 15:15 115560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtQgDt]
geBtQgDt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghihg]
hgghihg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 2005-07-06 03:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-06-17 02:23 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c003C10E]
C:\WINDOWS\system32\__c003C10E.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00C3050]
C:\WINDOWS\system32\__c00C3050.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00C5269]
C:\WINDOWS\system32\__c00C5269.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00D5284]
C:\WINDOWS\system32\__c00D5284.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= cahooknt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1482476501-682003330-1801674531-43809\Scripts\Logon\0\0]
"Script"=ITCSAdmins.wsf

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-11-16 05:30 1611480 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-06-06 15:59]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-06 15:59]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 04:38]
R2 CyberArmorRunService;CyberArmor Run Service;C:\Program Files\CyberArmor\casvc.exe [2005-11-09 20:36]
R2 PMEMNT.SYS;PMEMNT.SYS;C:\WINDOWS\system32\drivers\PMEMNT.SYS [2005-01-03 12:24]
R2 Viexpf2k;CyberArmor W2KDriver;C:\WINDOWS\system32\drivers\viexpf2k.sys [2005-11-09 20:45]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-05-29 13:55]
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []
S3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-10 18:19:54 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2005-06-22 20:35:47 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 15:15:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2008-06-11 15:17:05
ComboFix-quarantined-files.txt 2008-06-11 19:16:44
ComboFix2.txt 2008-06-11 15:58:15
ComboFix3.txt 2008-06-11 15:39:17

Pre-Run: 11,374,718,976 bytes free
Post-Run: 11,361,374,208 bytes free

211 --- E O F --- 2008-04-15 06:04:02






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:17, on 2008-06-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\CyberArmor\casvc.exe
C:\PROGRA~1\CYBERA~1\pcs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberArmor\pcshelp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\CYBERA~1\pcshelp.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://inside.openwave.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [UC_Start] "C:\Program Files\IBM\Updater\\ucstartup.exe"
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE"
O4 - HKLM\..\Run: [BMMMONWND] "rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] "rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [frymxins] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PRONoMgrWired] "C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CyberArmorHelper] "C:\Program Files\CyberArmor\pcshelp.exe" -check
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\PkgMgr.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.myopwv.com
O15 - Trusted Zone: *.netscaler.com
O15 - Trusted Zone: *.openwave.com
O15 - Trusted Zone: *.peopleclick.com
O15 - Trusted Zone: *.myopwv.com (HKLM)
O15 - Trusted Zone: *.netscaler.com (HKLM)
O15 - Trusted Zone: *.openwave.com (HKLM)
O15 - Trusted Zone: *.peopleclick.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119451976022
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} - http://rwc-a1159-prd...tor/oajinit.exe
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigne...p/view22rte.cab
O16 - DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} (Nsload Control) - https://sidedoor.ope...ipts/nsload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = myopwv.com
O17 - HKLM\Software\..\Telephony: DomainName = myopwv.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = myopwv.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = myopwv.com
O20 - AppInit_DLLs: cahooknt.dll
O20 - Winlogon Notify: geBtQgDt - geBtQgDt.dll (file missing)
O20 - Winlogon Notify: hgghihg - hgghihg.dll (file missing)
O20 - Winlogon Notify: __c003C10E - C:\WINDOWS\system32\__c003C10E.dat (file missing)
O20 - Winlogon Notify: __c00C3050 - C:\WINDOWS\system32\__c00C3050.dat (file missing)
O20 - Winlogon Notify: __c00C5269 - C:\WINDOWS\system32\__c00C5269.dat (file missing)
O20 - Winlogon Notify: __c00D5284 - C:\WINDOWS\system32\__c00D5284.dat (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - InfoExpress - C:\Program Files\CyberArmor\casvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE

--
End of file - 8952 bytes
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O15 - Trusted Zone: *.myopwv.com
O15 - Trusted Zone: *.netscaler.com
O15 - Trusted Zone: *.openwave.com
O15 - Trusted Zone: *.peopleclick.com
O15 - Trusted Zone: *.myopwv.com (HKLM)
O15 - Trusted Zone: *.netscaler.com (HKLM)
O15 - Trusted Zone: *.openwave.com (HKLM)
O15 - Trusted Zone: *.peopleclick.com (HKLM)
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} - http://rwc-a1159-prd...tor/oajinit.exe
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigne...p/view22rte.cab
O20 - Winlogon Notify: geBtQgDt - geBtQgDt.dll (file missing)
O20 - Winlogon Notify: hgghihg - hgghihg.dll (file missing)
O20 - Winlogon Notify: __c003C10E - C:\WINDOWS\system32\__c003C10E.dat (file missing)
O20 - Winlogon Notify: __c00C3050 - C:\WINDOWS\system32\__c00C3050.dat (file missing)
O20 - Winlogon Notify: __c00C5269 - C:\WINDOWS\system32\__c00C5269.dat (file missing)
O20 - Winlogon Notify: __c00D5284 - C:\WINDOWS\system32\__c00D5284.dat (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new HijackThis log
  • 0

#9
rallen295

rallen295

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
here you go. Desktop looks better !!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:44, on 2008-06-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\CyberArmor\casvc.exe
C:\PROGRA~1\CYBERA~1\pcs.exe
C:\PROGRA~1\CYBERA~1\pcshelp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\DoScan.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberArmor\pcshelp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://inside.openwave.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [UC_Start] "C:\Program Files\IBM\Updater\\ucstartup.exe"
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE"
O4 - HKLM\..\Run: [BMMMONWND] "rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] "rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [frymxins] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PRONoMgrWired] "C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CyberArmorHelper] "C:\Program Files\CyberArmor\pcshelp.exe" -check
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\PkgMgr.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119451976022
O16 - DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} (Nsload Control) - https://sidedoor.ope...ipts/nsload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = myopwv.com
O17 - HKLM\Software\..\Telephony: DomainName = myopwv.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = myopwv.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = myopwv.com
O20 - AppInit_DLLs: cahooknt.dll
O20 - Winlogon Notify: geBtQgDt - geBtQgDt.dll (file missing)
O20 - Winlogon Notify: hgghihg - hgghihg.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - InfoExpress - C:\Program Files\CyberArmor\casvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE

--
End of file - 8335 bytes
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O20 - Winlogon Notify: geBtQgDt - geBtQgDt.dll (file missing)
O20 - Winlogon Notify: hgghihg - hgghihg.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new HijackThis log
  • 0

#11
rallen295

rallen295

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:16, on 2008-06-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\CyberArmor\casvc.exe
C:\PROGRA~1\CYBERA~1\pcs.exe
C:\PROGRA~1\CYBERA~1\pcshelp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberArmor\pcshelp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://inside.openwave.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [UC_Start] "C:\Program Files\IBM\Updater\\ucstartup.exe"
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE"
O4 - HKLM\..\Run: [BMMMONWND] "rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] "rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [frymxins] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PRONoMgrWired] "C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CyberArmorHelper] "C:\Program Files\CyberArmor\pcshelp.exe" -check
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\PkgMgr.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119451976022
O16 - DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} (Nsload Control) - https://sidedoor.ope...ipts/nsload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = myopwv.com
O17 - HKLM\Software\..\Telephony: DomainName = myopwv.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = myopwv.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = myopwv.com
O20 - AppInit_DLLs: cahooknt.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - InfoExpress - C:\Program Files\CyberArmor\casvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE

--
End of file - 8078 bytes
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com.../readstep2.html




Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time protection program or there will be a conflict.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#13
rallen295

rallen295

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Thank you !
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP