Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan-Spy.HTML.smitfraud.c


  • This topic is locked This topic is locked

#1
ItsInTheSoup

ItsInTheSoup

    Member

  • Member
  • PipPip
  • 17 posts
I am also new to this forum, and I see the topics regarding this virus are being posted hot and heavy. I've been following the advice in the last day to try and remove this from a friend's Thinkpad, and while I've been able to get rid of the blue screen and restore the wallpaper and desktop properties, things are still just not right.

Examples of continuing problems are

Unable to run Norton Internet Security (nothing happens)
Unable to run Ad-Aware SE Personal (nothing happens)
Weird, unexpected behavior in IE
Unable to run Windows Update (get an "I'm sorry" message)

Also, if I go to Desktop properties and change the wallpaper without also unchecking the "security page" under the Advanced-Web tab, I get the black screen with the spyware warning back again. Finally, I am getting a yellow warning triangle and popup that says I have spyware on the system.

Here is my HijackThis log (hope I did this right :tazz: ):

Logfile of HijackThis v1.99.1
Scan saved at 4:29:10 PM, on 4/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\init32m.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system32\taskmg.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\windows\gpogind.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Michael Wells\Start Menu\Programs\Startup\winupdate49481353[1].exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Download\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [wgeffcu] c:\windows\gpogind.exe
O4 - HKCU\..\Run: [vufyyus] c:\windows\rgdwwwb.exe
O4 - HKCU\..\Run: [tifgikh] c:\windows\ylnpkjg.exe
O4 - HKCU\..\Run: [rqlfqrl] c:\windows\wuxvbej.exe
O4 - HKCU\..\Run: [rdsqups] c:\windows\kmmctsr.exe
O4 - HKCU\..\Run: [qtwculd] c:\windows\kmmctsr.exe
O4 - HKCU\..\Run: [qrwdfhn] c:\windows\gpogind.exe
O4 - HKCU\..\Run: [qcjmqxd] c:\windows\gpogind.exe
O4 - HKCU\..\Run: [ktbbmtj] c:\windows\gpogind.exe
O4 - HKCU\..\Run: [kfayrfx] c:\windows\sprgqlm.exe
O4 - HKCU\..\Run: [jiljawh] c:\windows\gpogind.exe
O4 - HKCU\..\Run: [jfrfxqw] c:\windows\uptlmch.exe
O4 - HKCU\..\Run: [ibbdhds] c:\windows\kmmctsr.exe
O4 - HKCU\..\Run: [efttjbv] c:\windows\foefgtd.exe
O4 - HKCU\..\Run: [ctmuvrd] c:\windows\gpogind.exe
O4 - HKCU\..\Run: [bsdnsyg] c:\windows\gpogind.exe
O4 - HKCU\..\Run: [bkjxkxh] c:\windows\uptlmch.exe
O4 - HKCU\..\Run: [bhjwjaa] c:\windows\jlcript.exe
O4 - HKCU\..\Run: [nonvfik] c:\windows\jlcript.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: winupdate49481353[1].exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114628262366
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


Thanks for your help!
  • 0

Advertisements


#2
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Download LSPFix http://www.greyknigh.../spy/LSPFix.exe and run it. Click on flsmngr.dll on the left window and click on the arrow pointing to the right. Click Finish and follow the prompts.

To fix the wallpaper problem, do this also:

Right click on http://www.greyknigh...pairDesktop.reg and download that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, restart your computer.

Login as usual and now right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

Press CTRL ALT DELETE to open Windows Task Manger. Click on the Processes tab and end the following processes:

C:\WINDOWS\system32\init32m.exe
C:\windows\system32\taskmg.exe
C:\windows\gpogind.exe
C:\Documents and Settings\Michael Wells\Start Menu\Programs\Startup\winupdate49481353[1].exe


Exit Task Manager.

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
Unzip it to the desktop.

* Please run Killbox.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting them and pressing CTRL + C:

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

Reboot into normal mode.

Open Notepad, and copy EVERYTHING in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fix.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4":

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"notepad.exe"=-
"notepad2.exe"=-
"winlogon.exe"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=-
"Wallpaper"=-
"NoDispBackgroundPage"=-
"NoDispAppearancePage"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"NoActiveDesktop"=-
"NoSaveSettings"=-
"ClassicShell"=-
"NoThemesTab"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=-

Locate fix.reg on your Desktop and double-click on it. When asked if you want to merge with the registry, click YES.

Reboot your computer again.

1.) Download the Hoster from HERE Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Download: http://www.mvps.org/winhelp2002/DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [wgeffcu] c:\windows\gpogind.exe
O4 - HKCU\..\Run: [vufyyus] c:\windows\rgdwwwb.exe
O4 - HKCU\..\Run: [tifgikh] c:\windows\ylnpkjg.exe
O4 - HKCU\..\Run: [rqlfqrl] c:\windows\wuxvbej.exe
O4 - HKCU\..\Run: [rdsqups] c:\windows\kmmctsr.exe
O4 - HKCU\..\Run: [qtwculd] c:\windows\kmmctsr.exe
O4 - HKCU\..\Run: [qrwdfhn] c:\windows\gpogind.exe
O4 - HKCU\..\Run: [qcjmqxd] c:\windows\gpogind.exe
O4 - HKCU\..\Run: [ktbbmtj] c:\windows\gpogind.exe
O4 - HKCU\..\Run: [kfayrfx] c:\windows\sprgqlm.exe
O4 - HKCU\..\Run: [jiljawh] c:\windows\gpogind.exe
O4 - HKCU\..\Run: [jfrfxqw] c:\windows\uptlmch.exe
O4 - HKCU\..\Run: [ibbdhds] c:\windows\kmmctsr.exe
O4 - HKCU\..\Run: [efttjbv] c:\windows\foefgtd.exe
O4 - HKCU\..\Run: [ctmuvrd] c:\windows\gpogind.exe
O4 - HKCU\..\Run: [bsdnsyg] c:\windows\gpogind.exe
O4 - HKCU\..\Run: [bkjxkxh] c:\windows\uptlmch.exe
O4 - HKCU\..\Run: [bhjwjaa] c:\windows\jlcript.exe
O4 - HKCU\..\Run: [nonvfik] c:\windows\jlcript.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: winupdate49481353[1].exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O11 - Options group: [JAVA_IBM] Java (IBM)



Post a new HiJackThis log.
  • 0

#3
ItsInTheSoup

ItsInTheSoup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hi, thanks so much for your help. I followed all the instructions but was not able to remove the following statement through HijackThis:

O4 - Startup: winupdate49481353[1].exe

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:27:29 AM, on 5/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Michael Wells\Start Menu\Programs\Startup\winupdate49481353[1].exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Download\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: winupdate49481353[1].exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114628262366
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

You asked me to save the scan file from ActiveScan:

Incident Status Location

Virus:Trj/Small.LQ Disinfected Operating system
Adware:Adware/Findspy No disinfected C:\Documents and Settings\Michael Wells\Favorites\ Free Hidden Cams World - Realtime.url
Adware:Adware/Adsmart No disinfected C:\WINDOWS\System32\thun32.dll
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry
Adware:Adware/Wind-find No disinfected C:\WINDOWS\dfumlfb.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\foefgtd.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\gpogind.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\jlcript.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\kmmctsr.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\lwefitn.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\qdejngu.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\rgdwwwb.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\sprgqlm.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\system32\axgsqrdk.exe
Adware:Adware/Findspy No disinfected C:\WINDOWS\system32\byymfaaa.exe
Adware:Adware/CWS.Flsmngr No disinfected C:\WINDOWS\system32\flsmngr.dll
Virus:Trj/Lowzones.CL Disinfected C:\WINDOWS\system32\kcmoaaaa.exe
Virus:Trj/Downloader.BUL Disinfected C:\WINDOWS\system32\pcxeeaaa.exe
Virus:Trj/Downloader.CKQ Disinfected C:\WINDOWS\system32\srpcsrv32.dll
Virus:Trj/Hpt.C Disinfected C:\WINDOWS\system32\taskmg.exe
Virus:Trj/Small.LQ Disinfected C:\WINDOWS\system32\thun32.dll
Virus:Trj/Downloader.CKQ Disinfected C:\WINDOWS\system32\txfdb32.dll
Adware:Adware/Wind-find No disinfected C:\WINDOWS\uptlmch.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\vjhpfci.exe
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\Web\desktop.html
Adware:Adware/Wind-find No disinfected C:\WINDOWS\wuxvbej.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\ylnpkjg.exe

Thanks again!
  • 0

#4
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please set your system to show
all files; please see here if you're unsure how to do this.

Press Control-Alt-Del to enter the Task Manager.

Click on the Processes tab and end the following processes:

C:\Documents and Settings\Michael Wells\Start Menu\Programs\Startup\winupdate49481353[1].exe
Exit the Task Manager when finished.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - Startup: winupdate49481353[1].exe

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.


Using Windows Explorer, locate the following files/folders, and delete them:

C:\Documents and Settings\Michael Wells\Start Menu\Programs\Startup\winupdate49481353[1].exe

If you were unable to find any of the files then please follow these additional instructions:

Download Killbox By Option^Explicit

http://forums.tomcoy...?showtopic=9904

Paste the full file path (C:\WINDOWS\System32\) in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.

Also, delete these files with pocket killbox

[B]C:\Documents and Settings\Michael Wells\Favorites\ Free Hidden Cams World - Realtime.url<<what is this?
C:\WINDOWS\System32\thun32.dll
C:\WINDOWS\dfumlfb.exe
C:\WINDOWS\foefgtd.exe
C:\WINDOWS\gpogind.exe
C:\WINDOWS\jlcript.exe
C:\WINDOWS\kmmctsr.exe
C:\WINDOWS\lwefitn.exe
C:\WINDOWS\qdejngu.exe
C:\WINDOWS\rgdwwwb.exe
C:\WINDOWS\sprgqlm.exe
C:\WINDOWS\system32\axgsqrdk.exe
C:\WINDOWS\system32\byymfaaa.exe
C:\WINDOWS\system32\flsmngr.dll
C:\WINDOWS\system32\kcmoaaaa.exe
C:\WINDOWS\system32\pcxeeaaa.exe
C:\WINDOWS\system32\srpcsrv32.dll
C:\WINDOWS\system32\taskmg.exe
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\txfdb32.dll
C:\WINDOWS\uptlmch.exe
C:\WINDOWS\vjhpfci.exe
C:\WINDOWS\Web\desktop.html
C:\WINDOWS\wuxvbej.exe
C:\WINDOWS\ylnpkjg.exe




Let the system reboot.

Post back a fresh HijackThis log and we will take another look. :tazz:
  • 0

#5
ItsInTheSoup

ItsInTheSoup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
This seems to have done the trick! I am posting the HijackThis log, but I do believe the problems are solved. Thank you so much!

Logfile of HijackThis v1.99.1
Scan saved at 10:16:58 AM, on 5/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Download\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114628262366
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
  • 0

#6
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox Posted Image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. ;)

..
We highly recommend installing SP2. Click here: http://windowsupdate.microsoft.com/.
-or-
It's a very large download, so if you're on dial-up, order a free CD here:
http://www.microsoft...default810.mspx

I will leave this topic open for a few days. Please post back if you have any more troubles. ;)
  • 0

#7
ItsInTheSoup

ItsInTheSoup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
coachwife6, thanks so much for your help. However, I am still having a couple of problems that I think are due to the malware problem I was having. Specifically:

1. Windows Update does not work - following a click on "express installation" or "custom installation" i get a "we're sorry but there seems to be a problem..." and then nothing I click on is responsive.

2. Norton Internet Security 2005 does not come up. Despite trying to initiate several of the programs and links, absolutely nothing happens (including going to Control Panel - Add/Remove Programs and trying to "change" this program).

These both worked before I had the above problem - can you help? I've posted another HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 6:04:46 PM, on 5/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114628262366
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
  • 0

#8
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Open Notepad, and copy EVERYTHING in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fix.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4":


REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=-
"Wallpaper"=-
"WallpaperStyle"=-
"NoDispBackgroundPage"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"="0 78 152"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"notepad.exe"=-
"notepad2.exe"=-
"winlogon.exe"=-
"paint.exe"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"= dword:00000000

[-HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[-HKEY_CLASSES_ROOT\CLSID\VMHomepage]

[-HKEY_CLASSES_ROOT\CLSID\VMHomepage.1]

[-HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}]

[-HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}]

[-HKEY_CLASSES_ROOT\VMHomepage]

[-HKEY_CLASSES_ROOT\VMHomepage.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HTTP\Parameters\S]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HTTP\Parameters\S]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\r]

Locate fix.reg on your Desktop and double-click on it. When asked if you want to merge with the registry, click YES.

Reboot your computer again.

1.) Press "Restore Original Hosts" in the Hosters program and press "OK". Exit Program.

2.) Download: http://www.mvps.org/.../DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp! again

4.) Run the same online virus scan: ActiveScan - Save the results from the scan!
  • 0

#9
ItsInTheSoup

ItsInTheSoup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Ok, did that - same problems still exist. Here's my log from the ActiveScan:

Incident Status Location

Adware:Adware/Adsmart No disinfected Windows Registry
Adware:Adware/Wind-find No disinfected C:\WINDOWS\dfumlfb.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\foefgtd.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\gpogind.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\jlcript.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\kmmctsr.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\lwefitn.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\qdejngu.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\rgdwwwb.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\sprgqlm.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\system32\axgsqrdk.exe
Adware:Adware/Findspy No disinfected C:\WINDOWS\system32\byymfaaa.exe
Adware:Adware/CWS.Flsmngr No disinfected C:\WINDOWS\system32\flsmngr.dll
Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\thun.dll
Adware:Adware/Wind-find No disinfected C:\WINDOWS\uptlmch.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\vjhpfci.exe
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\Web\desktop.html
Adware:Adware/Wind-find No disinfected C:\WINDOWS\wuxvbej.exe
Adware:Adware/Wind-find No disinfected C:\WINDOWS\ylnpkjg.exe
  • 0

#10
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Run pocket killbox again and follow the same instructions to get rid of these files:

C:\WINDOWS\dfumlfb.exe
C:\WINDOWS\foefgtd.exe
C:\WINDOWS\gpogind.exe
C:\WINDOWS\jlcript.exe
C:\WINDOWS\kmmctsr.exe
C:\WINDOWS\lwefitn.exe
C:\WINDOWS\qdejngu.exe
C:\WINDOWS\rgdwwwb.exe
C:\WINDOWS\sprgqlm.exe
C:\WINDOWS\system32\axgsqrdk.exe
C:\WINDOWS\system32\byymfaaa.exe
C:\WINDOWS\system32\flsmngr.dll
d C:\WINDOWS\system32\thun.dll
C:\WINDOWS\uptlmch.exe
C:\WINDOWS\vjhpfci.exe
C:\WINDOWS\Web\desktop.html
C:\WINDOWS\wuxvbej.exe
C:\WINDOWS\ylnpkjg.exe


Scan the computer here:
http://www.ewido.net/en/
Let it do a full run, than copy the log. Paste it to a blank Notepad file and save it to post here.

Please download CleanUp!and run it to remove any leftover remnants of infection. Click the CleanUp button, and let it scan and select any files it needs to remove. Once it is done, exit the program. Post the logs. :tazz:
  • 0

Advertisements


#11
ItsInTheSoup

ItsInTheSoup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Not quite clear on your instructions - am I supposed to copy each of the items into the killbox window one at a time (hitting the red X after each)? or can I copy the whole list at one time? Also, was there supposed to be a "d" in front of

d C:\WINDOWS\system32\thun.dll

??

Thanks again.
  • 0

#12
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Download Killbox By Option^Explicit

http://forums.tomcoy...?showtopic=9904

Paste the full file path (C:\WINDOWS\System32\) in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.

Also, delete these files with pocket killbox.

No "d"
  • 0

#13
ItsInTheSoup

ItsInTheSoup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Sorry, coachwife6, I must be getting tired. The link

http://forums.tomcoy...?showtopic=9904

gives me an error message. Are there 2 programs - killbox and pocket killbox? The only one I have is pocket killbox, the one you asked me to download

http://www.atribune....ads/KillBox.exe.

I am confused, I'm not sure I've done what you've asked.

I did do the scan, here's the log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:39:37 PM, 5/8/2005
+ Report-Checksum: DCDD9E70

+ Date of database: 5/8/2005
+ Version of scan engine: v3.0

+ Duration: 24 min
+ Scanned Files: 60285
+ Speed: 41.27 Files/Second
+ Infected files: 27
+ Removed files: 27
+ Files put in quarantine: 27
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP70\A0009959.exe -> TrojanDownloader.Small.aql -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP74\A0011098.exe -> TrojanDownloader.Small.aql -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP77\A0011207.exe -> TrojanDownloader.Small.aql -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP82\A0011845.exe -> Trojan.Agent.ct -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP82\A0012976.exe -> TrojanDownloader.Small.aql -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP82\A0013064.dll -> TrojanDownloader.Agent.le -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP87\A0014822.exe -> TrojanDropper.Small.wv -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP87\A0014824.dll -> TrojanDownloader.Adload.g -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP87\A0014825.exe -> Trojan.Hpt.j -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP87\A0014826.dll -> TrojanDownloader.Adload.g -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP87\A0014827.dll -> TrojanProxy.Small.bk -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP88\A0014862.exe -> TrojanDownloader.Small.aql -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP89\A0015290.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP89\A0015291.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP89\A0015292.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP89\A0015293.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP89\A0015294.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP89\A0015295.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP89\A0015296.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP89\A0015297.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP89\A0015298.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP89\A0015299.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP89\A0015300.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP89\A0015303.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP89\A0015304.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP89\A0015305.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP89\A0015306.exe -> Spyware.Hijacker.Generic -> Cleaned with backup


::Report End


Unfortunately the problems with Windows Update and Norton Internet Security still exist. Sorry I'm not picking this up, I really appreciate your patience and help.

Edited by ItsInTheSoup, 09 May 2005 - 08:37 AM.

  • 0

#14
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I haven't forgotten about you. I've just been very busy.
  • 0

#15
ItsInTheSoup

ItsInTheSoup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
No problem - Thanks for letting me know. Whenever you get the time, I appreciate your help.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP